Part One: Behind the Scenes
Chapter 1 Security's Weakest Link
A company may purchase the best security technology that money can buy. Its employees may be well trained; they lock away every secret before going home, and the company has hired professional security guards. That company is still vulnerable. Some people follow every recommended security practice, install all the recommended security products, and handle system configuration and application security patches properly, yet they are still not secure.
The Human Factor
In my testimony before Congress, I explained that I could often obtain passwords or other similarly sensitive information from a company simply by pretending to be someone else and asking for it directly. People are often lulled into a false sense of security. Imagine a conscientious homeowner who has a Medico (translator's note: Medico, a well-known and expensive brand) pick-resistant lock installed on the front door of his house to protect his wife, his children, and his home. He feels reassured, because he has done a fine job of protecting his family. But what about the intruder who breaks a window, or cracks the code to the door? Install a strong security system? It helps, but it is not safe enough. Whether the anti-theft lock is expensive or cheap, the owner's security is still hard to guarantee. Why? Because the human factor is security's weakest link.
Security is usually just an illusion, one made worse by gullibility, curiosity, and ignorance. Einstein, the most respected scientist of the twentieth century, said: "Only two things are infinite, the universe and human stupidity. And I am not sure about the former." In the end, social engineering attacks succeed because people are foolish or, more commonly, simply ignorant of good information security practices.
Like this homeowner, many information technology (IT) professionals hold a similar misconception. They believe their company is solid because it is equipped with fine security devices: firewalls, intrusion detection systems, or stronger authentication systems such as time-based tokens and biometric smart cards. Anyone who believes that security products alone guarantee security is living with a false sense of security; this is an example of living in a fantasy world, and such people will inevitably suffer a security incident.
As a famous security consultant put it: "Security is not a product, it is a process." Furthermore, security is not a technology problem; it is a people and management problem. Because developers keep creating better security technology products, exploiting technical vulnerabilities becomes harder and harder. As a result, more and more attackers turn to the human element. Getting past a person is very easy: it takes only a phone call, at minimal cost and minimal risk.
A Classic Case of Deception
What is the greatest threat to corporate assets? Very simple: the social engineer. An unscrupulous magician who draws your attention with his left hand while his right hand steals your secrets. He is usually very friendly and well-spoken, and people feel fortunate to have met him. Let us look at an example of social engineering:
Many people remember a young man named Stanley Mark Rifkin and his adventure at Security Pacific National Bank in Los Angeles. Many of the details are disputed, and Rifkin (like me) has never told the story himself, so the following narrative is based on public reports.
Getting the Password
One day in 1978, Rifkin wandered into the wire transfer room of Security Pacific National Bank, an area restricted to authorized staff, where the daily turnover reached billions of dollars. The company Rifkin worked for at the time happened to be developing a data backup system for the wire room, which gave him the chance to learn the transfer procedures, including how transfers were sent out. He learned that the traders authorized to make wire transfers received a closely guarded password every morning for use in telephone transfer transactions. To remember the daily password, the traders in the wire room wrote it on a slip of paper and posted it where it was easy to see. One day in November, Rifkin had a particular reason for entering the wire room. Once inside, he took some notes on the operating procedures, making a show of confirming that the backup system worked with normal operations. Seizing the opportunity, he glanced at the password on the slip of paper, memorized it, and a few minutes later walked out of the wire room. Rifkin later recalled: "It felt like winning the big prize."
The Transfer
Rifkin left the wire room at about 3 p.m., walked to the pay phone in the building's front lobby, dropped in a coin, and called the wire room. At this point he changed his identity, posing as a bank employee: Mike Hansen, who worked in the International Department. The conversation went like this:
"Hi, this is Mike Hansen in the International Department," he said. The woman who answered the phone asked for his office number, as the standard procedure required. "286," he replied; he had prepared for this. She said: "Okay, what is the password?" Rifkin recalled his "excitement." "4789," he said, trying to state the password calmly. He then instructed her to transfer over ten million US dollars from Irving Trust Company to a bank in Zurich, Switzerland, where he had already set up an account. The other party said: "Okay, got it. Now please tell me the account number."
Rifkin was startled; he had not anticipated this question. There was a hole in his deception plan. But he stayed in character, kept very calm, and answered immediately: "Let me check, I'll call you back." This time, posing as a staff member of the wire room, he called another department of the bank, obtained the account number, and called back with it. The other party replied: "Thank you." (Saying "thank you" in this situation is truly ironic.)
Success
A few days later, Rifkin flew to Switzerland to collect the cash, used eight million of it to buy diamonds through a Russian agent, then sealed the diamonds in a belt and flew back to the United States. Rifkin had carried out the largest bank robbery in history without using a weapon, and without even needing the help of a computer. Strangely, the incident was entered in the Guinness Book of World Records as the "largest computer fraud case." Stanley Rifkin used the art of deception, the skill and ability we now call social engineering.
The Nature of the Threat
Rifkin's story shows how unreliable our sense of security is. Such incidents (perhaps not for $10 million, but losses all the same) happen every day: your funds may be taken and your new product plans stolen without your ever knowing. Even if your company has not yet experienced such a thing, it eventually will. The only question is when.