Talk about social engineering can be continued indefinitely, but this will not protect against intruders of all stripes. Among them are so talented guys who use non-standard and sophisticated methods. There are no typical counteractions to social engineers. Each situation requires an individual approach. The laxity, negligence of employees and the love to crackle in social networks from a working machine are the main holes in the security system of a firm/company.
Many companies that think that the problem of security is solved simply by hardware and software are mistaken. Trusted security technologies - firewalls, identification and encryption tools, intrusion detection systems, etc. - are ineffective against hackers using SI and OSI (social and reverse social engineering). Modern tech. means of protection have reached a level where a lot of time is spent on hacking, or the price of protected information is less than the cost of obtaining it.
Let's take a real example. There are a couple of guys I know who have moved away from hacker business, earn money by conducting various kinds of attacks on company servers, including using SI on the order of directors and then give recommendations on protection. They invited me to participate in one fascinating business - to see how it happens.
Given: a small firm that wholesales underwear. Employees - 22 people, including the director. He also hired these guys, because of his paranoid fear of competitors who are striving, by any means, to get super-duper secret information of the company.
Two very intelligent administrators, who were not informed by their superiors, successfully coped and repelled all attacks. Then they went the other way, began to look for a weak link among the employees and found it. Through observation on social networks and communication in the future, several suitable people were identified. To establish contact, a significant role was played by the fact that we learned the views, habits of people and much more that relates to character. With each individual work was carried out with an individual approach. Everything was used, including vile tricks. I will come up with the names of the employees so as not to get confused.
People were caught in contact. There was a whole performance. First, a nasty "troll" clung to her, who followed and clung to everything. Then, the “defender” appears on the stage, who masterfully smears the troll and that, shamed, disappears from her field of vision. Luda scatters her thanks to the savior, and a casual correspondence begins between them. As it should be according to the scenario, the savior has common interests.
Although, in high art, he is not in the tooth with his foot, but Google to the rescue! The woman gives her mail, which is very needed in the future. The moment is chosen when Luda comes from a working computer, a "friend" asks her to get a set of exactly such underwear for her wife through her company, as in the picture. A private Trojan is attached to it.
Cowardly and cautious Julia. There was something to dig into and to her - blackmail. This sheep bleated in private, to her reliable virtual girlfriend, about her parties from her husband. Fearing for the breakup of the family, she agreed to commit a petty malfeasance, which could result in tangible losses for the company.
The method of telling everything about cheating to a jealous husband / wife is one of the most common. It doesn't matter if it was real or not. To do this, it is not necessary to install hidden cameras or engage in photomontage, it is enough to be a good storyteller and be able to convince the interlocutor. And the jealousy of the spouse (wife) will do a good service. In jealous people, often the brains are completely turned off, one has only to name about treason.
Insolent and boorish Nadya... who is up to the n * dy and to the door. Trolling does not break through, she has seen her husband .... She also found a clue - a 14-year-old daughter, with whom she has serious conflicts. They blackmailed her by telling the girl that she was not native - adopted. The likelihood that a child will believe an outsider is far from zero, which will cause deep mental trauma. Dodavili this and the woman agreed to merge useful information.
No matter how good the boss is, there will always be someone dissatisfied with him. Let's call it Light. She did not manage to become a senior manager, the director nominated another employee. Since it was not possible to climb a step higher, then the salary remained the same. Greedy Sveta, after hesitating and haggling, agreed to help the "competitors".
And such as the thieving and narrow-minded accountant Misha is just a godsend for hackers! This employee will come in handy when you need to steal the firm's money, not just information. Who will be asked for a petty service, promising a decent amount, steal all the money, some of it, put it in his account and then tell the director of the firm / company who to look for the missing. And it will be extremely difficult for him to prove that he did not take and will not be able to explain where he got that large amount that was transferred for the service. In this case, do not run to the police.
So, the circle will be to blame. It is difficult to trace the path of money, who transferred it, but it is possible. But, such cases are turned through figureheads. Even being caught, the hacker will declare that he is not the leader, but only a performer, if he keeps a smaller part of the stolen, this legend will sound very convincing. And Mishan will thunder to the fullest! So now it has become fashionable to check employees for lice.
Now let's get to the fun part...
REVERSE SI. This is a type of attack in which the attacker creates a situation where the victim is faced with a problem and runs to the attacker for help. There is a diversion. For example, the victim hangs up during working hours in his favorite social network and suddenly cannot go there or in the mail. The attacker is already familiar with her in advance, communicates and positions himself as a computer guru. At least introduce yourself as an admin. A person with these troubles will not run to his admin, from whom he can easily get pissed off, but will ask a virtual friend to help. He will help with "good advice", get in there, execute commands such and such and launch a Trojan or a virus in the company's system with the help of the victim ... The organization of this type of attack is especially attractive to the attacker.
Let's look at some more methods...
This attack method is an adaptation of the Trojan horse and consists of using physical media. An attacker can plant an infected CD, or flash, in a place where the media can be easily found (toilet, elevator, parking lot). The carrier is faked as official, and is accompanied by a signature designed to arouse curiosity.
Example: An attacker could plant a CD bearing the corporate logo and a link to the official website of the target's company, and label it "Executive Salary Q1 2013". The disc can be left on the elevator floor, or in the lobby. An employee unknowingly can pick up a disk and insert it into a computer to satisfy his curiosity, or just a good Samaritan will take the disk to the company - here, yours was lying around.
If the company is large, where everyone does not know each other or different offices in the same building, a hacker can easily go into the right office with a disk / flash drive and say - MarVanna or Pyotr Ivanovich gave you documents, software, whatever. And there is a high probability that they will not ask why they did not transfer it over the internal network and insert an infected media. Although here you can take a break, MarVanna has problems with the network, and the boss asked for the file to be delivered to you.
Works in large and not so firms. An attacker can call a company on a random number and pretend to be a support person asking if there are any technical problems. If they are, in the process of "solving" them, the target enters commands that allow the hacker to run malicious software.
And it was like that, he got a job as a peddler of lunches. They served just the company that interested them and, as it were, casually communicated with women. In conversations, it slipped, the wife lost weight according to the super method - the exercises in the video lesson were recorded. Fat women were very interested, asked to copy the disc and wished to buy it. The virus was introduced, and bought for money.) The fat-assed young ladies were impatient to see the magical video tutorial and hurried to load disks into working machines.) They didn’t see me again ...
I said, about the vile schemes from which people suffered? Well, read on. As a result: "weak links" were fired. Well, something like that, foul and shitty.
People have lost their jobs, and all because they were victims of the JI. I can imagine how many people cursed not their stupidity, but our team. And sorry and not sorry for them. Dual feeling. Yes, I want to knock stupid chickens on the head. Cooley is useless if it is like that in life.
Many companies that think that the problem of security is solved simply by hardware and software are mistaken. Trusted security technologies - firewalls, identification and encryption tools, intrusion detection systems, etc. - are ineffective against hackers using SI and OSI (social and reverse social engineering). Modern tech. means of protection have reached a level where a lot of time is spent on hacking, or the price of protected information is less than the cost of obtaining it.
Let's take a real example. There are a couple of guys I know who have moved away from hacker business, earn money by conducting various kinds of attacks on company servers, including using SI on the order of directors and then give recommendations on protection. They invited me to participate in one fascinating business - to see how it happens.
Given: a small firm that wholesales underwear. Employees - 22 people, including the director. He also hired these guys, because of his paranoid fear of competitors who are striving, by any means, to get super-duper secret information of the company.
Two very intelligent administrators, who were not informed by their superiors, successfully coped and repelled all attacks. Then they went the other way, began to look for a weak link among the employees and found it. Through observation on social networks and communication in the future, several suitable people were identified. To establish contact, a significant role was played by the fact that we learned the views, habits of people and much more that relates to character. With each individual work was carried out with an individual approach. Everything was used, including vile tricks. I will come up with the names of the employees so as not to get confused.
People were caught in contact. There was a whole performance. First, a nasty "troll" clung to her, who followed and clung to everything. Then, the “defender” appears on the stage, who masterfully smears the troll and that, shamed, disappears from her field of vision. Luda scatters her thanks to the savior, and a casual correspondence begins between them. As it should be according to the scenario, the savior has common interests.
Although, in high art, he is not in the tooth with his foot, but Google to the rescue! The woman gives her mail, which is very needed in the future. The moment is chosen when Luda comes from a working computer, a "friend" asks her to get a set of exactly such underwear for her wife through her company, as in the picture. A private Trojan is attached to it.
Cowardly and cautious Julia. There was something to dig into and to her - blackmail. This sheep bleated in private, to her reliable virtual girlfriend, about her parties from her husband. Fearing for the breakup of the family, she agreed to commit a petty malfeasance, which could result in tangible losses for the company.
The method of telling everything about cheating to a jealous husband / wife is one of the most common. It doesn't matter if it was real or not. To do this, it is not necessary to install hidden cameras or engage in photomontage, it is enough to be a good storyteller and be able to convince the interlocutor. And the jealousy of the spouse (wife) will do a good service. In jealous people, often the brains are completely turned off, one has only to name about treason.
Insolent and boorish Nadya... who is up to the n * dy and to the door. Trolling does not break through, she has seen her husband .... She also found a clue - a 14-year-old daughter, with whom she has serious conflicts. They blackmailed her by telling the girl that she was not native - adopted. The likelihood that a child will believe an outsider is far from zero, which will cause deep mental trauma. Dodavili this and the woman agreed to merge useful information.
No matter how good the boss is, there will always be someone dissatisfied with him. Let's call it Light. She did not manage to become a senior manager, the director nominated another employee. Since it was not possible to climb a step higher, then the salary remained the same. Greedy Sveta, after hesitating and haggling, agreed to help the "competitors".
And such as the thieving and narrow-minded accountant Misha is just a godsend for hackers! This employee will come in handy when you need to steal the firm's money, not just information. Who will be asked for a petty service, promising a decent amount, steal all the money, some of it, put it in his account and then tell the director of the firm / company who to look for the missing. And it will be extremely difficult for him to prove that he did not take and will not be able to explain where he got that large amount that was transferred for the service. In this case, do not run to the police.
So, the circle will be to blame. It is difficult to trace the path of money, who transferred it, but it is possible. But, such cases are turned through figureheads. Even being caught, the hacker will declare that he is not the leader, but only a performer, if he keeps a smaller part of the stolen, this legend will sound very convincing. And Mishan will thunder to the fullest! So now it has become fashionable to check employees for lice.
Now let's get to the fun part...
REVERSE SI. This is a type of attack in which the attacker creates a situation where the victim is faced with a problem and runs to the attacker for help. There is a diversion. For example, the victim hangs up during working hours in his favorite social network and suddenly cannot go there or in the mail. The attacker is already familiar with her in advance, communicates and positions himself as a computer guru. At least introduce yourself as an admin. A person with these troubles will not run to his admin, from whom he can easily get pissed off, but will ask a virtual friend to help. He will help with "good advice", get in there, execute commands such and such and launch a Trojan or a virus in the company's system with the help of the victim ... The organization of this type of attack is especially attractive to the attacker.
Let's look at some more methods...
This attack method is an adaptation of the Trojan horse and consists of using physical media. An attacker can plant an infected CD, or flash, in a place where the media can be easily found (toilet, elevator, parking lot). The carrier is faked as official, and is accompanied by a signature designed to arouse curiosity.
Example: An attacker could plant a CD bearing the corporate logo and a link to the official website of the target's company, and label it "Executive Salary Q1 2013". The disc can be left on the elevator floor, or in the lobby. An employee unknowingly can pick up a disk and insert it into a computer to satisfy his curiosity, or just a good Samaritan will take the disk to the company - here, yours was lying around.
If the company is large, where everyone does not know each other or different offices in the same building, a hacker can easily go into the right office with a disk / flash drive and say - MarVanna or Pyotr Ivanovich gave you documents, software, whatever. And there is a high probability that they will not ask why they did not transfer it over the internal network and insert an infected media. Although here you can take a break, MarVanna has problems with the network, and the boss asked for the file to be delivered to you.
Works in large and not so firms. An attacker can call a company on a random number and pretend to be a support person asking if there are any technical problems. If they are, in the process of "solving" them, the target enters commands that allow the hacker to run malicious software.
And it was like that, he got a job as a peddler of lunches. They served just the company that interested them and, as it were, casually communicated with women. In conversations, it slipped, the wife lost weight according to the super method - the exercises in the video lesson were recorded. Fat women were very interested, asked to copy the disc and wished to buy it. The virus was introduced, and bought for money.) The fat-assed young ladies were impatient to see the magical video tutorial and hurried to load disks into working machines.) They didn’t see me again ...
I said, about the vile schemes from which people suffered? Well, read on. As a result: "weak links" were fired. Well, something like that, foul and shitty.
People have lost their jobs, and all because they were victims of the JI. I can imagine how many people cursed not their stupidity, but our team. And sorry and not sorry for them. Dual feeling. Yes, I want to knock stupid chickens on the head. Cooley is useless if it is like that in life.