An open door for hackers?
December 3, 2023 by Alistair Enser
In my last blog I wrote that security today is a combination of cyber, physical and personal. They are converging, and the threat presented by one leads to another if not managed properly. I also argued this means that while the choice of camera manufacturer is important, who you partner with to specify, install and maintain it is equally if not more important.
Watch our corporate video (click link and scroll to video) and you will see that threats come in many sizes, not just technology. It’s just as likely that your threat is internal, and you need to seriously consider access control privileges, who has access to the network, different types of data and parts of a building.
With that in mind this weekend I started reading an interesting book by Jenny Radcliffe, called “People Hacker”, in which she describes her experiences as a penetration tester, trying to gain access to buildings in order to gauge the effectiveness of their security systems and procedures.
It’s a great book and I highly recommend it: if you work in the security industry, her tales of sneaking into even the best-protected office will most definitely resonate, and she tells her stories with humour. They also speak to my comments above about the importance of identifying where the risk lies, and not relying on technology alone to keep you secure.
As she explains in her book, social engineering is behind most, if not all, successful attempts to get into a building, and from there into a network. Her examples include “masquerading as a trusted contact to encourage an employee to click a malicious link or email, pretending to be a reliable banking institution to capture login credentials, or similar activities designed to gain entry into target systems.”
Often, these attempts are not sophisticated, and rely more on guile and persuasiveness than complicated scams. She recounts an occasion when she gained access to a corporate boardroom simply by pretending to be there to measure up for some new carpet. Sample book and measuring tape in hand, her flustered pleas with security staff were all that were required to be allowed in.
On another occasion, she stuck a handwritten note asking that a door be kept open to a key access route in and out of a building. It’s amazing, but as she explains, many people respect such a request, even though it is counter to best practice and, indeed, is precisely not what building users have been told to do.
As Jenny describes it, social engineering is simply another form of hacking. A secure facility relies on rules being followed, in the same way that we expect our personal details to be protected by those that host the images captured on our phones, or provide the messaging services we rely on.
Yet our security is under threat even there – this week, the head of WhatsApp in Europe said he would rather pull out of the UK than be forced to remove end-to-end encryption as part of the government’s planned Online Safety Bill.
As Will Cathcart, WhatsApp chief explains: “Our users all around the world want security. Ninety-eight per cent of our users are outside the UK. They do not want us to lower the security of the product, and just as a straightforward matter, it would be an odd choice for us to choose to lower the security of the product in a way that would affect those 98% of users.”
The Online Safety Bill has the noble aim of keeping children safe online, and I 100% support that intent. However, is it really right that everyone’s privacy must be compromised as a result?
Where does safety stop, and state-wide surveillance start? It sounds very 1984 and Orwellian.
Are we all prepared to have all of our messages from any source scanned ‘in case we are committing any sort of crime’? Perhaps we might trust our government more than citizens in less democratic ‘states’ to only search for specific content and not snoop on the rest. However, once you have let the genie out of the bottle you cannot put it back in, and you can’t legislate for what others may do. As Cathcart explains: “We’ve recently been blocked in Iran, for example. But we’ve never seen a liberal democracy do that.”
His comments were echoed by the president of rival messaging platform, Signal, who said last month that the company “would absolutely 100 percent walk [away from the UK] rather than ever undermine the trust that people place in us to provide a truly private means of communication.”
The link between Jenny’s book and the comments from WhatsApp and Signal is that security involves finding a delicate balance between mitigating risk and curtailing freedoms. That balance is hard to maintain, and requires constant assessment: as I have said before, there is no fixed, ‘fit and forget’ solution!
If you are interested in the book, you can download a sample on Kindle before you commit (I’m not on commission, I promise).
I’d value your thoughts and comments on the subject and maybe we can catch up next time with more feedback.