Saturday, August 05, 2006

Hello URBE's summer students, Class N713. Welcome!!

Please be so kind as to search for information on the net about
SOCIAL ENGINEERING
and let's share it...
Important facts: definition, other related terms (shoulder surfing, password sniffing...), psychological profile, behavior, common procedures, how to avoid it...
AND YOUR OWN OPINION, OF COURSE!!
If you paste information from a web site, please name the source.

28 Comments:

At August 07, 2006 4:31 PM, Anonymous Anonymous said...

It is the art and science of getting people to comply with your wishes. It is not a way of mind control; it will not allow you to get people to perform tasks wildly outside of their normal behaviour, and it is far from foolproof. It concentrates on the weakest link of the computer security chain. People can use that information to guess your password: for example, the names of your children, their birthdays or the license plate number on your car are all likely candidates for guessing as passwords. "MARGARET MEZA"

 
At August 07, 2006 4:35 PM, Anonymous Anonymous said...

ANGEL LACRET C.I.: 18064066
alacret@hotmail.com
alacret@gmail.com
04141673303
Section: N711

Social Engineering;
The Human Factor or the weakest link

Computer fraud, black-hat hacking, cyber-terrorists: these new phrases describe an innovative generation of criminals that use over-the-wire technology to attack us, steal from us and terrorize us. However, the best tool in their arsenal is not new. It is only used by the most experienced, the most dangerous, the boldest hackers. It is called Social Engineering, a term that may have been coined by the Nazis prior to World War II. It simply means deception. Deception and the Nazis; the terms fit together.

Does it work? Can seemingly smart people be easily deceived? Kevin Mitnick, who served five years in prison for repeated hacking, said in testimony before Congress on the subject of Social Engineering, “I was so successful with that attack that I rarely had to resort to a technical attack.”

What people fall for such an attack, and who do they work for? People like the U.S. Military, Pacific Bell, and the FBI.

Security professionals are well aware of the danger of these attacks, of the type of individuals that do the attacking and of the techniques that can help to harden an organization against a Social Engineering attack. So the ultimate question is: why? Why, if these things are known, do the attacks still work?

We contend that it is the manner in which the threat is communicated to the everyday non-security, non-technology personnel that are the Social Engineer’s targets, and the manner in which they are trained to prevent such an attack.

 
At August 07, 2006 4:36 PM, Anonymous Anonymous said...

Name: José E. Mendez L.
CI: 17.220.423, class: N713.
Social engineering: it is the practice of taking confidential information by manipulating users. They will use the telephone or the Internet to trick people. Social engineering also refers to the act of face-to-face manipulation to gain physical access to computer systems...
Example: one example is when people attack using e-mail that contains malicious payloads. It's very bad for the machines.
20 points... :)

 
At August 07, 2006 4:37 PM, Anonymous Anonymous said...

ANGEL LACRET C.I.: 18064066
alacret@hotmail.com
alacret@gmail.com
04141673303
Section: N711

AS A FUTURE MANAGER..... WHAT YOU NEED TO KNOW

What motivates a Social Engineer
How you react to a threat
What plans you have for threats
The two general categories of motivation
Why people help Social Engineers
The difference between knowingly and unknowingly.
The difference between known and unknown
How we are all wired to fall for a Social Engineer
How to plan a Social Engineer attack.
How to analyze your culture
Why the door may need to be partially open.
Developing your Defense Plan
Getting Employee Buy-In
How to Identify your Small Group Leaders
How to Make Them Retain the Skills!

 
At August 07, 2006 4:37 PM, Anonymous Anonymous said...

Social engineering is basically the art of tricking people into doing what you want in terms of robbing them. To do that they use several methods, some of which are: the most common is simply a direct request, which is really unlikely to succeed but is also the easiest; another way to do it is planning a contrived situation in which the target is involved, so that you can persuade them to give you the information you need, which certainly involves gaining extensive knowledge of the target; one of the essential tools used in social engineering is a good memory of the target’s facts, something that hackers tend to excel in, especially when it comes to facts relating to their field; another common trick is known as "shoulder surfing", which means that someone looks over your shoulder while you type in your password, so that they can steal your ATM card and take your money without any trouble; also, password sniffing is very common: this is like an intruder getting all the messages your computer sends, looking for your password, so they can get into your company's security system, your e-bank, anything with a password that they find.
Most of these criminal acts can be avoided; instead, you can be very aware of the people around you, avoid talking with strangers about your money, how much you make and things like that, and always pay attention when you take money out of the ATM that no one is looking over your shoulder; that way you may be safe from these money stealers.
NIMARVI MONTIEL 17726949

 
At August 07, 2006 4:39 PM, Anonymous Anonymous said...

ANGEL LACRET C.I.: 18064066
alacret@hotmail.com
alacret@gmail.com
04141673303
Section: N711

A SOCIAL ENGINEER is someone who makes you reveal important and private information about yourself or about where you work, using technical or non-technical methods or resources.

 
At August 07, 2006 4:47 PM, Anonymous Anonymous said...

RINA PAOLA BONI.
Social engineering :is the practice of obtaining confidential information by manipulation of legitimate users. A social engineer will commonly use the telephone or Internet to trick people into revealing sensitive information or getting them to do something that is against typical policies. By this method, social engineers exploit the natural tendency of a person to trust his or her word, rather than exploiting computer security holes. It is generally agreed upon that “users are the weak link” in security and this principle is what makes social engineering possible.
Shoulder surfing :is using direct observation techniques, such as looking over someone's shoulder, to get information. Shoulder surfing is an effective way to get information in crowded places because it's relatively easy to stand next to someone and watch as they fill out a form, enter a PIN number at an ATM machine, or use a calling card at a public pay phone.
Shoulder surfing can also be done long distance with the aid of binoculars or other vision-enhancing devices. To prevent shoulder surfing, experts recommend that you shield paperwork or your keypad from view by using your body or cupping your hand.
The password sniffer: is used to capture passwords as they pass across a network. The network could be a local area network, or the Internet itself. And the sniffer could be hardware (if the attacker has physical access to the network) or software (in which case all that is required is the ability to compromise a server). A favourite method for 'installing' a password sniffer onto a local area network would be through the use of a Trojan Horse.

Psychological profile and Behavior:
The hackers themselves teach social engineering from a psychological point-of-view, emphasizing how to create the perfect psychological environment for the attack. Basic methods of persuasion include: impersonation, ingratiation, conformity, diffusion of responsibility, and plain old friendliness. Regardless of the method used, the main objective is to convince the person disclosing the information that the social engineer is in fact a person that they can trust with that sensitive information. The other important key is to never ask for too much information at a time, but to ask for a little from each person in order to maintain the appearance of a comfortable relationship.

Impersonation generally means creating some sort of character and playing out the role. The simpler the role, the better. Sometimes this could mean just calling up, saying: “Hi, I’m Joe in MIS and I need your password,” but that doesn’t always work. Other times, the hacker will study a real individual in an organization and wait until that person is out of town to impersonate him over the phone. According to Bernz, a hacker who has written extensively on the subject, they use little boxes to disguise their voices and study speech patterns and org charts. I’d say it’s the least likely type of impersonation attack because it takes the most preparation, but it does happen.
Some common roles that may be played in impersonation attacks include: a repairman, IT support, a manager, a trusted third party (for example, the President’s executive assistant who is calling to say that the President okayed her requesting certain information), or a fellow employee. In a huge company, this is not that hard to do. There is no way to know everyone - IDs can be faked. Most of these roles fall under the category of someone with authority, which leads us to ingratiation. Most employees want to impress the boss, so they will bend over backwards to provide required information to anyone in power.

Conformity is a group-based behavior, but can be used occasionally in the individual setting by convincing the user that everyone else has been giving the hacker the same information now requested, such as if the hacker is impersonating an IT manager. When hackers attack in such a way as to diffuse the responsibility of the employee giving the password away, that alleviates the stress on the employee.

When in doubt, the best way to obtain information in a social engineering attack is just to be friendly. The idea here is that the average user wants to believe the colleague on the phone and wants to help, so the hacker really only needs to be basically believable. Beyond that, most employees respond in kind, especially to women. Slight flattery or flirtation might even help soften up the target employee to co-operate further, but the smart hacker knows when to stop pulling out information, just before the employee suspects anything odd. A smile, if in person, or a simple “thank you” clinches the deal. And if that’s not enough, the new user routine often works too: “I’m confused, (batting eyelashes) can you help me

How to protect yourself from social engineers:
Be careful not to disclose information to someone you don’t know over the phone, through email, or when using the Internet.
Don’t share personal information through Internet chat rooms.
Understand how information will be used before sharing it with merchants.
Know if you have a choice in how your information is used and shared.
Have checks printed by reputable check vendors (like the credit union’s preferred provider)
Don’t include your Social Security Number, driver’s license or other information on requests for printing checks.
Limit the number of items with personal information and account numbers in your wallet when you travel.
For more information visit Federal Trade Commission: Tips for Protecting Your Personal Information.

Procedures:
Social engineering is defined as a “non-technical kind of intrusion that relies heavily on human interaction and often involves tricking other people to break normal security procedures.” (from searchsecurity.techtarget.com). Common social engineering scenarios include:

Telephoning a user and posing as a member of the IT team, who needs the user’s password and other information in order to troubleshoot problems with the network or the user’s account.
Telephoning the IT department and posing as a high-ranking executive in the company, pretending to have forgotten his/her password and demanding that information immediately because of a pressing business urgency.
Developing a personal relationship with a user or IT team member with the intent of “sweet talking” the person out of confidential information that can be used to break into the network.

A good social engineer is not only a good actor, but is also good at “reading” people to determine what type of ploy will work best with a particular person. When a hacker combines social engineering skills with technical expertise, it becomes easy to breach almost any network. Many common Internet scams, such as e-mails purporting to be from a user’s bank or credit card company and asking them to go to a Web site where they’re directed to fill in account information, are forms of social engineering.

Some social engineers base their success on research abilities. Such activities as “dumpster diving” (going through discarded paperwork to find credentials and other useful information) can also be considered a form of social engineering. Some hackers may develop elaborate schemes to pose as building repair personnel or even temporarily take jobs as janitors to gain initial access, while others do all of their work from afar and never set foot near the physical site. A determined hacker may put days or weeks of effort into gaining the trust of a target employee. This may be done in person, over the telephone or via e-mail or IM.

“Reverse social engineering” is a term used to refer to hackers who create some sort of problem on the network or the user’s computer and then come to the rescue (like the cases we occasionally read about where a person sets a fire and then rushes in to put it out, becoming an instant hero to the victims). This helps the social engineer gain trust quickly, and makes it easier for him/her to get desired information out of the victim. For example, the social engineer might then send an e-mailed attachment that contains malicious code through which he can gain control of the victim’s computer. Because the victim now “knows” (and trusts) the engineer, the victim doesn’t exercise the same caution about opening the attachment as would be the case if the attachment were from someone else.
Rina Boni

 
At August 07, 2006 4:47 PM, Anonymous Anonymous said...

osmary urdaneta.

What is Social Engineering ?
Basically, social engineering is the art and science of getting people to comply with your wishes. It is not a way of mind control; it will not allow you to get people to perform tasks wildly outside of their normal behaviour, and it is far from foolproof.

It also involves far more than simply quick thinking and a variety of amusing accents. Social engineering can involve a lot of 'groundwork', information gathering and idle chit chat before an attempt at gaining information is ever made. Like hacking, most of the work is in the preparation, rather than the attempt itself.

You may think this talk may seem to be a weak excuse to demonstrate how these techniques can be used for hacking. OK, fair enough. However, the only way to defend against this sort of security attack is to know what methods may be used. With this knowledge it is possible to pick-up on these techniques being used against either you or your company and prevent security breaches before anyone gets near your data. A CERT style security alert with few details is pointless in this case. It would simply boil down to "Some people may try to get access to your system by pretending some things are true. Don't let them." As usual, no help what-so-ever.
Social engineering concentrates on the weakest link of the computer security chain. It is often said that the only secure computer is an unplugged one. The fact that you could persuade someone to plug it in and switch it on means that even powered down computers are vulnerable.

Also, the human part of a security set-up is the most essential. There is not a computer system on earth that doesn't rely on humans. This means that this security weakness is universal, independent of platform, software, network or age of equipment.

Anyone with access to any part of the system, physically or electronically is a potential security risk. Any information that can be gained may be used for social engineering further information. This means even people not considered as part of a security policy can be used to cause a security breach.

A True Story
One morning a few years back, a group of strangers walked into a large shipping firm and walked out with access to the firm’s entire corporate network. How did they do it? By obtaining small amounts of access, bit by bit, from a number of different employees in that firm. First, they did research about the company for two days before even attempting to set foot on the premises. For example, they learned key employees’ names by calling HR. Next, they pretended to lose their key to the front door, and a man let them in. Then they "lost" their identity badges when entering the third floor secured area, smiled, and a friendly employee opened the door for them.
The strangers knew the CFO was out of town, so they were able to enter his office and obtain financial data off his unlocked computer. They dug through the corporate trash, finding all kinds of useful documents. They asked a janitor for a garbage pail in which to place their contents and carried all of this data out of the building in their hands. The strangers had studied the CFO's voice, so they were able to phone, pretending to be the CFO, in a rush, desperately in need of his network password. From there, they used regular technical hacking tools to gain super-user access into the system.
In this case, the strangers were network consultants performing a security audit for the CFO without any other employees' knowledge. They were never given any privileged information from the CFO but were able to obtain all the access they wanted through social engineering. (This story was recounted by Kapil Raina, currently a security expert at Verisign and co-author of mCommerce Security: A Beginner's Guide, based on an actual workplace experience with a previous employer.)

Password Sniffing
If a hacker can't guess your password, there are other ways he/she can try to get it. One way which has become very popular is called "password sniffing".
It turns out that most networks use what's known as "broadcast" technology. What that means is that every message that a computer on the network transmits can be read by any other computer on that network. In practice, all the computers except the recipient of the message will notice that the message is not meant for them, and ignore it.
However, many computers can be programmed to look at every message on the network. If one does this, one can look at messages which are not intended for you.
Hackers have programs which do this, and then scan all the messages which traverse a network looking for passwords. If you log in to a computer across a network, and some computer on the network you use has been compromised this way, you may end up giving your password to the attacker.
Using this technique, hackers who've broken into computers which are on heavily used networks have collected thousands of passwords.
This is a serious threat to users who log in to our computers from remote sites. If you log in on the console of a computer, your password never crosses a network where it can be sniffed. But if you log in from some other school, or from an internet service provider, you are dependent on the security of their network.
One way to protect yourself from password sniffing is to arrange not to need to type your password. The program rlogin can be configured to not require your password. If you know ahead of time that you'll be using your account from a given computer, you can create a file named .rhosts and put a line with the name of the remote computer you'll be using in that file. If you try to rlogin to our computers from the computer listed in your .rhosts, you won't be asked for your password. In effect, our computer will trust the other computer for your account if you list it in your .rhosts.
There are some dangers associated with the use of .rhosts files. If the remote computer gets broken into, the hacker might deduce that he/she can simply rlogin to your account here. One way to minimize that risk is to not have .rhosts files on both machines point at each other. If your account on the remote machine doesn't have a .rhosts file which allows your SEAS account to log in, somebody who's broken into the remote computer is less likely to notice that your account there can be used to break in to our computers here.
Despite these dangers, the CNG feels that the dangers of password sniffing outweigh the dangers of .rhosts, and so in most cases we advise using .rhosts if you expect to be accessing your SEAS account remotely.

Another, better way to defend against password sniffing is to use one-time passwords. A one-time password is a password which is only good for one use. After you've used it once, it's no longer any good, and so sniffing it is useless to a hacker. Of course, somehow you must be able to log in more than once.
One way to accomplish this is to carry a list of passwords. Each time you log in, you use the next password on the list. Some systems even provide "calculators" so that you don't need to carry a list. The calculator, which may run on your Macintosh or PC, will tell you which is the next password on the list, so all you need to do is cut and paste the password from the calculator.
The SEAS has suffered two serious breakins in the last year as a result of passwords sniffed on remote sites. As a result, we are working on implementing procedures which will require remote users to use one-time-passwords to login to our computers. We hope to have this in place before Summer.


A big problem ?
Security professionals are constantly being told that security through obscurity is very weak security. In the case of social engineering it is no security at all. It is impossible to obscure the fact that humans use the system or that they can influence it, because as I stated before, there isn't a computer system on earth that does not have humans as a part of it.

Almost every human being has the tools to attempt a social engineering 'attack', the only difference is the amount of skill used when making use of these tools.

Psychological profile.
However, most social engineering is conducted by lone individuals, and so the social pressure and other influencing factors have to be constructed by creating a believable situation which the target feels immersed in.

If the situation, real or imaginary has certain characteristics then the target individual is more likely to comply with your requests. These characteristics include:

• Diffusion of responsibility away from the target individual. This is when the individual believes that they are not solely responsible for their actions.

• A chance for ingratiation. Compliance is more likely if the individual believes that by complying they are ingratiating themselves with someone who may give them future benefits. This is basically getting in with the boss.

• Moral duty. This is where an individual complies because they feel it is their moral duty to. Part of this is guilt. People prefer to avoid guilt feelings and so if there is a chance that they will feel guilty they will if possible avoid this outcome.

Personal persuasion
On a personal level there are methods that are used to make a person more likely to co-operate with you. The aim of personal persuasion is not to force people to complete your tasks, but enhance their voluntary compliance with your request.

There is a subtle difference. Basically, the target is simply being guided down the intended path. The target believes that they have control of the situation, and that they are exercising their power to help you out.

The fact that the benefits that the person will gain from helping you out have been invented is irrelevant. The target believes they are making a reasoned decision to exchange these benefits for a small loss of their time and energy.

Securing against human attacks
With all this information, how would someone go about making their computer system more secure? A good first step would be to make computer security part of everyone's job, whether they use a computer or not. This will not only boost their self-perceived status at no extra cost to you but will make staff more vigilant. If you make someone involved in keeping your computer system secure, they are more likely to pay closer attention to unauthorised individuals trying to gain access to a system.

However, the best defence against this, as with most things, is education. Explaining to employees the importance of computer security and that there are people who are prepared to try and manipulate them to gain access is an effective and wise first step. Simply forewarning people of possible attacks is often enough to make them alert enough to spot them. Remember to give both sides of the story when educating people about computer security. This isn't just my personal bias. When individuals know both sides of an argument they are less likely to be dissuaded from their chosen position. And if they are involved in computer security, their chosen position is likely to be on the side of securing your data.

There are attributes which people less likely to comply with persuasion tend to have. Less compliant people tend to be pretty bright, highly original, able to cope with stress and reasonably self confident. Stress management and self confidence can be taught or at least enhanced. Self assertion courses are often used for management employees, this training is excellent in reducing the chances of an individual being socially engineered, as well as having many other employment benefits.

What this comes down to is making people aware and involved in your security policy. This takes little effort and gives great rewards in terms of the amount of risk reduction.

Conclusion
Contrary to popular belief, it is often easier to hack people than sendmail. But it takes far less effort to have employees who can prevent and detect attempts at social engineering than it is to secure any unix system.

Sysadmins, don't let the human link in your security chain let your hard work go to waste. And hackers, don't let sysadmins get away with weak links, when it is their chains that are holding your data.
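The password-sniffer paragraph in Rina Boni's comment and the "Password Sniffing" section of the comment above describe the mechanism in prose only. What follows is an added example, not code from any commenter or from the sources they quote, showing both halves side by side in Python: a passive sniffer that pulls a static password out of constructed cleartext USER/PASS frames and replays it successfully, and an S/KEY-style one-time-password scheme (a Lamport hash chain) in which the very same sniffed value is refused when replayed. The hosts, user names, seed and frames are constructed for the demo; the names `OtpServer` and `OtpCalculator` and the choice of SHA-256 are assumptions made here (the original S/KEY used MD4 and encoded each value as six short English words), not part of any real implementation.

```python
"""Why a sniffed static password is reusable and a sniffed one-time
password is not. Added example; all traffic below is constructed."""
import hashlib


# ---- attacker side: passive sniffer on a shared ("broadcast") segment -----

def sniff_credentials(frames):
    """Pull (user, password) pairs out of cleartext USER/PASS dialogues
    (FTP, POP3 and telnet-style logins carry the secret in the payload).
    frames: iterable of (src, dst, payload) as seen on the wire."""
    creds, user = [], None
    for _src, _dst, payload in frames:
        if payload.startswith("USER "):
            user = payload[5:].strip()
        elif payload.startswith("PASS ") and user is not None:
            creds.append((user, payload[5:].strip()))
            user = None
    return creds


# ---- defender side: Lamport / S/KEY-style one-time password chain --------

def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()      # SHA-256 is a choice made here


def hash_chain(seed: bytes, k: int) -> bytes:
    """H^k(seed): the seed hashed k times (H^0(seed) is the seed itself)."""
    v = seed
    for _ in range(k):
        v = _h(v)
    return v


class OtpServer:
    """Stores, per user, only the last accepted chain value. A login is
    valid iff the presented value hashes to the stored one; the presented
    value then replaces it, so the same value can never be accepted twice."""

    def __init__(self):
        self.users = {}                       # user -> [verifier, remaining]

    def enroll(self, user, seed, n):
        # Enrollment happens out of band (console, not a sniffable link);
        # the server learns H^n(seed) but never the seed itself.
        self.users[user] = [hash_chain(seed, n), n]

    def login(self, user, otp: bytes) -> bool:
        rec = self.users.get(user)
        if rec is None or rec[1] == 0:
            return False                      # unknown user or chain exhausted
        if _h(otp) != rec[0]:
            return False                      # wrong, or already used (replay)
        rec[0], rec[1] = otp, rec[1] - 1
        return True


class OtpCalculator:
    """The 'calculator' the comment mentions: from the seed it yields
    H^(n-1)(seed), H^(n-2)(seed), ... down to H^0(seed) = seed."""

    def __init__(self, seed, n):
        self.seed, self.k = seed, n - 1

    def next_password(self) -> bytes:
        if self.k < 0:
            raise RuntimeError("chain exhausted; re-enroll with a new seed")
        pw = hash_chain(self.seed, self.k)
        self.k -= 1
        return pw


# ---- the two scenarios side by side ---------------------------------------

def demo():
    # 1) static password over a cleartext protocol (constructed frames)
    frames = [("10.0.0.5", "10.0.0.9", "USER alice"),
              ("10.0.0.5", "10.0.0.9", "PASS hunter2"),
              ("10.0.0.9", "10.0.0.5", "230 Login successful")]
    static_db = {"alice": "hunter2"}          # what the server checks against
    stolen = sniff_credentials(frames)
    static_replay_works = bool(stolen) and all(
        static_db.get(u) == p for u, p in stolen)

    # 2) one-time passwords: the attacker sniffs the first login and replays it
    seed, n = b"constructed-demo-seed-not-for-real-use", 3
    server, calc = OtpServer(), OtpCalculator(seed, n)
    server.enroll("bob", seed, n)
    otp1 = calc.next_password()
    frames_otp = [("10.0.0.7", "10.0.0.9", "USER bob"),
                  ("10.0.0.7", "10.0.0.9", "PASS " + otp1.hex())]
    first_login_ok = server.login("bob", otp1)
    sniffed = bytes.fromhex(sniff_credentials(frames_otp)[0][1])
    otp_replay_works = server.login("bob", sniffed)      # same value again
    next_login_ok = server.login("bob", calc.next_password())
    last_login_ok = server.login("bob", calc.next_password())   # n-th login
    exhausted_refused = not server.login("bob", seed)    # chain is used up
    return {"stolen": stolen, "static_replay_works": static_replay_works,
            "first_login_ok": first_login_ok, "otp_replay_works": otp_replay_works,
            "next_login_ok": next_login_ok, "last_login_ok": last_login_ok,
            "exhausted_refused": exhausted_refused}


if __name__ == "__main__":
    for key, value in demo().items():
        print("%s: %s" % (key, value))
```

Run it directly to print the outcomes; the comment's point is the pair `static_replay_works: True` against `otp_replay_works: False`. Two caveats the prose only hints at: the sniffer sees the one-time value but cannot invert the hash to get the next one, which is the whole reason the chain works; and a chain runs out after n logins, after which the server refuses everything until a fresh seed is enrolled out of band.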

 
At August 07, 2006 4:49 PM, Anonymous Anonymous said...

Social Engineering: is hacker-speak for tricking a person into revealing their password. A classic social engineering trick is for a hacker to send email claiming to be a system administrator. The hacker will claim to need your password for some important system administration work, and ask you to email it to him/her.
Password Sniffing: If a hacker can't guess your password, there are other ways he/she can try to get it. One way which has become very popular is called ``password sniffing''.
Shoulder Surfing: It consists of physically 'spying' on users, generally to obtain access passwords to the system. The first and most obvious method is simply a direct request, where one asks an individual to complete the task directly. Though it probably has less success, this is the easiest and most sincere method. The individual knows exactly what you want them to do.
Personal persuasion: On a personal level there are methods that are used to make a person more likely to co-operate with you. The aim of personal persuasion is not to force people to complete your tasks, but enhance their voluntary compliance with your request.
The situations: Social engineering targets the individuals with the least knowledge, given that the arguments and other influencing factors have to be constructed by generating a credible situation that the individual acts on.

Alejandro Romero
C.I 15.602.298
Email:Arom51@hotmail.com

 
At August 07, 2006 4:50 PM, Anonymous Anonymous said...

Social engineering: it is a tool used in order to deceive people.
Social engineers choose to call their victims, passing themselves off as agencies or banks, in order to obtain people's confidential data and then swindle them.
A way to avoid it is not to provide any kind of information to anybody unless they are an authorized person, and to make sure nobody knows your card numbers or passwords.
One of their main characteristics is that they know how to manipulate people so that people fall into the trap; they are very astute.

My mom was swindled: they made her think that if she deposited some money she would receive a card that gave discounts in stores, and the card never arrived.
dayana lozano 16729688

 
At August 07, 2006 4:55 PM, Anonymous Anonymous said...

GABRIEL LUZARDO
C.I:16118725
N-713

Shoulder Surfing
Shoulder surfing is using direct observation techniques, such as looking over someone's shoulder, to get information. Shoulder surfing is an effective way to get information in crowded places because it's relatively easy to stand next to someone and watch as they fill out a form, enter a PIN number at an ATM machine, or use a calling card at a public pay phone. Shoulder surfing can also be done long distance with the aid of binoculars or other vision-enhancing devices. To prevent shoulder surfing, experts recommend that you shield paperwork or your keypad from view by using your body or cupping your hand.
Another type of attack related to the naivety of the system's users (but also to the control of physical access) is the one called shoulder surfing. It consists of physically 'spying' on users, generally to obtain access passwords to the system. For example, a measure that unfortunately many users take to remember their passwords is to write them on a piece of paper stuck to the monitor of their PC or to write them on the underside of the keyboard; anyone who walks past the workstation can read the login, password and even the name of the machine they belong to without any trouble. This, which may seem a great triviality to us, unfortunately is not, and it is used more than many administrators or security officers think; and not only in 'private' environments or ones with restricted access control, such as the operations room of a computer center, but in places that anyone can reach without any accreditation: personally, years ago I could clearly read 'post-it' notes stuck to the monitors of the PCs used by the information staff of a department store in Valencia, on which appeared the user name, the password and the telephone number of several of the company's systems; anyone who approached the counter could read and memorize this information without any trouble. Shoulder surfing does not always benefit from the naivety of the ordinary users of a machine; on certain occasions it is the programmers themselves (people who in theory ought to know something more about security than administrative staff or those serving the public) who design applications very susceptible to attacks of this kind. For example, in certain applications - especially some that run on MS Windows and are more or less old - the passwords typed in are shown in the clear on the screen as they are entered. Anyone located near a person who is using them can clearly read that password; a perfect example of what one should never do.


SOCIAL ENGINEERING:
Social engineering is the practice of obtaining confidential information by manipulation of legitimate users. A social engineer will commonly use the telephone or Internet to trick people into revealing sensitive information or getting them to do something that is against typical policies. By this method, social engineers exploit the natural tendency of a person to trust his or her word, rather than exploiting computer security holes. It is generally agreed upon that “users are the weak link” in security and this principle is what makes social engineering possible.

A contemporary example of a social engineering attack is the use of e-mail attachments that contain malicious payloads (that, for instance, use the victim's machine to send massive quantities of spam). After earlier malicious e-mails led software vendors to disable automatic execution of e-mail attachments, users now have to explicitly activate attachments for this to occur. Many users, however, will blindly click on any attachments they receive, thus allowing the attack to work.
Perhaps the simplest, but a still effective attack is tricking a user into thinking one is an administrator and requesting a password for various purposes. Users of Internet systems frequently receive messages that request password or credit card information in order to "set up their account" or "reactivate settings" or some other benign operation in what are called phishing attacks. Users of these systems must be warned early and frequently not to divulge sensitive information, passwords or otherwise, to people claiming to be administrators. In reality, administrators of computer systems rarely, if ever, need to know the user's password to perform administrative tasks. However, even this might not be necessary — in a 2003 Infosecurity survey, 90% of office workers gave away their password in exchange for a cheap pen. [1]
Social engineering also applies to the act of face-to-face manipulation to gain physical access to computer systems.
Training users about security policies and ensuring that they are followed is the primary defense against social engineering.
One of the most infamous social engineers in recent history is Kevin Mitnick.
Social Engineering is the term that hackers give to acquiring information about computer systems through non-technical means. Hackers usually consider Social Engineering to be calling people up within a targeted organization and asking them for information. The hackers usually use a variety of ruses to obtain information. Hackers may claim to be from the computer support staff and state that they need a user's password to correct a problem with the computer system. To the reader, Social Engineering might seem like a fancy word for lying. It is. It is also extremely effective.
Another type of Social Engineering involves obtaining a job at the targeted organization. By obtaining a job at the organization, an attacker might be given access to the information that they desire. Even if they are not given direct access to the information, they can possibly learn enough information to get additional access. A job as a janitor can be extremely valuable to a hacker. For example, a janitor is usually given access to areas of a building to which an average employee does not have access. Janitors can take their time to go through the garbage to obtain potentially valuable information. Additionally, janitors have the opportunity to go through a person's desk or belongings after they leave for the day. A recent edition of 2600: The Hacker's Quarterly includes an article on how to obtain a job as a janitor [Voyager 1994].
Social Engineering attacks may also involve going through trash dumpsters. The term for going through trash dumpsters is "dumpster diving." Again, the tactic may seem to be almost comical; however, it does provide very valuable information. It is well known that in the Defense Community there are classified materials destruction procedures. Burn bags and shredders are common throughout the U.S. Government, yet almost unheard of in private industry. The Masters of Deception, who compromised the U.S. telecommunications system to the point where they could have brought it down, were only able to do so after they obtained system passwords from the garbage of the New York Telephone Company [Slatalla & Quittner 1995].
There are other forms of Social Engineering that include criminal actions. There have been several cases cited that show that former Intelligence Operatives are now engaging in industrial espionage. These operatives are hired by foreign companies to gather economic intelligence. Actions performed by these people include theft of equipment and breaking into corporate facilities (Schweizer, 1993). Also actions used by thieves to collect credit card numbers, such as "Shoulder Surfing" where someone eavesdrops on someone else entering a password, are being used to collect computer passwords.
Social Engineering gives an outside attacker the knowledge and abilities of internal employees. It can also give an internal attacker more knowledge and abilities than they should have. Social Engineering can bypass all technical security mechanisms to allow an attacker to obtain the information of their choosing. In some cases, a Social Engineering attack may yield all the desired information without an attacker having to resort to technical means. This is an extremely important concept, because this indicates that a person who intends to obtain computer-based information does not need to know anything about computers.
There is an additional element to Social Engineering that must be considered. If a hacker breaks into a computer system and obtains information, then they are probably committing a crime. However, if a Social Engineer uses the telephone and asks someone for information, then there is definitely doubt as to if a crime has occurred. The person that gives out the information may be the person that is legally liable and may subject the organization to criminal or civil charges. For example, if a person calls up a hospital and asks for the name of all patients diagnosed with Acquired Immune Deficiency Syndrome (AIDS), and obtains the information by implying that they are from the Board of Health, the hospital could be sued by patients whose lives were damaged by the disclosure of the information. Essentially, Social Engineering attacks weaknesses in what is considered to be common sense.

Password Sniffing:
If a hacker can't guess your password, there are other ways he/she can try to get it. One way which has become very popular is called "password sniffing".
It turns out that most networks use what's known as "broadcast" technology. What that means is that every message that a computer on the network transmits can be read by any other computer on that network. In practice, all the computers except the recipient of the message will notice that the message is not meant for them, and ignore it.
However, many computers can be programmed to look at every message on the network. If one does this, one can look at messages which are not intended for you.
Hackers have programs which do this, and then scan all the messages which traverse a network looking for passwords. If you login to a computer across a network, and some computer on the network you use has been compromised this way, you may end up giving your password to the attacker.
Using this technique, hackers who've broken into computers which are on heavily used networks have collected thousands of passwords.
This is a serious threat to users who login to our computers from remote sites. If you login on the console of a computer, your password never crosses a network where it can be sniffed. But if you login from some other school, or from an internet service provider, you are dependent on the security of their network.
One way to protect yourself from password sniffing, is to arrange to not need to type your password. The program rlogin can be configured to not require your password. If you know ahead of time that you'll be using your account from a given computer, you can create a file named .rhosts and put a line with the name of the remote computer you'll be using in that file. If you try to rlogin to our computers from the computer listed in your .rhosts, you won't be asked for your password. In effect, our computer will trust the other computer for your account if you list it in your .rhosts.
There are some dangers associated with the use of .rhosts files. If the remote computer gets broken into, the hacker might deduce that he/she can simply rlogin to your account here. One way to minimize that risk is to not have .rhosts files on both machines point at each other. If your account on the remote machine doesn't have a .rhosts file which allows your SEAS account to login, somebody who's broken into the remote computer is less likely to notice that your account there can be used to breakin to our computers here.
Despite these dangers, the CNG feels that the dangers of password sniffing outweigh the dangers of .rhosts, and so in most cases we advise using rhosts if you expect to be accessing your SEAS account remotely.
Under no circumstances should you use a "+" (plus) character in your .rhosts!
Another, better way to defend against password sniffing is to use one-time-passwords. A one-time-password is a password which is only good for one use. After you've used it once, it's no longer any good, and so sniffing it is useless to a hacker. Of course, somehow you must be able to login more than once.
One way to accomplish this is to carry a list of passwords. Each time you login, you use the next password on the list. Some systems even provide "calculators" so that you don't need to carry a list. The calculator, which may run on your Macintosh or PC, will tell you which is the next password on the list, so all you need to do is cut and paste the password from the calculator.
The SEAS has suffered two serious breakins in the last year as a result of passwords sniffed on remote sites. As a result, we are working on implementing procedures which will require remote users to use one-time-passwords to login to our computers. We hope to have this in place before Summer.
Common Procedures:
Social engineering is defined as a “non-technical kind of intrusion that relies heavily on human interaction and often involves tricking other people to break normal security procedures.” (from searchsecurity.techtarget.com). Common social engineering scenarios include:
• Telephoning a user and posing as a member of the IT team, who needs the user’s password and other information in order to troubleshoot problems with the network or the user’s account.
• Telephoning the IT department and posing as a high ranking executive in the company, pretending to have forgotten his/her password and demanding that information immediately because of a pressing business urgency.
• Developing a personal relationship with a user or IT team member with the intent of “sweet talking” the person out of confidential information that can be used to break into the network.
A good social engineer is not only a good actor, but is also good at “reading” people to determine what type of ploy will work best with a particular person. When a hacker combines social engineering skills with technical expertise, it becomes easy to breach almost any network. Many common Internet scams, such as e-mails purporting to be from a user’s bank or credit card company and asking them to go to a Web site where they’re directed to fill in account information, are forms of social engineering.
Some social engineers base their success on research abilities. Such activities as “dumpster diving” (going through discarded paperwork to find credentials and other useful information) can also be considered a form of social engineering. Some hackers may develop elaborate schemes to pose as building repair personnel or even temporarily take jobs as janitors to gain initial access, while others do all of their work from afar and never set foot near the physical site. A determined hacker may put days or weeks of effort into gaining the trust of a target employee. This may be done in person, over the telephone or via e-mail or IM.
“Reverse social engineering” is a term used to refer to hackers who create some sort of problem on the network or the user’s computer and then come to the rescue (like the cases we occasionally read about where a person sets a fire and then rushes in to put it out, becoming an instant hero to the victims). This helps the social engineer gain trust quickly, and makes it easier for him/her to get desired information out of the victim. For example, the social engineer might then send an e-mailed attachment that contains malicious code through which he can gain control of the victim’s computer. Because the victim now “knows” (and trusts) the engineer, the victim doesn’t exercise the same caution about opening the attachment as would be the case if the attachment were from someone else.
How to avoid it...
To prevent social engineers from succeeding in gaining the information they need to do their dirty work on your network, and to help detect when a possible social engineering attempt is occurring, the following steps should be taken:
• Physically secure the computers and network devices.
• Develop a detailed security policy addressing social engineering issues and enforce it throughout the company.
• Provide all users with training in how to recognize a social engineering attempt.
• Lock up paperwork and magnetic media containing confidential information and destroy it when it is no longer needed.
A good practice is to create a centralized database that logs social engineering attempts. For example, if a secretary receives a call from someone pretending to be the IT manager and asking for her password, she should be able to report the incident to a designated person or department, where it would be logged. This allows you to detect patterns and to be on guard for security breaches because you know someone is trying to get information that can be used to get into your network.
Defending against social as well as technical threats should be part of your “defense in depth” strategy, but it’s often ignored. Don’t assume that your users “know better” than to give out their passwords. Unless explicitly instructed otherwise, the average employee has no reason to question someone who seems to have a legitimate reason for asking. Even IT team members who are security-conscious might be hesitant to ask for proof of identity from an irate person claiming to be a member of upper management.
Protecting the network from social engineering attacks requires, first and foremost, a set of security policies that lay out the reasons and procedures for responding to these types of requests. Just developing the policies is not enough. In order to be effective:
• All members of management must agree to the policies and understand the need to properly prove their identities when making requests for passwords, etc.
• The policies must be disseminated to all users of the network, with education and training provided as to why compliance is essential.
• There should be explicitly defined consequences for violating the policies.
Your security policies should be specific and should address such issues as:
• Strong password policies: minimum length, complexity requirements, requirements to change passwords at specified intervals, prohibition on dictionary words, easily guessed numbers such as birthdates and social security numbers, etc., prohibitions on writing down passwords.
• Prohibitions against disclosing passwords, to whom (if anyone) passwords can be disclosed and under what circumstances, procedure to follow if someone requests disclosure of passwords.
• Requirement that users log off or use password protected screensavers when away from the computer, cautionary instructions on ensuring that no one is watching when you type in logon information, etc.
• Physical security measures to prevent visitors and outside contractors from accessing systems to place key loggers, etc.
• Procedure for verifying identity of users to IT department and IT personnel to users (secret PINs, callback procedures, etc.).
• Policies governing destruction (shredding, incineration, etc.) of paperwork, disks and other media that hold information a hacker could use to

Psychological profile and Behavior:
The hackers themselves teach social engineering from a psychological point-of-view, emphasizing how to create the perfect psychological environment for the attack. Basic methods of persuasion include: impersonation, ingratiation, conformity, diffusion of responsibility, and plain old friendliness. Regardless of the method used, the main objective is to convince the person disclosing the information that the social engineer is in fact a person that they can trust with that sensitive information. The other important key is to never ask for too much information at a time, but to ask for a little from each person in order to maintain the appearance of a comfortable relationship.
Impersonation generally means creating some sort of character and playing out the role. The simpler the role, the better. Sometimes this could mean just calling up, saying: “Hi, I’m Joe in MIS and I need your password,” but that doesn’t always work. Other times, the hacker will study a real individual in an organization and wait until that person is out of town to impersonate him over the phone. According to Bernz, a hacker who has written extensively on the subject, they use little boxes to disguise their voices and study speech patterns and org charts. I’d say it’s the least likely type of impersonation attack because it takes the most preparation, but it does happen.
Some common roles that may be played in impersonation attacks include: a repairman, IT support, a manager, a trusted third party (for example, the President’s executive assistant who is calling to say that the President okayed her requesting certain information), or a fellow employee. In a huge company, this is not that hard to do. There is no way to know everyone - IDs can be faked. Most of these roles fall under the category of someone with authority, which leads us to ingratiation. Most employees want to impress the boss, so they will bend over backwards to provide required information to anyone in power.
Conformity is a group-based behavior, but can be used occasionally in the individual setting by convincing the user that everyone else has been giving the hacker the same information now requested, such as if the hacker is impersonating an IT manager. When hackers attack in such a way as to diffuse the responsibility of the employee giving the password away, that alleviates the stress on the employee.
When in doubt, the best way to obtain information in a social engineering attack is just to be friendly. The idea here is that the average user wants to believe the colleague on the phone and wants to help, so the hacker really only needs to be basically believable. Beyond that, most employees respond in kind, especially to women. Slight flattery or flirtation might even help soften up the target employee to co-operate further, but the smart hacker knows when to stop pulling out information, just before the employee suspects anything odd. A smile, if in person, or a simple “thank you” clinches the deal. And if that’s not enough, the new user routine often works too: “I’m confused, (batting eyelashes) can you help me?”

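The one-time-password scheme the comment above describes (a list of passwords consumed in order, with a "calculator" that produces the next one) is, in its classic form, a Lamport hash chain as used by S/KEY and OPIE. The following is an added example, not code from the original post or from any of the sources it quotes: it builds the chain with SHA-256, keeps only the last accepted value on the server side, and shows why a password captured by a sniffer cannot be replayed. The fixed seed in `demo_sniffed_replay` is a constructed value so the run is reproducible; a real enrolment would use a random seed.

```python
import hashlib
import hmac
import secrets
from typing import List, Optional, Tuple


def h(data: bytes) -> bytes:
    """One step of the chain: SHA-256 of the previous value."""
    return hashlib.sha256(data).digest()


def generate_chain(seed: bytes, n: int) -> List[bytes]:
    """Return [p_0, p_1, ..., p_n] where p_0 = seed and p_i = h(p_{i-1})."""
    chain = [seed]
    for _ in range(n):
        chain.append(h(chain[-1]))
    return chain


class OtpServer:
    """Server side. Stores only the most recently verified chain value, so a
    stolen server record reveals nothing usable: the next valid password is a
    preimage of what is stored, and the hash is one-way."""

    def __init__(self, anchor: bytes, remaining: int) -> None:
        self.current = anchor        # p_n, handed over at enrolment
        self.remaining = remaining   # logins left before re-enrolment

    def login(self, presented: bytes) -> bool:
        if self.remaining <= 0:
            return False
        if hmac.compare_digest(h(presented), self.current):
            self.current = presented   # advance one step down the chain
            self.remaining -= 1
            return True
        return False


class OtpClient:
    """Client side, the 'calculator' the text mentions: keeps the seed and
    recomputes the next password on demand instead of carrying a printed list."""

    def __init__(self, seed: bytes, n: int) -> None:
        self.seed = seed
        self.next_index = n - 1   # first password presented is p_{n-1}

    def next_password(self) -> bytes:
        if self.next_index < 0:
            raise RuntimeError("chain exhausted; enrol a fresh seed")
        value = self.seed
        for _ in range(self.next_index):
            value = h(value)
        self.next_index -= 1
        return value


def enrol(n: int = 100, seed: Optional[bytes] = None) -> Tuple[OtpClient, OtpServer]:
    """Enrolment: the client picks a secret seed, computes p_n once, and hands
    only p_n to the server over a channel that is trusted at that moment."""
    seed = seed if seed is not None else secrets.token_bytes(32)
    anchor = generate_chain(seed, n)[-1]
    return OtpClient(seed, n), OtpServer(anchor, n)


def demo_sniffed_replay() -> dict:
    """Walk through a login, a replay of the sniffed password, and the next login.
    The seed is a constructed demo value, not something to reuse."""
    client, server = enrol(n=5, seed=b"constructed-demo-seed-not-for-real-use")
    p4 = client.next_password()                    # what a sniffer would capture
    first = server.login(p4)                       # True: h(p4) == stored p5
    replay = server.login(p4)                      # False: server now holds p4, needs p3
    second = server.login(client.next_password())  # True: client supplies p3
    return {"first": first, "replay": replay, "second": second,
            "remaining": server.remaining}


if __name__ == "__main__":
    print(demo_sniffed_replay())
```

The property that matters for the sniffing threat is visible in `demo_sniffed_replay`: after one successful login the server has moved on to `p4`, so the captured value is now useless and the attacker would need its preimage `p3`, which only the holder of the seed can compute. The chain is finite, which is why `remaining` is tracked and a new seed must be enrolled before it runs out.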
 
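The password policy bullet in the comment above lists the checks a policy should contain (minimum length, complexity, no dictionary words, no easily guessed numbers such as birthdates or social security numbers, no personal data). The following is an added example, not code from the original post or from the source it quotes, showing how those rules look as an enforceable check: `check_password` returns the list of violations so the caller can show the user why a candidate was rejected. The word list and the thresholds (12 characters, 3 of 4 character classes) are assumptions chosen for the example; a real deployment would load a full dictionary and the leaked-password lists from disk.

```python
import re
from datetime import date
from typing import Iterable, List

# Constructed, deliberately tiny word list; a real deployment loads a full
# dictionary (and the usual leaked-password lists) from disk.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "dragon", "monkey"}


def _plausible_date(digits: str) -> bool:
    """True if a run of digits reads as a calendar date (or bare year) in one of
    the common layouts: YYYY, DDMMYY/MMDDYY/YYMMDD, YYYYMMDD/DDMMYYYY/MMDDYYYY."""
    this_year = date.today().year
    if len(digits) == 4:
        return 1900 <= int(digits) <= this_year
    candidates = []
    if len(digits) == 6:
        a, b, c = digits[0:2], digits[2:4], digits[4:6]
        # DDMMYY, MMDDYY, YYMMDD; two-digit years expanded to 19xx and 20xx
        for yy, mm, dd in ((c, b, a), (c, a, b), (a, b, c)):
            for century in (1900, 2000):
                candidates.append((century + int(yy), int(mm), int(dd)))
    elif len(digits) == 8:
        candidates = [
            (int(digits[0:4]), int(digits[4:6]), int(digits[6:8])),  # YYYYMMDD
            (int(digits[4:8]), int(digits[2:4]), int(digits[0:2])),  # DDMMYYYY
            (int(digits[4:8]), int(digits[0:2]), int(digits[2:4])),  # MMDDYYYY
        ]
    for y, m, d in candidates:
        if not 1900 <= y <= this_year:
            continue
        try:
            date(y, m, d)
            return True
        except ValueError:
            continue
    return False


def check_password(pw: str, user_tokens: Iterable[str] = (), min_length: int = 12) -> List[str]:
    """Return a list of policy violations; an empty list means the password passes.
    `user_tokens` are per-user values (name, user name, birth date, ...) that the
    password must not contain. Thresholds are assumptions for this example."""
    problems: List[str] = []
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    classes = sum(bool(re.search(p, pw))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < 3:
        problems.append("uses fewer than 3 of the 4 character classes")
    low = pw.lower()
    for word in sorted(COMMON_WORDS):
        if word in low:
            problems.append(f"contains dictionary word '{word}'")
    for tok in user_tokens:
        if tok and tok.lower() in low:
            problems.append("contains personal data (name, birth date, ...)")
    for run in re.findall(r"\d{4,}", pw):
        if len(run) == 9:
            problems.append("contains a 9-digit run (social security number pattern)")
        elif _plausible_date(run):
            problems.append(f"contains a date-like number '{run}'")
    return problems


if __name__ == "__main__":
    # Constructed sample: a password built from a dictionary word plus the
    # user's own birth date, exactly the pattern the policy bullet warns about.
    for violation in check_password("Welcome19850412", user_tokens=("maria", "19850412")):
        print("-", violation)
```

The date check deliberately tries several layouts rather than one, because a birthdate typed as `120485`, `041285` or `19850412` is the same guessable fact; the substring test against `user_tokens` catches the cases where the policy already knows the user's details from the HR record.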
At August 07, 2006 4:55 PM, Anonymous Anonymous said...

As many people know, an engineer is someone who studied the career and practices the profession, but in this case a social engineer is not a professional with a title and never studied it. The name came about only because the word engineer refers to the brilliant minds of the people who practice it. These people are not professionals, but they are very intelligent.
There are many definitions that could be assigned. For example, a social engineer is someone who uses psychological tricks on users of a computer system in order to obtain the information he needs to gain access to the system; also, a social engineer is a person who gets needed information (for example, a password) from a person rather than breaking into a system. Thus social engineering is a hacker’s clever manipulation of the natural human tendency to trust. The hacker’s goal is to obtain information that will allow him/her to gain unauthorized access to valued information.
It is very difficult to avoid a social engineer; depending on the method, you will look at ways of combating attacks by identifying attacks and by using preventative technology. For example, a company's security policy should address information access controls, setting up accounts, access approval, and password changes. Modems should never be permitted on the company intranet. Locks, IDs, and shredding should be required. Violations should be posted and enforced.

Carlos E. Sandrea B.
ID: 15.011.776

 
At August 07, 2006 4:57 PM, Anonymous Anonymous said...

SOCIAL ENGINEERING

-HISTORY

During World War II, the German army counted among its ranks a formidable team of cryptanalysts whose mission was to decrypt the Allied communications. Relying on mathematics and science, its members managed to decipher up to 50% of the Allied communications that were intercepted. The Italian army did not have a similar cryptanalyst force and, nevertheless, deciphered a much greater number of communications. Instead, its highly successful strategy was based on bribery, deceit and sleeping with the High Commands to somehow get their secrets. This is a great example from the history of social engineering.

-DEFINITION

Social engineering is the practice of obtaining confidential information by manipulation of legitimate users. A social engineer will commonly use the telephone or internet to trick people into revealing sensitive information or getting them to do something that is against typical policies. By this method, social engineers exploit the natural tendency of a person to trust his or her word, rather than exploiting computer security holes.

-EXAMPLES

Here are some simple examples that show how a simple situation can be interpreted as social engineering:

- If you remember the film Independence Day, they used an old spaceship as cover for two humans to infiltrate the alien mother ship and upload a virus to destroy it.

That shows us how we are surrounded by social engineering, and it looks easier to learn how to live with it than to fight it.


Alberto Barrios.
16.302.315

 
At August 07, 2006 4:58 PM, Anonymous Anonymous said...

As many people know, an engineer is someone who studied the career and practices the profession, but in this case a social engineer is not a professional with a title and never studied it. The name came about only because the word engineer refers to the brilliant minds of the people who practice it. These people are not professionals, but they are very intelligent.
There are many definitions that could be assigned. For example, a social engineer is someone who uses psychological tricks on users of a computer system in order to obtain the information he needs to gain access to the system; also, a social engineer is a person who gets needed information (for example, a password) from a person rather than breaking into a system. Thus social engineering is a hacker’s clever manipulation of the natural human tendency to trust. The hacker’s goal is to obtain information that will allow him/her to gain unauthorized access to valued information.
It is very difficult to avoid a social engineer; depending on the method, you will look at ways of combating attacks by identifying attacks and by using preventative technology. For example, a company's security policy should address information access controls, setting up accounts, access approval, and password changes. Modems should never be permitted on the company intranet. Locks, IDs, and shredding should be required. Violations should be posted and enforced.

Carlos E. Sandrea B.
ID: 15.011.776

 
At August 07, 2006 5:00 PM, Anonymous Anonymous said...

In the field of computer security, social engineering is the practice of obtaining confidential information by manipulation of legitimate users. A social engineer will commonly use the telephone or internet to trick a person into revealing sensitive information or getting them to do something that is against typical policies. By this method, social engineers exploit the natural tendency of a person to trust his or her word, rather than exploiting computer security holes.

Its importance has been enormously increased by the growth of modern methods of propaganda. Of these the most influential is what is called education. Religion plays a part, though a diminishing one; the press, the cinema, and the radio play an increasing part.
Note:
Social engineering is an attack based on deceiving users or administrators at the target site. Social engineering attacks are typically carried out by telephoning users or operators and pretending to be an authorized user, to attempt to gain illicit access to systems!

iria villalobos
ID: 16.187.397

 
At August 07, 2006 5:02 PM, Anonymous Anonymous said...

Social Engineering: Hacker Tactics

Social engineering is generally a hacker’s clever manipulation of the natural human tendency to trust. The hacker’s goal is to obtain information that will allow him/her to gain unauthorized access to a valued system and the information that resides on that system.
Target and Attack: the typical targets include telephone companies and answering services, big-name corporations and financial institutions, military and government agencies, and hospitals. The Internet boom had its share of industrial engineering attacks in start-ups as well, but attacks generally focus on larger entities.
Social Engineering by Phone: A hacker will call up and imitate someone in a position of authority or relevance and gradually pull information out of the user. Help desks are particularly prone to this type of attack. For example: “’Hi, I’m your AT&T rep, I’m stuck on a pole. I need you to punch a bunch of buttons for me.’”
Dumpster Diving: dumpster diving, also known as trashing, is another popular method of social engineering. A huge amount of information can be collected through company dumpsters.
On-Line Social Engineering: the Internet is fertile ground for social engineers looking to harvest passwords. The primary weakness is that many users often repeat the use of one simple password on every account: Yahoo, Travelocity, Gap.com, whatever. So once the hacker has one password, he or she can probably get into multiple accounts. One way in which hackers have been known to obtain this kind of password is through an on-line form: they can send out some sort of sweepstakes information and ask the user to put in a name (including e-mail address – that way, she might even get that person’s corporate account password as well) and password.
E-mail can also be used for more direct means of gaining access to a system. For instance, mail attachments sent from someone of authenticity can carry viruses, worms and Trojan horses. A good example of this was an AOL hack, documented by VIGILANTe: “In that case, the hacker called AOL’s tech support and spoke with the support person for an hour. During the conversation, the hacker mentioned that his car was for sale cheaply. The tech supporter was interested, so the hacker sent an e-mail attachment ‘with a picture of the car’. Instead of a car photo, the mail executed a backdoor exploit that opened a connection out from AOL through the firewall.”
Persuasion: The hackers themselves teach social engineering from a psychological point-of-view, emphasizing how to create the perfect psychological environment for the attack. Basic methods of persuasion include: impersonation, ingratiation, conformity, diffusion of responsibility, and plain old friendliness. Regardless of the method used, the main objective is to convince the person disclosing the information that the social engineer is in fact a person that they can trust with that sensitive information. The other important key is to never ask for too much information at a time, but to ask for a little from each person in order to maintain the appearance of a comfortable relationship.

Mariangel Linares - C.I: 4743121

 
At August 07, 2006 5:04 PM, Anonymous Anonymous said...

SOCIAL ENGINEERING


One definition: “It is the practice of obtaining confidential information by manipulation of legitimate users.” In other words, it is a person who takes information without the legal permission of the legitimate users. These people commonly use a telephone or the internet to get the information that they need.

The psychological profile of social engineering is simple and easy. It involves far more than simply quick thinking and a variety of amusing accents. Social engineering concentrates on the weakest link of the computer security chain. They hack everything that they can, from a target to your personal computer.

They are very friendly people; they talk to you and get all the information that they need, and cheat other people using common language. One of the essential tools used for social engineering is a good memory for gathered facts.

Some people believe that it is impossible to hack information when it is sent by mail, but it is true and easier than we thought.

We have to be more secure when someone asks about us, when sending mails or receiving them.


Thayliana Zambrano.
C.I. 13931360

 
At August 07, 2006 5:04 PM, Anonymous Anonymous said...

.- In my opinion about SOCIAL ENGINEERING: IT IS A PERSON WHO TRICKS THE INFORMATION OUT OF THE OTHER PERSON, FOR EXAMPLE A PERSON SUCH AS A HACKER. YOU CAN LOSE YOUR PASSWORD!
IF YOU HAVE SEEN… WHO IS A SOCIAL ENGINEER?
READ THE DEFINITION: Social Engineering is hacker-speak for tricking a person into revealing their password. A classic social engineering trick is for a hacker to send email claiming to be a system administrator. The hacker will claim to need your password for some important system administration work, and ask you to email it to him/her. As we explain later, it's possible for a hacker to forge email, making it look like it came from somebody you know to be a legitimate system administrator. Often the hacker will send this message to every user on a system, hoping that one or two users will fall for the trick.
DO YOU KNOW? Social engineering is like selling. He meets your needs because he is used to taking something.


.- What people call shoulder surfing is using direct observation techniques, such as looking over someone's shoulder, to get information.
"WEN CHON HUNG" (the Chinese).

 
At August 07, 2006 5:04 PM, Anonymous Anonymous said...

The origin of the word engineering comes from ingenious. Social engineering is a practice that is used to obtain data from other people in order to cheat them, and to obtain codes and other important information, for example card codes, bank accounts, addresses, etc… One way to deceive people is calling the victim, announcing to him that he has won some prize, and soliciting personal information. Other ways use the internet, through which almost everything is possible. Jose A. Gutierrez C. ID.18153380

 
At August 07, 2006 5:05 PM, Anonymous Anonymous said...

Social engineering is a career in which people don’t have to study, because only with your ingenuity and some skills you can be a social engineer. A social engineer is in charge of obtaining confidential information from people who don’t realize what happened to them at the specific moment when this kind of engineer stole this information by manipulation.
Generally a social engineer uses the phone or the internet to trick people by saying real information, which convinces them to trust in him or her. The most prevalent type of social engineering attack is conducted by phone. A hacker will call up and imitate someone in a position of authority or relevance and gradually pull information out of the user.
On the other hand, a way hackers may obtain information on-line is by pretending to be the network administrator, sending e-mail through the network and asking for a user’s password.
Those are methods that social engineers, or in other words “HACKERS”, can use to trick or manipulate people.
The hackers themselves teach social engineering from a psychological point-of-view, emphasizing how to create the perfect psychological environment for the attack. Basic methods of persuasion include: impersonation, ingratiation, conformity, diffusion of responsibility, and plain old friendliness. Regardless of the method used, the main objective is to convince the person disclosing the information that the social engineer is in fact a person that they can trust with that sensitive information. The other important key is to never ask for too much information at a time, but to ask for a little from each person in order to maintain the appearance of a comfortable relationship.
The best way to obtain information in a social engineering attack is just to be friendly. The idea here is that the average user wants to believe the colleague on the phone and wants to help, so the hacker really only needs to be basically believable. Beyond that, most employees respond in kind, especially to women.
In conclusion, as a recommendation, people have to know combat strategies, which look at ways of combating attacks by identifying attacks and by using preventative technology, training, and policies.


Yenireé Albornoz
C.I. 17.461.744

 
At August 07, 2006 5:06 PM, Anonymous Anonymous said...

LILYANA CARRILLO
I.D: 16065697
puchunguita69@hotmail.com
Section:N713

Social engineering is a concept in political science that refers to efforts to influence popular attitudes and social behavior on a large scale, whether by governments or private groups. In the political arena the counterpart of Social engineering is: Political engineering.

Karl Popper
In his classic political science book, The Open Society and Its Enemies, volume I, The Spell of Plato, Karl Popper examined the application of the critical and rational methods of science to the problems of the open society. In this respect, he made a crucial distinction between the principles of democratic social reconstruction (called 'piecemeal social engineering') and 'Utopian social engineering'.

Social engineering through history
Before one can engage in social engineering, one must have reliable information about the society that is to be engineered, and one must have effective tools to carry out the engineering. Both of these only became available relatively recently - roughly within the past one hundred years. The development of social science made it possible to gather and analyze information about social attitudes and trends, which is necessary in order to judge the initial state of society before an engineering attempt and the success or failure of that attempt after it has been implemented. At the same time, the development of modern communications technology and the media provided the tools through which social engineering could be carried out.

While social engineering can be carried out by any organization - whether large or small, public or private - the most comprehensive (and often the most effective) campaigns of social engineering are those initiated by powerful central governments.

 
At August 07, 2006 5:06 PM, Anonymous Anonymous said...

NAME: Maria Flores.
CI: 14748566
Social Engineering is the science and the practice of getting people to comply with your wishes; for the social engineer it is easy to involve people in giving up confidential information that he is going to use for himself. They usually do their job over the Internet, taking valuable information from other people, so be careful with this kind of person. They also may try to get access to your system by pretending some things are true. "Don't let them."

Another common trick is known as ``shoulder surfing''. This simply means that somebody looks over your shoulder while you type in your password. Sometimes it's impossible to guarantee that nobody can see your keystrokes, for example in a crowded computer lab. But you should be on the lookout for people looking over your shoulder for no good reason.

If you're suspicious of somebody, don't type your password until they've gone. If you think somebody has seen your password, change it after they're gone (use the command passwd).

If you can, try to type your password quickly. With practice, you can learn to type your password pretty quickly, even if you're not a great typist to start with.

It's decidedly impolite to look when somebody is typing their password. If somebody is watching you when you type your password, you can ask them to not look while you login.

This kind of person can change your life, so you cannot trust anyone.

 
At August 07, 2006 5:07 PM, Anonymous Anonymous said...

Javier Ramirez
DEFINITION
Social engineering is the practice of obtaining confidential information by manipulation of legitimate users. A social engineer will commonly use the telephone or Internet to trick people into revealing sensitive information or getting them to do something that is against typical policies. By this method, social engineers exploit the natural tendency of a person to trust his or her word, rather than exploiting computer security holes. It is generally agreed upon that “users are the weak link” in security and this principle is what makes social engineering possible.
OTHER RELATED TERMS
SHOULDER SURFING

- Shoulder surfing is using direct observation techniques, such as looking over someone's shoulder, to get information. Shoulder surfing is an effective way to get information in crowded places because it's relatively easy to stand next to someone and watch as they fill out a form, enter a PIN number at an ATM machine, or use a calling card at a public pay phone. Shoulder surfing can also be done long distance with the aid of binoculars or other vision-enhancing devices. To prevent shoulder surfing, experts recommend that you shield paperwork or your keypad from view by using your body or cupping your hand.
PASSWORD SNIFFING
If a hacker can't guess your password, there are other ways he/she can try to get it. One way which has become very popular is called ``password sniffing''.
It turns out that most networks use what's known as ``broadcast'' technology. What that means is that every message that a computer on the network transmits can be read by any other computer on that network. In practice, all the computers except the recipient of the message will notice that the message is not meant for them, and ignore it.
However, many computers can be programmed to look at every message on the network. If one does this, one can look at messages which are not intended for you.
Hackers have programs which do this, and then scan all the messages which traverse a network looking for passwords. If you login to a computer across a network, and some computer on the network you use has been compromised this way, you may end up giving your password to the attacker.
Using this technique, hackers who've broken into computers which are on heavily used networks have collected thousands of passwords.
This is a serious threat to users who login to our computers from remote sites. If you login on the console of a computer, your password never crosses a network where it can be sniffed. But if you login from some other school, or from an internet service provider, you are dependent on the security of their network.
One way to protect yourself from password sniffing, is to arrange to not need to type your password. The program rlogin can be configured to not require your password. If you know ahead of time that you'll be using your account from a given computer, you can create a file named .rhosts and put a line with the name of the remote computer you'll be using in that file. If you try to rlogin to our computers from the computer listed in your .rhosts, you won't be asked for your password. In effect, our computer will trust the other computer for your account if you list it in your .rhosts.
There are some dangers associated with the use of .rhosts files. If the remote computer gets broken into, the hacker might deduce that he/she can simply rlogin to your account here. One way to minimize that risk is to not have .rhosts files on both machines point at each other. If your account on the remote machine doesn't have a .rhosts file which allows your SEAS account to login, somebody who's broken into the remote computer is less likely to notice that your account there can be used to breakin to our computers here.
Despite these dangers, the CNG feels that the dangers of password sniffing outweigh the dangers of .rhosts, and so in most cases we advise using rhosts if you expect to be accessing your SEAS account remotely.
Under no circumstances should you use a ``+'' (plus) character in your .rhosts!
Another better way to defend against password sniffing is to use one-time-passwords. A one-time-password is a password which is only good for one use. After you've used it once, it's no longer any good, and so sniffing it is useless to a hacker. Of course, somehow you must be able to login more then once.
One way to accomplish this is to carry a list of passwords. Each time you login, you use the next password on the list. Some systems even provide ``calculators'' so that you don't need to carry a list. The calculator, which may run on your Macintosh or PC, will tell you which is the next password on the list, so all you need to do is cut and paste the password from the calculator.
The SEAS has suffered two serious breakins in the last year as a result of passwords sniffed on remote sites. As a result, we are working on implementing procedures which will require remote users to use one-time-passwords to login to our computers. We hope to have this in place before Summer.
TYPICAL TARGETS
Typical targets include...
• Telephone Companies
• Financial & Banking Institutions
• Military Targets
• Large Corporations
• Government Agencies
The Internet boom has had its share of engineering attacks. In general attacks focus on larger organizations, but never let your guard down! Any organization with data of any kind of value makes a great target!
Untested Plans and Procedures
While organizations might understand their threats and vulnerabilities, and attempt to address the vulnerabilities through proper operational procedures, it is difficult to determine if the procedures are adequate unless they are tested. A good example of an untested procedure is the reliance upon internal identifiers. Many organizations establish an internal identifier that is used to authenticate an employee to another employee. For example, many organizations rely upon the Social Security Number to identify people. It takes very little effort for an outside attacker to obtain a Social Security Number before attempting to obtain the desired information.
A Social Engineering attack may be composed of several small attacks, which in and of themselves might be inconsequential. Unfortunately, the sum of a Social Engineering attack is greater than the sum of its parts. Small attacks will probably go unnoticed, and may occur over several months.
While an organization might establish a procedure that requires an authenticating mechanism, there must be procedures to protect authenticating mechanisms. This is where a large number of security plans fail. Many organizations may test a specific part of a security plan or procedure, however the security plans and procedures must be tested as a whole.
HOW DOES SOCIAL ENGINEERING WORK?
Social engineering is defined as a “non-technical kind of intrusion that relies heavily on human interaction and often involves tricking other people to break normal security procedures.” (from searchsecurity.techtarget.com). Common social engineering scenarios include:
• Telephoning a user and posing as a member of the IT team, who needs the user’s password and other information in order to troubleshoot problems with the network or the user’s account.
• Telephoning the IT department and posing as a high ranking executive in the company, pretending to have forgotten his/her password and demanding that information immediately because of a pressing business urgency.
• Developing a personal relationship with a user or IT team member with the intent of “sweet talking” the person out of confidential information that can be used to break into the network.
A good social engineer is not only a good actor, but is also good at “reading” people to determine what type of ploy will work best with a particular person. When a hacker combines social engineering skills with technical expertise, it becomes easy to breach almost any network. Many common Internet scams, such as e-mails purporting to be from a user’s bank or credit card company and asking them to go to a Web site where they’re directed to fill in account information, are forms of social engineering.
Some social engineers base their success on research abilities. Such activities as “dumpster diving” (going through discarded paperwork to find credentials and other useful information) can also be considered a form of social engineering. Some hackers may develop elaborate schemes to pose as building repair personnel or even temporarily take jobs as janitors to gain initial access, while others do all of their work from afar and never set foot near the physical site. A determined hacker may put days or weeks of effort into gaining the trust of a target employee. This may be done in person, over the telephone or via e-mail or IM.
“Reverse social engineering” is a term used to refer to hackers who create some sort of problem on the network or the user’s computer and then come to the rescue (like the cases we occasionally read about where a person sets a fire and then rushes in to put it out, becoming an instant hero to the victims). This helps the social engineer gain trust quickly, and makes it easier for him/her to get desired information out of the victim. For example, the social engineer might then send an e-mailed attachment that contains malicious code through which he can gain control of the victim’s computer. Because the victim now “knows” (and trusts) the engineer, the victim doesn’t exercise the same caution about opening the attachment as would be the case if the attachment were from someone else.
How do you avoid being a victim?
• Be suspicious of unsolicited phone calls, visits, or email messages from individuals asking about employees or other internal information. If an unknown individual claims to be from a legitimate organization, try to verify his or her identity directly with the company.
• Do not provide personal information or information about your organization, including its structure or networks, unless you are certain of a person's authority to have the information.
• Do not reveal personal or financial information in email, and do not respond to email solicitations for this information. This includes following links sent in email.
• Don't send sensitive information over the Internet before checking a web site's security (see Protecting Your Privacy for more information).
• Pay attention to the URL of a web site. Malicious web sites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com vs. .net).
• If you are unsure whether an email request is legitimate, try to verify it by contacting the company directly. Do not use contact information provided on a web site connected to the request; instead, check previous statements for contact information. Information about known phishing attacks is also available online from groups such as the Anti-Phishing Working Group (http://www.antiphishing.org/phishing_archive.html).
• Install and maintain anti-virus software, firewalls, and email filters to reduce some of this traffic (see Understanding Firewalls, Understanding Anti-Virus Software, and Reducing Spam for more information).
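
The one-time-password defense against password sniffing described in the comment above, as an added example that is not part of the original post: a Lamport/S/KEY-style hash chain, where the user holds the list of passwords and the server stores only the hash of the next one, so a password sniffed off the wire is worthless once it has been used. Class and function names here are my own, not any product's API, and the seed is constructed for the demonstration.

```python
# Added example, not from the original post: a Lamport/S/KEY-style one-time
# password chain. The user holds a list of passwords; the server stores only
# the hash of the next one, so a password sniffed off the wire is useless
# once it has been used. Class and function names are my own, not any
# product's API.
import hashlib
import secrets


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def make_chain(seed: bytes, n: int) -> list:
    """Return [h^0(seed), h^1(seed), ..., h^n(seed)].

    The user keeps the whole list (the 'calculator' the text mentions could
    regenerate it from the seed); the server is given only chain[-1].
    """
    chain = [seed]
    for _ in range(n):
        chain.append(_h(chain[-1]))
    return chain


class OtpServer:
    """Knows h^k(seed) and accepts exactly the value whose hash matches it."""

    def __init__(self, last: bytes, remaining: int):
        self.last = last            # most recently accepted value, initially h^n(seed)
        self.remaining = remaining  # logins left before the list must be renewed

    def login(self, password: bytes) -> bool:
        if self.remaining <= 0 or _h(password) != self.last:
            return False
        # Step one link down the chain. The value just used can never verify
        # again, because its hash is no longer what the server compares against.
        self.last = password
        self.remaining -= 1
        return True


class OtpClient:
    """Walks the list from h^(n-1) down to h^0, one password per login."""

    def __init__(self, chain: list):
        self.chain = chain
        self.index = len(chain) - 2

    def next_password(self) -> bytes:
        if self.index < 0:
            raise RuntimeError("password list exhausted; generate a new chain")
        password = self.chain[self.index]
        self.index -= 1
        return password


def sniff_and_replay(n: int = 5) -> tuple:
    """Legit login, attacker replays the sniffed password, legit login again."""
    chain = make_chain(secrets.token_bytes(16), n)
    server = OtpServer(chain[-1], n)
    client = OtpClient(chain)
    sniffed = client.next_password()               # crosses the network in the clear
    first = server.login(sniffed)                  # True
    replay = server.login(sniffed)                 # False: already consumed
    second = server.login(client.next_password())  # True
    return first, replay, second


def exhaust(n: int = 3) -> tuple:
    """Use every password on the list, then show the server refuses more."""
    chain = make_chain(b"constructed-seed", n)    # constructed seed for the demo
    server = OtpServer(chain[-1], n)
    client = OtpClient(chain)
    ok = sum(server.login(client.next_password()) for _ in range(n))
    stale = server.login(chain[0])                 # re-using the last one fails
    return ok, stale, server.remaining


if __name__ == "__main__":
    print(sniff_and_replay())  # (True, False, True)
    print(exhaust())           # (3, False, 0)
```

The server never learns the seed and never stores anything a sniffer could reuse: what crosses the wire is the preimage of the stored hash, and after one successful login the stored hash moves down the chain. Note that this only defeats replay, not an attacker who hijacks the session after login, and the list must be renewed before it runs out.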
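The advice above to pay attention to a site's URL rather than its appearance, as an added example that is not part of the original post: a small checker that looks at the host of a link and flags the common lookalike tricks (a different top-level domain, the real name buried as a subdomain of someone else's domain, a one-character typo, a bare IP address, or a trusted site reached over plain http). The trusted list is constructed for the example, the rules are my own, and the "registrable domain" is taken naively as the last two labels, which is wrong for suffixes such as co.uk.

```python
# Added example, not from the original post: a URL lookalike check of the kind
# the advice above recommends. TRUSTED is constructed for the example; the
# rules are my own and deliberately simple (registrable domain = last two
# labels, which misfires on suffixes like co.uk).
from urllib.parse import urlsplit

TRUSTED = {"mybank.com", "example.com"}   # constructed: domains the user really deals with


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Naive registrable domain: the last two labels of the host."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_url(url: str, trusted=TRUSTED) -> tuple:
    """Return (verdict, reasons); verdict is 'trusted', 'suspicious' or 'unrecognized'."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not host:
        return "unrecognized", ["no host in URL"]
    reasons = []
    if host.replace(".", "").isdigit():
        reasons.append("bare IP address instead of a domain name")
    reg = registrable(host)
    if reg in trusted:
        if parts.scheme != "https":
            reasons.append("trusted site reached over plain http")
        return ("suspicious" if reasons else "trusted"), reasons
    labels = host.split(".")
    sld, tld = reg.split(".")[0], reg.split(".")[-1]
    for t in sorted(trusted):
        t_labels = t.split(".")
        t_sld, t_tld = t_labels[0], t_labels[-1]
        # mybank.com.evil.net: the trusted name is only a subdomain of another domain
        for i in range(len(labels) - len(t_labels)):
            if labels[i:i + len(t_labels)] == t_labels:
                reasons.append(f"'{t}' appears inside the unrelated domain '{reg}'")
                break
        if sld == t_sld and tld != t_tld:
            reasons.append(f"same name as '{t}' but different top-level domain")
        elif 0 < edit_distance(sld, t_sld) <= 1:
            reasons.append(f"one character away from '{t}'")
        elif t_sld in sld and sld != t_sld:
            reasons.append(f"'{t_sld}' embedded in the longer name '{sld}'")
    return ("suspicious" if reasons else "unrecognized"), reasons


if __name__ == "__main__":
    for u in ("https://www.mybank.com/login", "http://mybank.com/", "https://mybank.net/",
              "https://mybank.com.evil.net/", "https://mybamk.com/",
              "https://secure-mybank.com/", "https://192.0.2.10/login", "https://unrelated.org/"):
        print(u, classify_url(u))
```

The check is meant to run on the link target (what the browser will actually visit), not on the link text in the mail, since the two need not agree. It complements the advice to contact the company through a known-good number or statement rather than through anything in the suspicious message.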

 
At August 09, 2006 10:02 PM, Anonymous Anonymous said...

ASDRUBAL FLORES
ID: 17371545
SECTION: N 713

SOCIAL ENGINEER

Is defined as obtaining confidential information in order to deceive other people and take their money. The psychological profile of social engineers: crafty and very intelligent people, able to defraud.

Common procedures: an example is the use of e-mail attachments when handing over personal information.

How to avoid it: training users in the use of security policies, and making sure they are followed, is the main defense against social engineering.

 
At August 13, 2006 6:31 PM, Blogger PatMendoza said...

Ok guys I’ve been very pleased with your investigation and everybody demonstrated in the exam how your research was... Congrats!!, you did a pretty good job and I hope you’ve really learned and enjoyed working with the topic.
I’ll see you around and KEEP ON the good work!!

 
