Tuesday, February 9, 2016

You may have seen this story...

You may have seen this story...  A hacker published (on Sunday) the names and other information about 20,000 FBI agents.  When I first read the very superficial and (of course!) breathless news reports, I had two immediate questions:
  1. Are there really 20,000 FBI agents?  That seems like an awfully big number.
  2. Did the hacker get this information by exploiting technology vulnerabilities, or some other way?
The first question turned out to be easy.  The FBI says it employs roughly 35,000 people, and this estimate from the son of an agent puts the number of “Special Agents” at 21,000.  So, yeah, it seems likely that there really are that many of them.  Sheesh.  My own math: their average salary is around $100k, so the FBI Special Agent payroll is something like $2 billion a year.  By the time you add benefits, expenses, office space, cars, training, guns, ammunition, etc., it's likely something like $4 billion a year.  I wonder what benefit U.S. citizens get for that expenditure?  That's not a complaint, I'm really wondering.  I don't actually know what the FBI does that would justify that magnitude of expense.  That's a lot of money!  Do they really need that many Special Agents?

The second question is answered by this article.  Assuming that information is accurate and complete (and I feel foolish even considering that, given it's sourced by a news organization), the information was obtained by good old-fashioned Kevin Mitnick-style “social engineering”.  The hacker tricked someone into giving him access to a classified account.  No special technical knowledge required.  This is very often the case – the very best, most perfectly maintained security technology can easily be bypassed if a hacker can trick an authorized user into letting him in.

Not long ago I read a version of this social engineering that involved something else altogether: a way to steal valuable cars.  It seems a gang of car thieves realized that customers of a restaurant with valet service were voluntarily handing the keys of their cars to the valets.  So they paid the real valets at a fancy Boston restaurant to take a night off – and they paid them very well.  Then the car thieves took the place of the real valets, and parked customers' cars for about an hour.  Then they simply drove off with the eight most valuable customers' cars, using the keys that the customers had handed them.  At the time the news story I read was written, they had not been caught.

Often the social engineering approaches that succeed at hacking into things like those FBI records are just as plausible as that car example.  Most of the time, if you poke into the details, you'll come away thinking “That could have happened to me!”  It doesn't take particularly stupid or foolish people to be tricked...
