Social Engineering (reproduced)

Posted by xiaoxiao, 2021-03-05

By Sarah Granger
Translation: Sword@chinansl.com, Squall@chinansl.com

A True Story

A few years ago, a group of strangers walked into a large shipping company and walked out with control of the company's entire computer network. How did they do it? With a little help from many different employees. First, they studied the company for two days before setting foot on the premises, for example by calling the human resources department to learn the names of key employees. Then they pretended to be locked out at the front door, and someone let them in. Finally, when they reached the third-floor secure area, they claimed once again to have lost their identity badges, and an employee smiled and opened the door for them. The strangers knew that the company's CFO was away, so they went into his office and took financial data from the computer he had left unlocked. They went through the company's rubbish and found all kinds of valuable documents, and with the janitor's help carried them out of the building. They had also learned to imitate the CFO's voice, so they could phone in as a flustered CFO and ask for the network password. From there they used ordinary hacking techniques to gain superuser privileges on the system. In this case the strangers were network security consultants hired by the CFO to audit his own systems, and the company's other employees knew nothing about it. The CFO never gave them any privileged information, yet through social engineering alone they obtained all the access they wanted. (This story is told by Kapil Raina, now a security expert at VeriSign and co-author of mCommerce Security: A Beginner's Guide; it is drawn from his experience at a previous employer.)

Defining Social Engineering

Most introductions to social engineering begin with a definition along these lines: "the art and science of getting people to comply with your wishes" (Bernz 2); "an outside hacker's use of psychological tricks on legitimate users of a computer system, in order to obtain the information he needs to gain access to the system" (Palumbo); or "getting needed information (for example, a password) from a person rather than by breaking into the target system" (Berg). In truth, social engineering can be any of these things, depending on your point of view. One thing everyone agrees on is that social engineering is, in general, a hacker's clever exploitation of the natural human tendency to trust. The hacker's goal is to obtain information that gives him unauthorized access to an important system and to the information held on it.

Security is founded on trust: trust in protection and in the verification of identity. That trust is generally considered the weakest link in the whole security chain, because people are naturally inclined to believe one another, and that inclination is what makes us easiest to exploit by this means. Many very experienced security experts stress this point. No matter how much is published about network vulnerabilities, patches and firewalls, those measures only go so far. The basic goals of social engineering are the same as those of any other hacking method: to gain unauthorized access to a system or to its information in order to commit fraud, intrude on a network, conduct industrial espionage, steal an identity, or simply disrupt a system or network. Typical targets include telephone companies and answering services, well-known large corporations and financial institutions, military and government agencies, and hospitals. Cases of social engineering attacks are now beginning to be reported, but only those involving relatively well-known companies, and good, real-life examples remain hard to find.

Organizations that are targeted are reluctant to admit that they have been victims of social engineering (not only because admitting a breach of basic security is embarrassing, but more importantly because it can seriously damage the organization's image), and documented records of such attacks are rare, so nobody can claim to be able to recognize every social engineering attack with certainty. Why are organizations such frequent targets of social engineering? Because, compared with many technical hacking methods, social engineering is a simple way of obtaining accounts illegitimately. Even highly skilled hackers find it easier to pick up the phone and ask someone for a password than to break into a system by technical means, and in practice that is exactly what hackers do.

Social engineering attacks take place on two levels: the physical and the psychological. First we consider the physical settings of an attack: the workplace, the telephone, your company's rubbish, and even the Internet. In the workplace, a hacker can simply walk in the door, just as in the movies, and then pretend to be a maintenance worker or consultant who is allowed to be in the building. The intruder then strolls through the office until he or she finds a few passwords or other information that can later be used against the company, and leaves once the information has been collected. Another way of obtaining authentication information is simply to stand in the workplace, watch an employee type a password, and quietly memorize it.

The telephone is the most popular tool for social engineering attacks. A hacker can pose as someone important or influential in order to get information from other users. An organization's help desk is an easy target for this kind of attack. A hacker can make a call appear to come from inside the organization, fooling the PBX or the company's administrators, so relying on where a call appears to come from to establish the caller's identity is not a safe practice. Here is a typical PBX trick cited by the Computer Security Institute: "Hi, I'm your AT&T maintenance engineer, I'm working on the line right now, and I need you to press a few keys for me." There is also a cleverer version: "They call you in the middle of the night: 'Have you been calling Egypt?' 'No.' Then they say, 'Well, we have an active call right now, on your calling card, to Egypt, so you are looking at about $2000 in charges, although you could argue that somebody else ran them up.' Then they say, 'I can get rid of this $200 charge for you, but I need you to read me your AT&T card number and PIN.' And most people fall for it." (Computer Security Institute)

Help desks are vulnerable to social engineering because their whole purpose is to help people, and that helpfulness can be exploited to obtain information illegitimately. Help desk staff are generally trained to be friendly and to give out whatever information people need, which makes them a gold mine for social engineers. Most help desk staff receive very little security training or education, and this creates a great many security hazards. An expert at a computer security firm ran the following experiment to expose the security hole hidden in the help desk. He called a company's front desk: "Who's the person on duty tonight?" "Betty." "Let me talk to Betty." [He is transferred to Betty.] "Hi Betty, having a bad day?" "No, why do you say that?" "Your system is down." "My system isn't down, it's working fine." He said, "You'd better log off." She logged off. Then he said, "Now log in again." She logged in. "That didn't change anything on my end." He said, "Log off again." She did, still perfectly trusting. "Betty, it seems I'm going to have to log in as you to see what's wrong with your account. Give me your user ID and password." And Betty gave him her user ID and password, right over the help desk line.

Another kind of telephone attack is carried out by standing next to a pay phone or an ATM. A hacker can obtain credit card numbers and PINs this way. (A friend of mine saw exactly this at a large airport; many people there stand right next to the phones, so be especially careful in such public places.)

Dumpster diving is another commonly used social engineering technique, because a company's rubbish usually contains a great deal of information. LAN Times lists the following items that may be found in the rubbish: "company phone books, organizational charts, memos, company policy manuals, calendars of meetings, events and vacations, system manuals, printouts of sensitive data or login names and passwords, printouts of source code, disks and tapes, company letterhead and memo forms, and outdated hardware." These sources give a hacker a wealth of information. Phone books provide the names and phone numbers of people to target and to impersonate. Organizational charts tell him who the senior people in the organization are. Memos supply details that help him pass as a trusted insider. Policy manuals show him how secure (or insecure) the organization is. Calendars are particularly valuable, because they tell the hacker which employees will be away at a given time. System manuals, sensitive data and other technical information help the hacker break into the organization's computer network. Finally, discarded hardware, especially hard drives, is a problem in itself: a hacker can recover data from it and put it to use. (This is discussed further in the second article.)

On-line Social Engineering

The Internet is a paradise for password harvesting. This is mainly because many users set the same password everywhere: Yahoo, Travelocity, Gap.com ..........
So once a hacker has one password, he (or she) gains access to multiple accounts. One technique hackers commonly use is social engineering through on-line forms. The hacker sends the user a message announcing that he has won a prize and asks him to enter his name (and e-mail address, so the hacker even gets the account name) and the password he uses inside the organization. Such forms need not be sent on-line; they can also go out by ordinary mail, and a form on paper looks even more as if it came from a legitimate institution, so it is even more likely to deceive. Another way of getting information on-line is to impersonate the network administrator and ask the user for his password. This method is not very effective, because users are more alert on-line than the hacker expects, but it is still worth bearing in mind. A hacker may also plant a pop-up window that looks like part of the website, claiming that some problem needs fixing and prompting the user to re-enter his account name and password. Users generally know by now that passwords should not be sent in plaintext, but administrators should still remind them regularly to guard against this kind of spoof. To go one step further, system administrators should warn users never to disclose their password to anyone, unless it is to a legitimate, trusted network employee.

E-mail can also be a more direct means of gaining access to a system. For example, a virus, worm or Trojan may arrive as an e-mail attachment apparently sent by someone the recipient trusts. A good case is VigilanTe's account of an attack on AOL: "In this case, the hacker called AOL's technical support centre and chatted with a support technician. During the conversation the hacker mentioned that he was selling his car at a low price. The technician was interested, so the hacker sent him an e-mail with an attachment labelled 'car photo'. But it was not a photo of a car: the message executed a backdoor program that allowed the hacker to establish a connection through AOL's firewall."

Persuasion

Hackers themselves teach social engineering from a psychological point of view, emphasizing how to create the perfect psychological state for an attack. Several basic persuasion techniques are used, which are described below. Whichever method is used, the main purpose is to persuade the target to disclose the sensitive information required, so a social engineer is really someone who can make himself trusted and thereby obtain sensitive information. Another important point is never to ask for too much at once, but to get a small amount of information from each person while keeping up a good impression.

Impersonation generally means constructing some kind of role and acting in keeping with it, and the better the role fits the situation, the better it works. Sometimes it is enough to phone the target and say, "Hi, this is Joe from MIS, I need your password," but that does not always work. In other cases the hacker focuses on one person in the target organization and, when that person is away, poses as him to ask for information. According to Bernz, a hacker who has published a great deal on this subject, they use a small device to disguise their voice and also study the organizational structure extensively in order to play their targets convincingly. I think this goes beyond a basic impersonation attack, because it takes so much time to prepare, but in any case the method does exist. Roles commonly used in impersonation attacks include maintenance workers, technical support staff, managers, trusted third parties (for example, the president's executive assistant calling to say that the president has authorized him to ask for some information), or a fellow employee. This is not hard to pull off in a large company: nobody can know everyone in the company, and identity badges can be forged. Most of these roles carry some authority, which leads others to comply without thinking.

Most employees want to please the boss, so they readily hand over whatever information is requested by someone with authority. Conformity, going along with what everyone else does, is group behaviour, but it can also be used to persuade an individual: tell him that everyone else has already provided the information the hacker is asking for, assuming, say, that the hacker is posing as the IT manager. What the hacker then needs to do is make the target feel, for the moment, that the responsibility is not his alone. A more controversial social engineering tool is plain friendliness. The reasoning is that most people are willing to believe a colleague who calls asking for help, so the hacker gets a basic level of trust for free. Furthermore, most employees respond in kind, especially to requests from women. A little flattery, or flirting with the target, makes him happy to cooperate further, but a smart hacker knows when to stop while gathering information, so that the target never suspects anything unusual. A smile (if face to face) or a "thank you" can be the start of cooperation. And if that is still not enough, playing the novice can also do the trick: "I'm confused (blink), can you help me?"

Reverse Social Engineering

A more advanced means of obtaining information illegitimately is known as reverse social engineering. Here the hacker plays a person of authority who does not actually exist, so that employees come to him of their own accord and volunteer information. With thorough research, careful planning and execution, reverse social engineering gives the hacker far more and better opportunities to obtain valuable information from employees. But it requires a great deal of time for preparation, research and some preliminary hacking. According to "Methods of Hacking: Social Engineering" by Rick Nelson, reverse social engineering has three parts: sabotage, advertising (self-promotion) and assisting. The hacker first sabotages the network so that it shows obvious problems, then presents himself as the one who can fix them, repairs the network, and in the process gets what he really wants from the employees. Those employees never realize he is a hacker, because their network problems get solved and everyone is happy (including the hacker ^_^).

Please credit the original address when reposting: https://www.9cbs.com/read-33934.html
