Chapter 6

Security, Spear Phishing and Social Engineering

Abstract

This chapter discusses the way the human brain works, and how this makes us easier for hackers to manipulate and predict. It examines the security breaches at retailer Target and security firm RSA Security to illustrate different types of cyber attack. It also examines the concept of social engineering, discussing how it is aided by the information people give away freely on social media. It concludes with recommendations for both businesses and consumers to better protect themselves.

Keywords

Privacy
security
cyber
Target
RSA
phishing
spear-phishing
social engineering
Stuxnet
FireEye
Adobe
The human brain actually works in a fairly rigid and defined way, certainly in adults. Whilst children’s brains exhibit a certain amount of plasticity, that is the ability to learn and adapt to new situations and experiences, once a person reaches adulthood, the scope for variation has vastly diminished. And by and large that’s a good thing, as it allows us to focus on being good at a few tasks.
“As you age, it changes who you are and how your brain works,” explained security researcher Pete Herzog at the RVASec conference in Richmond, Virginia, in July 2014. “When you’re tiny you have tons of connections and few neurons. When you get older you have loads of neurons and fewer connections. You get specialised. You get really good at one, two or three things. That’s why you become the ‘crotchety old man’. You just want to stay at home. You don’t want to try new things. Basically you lose neural plasticity, and it gets harder to learn.”
But more adaptable and ‘plastic’ thinking is very helpful in safeguarding your data, and thus your privacy, when confronted by a hacker, or group of hackers, who may attempt to manipulate you.
Herzog gave the example of a standard test which he said can be used to determine someone’s ability to ‘think outside the box’, adding that it is often used as a recruitment exercise.

Plastic Thinking Test

You are in a room. There is a light bulb in front of you and it is on. There is a switch on the wall behind you. List 10 ways to shut off the light.
Try this test now, before reading on to see the answers. There is no right and wrong. Some people are more able to think differently and attack a problem from multiple angles than others. Fortunately, companies, and more broadly society, need all types of thinkers.
Herzog had the benefit of an entire audience full of security professionals to come up with some answers, like those listed here:
1. Switch off the light.
2. Get someone else to switch off the light.
3. Close your eyes.
4. Break the bulb.
5. Unscrew the bulb.
6. Don’t pay your bill and wait for the electricity to be cut off.
7. Throw something over the bulb.
8. Cut the electricity cord.
9. Wait for the bulb to burn out.
10. Put it next to a much brighter light source.
Although arguably the best answer, given by a member of the audience, was: “Get a bunch of marketing people in the room and redefine what ‘light’ means!”
“It’s about thinking beyond,” said Herzog. “Think how things are connected. Engineers talk about disrupting the photons, and there are a lot of different ways to shut off a light. Some people however just can’t think beyond the regular, and they stop at two. It comes down to how you learn and think, how self-aware you are, and also your situational awareness, which itself comes down to whether you can be manipulated.”
Ask a group of security professionals, law enforcers or possibly insurance investigators if they believe that they could be manipulated or defrauded, and they’re all likely to say yes. That’s because they all come into contact with hackers, con artists, scammers and other types of trickster, and have learnt that it’s actually rather easy to predict or even drive someone’s behaviour once you have a basic grasp of how the human brain works. But the ordinary person on the street doesn’t usually have this experience, and so few believe themselves to be easy to defraud. According to Herzog, they are at ‘amateur level’.
And he adds that the ‘experts’ can be easily defrauded, even when they know to be on their guard, once they are distracted. Pickpockets often operate in groups. One or two people act as lookouts, one person actually picks the target’s pocket, whilst the final person is the distraction. This could be someone ‘accidentally’ walking into or otherwise bumping the target, then apologising, rather too profusely, and for rather too long. Whilst the target is making puzzled faces at the stranger mumbling on and on about how sorry he is, the crime is taking place entirely without their knowledge.
“You are not designed by default to be security aware,” said Herzog. “You are not aware or even in control of your thoughts. You are a bag of hormones and disease making wants and needs.”
Strong stuff. But hang on, we’re not even in control of our thoughts now? Herzog is talking about the brain’s ‘autopilot’ system, where certain familiar actions and processes happen by default.
“Have you ever driven to work and not remembered how you got there?” he asked the audience. “It’s a default, you get distracted and you just don’t remember it. This autopilot exists for everything you do. You have to stop to make a conscious decision. You have to think through options to know you’re actually making the decision yourself, and even then sometimes the brain decides for you.”
His point is that we are not in true command of our own minds, but rather – and without wishing to get too philosophical – our consciousness exists in a compartment of the mind. For instance, you can ‘scream’ silently in your own head. Some people might even feel their stomach muscles tighten as they do so. Or you can imagine the colour red, or the emotion love.
“How is this possible?” asked Herzog. “It happens because it’s something you remember how to do. You watch a movie and you cried. It happened because something triggered you. It perhaps triggered a memory, and you were affected by that.”
To illustrate the point further, here’s another test. Picture a playing card, in full detail. Imagine the colour to its maximum possible extent – it’s a bright, vibrant card. Picture the card, and remember it.
Many people will have pictured the King of Hearts. Or if not that specific card, the vast majority would have pictured another red face card – that is the Jack, Queen or King of Hearts or Diamonds. This is because of a manipulation technique called ‘priming’. A few moments ago we mentioned the colour red, and the emotion love. Then the reader was asked to pick a card. Having pointed it out, the ruse is now obvious – but hidden amongst the distractions of trying to make sense of a fairly complicated philosophical point, it’s all too easy to miss.
And it’s this sort of manipulation that proves useful to groups who may exist on different sides of the law, but are nonetheless both very interested in your data. Hackers, and marketers.
“The truth is that if I’m a marketer and I only need one per cent of you to buy my product, this technique works very well. It works because you are not in control of your brains, you’re influenced by your environment,” said Herzog.

Not a Unique Snowflake After All

In comedy group Monty Python’s 1979 film ‘Life of Brian’, false and reluctant Messiah Brian tries to tell his followers that they don’t need him, or indeed any leader, because they can fend for themselves.
“You’re all different!” shouts Brian. “Yes, we’re all different!” parrots the crowd, clearly still very much following him and happy to repeat whatever he says. “I’m not,” claims one man, with his hand up.
It turns out that the man with his hand up was right, according to Herzog. “You are not unique or special,” he said at RVASec. “You are like one of huge groups of people who all act the same way and fall for the same things. You are screwed,” he added for comedic effect.
“You’re going to say ‘No, I’m special, my mom told me!’” he continued. “But there are hundreds of thousands of years that make you not special, because all of those [evolutionary] changes lead to where you are now, compared to [a few decades of your life which might make you different].”
A good example is the game ‘rock paper scissors’. Most people who could be classified as ‘followers’, which is a very significant proportion of the population, are likely to start a game with scissors. This group is people who have a favorite sports team, singer or band.
“It happens to be a correlation of the mind-set,” explains Herzog. “People who band together or follow something almost always pick scissors first.”
This fact that we have evolved to be so broadly similar also enables mind reading, after a fashion. This enables the horoscope industry, for one. There are many traits, habits and fears that are common to almost everyone. Herzog explained that you can name an aspirational trait (you are progressing well in your career), use a little flattery (you are more intelligent than most of your peers realise), and add a little piece about an insecurity from which we all suffer (you’re not always happy with the way people perceive you), and you can pretend to ‘read’ just about anyone.
Unfortunately, the fact that we are all so similar in many ways does not lead to good team working.
“You are not able to work well with others,” said Herzog. “You like to think you can. You are designed primarily as a social animal, but despite that fraternization is the most mentally complicated thing you do.”
There is nothing more tiring for the brain than being around and interacting with other people, especially at work.
“Your brain is always in high gear making sure you don’t say the wrong thing to the wrong person,” he added. “Sales people have it really tough as they have to be so careful about what they say and how they say it.”
The problem is exacerbated by people’s natural tendency to socialize when on a break. When you go for your coffee break, you chat to colleagues. If you’re sitting, bored, at your desk, you chat. Herzog explains that this all contributes to mental fatigue, which most suffer at work. And he adds that the problem is worst of all in the US.
“Way too many American companies are actually being manipulated, attacked and defrauded. Part of the problem is that America has one of the greatest numbers of overworked information workers. There’s no way you work a standard 40-hour week. When I take a job here in the US, it’s 60 or even 80 hours [per week] at first just to show how dedicated you are.”
And it’s impossible for workers to be able to combat hackers and fraudsters who already understand how to manipulate others, if they’re too exhausted to spot the signs and make safe choices.
So what have we learnt so far? That it’s surprisingly simple to get people to do what you want them to do, that people have limited control over their thoughts and actions, are running on autopilot much of the time, and to top it off, are mentally tired most of the time that they are at work.
It sounds like a ‘perfect storm’ – a confluence of phenomena – which together create a situation ideal for hackers and scammers. Let’s have a look at some examples of how it works in real life.

Target by Name…

“Fazio Mechanical is… Refrigeration.” That’s the motto of the Pennsylvania-based firm Fazio Mechanical, which designs, builds, installs and maintains refrigeration units for large supermarket chains. Keeping fish fingers and other perishables cold is as much about energy saving as it is about maintaining the correct temperature as far as supermarkets are concerned. Electricity costs can be huge for large stores, so ensuring that systems and machines are running at optimal efficiency – day and night – is paramount for supermarkets which typically run on tight margins, and can ill-afford unnecessary expenditure, especially in the current climate of price wars between leading brands.
So firms like Fazio Mechanical don’t just build and install refrigeration, they actively monitor the systems remotely, to ensure that they’re only using as much power as absolutely necessary, and to get advanced warning of any potentially costly malfunctions. And the company doesn’t just deal with frozen items, it also manages the heating and air conditioning systems for its clients.
The company is an expert in an industry known as HVAC – Heating, Ventilation and Air Conditioning.
In chapter three we found out just how much information the supermarkets know about us. In this chapter, we’ll learn just how vulnerable that data is in their hands, and expand upon the massive cyber breach at US retail chain Target mentioned earlier in this book. We’ll also explain why we’re briefly so interested in air conditioning.
On December 19th 2013 Target announced that it had suffered a data breach in which millions of customer records were stolen. It later transpired that the thieves had maintained access to Target’s servers between November 27th and December 15th 2013, during which time they had downloaded details of around 40 million credit and debit cards belonging to the supermarket’s customers. Other information was taken too, including 70 million customer records containing names, addresses, email addresses and phone numbers.
For Target, this was catastrophic. In August 2014 it announced that it expected the breach to cost the company in the region of $148 million – still significant despite overall sales revenues of $72.6 billion for the year. On top of the financial loss, the firm also lost its CEO and Chief Information Officer (CIO), who were both sacrificed to appease investors and show the markets that the firm had ‘taken action’. And on top of even that, there’s the reputational damage to the Target brand, which has suffered enormous negative publicity following the breach, with a resultant erosion of customer trust (which was perhaps at least partly behind the firm’s 46 per cent year on year drop in profits in the fourth quarter of 2013).
But how did it happen?
What’s interesting is that the breach is now thought to have been entirely preventable, and that’s not always the case in cyber security. Corporations, governments and even individuals are engaged in a constant, high-stakes game of cat and mouse with hackers, whether they’re aware of it or not. Hackers – using the term broadly to cover everything from teenage boys in their bedrooms to well-funded state-sponsored professionals – use networks of compromised machines, known as bot-nets, to send out almost unthinkable quantities of spam (for example over 200 billion spam messages were sent in March 2014 according to Cisco), and also to ‘rattle the front doors’ of websites and corporate servers to test their security. They have vast numbers of other techniques too, but describing all of them would fill several volumes. The ultimate aim for most of their efforts though is to find out whose security is weakest, at which point they can break in and deface the site, take it offline for no reason beyond their own entertainment, steal information if there’s anything valuable, or ignore it if it seems unlikely to hold anything of worth.
This is hacking at its most basic level, and the aim for those potentially being attacked is simply not to be the ‘low hanging fruit’. In other words: don’t be the softest target. Have at least some security measures, be it a correctly configured firewall, a spam filter on your email server, or properly set up identity and access management systems, and you’ll largely escape from the mass trawling of the internet perpetrated by this sort of low-grade opportunistic attack.
What keeps Chief Information Security Officers (CISOs) and others in charge of corporate security awake at night is the other sort of attack – the specific, targeted kind. The prevailing view amongst cyber security professionals is that once a well-funded or skilled hacking group has decided that it wants to get inside your servers, then there’s basically nothing you can do to stop them, besides locking the door, barring the windows, unplugging the internet and basically going out of business.
Fortunately most non-state hacking is financially motivated, as it was in the case with the Target attack. In this instance it’s not necessary to attempt to make cyber intrusion impossible, just financially unviable. If it costs a hacker more in terms of effort and investment than the likely return will be once the desired information has been captured and sold on, then they’ll give up and move on to a softer target.
There is another form of targeted attack, or rather, another source, and that’s a targeted attack from another nation state. Perhaps the most well-known example was the ‘Stuxnet’ cyber-attack on Iran’s nuclear programme, discovered in June 2010. The computer worm, designed to attack industrial programmable logic controllers, caused around a fifth of Iran’s nuclear centrifuges to spin out of control and damage themselves, putting the nation’s nuclear programme back several years. Stuxnet is thought to have been designed by Israeli and US teams, although at the time of writing no group has confirmed ownership for obvious political reasons.
The Windows flaw which allowed Stuxnet to function (which involved the way Windows handles the loading of DLL files) was swiftly patched by Microsoft in August 2010. However, in March 2015 it emerged that the patch had not fully closed the hole, when Microsoft released a second patch for the same vulnerability. Assuming this fix actually works, that’s at least five years during which Stuxnet was known and its operation not fully blocked.
It’s tempting to cast this sort of state hacking to the side in the belief that it only affects the bad guys, and consumer privacy is unaffected by it, but that’s a fallacy. For instance the Flame malware, discovered in 2012, attacks computers running Windows, and is used for cyber espionage purposes. It can record audio (including conversations over Skype), take screenshots, record key presses and network traffic. It can also turn infected machines into Bluetooth beacons which try to download contact data from other local Bluetooth-enabled devices. It was described by security firm Kaspersky Labs as “20 times more complex than Stuxnet”.
The point is that governments are aware of the security holes via which these forms of malware (and there are many more which we don’t have the time to go into here) operate, but they choose not to notify the security industry so that their malware continues to work. This leaves vulnerabilities out in the open for anyone to exploit, and creates an environment in which everyone with a device is insecure.
Back to the assault on Target, this was a targeted attack, but from a hacking group rather than a state. Had its network proved sufficiently resilient, the group would most likely have moved on, and the company might never even have noticed the attempt. In fact, this is precisely what should have happened (although strictly speaking a diligent company should be monitoring attempted hacks too).
Six months before it was breached, Target invested $1.6 million on a sophisticated new security tool from a vendor called FireEye. This tool is designed to protect against advanced malware and other forms of cyber-attack, and also to notify network administrators once attacks have been caught. If set up properly, it could have automatically detected the malware used to infiltrate Target’s network, and deleted it before any harm was done. The fact that it didn’t is now believed to be because that functionality had been deliberately turned off by Target’s security staff, as they weren’t yet familiar with the new system, and didn’t feel comfortable using all of its features.
If you were wondering why the CIO, the person with ultimate responsibility for technology within the company, was fired after the breach, then look no further. Having to admit that the network had been breached because the expensive and shiny new software designed to protect it hadn’t yet been switched on must have been the low-point in Beth Jacob’s 12 years at the retailer. In fact, what surprised most observers was that it took six months for Jacob to go.
The tool Target purchased is the same as that employed by organizations like the CIA and the Pentagon. Networks don’t come with more stringent security requirements than those. The FireEye software is slightly different from certain other anti-malware solutions, in that it can react to new and unknown suspicious software in real-time, rather than relying on the more common practice of comparing suspected viruses with a database of known malware, looking for matches. The problem with that technique is that a hacker need only make a very subtle alteration to a commonly available piece of malware in order for it to look new to an anti-virus database. Security vendors update these databases very regularly, but they are still essentially reactive, and all but useless against determined attackers.
Instead, FireEye creates a completely new and separate virtual network which mirrors the real system on which it is installed. When traffic arrives knocking on the door from the internet, it is shown in to the virtual network, rather than the actual live one in use by the organization. This means that the tool can look to see how the software behaves once it’s let loose. If it turns out to be a plain old PDF with nothing nasty lurking within, then it can be released to its intended recipient. But if it starts writing directly to the servers’ registries or attempting to get access where it shouldn’t and send data back out to the internet, the administrators are notified and the software is kept well away from the real network.
Back to Fazio Mechanical. It was access privileges supplied to the HVAC firm which were used to gain access to Target’s network. So one of the world’s largest corporate hacks of all time was down to a refrigeration company.
After the breach, once Fazio’s involvement became apparent, many sources reported that it was the firm’s remote monitoring activities which had been behind its network access. However, the firm released a statement in February 2014 declaring that its network access was for billing, amongst other activities.
“Our data connection with Target was exclusively for electronic billing, contract submission and project management, and Target is the only customer for whom we manage these processes on a remote basis. No other customers have been affected by the breach,” it reported on its website.
The fact that access details given out to Fazio Mechanical were stolen and subsequently used in the Target breach illustrates the security maxim ‘you are only as secure as your supply chain’.
On 30th November 2013 the FireEye tool captured the first evidence of malware from the hackers, uploaded using the Fazio Mechanical credentials to gain access. The hackers proceeded to upload around five samples of malware in total, all of which were captured, with alerts sent to Target’s administrators. The alerts were ignored. Again, it wasn’t the systems to blame, but the people.
And the opportunities for responsible staff to notice and stop the breach before anything important was taken didn’t stop there. Target also had Symantec Endpoint Protection, an anti-virus tool, installed on its network. It too detected the malware and sent alerts to administrators. These too were ignored.
In a third layer of protection, the company also had a team of security specialists in Bangalore actively monitoring its networks, looking for threats and suspicious activity. They too spotted the malware and sent the alert through to Target’s own security team based in Minneapolis. Yet again, Target failed to respond.
The attack started slowly – and it could afford to, with all the notifications being ignored – with the hackers initially uploading their card-stealing software to just a few Target cash registers, and testing that it worked properly.
“By the end of the month — just two days later — the intruders had pushed their malware to a majority of Target’s point-of-sale devices, and were actively collecting card records from live customer transactions,” wrote security expert Brian Krebs on his blog.
The hackers managed to collect over 11GB of data from 1,797 Target stores. Federal law enforcers discovered evidence of the breach on servers the hackers were using to transfer the data out of the US and across to Russia, and notified Target on 12th December. Three days later, Target made the breach public.
In its statement, Fazio Mechanical described the attack as a “sophisticated cyber-attack operation.” But rather than being truly sophisticated, it appears from everything we now know about the breach that the malware itself wasn’t especially well engineered; rather the breach happened because nobody at Target bothered to stop it.
In fact Bloomberg quoted McAfee director of threat intelligence operations Jim Walter as describing the malware as “absolutely unsophisticated and uninteresting.”
In short the breach happened because Target was careless. And being careless about its security effectively means that it was careless with its customer data.
But there’s still a piece of the jigsaw missing. We know that the hackers managed to get access to Target’s network by stealing credentials from one of its sub-contractors, but how did they make that first step towards the eventual breach?
Whilst that information hasn’t yet been made public, and the FBI, who investigated Fazio Mechanical in the wake of the breach certainly aren’t telling, reports have surfaced suggesting that an email malware attack was carried out on the HVAC supplier several months before the Target breach. Krebs suggested on his blog that the malware in question was Citadel, a fairly common hacking tool designed to steal network passwords.
With the Target breach serious enough to arouse the interest of the FBI, it’s unsurprising that Fazio itself went on the defensive, and made a statement that its “system and security measures are in full compliance with industry practices.”
However, Krebs cites investigators in the case who apparently said that the firm had nothing more sophisticated protecting itself from cyber-attack than the free version of Malwarebytes Anti-Malware. Whilst this particular tool can scan for threats when manually requested by the user, it doesn’t provide protection in real-time, and is actually prohibited from corporate use by the terms of its license agreement.
If that’s true, then Fazio’s systems and security measures were entirely inadequate, and certainly not in compliance with industry practices.
So that’s how the hackers obtained initial access to Target’s network, probably via its external billing or project management system. But getting to sensitive data like customer credit card information from there is quite a leap, especially given that it’s good practice to segregate a network according to the sensitivity of the data it handles, for precisely this reason. Having access to the external-facing partner billing system shouldn’t also allow access to the point of sale systems. So either Target’s network was very poorly or not at all segregated, the hackers obtained additional access credentials from somewhere else, or they managed to escalate their access privileges via Active Directory (a Microsoft directory service which handles authentication and security policies for Windows-based networks).
The point of all this is that we already know how supermarkets play fast and loose with customer data in an attempt to encourage them to spend more money in their stores; now we see how vulnerable that data is to anyone with half a mind to go and grab it for themselves.
The further problem is the overcollection of data by supermarkets. By collecting and holding more of our data than they actually need, they do us even more of a disservice when they fail to adequately protect it.
And what happens to the data once it’s in the nefarious hands of the cyber criminals? Usually it gets sold on in shady cyber markets to the highest bidder (or indeed simply anyone prepared to meet the asking price). According to reports, the hackers made in the region of $53.7 million from selling around 1-3 million of their haul of customer cards (apparently the average price for a viable stolen credit card at the time was $26.85). The rest of the cards were cancelled by their respective banks before they could be used for fraud, but by any measure, a return of nearly $60 million must count as a wildly successful job for the hackers.
Whilst we’re discussing the financial impact of the heist, it’s worth mentioning that it also cost banks over $240 million to replace the stolen cards, though the banks would have been able to recoup at least some of this from Target. And Target’s costs don’t stop there: ousting their CEO, Gregg Steinhafel – who ‘stepped down’ according to the official line – cost the firm another $55 million.
All in all, a lot of people were left wishing someone had switched on the shiny new security software.

Phishing, With or Without a Spear

All of this massive tsunami of financial loss started with some simple malware sent by email to Fazio Mechanical. It’s likely that this was part of a large-scale spam campaign from the hacking group, hoping for a high value target to click on their link, or download their attachment. Luckily for the criminals, someone did.
Hackers motivate people to open their messages by posing as legitimate organizations, or people. Anyone with an email account will be familiar with the tide of spam that fills their junk folder, purporting to be from their bank, mortgage provider, or even online gaming network. The best examples of these messages are very hard to distinguish from the real thing, since it’s not terribly hard to copy and paste an organization’s logo into an email, use appropriate language, and obfuscate a link. The last point is crucial, since many consumers are not sufficiently savvy to realise that what appears to be www.bbc.co.uk actually directs the user to www.yourebeinghacked.com. The canny user will know to ‘mouse over’ the link, which in most browsers will reveal the actual URL that the link points to; however, this functionality doesn’t exist in most mobile browsers. Given that internet traffic is rapidly migrating from laptops and desktops to mobile devices (with around 60 per cent of web traffic now coming from mobile devices as of June 2014 according to Comscore), this failsafe is becoming less effective.
This technique of faking a legitimate email is called Phishing. It started on US media firm AOL, with hackers attempting to pass themselves off as support staff in order to steal passwords and account information from other users.
For example: ‘Hello, this is the AOL helpdesk. Please enter your username and password below in order to verify your account’ is the sort of message they might have sent.
Once they’d successfully hacked into an account, it would then be used to commit fraud, or to send out spam. It became so prevalent that in the mid-1990s, AOL added a subscript to all instant messages which stated: “No one working at AOL will ask for your password or billing information”, a message which is common in most corporate communications to consumers today.
Phishing got its name from the common HTML tag ‘<><’ which appeared in almost all early AOL chat transcripts. Hackers at the time used those characters to replace terms like ‘hacking’, ‘spamming’ or any other words likely to be filtered by AOL’s security staff in order to find criminal activity. Since ‘<><’ appeared naturally in every transcript, it was completely unusable as a search term. Phishing’s stylized spelling came from the term ‘phreaking’, where hackers learnt how to abuse the intricacies of telecommunications networks to obtain free long-distance calls, among other things (a practice enjoyed by no lesser luminaries than Apple founders Steve Jobs and Steve Wozniak in their youth).
The basic format of email malware is plain spam, for example it could be an email asking you to click a link for access to cheap Viagra. Phishing, being slightly more sophisticated, purports to come from a legitimate source, with the more advanced examples being hard to distinguish from the real thing, and the cruder variants being poorly spelled and thrown together.
Today phishing is used to do everything from spying on you to harvesting your details, by both individual hackers and nation states. The phishing attempt could be embedded within a Word document or a PDF file attached to a message, delivered via a malicious link or a remotely loaded image, or served from a faked website. The ways in which you can be infected by malware are seemingly endless, and are still growing.
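The mismatch described above, where the address a reader sees differs from where the link actually goes, can be checked mechanically instead of by mousing over every link. The following Python script is an added example, not code from the original chapter; it parses a constructed HTML email body (the sample is made up for this illustration) and reports each link whose visible text looks like a web address but whose href points at a different host.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample HTML email body for this illustration; not a real message.
SAMPLE_HTML = """
<html><body>
<p>Your statement is ready: <a href="http://www.yourebeinghacked.com/login">www.bbc.co.uk</a></p>
<p>See <a href="https://www.bbc.co.uk/news">www.bbc.co.uk/news</a> for more.</p>
<p><a href="https://support.example.com/reset">Reset your password</a></p>
</body></html>
"""


def _host(url):
    """Lower-cased host of a URL; a scheme is prepended if missing so urlparse fills in the netloc."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the document."""

    def __init__(self):
        super().__init__()
        self._href = None
        self._text = []
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def looks_like_url(text):
    """True if the anchor's visible text is itself presented as a web address."""
    return text.startswith(("http://", "https://", "www.")) and " " not in text


def find_deceptive_links(html):
    """Return links whose displayed address and real destination are on different hosts."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        if looks_like_url(text) and _host(text) != _host(href):
            findings.append({"shown": text, "actual": href})
    return findings


if __name__ == "__main__":
    for finding in find_deceptive_links(SAMPLE_HTML):
        print(f"displayed {finding['shown']!r} but links to {finding['actual']!r}")
```

Only links whose visible text is itself an address are compared; a link reading “Reset your password” has nothing to disagree with, so a mail filter would apply other rules to it. Run on the sample, the script flags the first link and accepts the second, whose text and target share a host.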

RSA Security Discovers It’s Not Very Secure

If there’s one industry which definitely doesn’t want to be very publicly hacked, it’s the cyber security industry itself. Even more so than the finance industry, which of course trades on trust and reliability, the security experts have no business model to speak of if they can’t even protect themselves.
Unfortunately for RSA Security, a division of storage firm EMC but a major security firm in its own right, a famous example of a successful phishing attack, and one which also involved aspects of social engineering, happened at its expense in March 2011. A hacking group sent phishing emails with the subject “2011 Recruitment Plan” to two specially selected groups of employees. That’s a nice generic title which could appear relevant in just about any corporation. Most firms run security training as standard for their employees, and one of the first rules is don’t open email attachments if you’re not completely sure you know who the sender is. Unfortunately for RSA, that’s exactly what one of the employees did.
Is this surprising? Given what we know about humans running on autopilot and being mentally tired purely by being at work, we have to say: no. However, you’d be right to expect better from a security firm.
The email sending address was obfuscated, or ‘spoofed’ in hacking parlance, to appear to come from a “web master” at Beyond.com, a recruitment website. The message itself contained just one line of text: “I forward this file to you for review. Please open and view it.”
It also had an attachment, an Excel file, which on the face of it isn’t terribly suspicious. However, when opened, the spreadsheet triggered an embedded Adobe Flash player exploit – a previously unknown or ‘zero day’ vulnerability in fact – which then installed a backdoor known as ‘Poison Ivy’ on that user’s machine.
With the machine successfully in his thrall (most hackers being male, we’re going to assume this wasn’t an exception for now), the cyber criminal was then able to install further malware without anyone at RSA noticing. This gave him access to more of the machine’s systems and files, which allowed him to gather usernames and passwords for several other company tools, which in turn gave him access to other employees’ accounts with access to more sensitive corporate data.
The final stage of the attack was to copy the data over to the hacker’s own servers, which is harder than it sounds, as most large corporations actively monitor for unusual patterns of data movement both within and beyond the organization’s boundaries. However, that’s exactly what the hacker did, uploading the sensitive data to another compromised machine at a hosting provider, and then on to the hacker’s own system from there.
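The spoofed sender address described above is one of the few parts of such an email that a mail system can test before a person ever sees it. The following Python script is an added example, not code from the original chapter or from RSA; it parses a constructed message modelled on the headers the chapter describes, but with placeholder domains, and flags a From address whose domain disagrees with the Return-Path or Reply-To, plus the absence of an Authentication-Results header recording that the receiving server checked the sending domain (the SPF, DKIM and DMARC result names in that header are the standard ones from RFC 8601).

```python
import email
from email.utils import parseaddr

# Constructed sample messages for this illustration; placeholder domains, not the real RSA email.
SPOOFED_MSG = """\
Return-Path: <bounce@bulk-sender.example.net>
From: "Web Master" <webmaster@recruiter.example.com>
Reply-To: <webmaster@bulk-sender.example.net>
To: employee@target.example.org
Subject: 2011 Recruitment Plan
Content-Type: text/plain

I forward this file to you for review. Please open and view it.
"""

CLEAN_MSG = """\
Return-Path: <hr@hr.example.org>
Authentication-Results: mx.target.example.org; spf=pass smtp.mailfrom=hr.example.org; dkim=pass header.d=hr.example.org
From: HR Team <hr@hr.example.org>
To: employee@target.example.org
Subject: Holiday schedule
Content-Type: text/plain

The holiday schedule is on the intranet.
"""


def header_domain(msg, name):
    """Domain of the address in header `name`, or None if the header is absent or carries no address."""
    value = msg.get(name)
    if value is None:
        return None
    _, addr = parseaddr(str(value))
    domain = addr.rpartition("@")[2].lower()
    return domain or None


def spoof_indicators(raw):
    """Return human-readable reasons the visible From address should not be trusted."""
    msg = email.message_from_string(raw)
    from_domain = header_domain(msg, "From")
    findings = []
    if from_domain is None:
        findings.append("From header missing or malformed")
        return findings
    # The envelope sender (Return-Path) and Reply-To are set by whoever really sent the mail;
    # a From domain that matches neither is the classic shape of a spoofed sender.
    for name in ("Return-Path", "Reply-To"):
        domain = header_domain(msg, name)
        if domain is not None and domain != from_domain:
            findings.append(f"{name} domain {domain} differs from From domain {from_domain}")
    # Authentication-Results is written by the receiving server; its absence means no check was recorded.
    auth = msg.get("Authentication-Results")
    if auth is None:
        findings.append("no Authentication-Results header: sender domain was not verified on receipt")
    else:
        auth_lower = str(auth).lower()
        for method in ("spf", "dkim", "dmarc"):
            if f"{method}=fail" in auth_lower:
                findings.append(f"{method} check failed for the sending domain")
    return findings


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_MSG), ("clean", CLEAN_MSG)):
        print(label, spoof_indicators(raw) or ["no indicators"])
```

None of these checks proves a message is malicious, and a sender who controls a look-alike domain will pass all of them; they are the cheap, automatic tests that catch the crude cases so that people’s attention is spent on the rest.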
A couple of weeks after the attack, RSA Security uploaded a blog to its website giving its version of events, some of which genuinely gave us more insight into what had happened, whilst other parts simply attempted to justify the breach.
What’s interesting in the blog is where it discusses the use of social media in determining the right targets at RSA, and how to persuade them to open the malicious file.
“The first thing actors like those behind the APT [Advanced Persistent Threat] do is seek publicly available information about specific employees – social media sites are always a favorite. With that in hand they then send that user a Spear Phishing email. Often the email uses target-relevant content; for instance, if you’re in the finance department, it may talk about some advice on regulatory controls.”
This illustrates both sides of the blog. It explains a little more around how the attackers managed to get inside such a well-protected network, but also describes the malware used as an APT.
If you asked ten different security experts to define APT, you’d probably end up with around 12 different explanations. But the gist is that it’s a network attack where the hacker maintains the breach for a length of time, with the intent to steal data rather than simply deface a website or otherwise cause damage.
It’s a marketing buzzword, designed to make technology budget holders believe that there’s a good reason to get their corporate wallets out when the security firms come calling. In this instance it’s designed to make us believe that there is little or nothing that RSA could have done to avoid the breach, so sophisticated and ingenious was the attack.
The blog continues: “When it comes to APTs it is not about how good you are once inside, but that you use a totally new approach for entering the organization. You don’t bother to just simply hack the organization and its infrastructure; you focus much more of your attention on hacking the employees.
“One cannot stress enough the point about APTs being, first and foremost, a new attack doctrine built to circumvent the existing perimeter and endpoint defenses. It’s a little similar to stealth air fighters: for decades you’ve based your air defense on radar technology, but now you have those sneaky stealth fighters built with odd angles and strange composite materials. You can try building bigger and better radars, or, as someone I talked to said, you can try staring more closely at your existing radars in hope of catching some faint signs of something flying by, but this isn’t going to turn the tide on stealthy attackers. Instead you have to think of a new defense doctrine.”
Whilst it’s true that as security technology has improved, the human element has become the softest target in many cases, not everyone agrees that this particular attack was really so unique and special.
Jeremiah Grossman, founder of WhiteHat Security, said on Twitter at the time: “I can’t tell if this RSA APT blog post is actually being serious or an April 1st gag. The content is absurd either way.”
This attack employed elements of social engineering, a technique which goes beyond phishing in terms of both its complexity and success rates, and it involves using the very information we talked about in the last chapter – the information we give out freely over social media.
If your goal is to entice someone to visit your website, where you’ll download malware onto their machine, imagine how much more success you’re likely to have if you can convince that person that you’re a friend or acquaintance. It’s actually not that hard in most cases, but it does involve more effort than the standard spam message rolled out in its millions.
In the last chapter we discussed ‘Girls Around Me’, an app aimed at the sort of people desperate enough to download software to help them con a potential partner into going home with them; it let them find out all manner of personal details about their prey to enable the trick. This has much in common with social engineering attacks.
A hacking group might decide to target an individual responsible for server administration at the firm whose data they’re interested in. After tracking that person on social media for a few days, they can build up a pretty accurate picture of his or her likes, dislikes and habits, as well as map of their recent activities. It’s then a fairly simple job for someone to approach the target and pass themselves off as a casual acquaintance. For example they could refer to a recent golf tournament in which they know the target participated, claiming perhaps to be a friend of a friend met at the event. They would know the target’s interests, and should, with a little social skill, be able to strike up a rapport. This could all happen in person or even over email or social media, over days, weeks or even months.
Once the target’s confidence has been gained, the scam moves on to the next level. Early on in the relationship our hacker would have claimed to work for a supplier, partner or customer, perhaps even faking a LinkedIn account or other social media presence to legitimise the lie. Then the hacker calls the target discussing some urgent problem, asking for access to a certain system to solve it. And it would be a system which the hacker would legitimately have a need to access, if he really did work for the organization he claimed to, and it wouldn’t sound like an unreasonable request to the target, who has no reason to be suspicious of his or her new friend.
So the hackers obtain their access, worth potentially millions of dollars, depending on the nature of the information the target firm is guarding, and all it has cost them is a little time.
In his book ‘Social Engineering: The Art of Human Hacking’, penetration tester Christopher Hadnagy describes how he used social engineering techniques to hack his way into the servers of a printing firm which had employed him to test its security. The CEO of the company was confident that he at least would be impervious to any attempts to mine him for information, saying that “hacking him would be next to impossible” since he “guarded his secrets with his life.”
Evidently the CEO hadn’t attended a presentation by Pete Herzog, otherwise he’d be aware of the absurdity of that claim.
In the book Hadnagy describes the CEO as someone who thought of himself as “never going to fall for this.” “He was thinking someone would probably call and ask for his password and he was ready for an approach like that,” he added.
Hadnagy performed some fairly simple internet searching, and quickly found server locations, email and physical addresses, IP addresses and various other types of data on the company. But this wasn’t enough information to be able to pass himself off as someone with an existing relationship with the firm, and from there to go about conning someone into giving him server access.
But that changed when he learnt from social media that a member of the CEO’s family was in remission from cancer. This was the breakthrough he had been waiting for.
Hadnagy called the chief executive and claimed to be raising cash for a cancer-related charity. He had already discovered the CEO’s favorite sports team and restaurant from Facebook, and used that information in the ruse – offering vouchers for those restaurants and tickets to see that team as prizes as part of the fundraising. It was the perfect way to hook the target and reel him in.
With his emotional triggers successfully pulled, the CEO sensed nothing awry. He gave Hadnagy his email address so he could send him a PDF with more information on the fundraising, even going so far as to give out his exact version of Adobe Reader: “I want to make sure I’m sending you a PDF you can read,” Hadnagy told him.
If you want to send a piece of malware to someone which exploits a loophole in part of the Adobe suite of software – as in the RSA Security breach – then knowing the version they’re using is incredibly helpful: it means you know exactly which piece of malware will work.
The CEO opened the file, the malware was installed, and as simply as that, Hadnagy had access to his machine. The unhackable CEO had been hacked.
“He felt it was unfair we used something like that,” said Hadnagy. “But this is how the world works. A malicious hacker would not think twice about using that information against him.”

You Are Screwed

Herzog was fond of adding the line ‘you are screwed’ to his statements in his presentation, and given what we’ve seen in this chapter about the frailties of the human mind and the ingenuity and persistence of hackers, we could be forgiven for agreeing with him.
Our private data is held by countless firms all over the world, gleaned from more sources than we could guess at. Many of these firms have poor security technology and practices, and as we’ve seen, even those whose very business is security are still unable to keep out the determined hacker.
And on top of that, many of us freely give up much of this information over social media, which can itself be used against us to trick us into unlocking what few secrets both we, and the organizations we work for, have left.
So what can we do? What can organizations do to protect themselves, and help us to help them?
One answer is to improve corporate security awareness training. In most firms this training, where it happens at all, constitutes an hour in a meeting room within the first month of employment and that’s it, forever. A security person will tell staff not to open suspicious emails, maybe hand over a mouse mat branded with ‘I’m secure!’ or similar on it, and the lesson will be forgotten by the time the employee has had his or her next coffee break.
A better solution is to make security training a regular activity, with frequent tests and exercises given to staff. And these don’t even have to be security-related tests – a brain teaser is a good start. It just needs to be something to engage the employee’s mind, and force that person to come out of autopilot.
Some organizations go further, and send out phishing emails of their own to their staff. When someone opens the compromised attachment, instead of installing malware onto their machine, it makes a message pop up telling them about their mistake and reminding them of their cyber duties.
Herzog recommends that firms allow their staff to report suspicious activity anonymously, as people will inevitably make mistakes, and could be reluctant to report the potentially disastrous results for fear of incriminating themselves.
“Firms need a way [for staff to] anonymously contact security departments to say something is wrong, with no reprisals. They went on a site they shouldn’t, they took a call they shouldn’t, they opened an attachment they shouldn’t. They need to be able to tell you that something went wrong.”
After all, if a firm is facing a security breach which will quickly cost it hundreds of millions of dollars and destroy its reputation, what’s more important? To find and stop the breach, or to shout at a member of staff?
As for consumers, a good start would be to share much less information on social media, and to regularly check privacy settings. Does the whole world really need to know every last detail about you?
If the answer to that last question is ‘yes’, then you might just have to resign yourself to a lifetime of risk. Or you might believe that you’re perfectly well protected by the law. If you’d rather not be disabused of this notion, you might want to skip the next chapter…