Saturday, 18 May 2013



Social engineering is the art of manipulating people into performing actions or divulging confidential information.

This type of attack is non-technical and relies heavily on human interaction.

Hackers use social engineering attacks to obtain information that will allow them to gain unauthorized access to a valued system and the information that resides on that system.

The purpose of social engineering is usually to secretly install spyware or other malicious software, or to trick a person into handing over passwords and/or other sensitive financial or personal information.

What are they looking for?

1:- Simple information such as your pet's name, where you are from, the places you have visited; information that you give out freely to your friends.
2:- Take a close look at some of the 'secure' sites you log into. Some have 'secret questions' you have to answer if you cannot remember your user name or password. The questions are pretty tough for an outsider looking in who is trying to hack into your account.

Tactics:

1:- Pretexting- Creating a fake scenario

2:- Phishing- Fraudulently obtaining private information

3:- Quid pro quo:- Something for something

4:- Baiting:- Real world trojan horse

5:- Diversion theft:- A con

Pretexting

Creating a fake scenario

Prior research/setup is used to establish legitimacy
The victim gives information that a user would normally not divulge

This technique is used to impersonate
Authority etc.
Using prepared answers to the victim's questions
Other gathered information

Ex: Law enforcement
Threat of an alleged infraction to detain a suspect and hold for questioning

Phishing

Fraudulently obtaining private information

Send an email that looks like it came from a legitimate business

Request verification of information and warn of some consequence if not provided

Usually contains link to a fraudulent web page that looks legitimate

User gives information to the social engineer
Ex: eBay scam

Spear phishing
Specific, targeted phishing
Ex: email that makes claims using your name

Vishing
Phone phishing
Rogue interactive voice system
Ex: victim is told to call the "bank" to verify information

Quid pro quo

Something for something

Call random numbers at a company, claiming to be from technical support.


Eventually, you will reach someone with a legitimate problem

Grateful that you called them back, they will follow your instructions

The attacker will "help" the user, but will really have the victim type commands that will allow the attacker to install malware

Baiting

A real-world trojan horse

Uses physical media

Relies on greed/curiosity of victim

Attacker leaves a malware-infected CD or USB drive in a location where it is sure to be found

Attacker puts a legitimate-looking or curiosity-provoking label on it to gain interest

Ex: "Company Earnings 2009" left at the company elevator
Curious employee/good Samaritan picks it up
User inserts the media and unknowingly installs malware

Diversion theft

A con

Persuade the delivery person that the delivery is requested elsewhere - "round the corner"

When the delivery is redirected, the attacker persuades the delivery driver to unload the delivery near the address

Ex: Attacker parks a security van outside a bank. Victims going to deposit money into the night safe are told that the night safe is out of order. The victims then give their money to the attacker to put in the fake security van.

Most companies do not prepare employees for this type of attack

Weakest link

No matter how strong your:
Firewalls
Intrusion Detection Systems
Cryptography
Anti-virus software 

You are the weakest link in computer security!
People are more vulnerable than computers
"The weakest link in the security chain is the human element" - Kevin Mitnick

Ways to prevent and protect

3rd party test - ethical hacker
Have a third party come to your company and attempt to hack into your network
The 3rd party will attempt to glean information from employees using social engineering
This helps detect the problems people have with security

Be suspicious of unsolicited phone calls, visits, or email messages from individuals asking about internal information

Do not provide personal information or information about the company (such as the internal network) unless the authority of the person is verified

Before transmitting personal information over the internet, check that the connection is secure and that the URL is correct
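The phishing section above describes a mail whose link "looks legitimate" while pointing at a fraudulent page, and the advice here is to check that the URL is correct. The following is added example code, not code from the original post: it parses a constructed sample e-mail and flags every link whose visible text shows one domain while the real target (the href) points to another. The sample message, the hypothetical domains and the simple last-two-labels domain comparison are all assumptions made for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample in the style of the "verify your account or else" lure
# described above. The domains are hypothetical and exist only for this example.
SAMPLE_EMAIL = """
<p>Dear customer, your account will be suspended unless you verify your
details within 24 hours.</p>
<p>Sign in at <a href="http://secure-login.example-bank-verify.net/verify">https://www.example-bank.com/signin</a></p>
<p>Questions? Visit <a href="https://www.example-bank.com/help">https://www.example-bank.com/help</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the anchor currently open, if any
        self._text = []     # text fragments seen inside that anchor

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude last-two-labels approximation (assumption: no public-suffix list)."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def find_deceptive_links(html):
    """Return (shown_text, real_href) pairs where the link text looks like a URL
    on one domain but the href actually leads to a different domain."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        shown = re.match(r"https?://([^/\s]+)", text)
        if not shown:
            continue  # plain-word link text carries no URL claim to compare
        target = urlparse(href).hostname or ""
        if registrable_domain(shown.group(1)) != registrable_domain(target):
            flagged.append((text, href))
    return flagged
```

Run on the constructed mail, only the first link is returned; the help link, whose text and target agree, passes.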


If unsure if an email message is legitimate, contact the person or company by another means to verify

Be paranoid and aware when interacting with anything that needs to be protected

KEVIN MITNICK (famous social engineer hacker)

Went to prison for hacking
Became an ethical hacker

"People are generally helpful, especially to someone who is nice, knowledgeable or insistent."


Kevin Mitnick - The Art of Deception

"People inherently want to be helpful and therefore are easily duped"


"They assume a level of trust in order to avoid conflict"


"It's all about gaining access to information that people think is innocuous when it isn't"

Hear a nice voice on the phone and we want to be helpful

Social engineering cannot be blocked by technology alone

A quote from KEVIN MITNICK

"You could spend a fortune purchasing technology and services from every exhibitor, speaker and sponsor at the RSA Conference, and your network infrastructure could still remain vulnerable to old-fashioned manipulation."








Thank you for reading my post. Please comment and share.

Ankush Mohanty is a Security Researcher and Analyst with experience in various aspects of information security. Other than this, he is a Certified Ethical Hacker. All his efforts are to make the internet more secure.


    MyFreeCopyright.com Registered & Protected