Issue #17: Social engineering took down MGM
Howdy 👋🏾, Apple announced new phones and watches last week and celebrated its environmental accomplishments with a surprise cameo appearance by Mother Nature herself. If you missed the event or want a quick recap Rob Koch, Mindgrub’s Director of Mobile, and I sat down and talked about the event, iOS 17, and hints of what is to come from Vision Pro.
I’m excited to get my new iPhone 15 Pro Max (in blue titanium, if you’re wondering), but I’m dreading the now-yearly process of transferring MFA (multi-factor authentication) codes from my old device to the new one. MFA keys have become a necessary burden at pretty much any company these days. The idea is pretty simple, by using a generated secret code, a new 6-digit code is generated every 60 seconds that adds additional security to a password. The thing is, MFA keys do a great job of validating access to a device, but cannot determine if you are who you say you are, something that MGM became very aware of after social engineering brought the company to its knees.
Social engineering is exactly what it sounds like; it’s using information you can glean from the Internet or other sources to coerce people into doing something you want. We share so much information these days that we forget how much about us, and the companies we work for can be found on social media. For instance, things like an executive’s assistant’s name, where a colleague went to high school, names of hometown friends, or a co-worker’s nickname can be found easily from sources like Facebook, Instagram, or LinkedIn. The focal point of MGM’s attack was a 10-minute phone call to an IT person whom the hackers had identified through a LinkedIn search. They persuaded this individual, likely through a combination of pressure and a sense of urgency.
This poor IT worker was convinced to remove the MFA requirements from an account with high access and permissions these hackers already compromised, allowing them to add their own device as an MFA key giving them access to everything the user had access to. Once in, they manipulated MGM’s SSO (single sign-on) provider into granting additional user access to a false identity provider allowing them to impersonate higher and higher access leveled accounts. If all that sounds like a foreign language, the key is that once they got in with a privileged account, they used it as a Trojan horse to quickly move through other systems and compromise more and more parts of MGM’s infrastructure. Vox explained it in more detail here.
We go through great efforts to create giant technical walls and to build defenses into our systems to make them feel impenetrable, but in the end, it’s us, the humans that are the weak link of the most secure of systems. MGM is a reminder that we must be vigilant about the increasing number of attempts by hackers to trick us with phishing, smishing, and deep fakes. So with that somber note, here are my thoughts on tech & things:
⚡️If you love video games, regardless of the device or console, some of those games likely depend on the Unity game engine. Unity provides tools that accelerate game development and make it easier to do complex tasks like hit detection or complex 3D rendering, and they’re under fire for retroactively changing their pricing model. In the gaming world, it’s been quite the drama.
⚡️Speaking of games, two mega-game events happened last week. Nintendo Direct and PlayStation State of Play unveiled plans for the next few months of gaming console releases, mega remakes like Super Mario RPG, and the next installment in the remake of Final Fantasy 7. I can’t wait!
⚡️I’m looking forward to trying Automattic’s new Fediverse plugin that makes a WordPress site a first-class ActivityPub citizen. If you missed this in my past newsletters, read up on the Fediverse, but this bakes sharing directly into millions and billions of websites.
⚡️MGM’s recent issues remind me of a great piece by Matt Honan on how a hacker pitted Amazon and Apple against each other to social engineer his way into Matt’s iCloud account and destroy his entire digital presence. It’s worth the read and a reminder of why all those annoying annual security reviews and phishing tests matter.
-jason
P.S. If you’re reading this on a device with under 10% battery life, how do you do it? I found myself nodding and saying “yep” out loud while reading this op-ed from Jim Gaffigan on how hard it is to keep his kids’ phones charged. As he says, “The outlet is right there! With a phone charger plugged into the wall!” all you have to do is plug the device in. Also, if you’re unfamiliar with Jim Gaffigan, please do yourself a favor and watch this video about hot pockets.
📺 Have you watched any of Apple TV’s original shows? Silo, Hijack, and the Morning Show are fantastic, but Foundation Season 2 just ended and OMG is this show amazing! Season 1 started slow and took a few episodes to get its footing, but the payoff is worth the time. I can’t wait for the next season! Give it a watch, ya’ll.