A brief overview of social engineering in the field of Internet. This article is the most accurate and at the same time simple and accessible language reflects the essence of the matter.
Primarily focused on familiarization. Useful to beginners. Experienced advise not to forget about such trifles (a common mistake).
In this article, I decided to examine aspects of social engineering (SI) in the area of Internet fraud and computer hacking.
Social engineering techniques used by cybercriminals, are reduced to the manipulation of behavior and pressure on the human operator. Burglar applying SI may not have huge knowledge in the field of networking and operating systems, but nevertheless can successfully "hack" the system.
Such techniques are of course not only used by hackers, but also in advertising and political technologies. Now, however, I will only consider the scope of the Internet.
The knowledge of human psychology to a large extent facilitates the work of hackers and attackers. People, unprofessional working with a PC, do not want to complicate your life remembering passwords. The most common way to save the password - stickers with passwords written sticky to the monitor or other equally convenient and accessible location. Read and remember a password for any person to be around is no problem, and please - a vulnerability found in the system. No measures to ensure the safety and protection against burglary will not save a person from knowing the real username and password.
If you've ever watched the movie "Hackers" and remember the moment when the main character and heroine rummage through garbage in search of passwords, you know - this is not a fantasy of the director, it is quite objective reality. It is not uncommon when people throw out unnecessary papers in the basket, without attaching much importance to what is written on them. Another aspect of the same film. The protagonist calls the television companies, representing an accountant, who when working at home has failed and requests hearted security guard to tell him some of the data needed to connect to the system. All this - examples of the hackers of the human factor.
It is of course superficial examples, but nevertheless reflect the ideology of the SI - the most vulnerable link in the system is a human. Naturally, the SI is not static and is constantly evolving. All new and new approaches are being developed for the manipulation of human behavior. One of the most prominent approaches to date - "fabricated pretext." This method has been used in virtually all areas of the Internet, of interest to hackers. This and Trojans infecting computers, and transfer electronic money to fraudsters account and unfair advertising.
The pretext in the received message you can be anything, such as the ability to obtain pirated software, watch a video on their content, and so on. The probability that when you click on the link you will infect your computer Trojan is very high. In the best case, all limited to promotional offers and minor injury to your PC.
It is also very common scam posts by representing your acquaintances, got in trouble or no-win situation, and asking you if you certainly want to help, send a certain amount of electronic money to those accounts. It can be reported "sick relatives" and "purchase of medicines" and "expensive operation." Fantasy crooks in this case seeks to create a message so that the maximum number of people pecked at him.
The aim of all these manipulations is to get you to perform an act required an attacker, and then, as they say, all methods are good. At the same time you fully commit yourself all the action and, in fact, an accomplice of the cracker.
Burglar, is aimed at a particular person, try to learn about their goals much information as possible. It's no secret, but few people think about the amount of information that anyone can podcherpnut about you using conventional search engines. This is your e-mail, Internet pager number, message boards and the like. All this is to some extent allows you to learn about a variety of data. An attacker can not posing, talk with you for you interesting topics, with the aim of conquering the trust, but you're not even aware of it, have a purpose or means of hacking.
Another party to use SI techniques is to calculate the user's password. Very often, a person working in a network and using personal services, not zatruzhdaet inventing itself sufficiently complex passwords. As a result, an attacker with knowledge of such aspect, applies a simple selection for compiling dictionaries of passwords. The most simple, but nonetheless widespread, the passwords are the type qwerty, 12345, user nikneym, birth date, pet names, and the like, which are often calculated simply.
Hackers applying SI, constitute the entire dictionary of common passwords, by which then carried out the attack on the goal.
Typically, an attacker who successfully applying SI, has a fairly good knowledge of psychology, sufficiently educated and may have some good actors' instincts. Knowledge of the attacker can not be very high in the field of computers, but you yourself will go through and so half the work for him. An attacker need only skillfully take advantage of the fruits of their "attacks".
The tools used by hackers, gets not only the Internet, but also any other means of communication - telephone, voice chat. skilled cracker must quickly determine the style and manner of communication with the purpose, or "hacking" fail. The same applies to the style of writing in e-mails or other messages.
Of course, methods and approaches SI is much wider and more complex in the mass, and this article describes some of all aspects of SI on the Internet.
The main objectives of the use of SI are:
Collection of information - one of the most important aspects of hacking via the SI.
Making the user a series of actions necessary for the attacker, operating only the user psychology.
The result of all these actions can be disastrous both for the user and for the company for which he works.
I want to say, do not underestimate the SI. Human stupidity knows no bounds, and the man himself sometimes give passwords, and even say thank you. Soc. Engineering does not end on the Internet and knowledge of the SI method is always useful in everyday life.
Soon my own article about social engineering will be written, in which I share my thoughts and ideas. (You can read my article in which I tell how to get licensed software absolutely free by applying skills SI - http://forum.antichat.ru/thread72978.html)
Related Links:
_http: //ru.wikipedia.org/wiki/Sotsialnaya_inzheneriya
_http: //www.citforum.ru/security/articles/soc_eng/
_http: //bugtraq.ru/library/books/attack/chapter02/
_http: //www.i2r.ru/static/450/out_16814.shtml
_http: //ci-razvedka.ru/Samples_Social_Ingeneering.html
_http: //ifrit.on.ufanet.ru/4.htm
_http: //www.fortunecity.com/skyscraper/pointone/545/g4.htm
Recommended literature:
- Social engineering hackers and social (Kuznetsov MV) More _http: //www.centrmag.ru/book2202201.html
- Mental viruses. How are programming your mind (Richard Brody) _http: //www.my-shop.ru/shop/books/190716.html
- I advise you to get acquainted with the literature on NLP (all kinds of pick-up, but rather take a course if it is possible, it will be much better than any of the literature), psychology, law (to know what you can do legally and what is not)
- The Art of Deception. invasion of Art. (Kevin Mitnick) These two books in other very boring, but read all of it should be. (If anyone should write to the PM, the tabernacle)