ThreatConnect, typical of the tech studies, posted a four-page analysis of the OPM hack. It included discussions of malware packages that were possibly used and means of connecting the hack to the Chinese. It was highly technical, well thought out and cogently presented.
But the phrase “social engineering” was used only once, in the last paragraph, as a near aside to the main threat – suggesting that the hacked data could help socially engineer someone.
This shows the typical lack of comprehension, among the technical crowd, about the craft of social engineering.
Social engineering has become about 75 percent of an average hacker’s toolkit, and for the most successful hackers, it reaches 90 percent or more.
I can easily find an organization chart within OPM giving titles and names with little research. Once I have a target, the target can be “humanly” engaged. Using one example, I find the “dream” love partner, or the ideal friend, not by hacking into a database, but by observing eye movements and other body language over a small course of time and inserting that ideal person into the target’s path. From that engagement and its end products comes the need for explicit technical materials that I must use to gain what I want. The more sophisticated the social engineering, the less is the need for high technology.
A simple social engineering hack might involve leaving a thumb drive on the pavement close to the driver door of a car. The thumb drive might be labeled “naked photos” or “first quarter profits”. The idea is to influence the driver to insert the thumb drive into his computer. From that point technology takes over and the majority of the remaining hack will be purely technical. On the other hand, the “dream love partner” hack mentioned above would most likely require very few technical resources once the target’s password or other info has been obtained.
Read the whole thing — and up your awareness level if you want to reduce the threat level.