How a hacker bypassed Google
Just what lengths will hackers go to? Multi-stage attacks based on a foundation of social engineering. At the beginning of this month, a hacker finally achieved his goal: to change the password on a customer account hosted by Web acceleration company CloudFlare, and change the customer's DNS records (LINK: http://blog.cloudflare.com/post-mortem-todays-atta...).
The compromise was made possible through a separate hack, of the company CEO's personal Gmail account. This was achieved by compromising his mobile phone account, itself made possible by calling the AT&T support desk and impersonating the CEO, offering his social security number as proof of identity.
Armed with this information, the hacker was able to access the CEO's corporate Gmail account, and the rest is history. Fortunately, the company was logging password reset attempts, so it was able to spot what had happened.
While it is easy to start pointing the finger at the different organisations involved, or suggest that the company should have done this or that differently, the fact is that this kind of complexity is typical for many organisations. Equally, many people might read this and say that it wouldn't happen to them, as they're not interesting enough.
But that would be avoiding the truth - that as well as complex IT environments, all but the smallest companies have both senior executives and customers that make interesting targets. But as this example shows, social engineering is not simply about heading straight for the target, but doggedly working through the required steps to achieve it. So, even if you don't feel you are important enough to matter, you could equally be someone who might be useful along the way, just like the AT&T helpdesk staff. Security awareness progammes are key to ensuring people, process and technology all play their part in the ever changing threat landscape.
Nobody should panic, but we could all do more to recognise that technology is not risk-free, whilst people can make mistakes and process is not always perfect. Like driving down the motorway, problems only start when we stop paying attention. With such attacks on the rise, we would all do well to take note.