|
|
|
|
Social engineeringSocial Engineering: cracking techniques that rely on weaknesses in wetware rather than software; the aim is to trick people into revealing passwords or other information that compromises a target system's security. Classic scams include phoning up a mark who has the required information and posing as a field service tech or a fellow employee with an urgent access problem. Social engineering can be defined also as "misrepresentation of oneself in a verbal manner to another person in order to obtain knowledge that is otherwise unattainable." Social engineering, from a narrow point of view, is basically phone scams which pit your knowledge and wits against another human. This technique is used for a lot of things, such as gaining passwords, keycards and basic information on a system or organization. PHONESCaller ID units are helpful by pulling off a scam using callback. In order to do this, is used a voice changer. Social Engineering and phreaking cross lines quite a lot. The most obvious reasons are because phreaks need to access companies in other ways but computers. They use con games to draw info out of operators. Redboxing, greenboxing and other phreaking techniques can be used to avoid the phone bills. Through the internet, telnetting to california is free. Through phone lines, it's pricey. To pull off a social engineering with a phone, first thing is find a mark. To do this, X call a computer center and, using the voice changer, that can't access his account (in fact, the fingered account of someone else). Usually, it is used a female account. Most of the people working an area will ask for some sort of verification for identity, often a social security number. So, X should find out as much information about a mark as he can. Then, he get as much as he can about the system. Ask for the password, ask for telnet numbers, etc. He sound like a legitimate person. To act and speech as the person pretended to be, X call the person as a telemarketer or telephone sweepstakes person, to learn from the way they speak. Mail is not tapped, is cheap and is readily available. People will respond to sweepstakes forms with enthusiasm and will give to X whatever info he wants on it. He "obtain" a return address that include "his company's" logo and name, procured at stores for a relatively cheap price. Also, X uses a layout program, such as WordPerfect, QuarkXpress or PageMaker to emmulate a tottaly professional document. The professional get a PO box. Thus, X's mail should look like a mass mail sweepstakes. He uses computer labels and the like to keep this illusion. He need a list of employees from that company and their addresses. Illusion is everything. The information to his letter should include social security numbers. Another good idea is to say that he'll need a password to verify the prize with a voice call. Now, after stamping and addressing his letters, he send them out and wait. Soon he should receive some answers. At this point, he use a standard phone social engineering. Social Security numbers are the most common verification. INTERNETMany fingers give full names last logins, login locations and all sorts of info. Find someone who hasn't been on in quite sometime. There are also the classic schemes. Pretending to be a sysop in an IRC or online chat room can make people give up passwords with ease. LIVE This is very important. X can do quite a bit over a phone or through mail, but sometimes he just has to get off and do things himself. Find the company's UNIX minicomputer. They tend to keep them behind a big plate glass window, so X can check out how its connected. PUTTING IT TOGETHERTo hack a company to see their documents, even if X has access it would
be problematic to access the To accomplish this, first X get a list of employees. For companies, he uses a live engineering technique. Look for payroll sheets, or posted employee lists. If he look right, he can just ask a low level employee for a list. X finger each employee's account. Find out who has or hasn't used their account in the past few months. Those who haven't are his marks. Now he goes to the phone book and get the employees addresses. Then he creates a document in his DTP program that emmulates a short sweepstakes form or another short document commonly encountered in the field. It must look professional but subtle enough not to look false. Credibility once again. He include the social security number space as well as other information. Send these out and wait for a few days. Now get his phone and call their sysadm. Use women voices . They are EASILY manipulated with a woman's voice. If he sound helpless, they love it. So, that's all! The BAD is done! X obtain access to the company's secrets, which are no more secrets! To prevent this, BE AWARE ! SITE OF THE MONTH:
|
|
|
|
