In this post I will explain a very intresting way of hacking the human OS. This is known as Social Engineering.
So, first of all what is social engineering? Social engineering is an art of manipulating people to get vital information from them.This information can be used to build an attack against the respective person. Any one can social engineer, even a kid. There are various methods to perform social engineering. Your options are endless, so make use of it and exploit the most powerful OS (the Human OS). Let me give a true example of social engineering.
One morning a few years back, a group of strangers walked into a large shipping firm and walked out with access to the firm's entire corporate network. How did they do it? By obtaining small amounts of access, bit by bit, from a number of different employees in that firm. First, they did research about the company for two days before even attempting to set foot on the premises. For example, they learned key employees' names by calling HR. Next, they pretended to lose their key to the front door, and a man let them in. Then they "lost" their identity badges when entering the third floor secured area, smiled, and a friendly employee opened the door for them.
The strangers knew the CFO was out of town, so they were able to enter his office and obtain financial data off his unlocked computer. They dug through the corporate trash, finding all kinds of useful documents. They asked a janitor for a garbage pail in which to place their contents and carried all of this data out of the building in their hands. The strangers had studied the CFO's voice, so they were able to phone, pretending to be the CFO, in a rush, desperately in need of his network password. From there, they used regular technical hacking tools to gain super-user access into the system.
In this case, the strangers were network consultants performing a security audit for the CFO without any other employees' knowledge. They were never given any privileged information from the CFO but were able to obtain all the access they wanted through social engineering.
Here are some methods of social engineering:
* Phishing - is a technique often used to obtain private information. Typically, the user sends an e-mail that appears to come from a legitimate business requesting "verification" of information and warning of some consequence if it is not provided. The e-mail usually contains a link to a web page that seems legitimate and has a form requesting everything from home address to an ATM card's PIN.
* IVR or phone phishing - also known as "vishing"; this technique uses an Interactive Voice Response (IVR) system to recreate a legitimate sounding copy of a bank or other institution's IVR system. The victim is prompted to call in to the "bank" via a phone number provided in order to "verify" information.
* Baiting - Baiting is like the real-world Trojan Horse that uses physical media and relies on the curiosity or greed of the victim. In this attack, the attacker leaves a malware infected floppy disc, CD ROM, or USB flash drive in a location sure to be found, gives it a legitimate looking and curiosity-piquing label, and simply waits for the victim to use the device.
* Quid pro quo - An attacker calls random numbers at a company claiming to be calling back from technical support. Eventually they will hit someone with a legitimate problem, grateful that someone is calling back to help them. The attacker will "help" solve the problem and in the process have the user type commands that give the attacker access or launch malware.
Advantage of Social Engineering
So to soak up what you've learned so far, which was, an introduction to social engineering and some examples on the very subject itself (SE). On to the very question that people want to hear and know. What can I GAIN from using social engineering? Anything! Like I said before, and not afraid to hesitate to say again, your options are endless when using social engineering! It all depends on your goal and how you approach it, is the defining factor of your outcome. Now with that said, don't go off thinking that you can take over the World in a matter of a few days, not going to happen. But what you can do is practice using social engineering, little by little, step by step; learn how to build your ground and the environment around it. So yes, think outside the box and learn to open new doors! Keep in mind that connections and relationships is everything in being a social engineer, without it, what can you build from nothing? Nothing! That's when social engineering comes in place, learn to make new friends, take the time to ask questions, and most importantly, learn your target! Like one once said, "My greatest enemy is also my best friend." You can achieve anything with the right mindset!
Believe it or not, more than 50% of people living on this Earth subconsciously don't know what they're capable of! That's a scary thought, that's a lot of potential lost!
So, what ya thinkin, U a social engineer? Of course you are even without knowing it.
skip to main |
skip to sidebar
Security and Ethics behind the Web
"This is our world now... the world of the electron and the switch, the beauty of the baud. I make use of a service already existing without paying for what could be dirt-cheap if it wasn't run by profiteering gluttons, and you call me a criminal. I explore... and you call me a criminal. I seek after knowledge... and you call me a criminal. I exist without skin colour, without nationality, without religious bias... and you call me a criminal. You build atomic bombs, you wage wars, you murder, cheat, and lie to me and try to make me believe it's for my own good, yet I am the criminal.
"Yes, I am a criminal. My crime is that of curiosity. My crime is that of judging people by what they say and think, not what they look like.
"My crime is that of outsmarting you, something that you will never forgive me for. I am a hacker, and this is my manifesto. You may stop this individual, but you can't stop us all... after all, we're all alike."
"Yes, I am a criminal. My crime is that of curiosity. My crime is that of judging people by what they say and think, not what they look like.
"My crime is that of outsmarting you, something that you will never forgive me for. I am a hacker, and this is my manifesto. You may stop this individual, but you can't stop us all... after all, we're all alike."
