TIME Security

G20 Conference Gives Hackers High-Profile Targets

Germany's Chancellor Angela Merkel (C) is welcomed upon her arrival at the airport in Brisbane to take part in the G20 summit on November 14, 2014. Peter Parks—AFP/Getty Images

Cybersecurity experts warn the global conference of world leaders is a prime target for hackers

At 3:10 a.m. on October 27, 2011, a less-than-diplomatic email landed in the inboxes of attendees at the G20 Summit, an annual gathering of heads of government and other representatives from the world’s top economic powers. “Ladies and Gentlemen,” the email began, “First Lady Nude Photos.” It was followed by a link that promised to open a stash of nude photos of France’s then-first lady, Carla Bruni. The link was also spring-loaded with malicious code that could infiltrate the device of a G20 delegate, opening a pathway to a wider network of devices. The sender needed only one hot-blooded delegate to potentially infect an entire delegation.

It’s not hard to imagine the hacker or hackers’ motive. The G20 Summit draws leaders from 20 nations that comprise 86% of the world’s wealth. They bring in their wake some 4,000 delegates from various ministries, businesses and NGOs, all of whom will converge on Brisbane, Australia Saturday for a weekend of handshakes and hobnobbing. They will also carry in their smartphones and laptops reams of sensitive communications, including agendas, talking points and trade secrets — a cornucopia of state interests that could offer rival nations an edge in future negotiations or standoffs.

It might sound a bit amateurish to send global bigwigs the same crudely written emails that might turn up in the average Joe’s spam folder, but security experts say hackers try every trick in the book to infiltrate the summit.

“Some groups that look spammy are the exact same groups that can send out extremely well-crafted emails,” says Nart Villeneuve, a senior researcher at the California-based security firm FireEye. The crude emails are often just the opening shot in a campaign that can extend to tainted memory sticks and emails that are indistinguishable from official G20 correspondence. FireEye researchers made headlines after last year’s G20 Summit in St. Petersburg, Russia when they exposed a concerted attack against five European foreign ministries. In that case, an email attachment labeled “US_military_options_in_Syria” installed malicious code as soon as the recipient opened the official-looking file.

Villeneuve had a front-row seat to the St. Petersburg breach. His team traced the malware back to a command-and-control server in China, where they observed a ring of hackers known as “Ke3chang” in action. For a brief, two-week window, Villeneuve’s team saw the hackers issue commands to search for files and open backdoors to other computers of interest.

“The attackers don’t have to compromise a high level diplomat first,” Villeneuve said. “It can begin with anyone on that network.”

The St. Petersburg hack wasn’t the first time such a global gathering had been targeted: During the 2012 Olympics, for example, tainted schedules circulated among the attendees. And in the run-up to the 2011 G20 Summit, malware-ridden files infected roughly 150 computers in the French Ministry of Finance. “It’s probably the first time it’s been as spectacular as this,” said France’s Budget Minister François Baroin at the time.

But the high-profile hacks could very well get more spectacular until all attendees at sensitive events like the G20 collectively shore up their online security. Each delegation crafts its own security plan, but in an ideal world, says FireEye Threat Intelligence Manager Jen Weedon, attendees would use disposable phones and laptops that can be wiped clean of all content before and after the conference. Still, many attendees come from countries that may not have the interest or resources to take such measures, which many may view as extreme or unwarranted. “You can’t expect them to become security experts overnight,” Weedon says. But G20 delegations ignore the security risks at their own peril: already, Weedon says, Tibetan activists at this year’s conference have been targeted by a malware-infected document related to protest information.

Ultimately, the problem of hackers running amok at global gatherings runs deeper than technology alone. All hacking scams exploit human vulnerabilities — lust, credulity, curiosity — that can’t always be solved with a smarter spam filter. “It takes a human to click on something,” observes Weedon, a warning that this weekend’s assemblage of power players may or may not heed when the promise of official correspondence or other tempting links lands in their inboxes. They’re only flesh and blood, after all.

TIME Television

VIDEO: Watch ‘Secrets,’ The New Game of Thrones Season 4 Trailer

Vengeance. Plotting. Dragons. April 6th can't come soon enough for GoT fans.

As HBO continues to ramp up the hype for the upcoming season of Game of Thrones, they’ve released a third teaser trailer for season four, called “Secrets.”

As we saw in the series’ two previous trailers (here and here) political tensions are rising in Westeros and the events of the Red Wedding are weighing heavily on several characters’ minds. Many of the characters can also be seen questioning their positions. Note Cersei Lannister asking new character Oberyn Martell, “what good is power if you cannot protect the ones you love?” What good, indeed.

April 6th can’t come soon enough for GoT fans.

TIME psychology

How to Find out Anything from Anyone

Henrik Sørensen / Photographer Henrik Sorensen

A former intelligence officer shares interrogation tips for getting people to spill on first dates and their salaries

Wish you knew whether the wisecracking guy in the next cubicle got a raise this year? Or whether that stylish woman sipping wine on your first date wants to have kids? Bet you’d like to know whether your nanny really takes the baby outside every day per your instructions. Well, a new book by an army intelligence interrogator could help you get the answers to your most pressing questions.

“Find Out Anything from Anyone, Anytime: Secrets of Calculated Questioning From a Veteran Interrogator” by James O. Pyle and Maryann Karinch won’t help you force a hostile to reveal state secrets, but it does suggest ways to turn someone who’s on the fence into spilling what you want to know.

“There are two things people will not give you for free: money and information,” says Pyle, who plied his craft in the U.S. Army, the Army Intelligence Center and School and the Joint Intelligence of the Pentagon. He explains in the book that the key to pulling out information lies in things like the “control” question, in which you ask something to which you already know the answer to find out whether the person is “lying, uninformed, and/or not paying attention,” he says. Then there’s the “persistent” question in which you ask the same thing in different ways to “explore all facets of the desired information.”

But the most important thing to remember is that there’s nothing better at clamming people up than an interrogation. So try not to make it obvious that you’re pumping someone for information, but “have a conversation with information in it,” he says. That means offering up stuff about yourself and showing curiosity and interest in what the other person is saying.

Here’s how this army intelligence expert would help you get an answer in these typical scenarios:

Does a first date want kids?

This is a delicate subject to broach on a first date, and a direct question could scare off many people. Generally, the best approach is to say something about yourself and watch the other person’s reaction. If you want to know, for example, whether he’s been married, you might say that you have been and then watch the response you get. “The eyes are the big tellers,” Pyle says. “Do they say Ohmygosh? Is there a pull back?” Compare that to how the other person looks when talking about non-personal or non-emotional subjects.

For the kid question, he suggests using the “third party” approach. If there’s a child anywhere nearby, you might comment, “Wow, look at that cute kid.” The answer might not be definitive, but you will get very suggestive clues from “I guess, but they don’t belong in fancy restaurants,” versus “I have two little girls and I sure miss them.”

Is my co-worker making more than me?

Asking right out about another person’s salary can seem intrusive, even aggressive. But starting a conversation—and including some sly flattery—might work wonders. “If I was half as good as you are,” you might say, “I’d be earning twice what I’m making.” If your target bites, she might offer something you can build on, such as, “Oh, I’m not making all that much.” Then you could counter with a really high figure. “Oh, you must be making at least X grand.” That’s likely to be met with a disclaimer, “Oh, no, not that much.” Then, Pyle suggests you guess a way-low figure, and she’ll probably respond, “Oh, more than that.” At this point, she may just tell you. But even if she doesn’t, you’ll have a pretty good idea of the answer.

Does the nanny follow my instructions for taking care of my child?

This is a tricky situation. If your nanny did not follow your instructions to take baby Lindsey out, for example, she’ll be very reluctant to tell you. This is where it comes in handy to know the different kinds of questions. Don’t ask a question that produces a yes or no reply, Pyle says. Instead, you might ask these other kinds of questions, always in a conversational way. Ask for a narrative. “How was your walk today? Where did you go? What did you do?” People who want to cover something, according to FBI narrative analysis, tend to minimize and dismiss: “Fine. Just walked around and came back.”

If that’s the response you get, dig in. What time did you go out? What did you see? Who did you meet? If you want to check her truthfulness, you can summarize what she’s said and either leave something out or add something in. If she doesn’t catch it and correct you, that’s a sign she may be lying. Also, if you catch her in a contradiction, you can question her further. And if you think she’s just getting flustered, you can relax the tension by asking her a non-pertinent question like “Oh, that smells good; what did you make for dinner?” Then after a while, you can return to the questions you want answered.

What’s the state of my elderly parents’ finances and how much will I have to pitch in if they need long-term care?

Many elderly people are extremely private about their money and won’t tell their kids how much they’ve got, where it is, or whether they’ve signed any documents to allow access in an emergency. For this situation, Pyle advises a different strategy. “Make an appeal,” he says. Express your love and gratitude to them, bring up an example like the neighbor who had a stroke but whose rehab was delayed because she hadn’t given anyone her power of attorney. Then, say, “I want to ask you some questions, not because I’m nosy, but so you can tell me how I can help you if you need it.” Then just launch into your questions.

“It’s a disarming approach,” Pyle says. “If they don’t buy it, then ask, ‘Why can’t we talk about this? Why else?’” That may get a useful dialogue going.

In any situation, Pyle says, from asking your 5-year-old what he ate for lunch at school to asking a prisoner of war what he was doing on that road, persistence tends to pay off. He suggests you just keep asking, “What else?” until they say, “That’s all.” Most of all, start a conversation in which people want to tell you what you want to know — and likely won’t even realize they’re revealing anything. “You can lead a horse to water, but you can’t make it drink,” he says, adding, “But if you make ‘em thirsty, they’ll drink by themselves.”
