Security and Privacy in a Networked World/No Tech Hacking

Source: KakuWiki

Instead of a Motto: "You only have to ask"

"Activate the wealth corner of any crowded room by standing in it with a large kitchen knife and a sign that reads 'Give Me All Your Money'." - Rohan Candappa, The Little Book of Wrong Shui

Social Engineering - what is it?

In his well-known book "The Art of Deception", Kevin Mitnick has given the following definition:

"Social Engineering uses influence and persuasion to deceive people by convincing them that the social engineer is someone he is not, or by manipulation. As a result, the social engineer is able to take advantage of people to obtain information with or without the use of technology."

In short, it IS the art of deception. And although Mitnick himself has been widely labelled "the most dangerous hacker in the world", he was above all a gifted social engineer, pulling off the majority of his feats without using technology at all.

PIBKAC (Problem Is Between Keyboard And Chair) again...

Some techniques

The following points are mostly summarized from "No Tech Hacking" by Johnny Long.

Dumpster Diving

An old bit of wisdom says "One man's trash is another man's treasure". While this holds in its original, general sense (old stuff can still be of use to somebody), it has a special meaning in data security.

Sometimes, important material ends up in the trash by accident. More often than not, however, it is thrown out by people who do not know any better. Whatever the reason, dumpsters can contain rather interesting material (and, as the photos in Johnny Long's book show, sometimes no actual diving is even needed).

Probably anyone would understand the security risk if a discarded document picked up by a stranger contains someone's password. Less obvious cases, however, can be just as dangerous. For example, a job application form partially filled in by a system administrator of a major defense contractor might be of interest to an agent of a hostile foreign power (disgruntled employees are easier to bribe). Payment invoices can point to shady transactions. Even a department staff list with room and internal telephone numbers can be a good starting point for a social engineering scheme ("Hi, this is James from accounting, room 116. My boss, Mrs Peabody, asked me about <something of interest>, could you help me with that?").

A special case worth mentioning is the "yellow sticky note" (aka Post-it and other brand names). They are often used to write down important bits of information and are stuck to some easily visible place. On the one hand, they often contain information that should NOT be that visible. On the other hand, the glue holding them in place tends to wear off after a while, the note slides down - and often ends up in some out-of-sight place (e.g. between a table leg and a wall). Depending on the janitor, the next step may be one of the following:

  • the note is returned to the table for the owner to find
  • the note will remain where it is
  • the note ends up in the dumpster (for someone else to find)
  • the janitor has some interesting ideas what to do with the found information

The last two options can spell a lot of trouble.

Tailgating

Today, people are lazy and forget to close doors, so many doors are equipped with an automatic closing mechanism. This has further promoted the habit of "open-and-forget" - especially if there are other people around. And in the age of litigation (especially in some large first-world countries), no door manufacturer would want to risk a lawsuit from someone who got caught in the doorway - so the doors close slowly, and if something obstructs the movement, they do not close at all.

People are also (mostly) nice. If someone follows you through a door, most of us have been taught either to let them go first or at least to hold the door for the next person. The question of whether that person is actually authorized to pass the doorway seems to be left to the security staff.

Shoulder Surfing

...


Measures against physical defenses

...

Countermeasures

Dumpster Diving

...


Tailgating

...


Shoulder Surfing

...


Measures against physical defenses

...



Additional reading and links

  • LONG, Johnny. No Tech Hacking: A Guide to Social Engineering, Dumpster Diving and Shoulder Surfing. Syngress, 2008
  • MITNICK, Kevin, SIMON, William L. The Art of Deception: Controlling the Human Element of Security. John Wiley & Sons, 2002
  • OOSTERLOO, Bernard. Managing Social Engineering Risk: Making Social Engineering Transparent. University of Twente, 2008


Study & Blog

  • Find and describe an interesting case of "no tech hacking".