Security and Privacy in a Networked World/No Tech Hacking: difference between revisions

Source: KakuWiki
Revision as of 30 March 2014, 10:54

Instead of a Motto: "You only have to ask"

"Activate the wealth corner of any crowded room by standing in it with a large kitchen knife and a sign that reads 'Give Me All Your Money'" - Rohan Candappa, The Little Book of Wrong Shui

Social Engineering - what is it?

In his well-known book "The Art of Deception", Kevin Mitnick gives the following definition:

"Social Engineering uses influence and persuasion to deceive people by convincing them that the social engineer is someone he is not, or by manipulation. As a result, the social engineer is able to take advantage of people to obtain information with or without the use of technology."

In short, it IS the art of deception. And although Mitnick himself was widely labelled "the most dangerous hacker in the world", he was above all a gifted social engineer: most of his exploits relied on talking people into things rather than on technology.

PIBKAC (Problem Is Between Keyboard And Chair) again...

Some techniques

The following points are mostly summarized from "No Tech Hacking" by Johnny Long.

Dumpster Diving

An old bit of wisdom says "One man's trash is another man's treasure". Besides its original, general meaning (old stuff can still be of use to somebody), the saying has a special meaning in data security.

Sometimes, important stuff ends up in the trash accidentally. More often than not, however, it is thrown out by people who do not realise what it is worth. Whatever the reason, dumpsters can contain rather interesting material (and, as the photos in Johnny Long's book show, sometimes no diving is even needed).

Probably anyone would understand the security risk if a discarded document, picked up by a stranger, contains someone's password. Seemingly less obvious cases can, however, be just as dangerous. For example, a half-completed job application form left by a system administrator of a major defense contractor tells an agent of a hostile foreign power that this person wants to leave (a disgruntled employee is easier to bribe). Payment invoices can point to shady transactions. But even a department staff list with room and internal telephone numbers is a good starting point for a social engineering scheme ("Hi, this is James from accounting, room 116. My boss, Mrs Peabody, asked me about <something of interest>, could you help me with that?").
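The point above is that a document need not contain a password to be dangerous in the bin: a plain staff list is already pretext material. The scanner below makes that concrete by classifying text (as it might come off a scanned page) before disposal. It is an added example written for this page, not code from Johnny Long's book or the wiki; the regular expressions are assumptions about how such data looks on paper, and the sample pages are constructed for the example.

```python
"""Pre-disposal document scanner (added example, not from the original page).

Flags not only credentials but the 'innocent' material the text warns about:
staff directories (name / room / extension), invoices and job applications.
"""
import re

# Assumed patterns for how such data appears on printed pages.
CREDENTIAL_RE = re.compile(r"\b(?:password|passwd|pwd|pin)\b\s*[:=]\s*\S+", re.I)
# One staff-directory line, e.g. "James Carter    Room 116   ext. 2231"
DIRECTORY_RE = re.compile(
    r"^(?P<name>[A-Z][a-z]+(?: [A-Z][a-z]+)+)\s+"
    r"(?:Room|Rm\.?)\s*(?P<room>\d{1,4}[A-Za-z]?)\s+"
    r"(?:ext\.?|x)\s*(?P<ext>\d{3,5})\s*$",
    re.M,
)
INVOICE_RE = re.compile(
    r"\b(?:invoice|payment|wire transfer)\b[^\n]*?\b\d[\d,.]{3,}\b", re.I
)
JOB_APP_RE = re.compile(
    r"\b(?:application for employment|job application|current employer)\b", re.I
)


def scan_document(text: str) -> dict:
    """Classify a document before it goes in the bin.

    Returns {'verdict': 'shred' | 'recycle', 'reasons': [...], 'directory': [...]}.
    'directory' holds the (name, room, extension) triples found; each one is a
    ready-made pretext ("Hi, this is <name> from room <room> ...").
    """
    reasons = []

    if CREDENTIAL_RE.search(text):
        reasons.append("contains a credential")
    if JOB_APP_RE.search(text):
        reasons.append("job application: signals an employee looking to leave")
    if INVOICE_RE.search(text):
        reasons.append("payment or invoice details")

    directory = [(m["name"], m["room"], m["ext"]) for m in DIRECTORY_RE.finditer(text)]
    if directory:
        reasons.append(
            f"staff directory: {len(directory)} name/room/extension entries "
            "usable as social-engineering pretexts"
        )

    verdict = "shred" if reasons else "recycle"
    return {"verdict": verdict, "reasons": reasons, "directory": directory}


# Constructed sample pages, as they might be pulled out of an open bin.
STAFF_LIST = """Accounting department, 2nd floor
James Carter    Room 116   ext. 2231
Mary Peabody    Room 118   ext. 2230
Anil Kumar      Room 120   ext. 2240
"""

LUNCH_MENU = """Canteen menu, week 14
Monday: tomato soup, pasta
Tuesday: fish and chips
"""

if __name__ == "__main__":
    for label, page in (("staff list", STAFF_LIST), ("lunch menu", LUNCH_MENU)):
        result = scan_document(page)
        print(f"{label}: {result['verdict']} - {'; '.join(result['reasons']) or 'nothing sensitive'}")
```

Note that the staff list scores as "shred" without a single password on it, which is exactly the case the text calls "seemingly less obvious"; the menu is the only page that may go in the open bin.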

Tailgating

...


Shoulder Surfing

...


Measures against physical defenses

...

Countermeasures

Dumpster Diving

...


Tailgating

...


Shoulder Surfing

...


Measures against physical defenses

...



Additional reading and links

  • LONG, Johnny. No Tech Hacking: A Guide to Social Engineering, Dumpster Diving and Shoulder Surfing. Syngress, 2008
  • MITNICK, Kevin, SIMON, William L. The Art of Deception: Controlling the Human Element of Security. John Wiley & Sons, 2002
  • OOSTERLOO, Bernard. Managing Social Engineering Risk: Making Social Engineering Transparent. University of Twente, 2008


Study & Blog

  • Find and describe an interesting case of "no tech hacking".