Big Data for Social Engineering

First, it integrates with corporate directories such as Active Directory and social media sites like LinkedIn to map the connections between employees, as well as important outside contacts. Bell calls this the “real org chart.” Hackers can use such information to choose people they ought to impersonate while trying to scam employees. From there, AVA users can craft custom phishing campaigns, both in email and Twitter, to see how employees respond. via wired

This is a white hat tool, of course, a form of social engineering penetration testing. Two points of interest, though.

First, you can be pretty certain hackers are already using this sort of tool today to find the right person to contact, how to contact them, and to discover the things they know people will respond to. The rule of thumb you should keep in mind is — at least 80% of the time, hackers are already using the tools researchers come up with to do penetration testing. Remember all those fake people inhabiting the world of twitter, facebook, and the like? Some of them might not be just another click farm — some of them might be clickbait for hackers to find out who you are.

Second, this can teach us something about the human psyche and our ability to be hacked. The particular ploy described in the article is one straight out of Obedience to Authority, pitting someone’s knowledge of what is right and wrong against someone they think is an authority figure. Though not quite as stark as the electric shock machine, the idea that we can be tricked in this way should be sobering.

To put it in another context, isn’t this just advertising in the big data age? Find out about the person, who they respect, and what they believe, and then use those as vulnerabilities to get them to behave a certain way, or believe a certain thing? Something more serious to think about than the latest switch’s port count, isn’t it?