The not-so-dark side of Social Engineering
Big data tools amplify the risks and benefits of social engineering
Published 12:29, 05 December 12
Anecdotal evidence from IDC research suggests that governments could perpetrate more cyber-attacks, for instance through social engineering, and not only be the victims of such actions.
All governments in Western Europe and beyond are concerned about cyber-security. The majority of developed countries have developed cyber-security strategies, in which the government has a key role to play in protecting its own services and coordinating the resilience of private sector infrastructure. However, most jurisdictions are struggling to design the appropriate governance model needed to execute on those strategies.
The darker side of the coin is that governments have silently started to leverage cyber-attack techniques, such as social engineering, to their own advantage.
The relatively new fact is that these capabilities are applied not only against "enemy" countries, such as in the well-known case of Stuxnet, or recent suspected attacks from China and Iran targeting the U.S., but also against the very citizens of those jurisdictions.
Police investigators creating a network of Facebook contacts to befriend drug dealers and eventually entice them to share criminal information is a well-known use case. But governments could go beyond that and use social engineering for tax investigation and many other types of anti-fraud activities.
It is interesting to point out that social engineering could have a less dark side too. In particular, deep segmentation and personalisation of the user experience for online and mobile services can make life easier for citizens.
For example, a construction company that applies for a series of building permits, maybe across jurisdictions, can be enticed to go a click further and offer its banking details to pay for those permits online, so that the cost of compliance and anti-fraud is minimised. This could happen simply by optimising the user experience from a social and not just a technical standpoint. Or a single parent who applies for child benefits in a certain community could be enticed to offer additional information about the child's education and leisure needs, which could automatically trigger a pop-up that offers access to a page describing the schools and community care centers available in the neighborhood and the ratings that other parents have given them.
Social engineering is different from traditional information search and crawling through social media. It is a more direct intrusion into citizens' lives, because it "manipulates" citizens' choices by leading them to perform certain actions. Crossing the line into privacy infringement is very easy, and big data methodologies and tools are amplifying both the benefits and the risks of doing so.
In a criminal investigation, magistrates could provide the lawful authorisation, as they do in the case of phone hacking, but in other government domains and service scenarios the policy and regulatory implications are, to say the least, more nuanced.
Posted by Massimiliano Claps