The dangers of telecommuting in the face of social engineering

Today, the watchword in the professional world is telework, or remote collaboration.

Many companies around the world have adopted this model to meet a need that arose during lockdown.

However, the popularity of telework has also increased the risk of computer incidents. Whatever form it takes, working remotely has become very risky, even though it is trendy, because to some extent the danger is everywhere. A small error of judgment, a mishandling or an unwise choice is enough to set a whole system in motion. As Anu Bourgeois, a professor of information at Georgia State University, put it: "Everyone became vulnerable at that time."

Indeed, security protocols, when they exist at all, are not followed to the letter. The problem of training in and mastering cyber risk is still relevant. With the hacking of Twitter, social engineering has become topical as a risk not to be overlooked. Here, CEO fraud ("fraud to the president") remains the most common practice. To succeed, cybercriminals take the time to analyze every essential detail needed to impersonate the person who will let them deceive as many employees as possible. "Individuals collect data for sale on the dark web or on social networks. Once they have the information, on the day the president is on vacation, or absent, or unreachable, they call a member of the company, an accountant or other person, accounting or otherwise, pretending that it is him at the end of the line and ordering a transfer to countries or accounts from which the money obviously never comes back," explains Fred Raynal, who keeps pointing out that this practice is certainly neglected but has been widespread for the last 6 years. "Social engineering: inexpensive, does not require large material means, relies on psychology and cognitive springs."

In this kind of practice, the psychological aspect matters much more than the technical one. The individuals concerned, i.e. the cybercriminals, impersonate an important person, and do so repeatedly to build relationships of trust. This is manipulation. "The perception of risk affects behaviour and plays a major role in the individual's decision-making process. Considering that the risk is low, an individual will not process information as rigorously as if they considered the risk high," says David Castonguay of the University of Montreal. "We are not at all sure of the technique in the computer sense, but of a field of neuroscience. Marketing, supermarkets use neuroscience as well. There's no shortage of applications," notes Quarkslab's president.

In this context, the sociologist Pierre Bourdieu observes: "The rulers today need a science capable of rationalizing, in two senses, domination, capable of both strengthening the mechanisms that ensure it and legitimizing it. It goes without saying that this science finds its limits in its practical functions, both among social engineers and among economic leaders. It can never make a radical challenge."

Moreover, social engineering, which was originally a more sophisticated practice, is nevertheless effective. The Twitter hack is there to remind us. And behind it, we see other problems emerging. "It reveals another problem, and in general, it is who has access to our data? We have no way of knowing that. There is another problem: technologically today, we know how to store encrypted data. You can do it without worry in the cloud. But as long as they are encrypted, they cannot be deciphered. So at some point, this data has to be deciphered, and the question is who is deciphering it, and where do we decipher it? Is it on the servers of Twitter, Salesforce or Doctolib for example?"

In any case, the profile of the culprits has not yet been determined. There is reluctance to say whether it is a group of cybercriminals, a state or a lone individual. For Fred Raynal, this incident "is the work of clever individuals, who did not respond only to technical considerations. They must have wondered what was the best way to make a Bitcoin scam, and then to think that it was by taking large accounts. They were simply pragmatic." For his part, the founder of Quarkslab remains skeptical. For him, all eventualities must be considered. "It may just be a Bitcoin scam group that wants to sell Elon Musk's data to third parties, or governments that want to access personality data because they think it's interesting and want to follow it a little more closely because the more information you have about a person, the easier it is to attack them," he asks. "If a government did that, putting Bitcoins may have been used as a decoy to hide where it came from. One can also imagine a company or a set of private companies that want to access things and want to hide the purpose of their operation."