Bucaro TecHelp

Social Engineering Attack Counter Measures

Kevin Mitnick is a world-renowned hacker who has gained unauthorized access to many secure computer networks, including those of Pacific Bell, Chesapeake and Potomac Telephone Company, DEC, TRW, GTE, and many others. He was eventually convicted and sentenced to 12 months in prison. When questioned about how he was able to break into so many protected networks, he revealed that in many cases he simply called the company and asked for the password.

That's right; he simply called the company and asked for the password. This type of hacking has become known as "social engineering". Social engineering means tricking people into performing actions or divulging confidential information. Kevin Mitnick is now a security consultant who advises companies on how to secure their systems, including securing them against social engineering attacks.

Three common methods of fooling or manipulating people into divulging confidential information are pretexting, baiting, and phishing.


Pretexting is creating a false reason or false story (the pretext) for needing the confidential information. Part of it may be convincing the target that you have the authority to access the information. Pretexting may require the hacker to contact the business several times to gather non-confidential information, which is then used in a later attack to establish credibility.

Common pretexting scenarios are: claiming to be a member of the company's help desk, or of a service company, who needs the target's username and password to log in and troubleshoot a computer problem; or claiming to be a member of the police, the Internal Revenue Service, or another government agency who needs the victim's username and password to log in and gather information for an investigation.


In a baiting attack, the hacker leaves a CD, DVD or USB flash drive, with a legitimate-looking company label, in a location where it looks like it was inadvertently left. The label carries a curiosity-piquing title, such as "Executive Salary Summary". An employee finds it and either turns it in to a manager who inserts it into a computer, or the employee inserts it into a computer themselves. In either case, the CD, DVD or USB flash drive places a virus on the system which gives the hacker a back door into the company's computer network.


In phishing, the hacker sends an email that appears to come from a legitimate business indicating that, for some very important reason (sometimes even claiming the target's account has been hacked), the target must click on a link in the email to update or verify their account information. The link takes them to a web page that seems legitimate, complete with the company logo and a form into which they enter their credit card information.

A common phishing scenario is receiving an email apparently sent from eBay indicating that the user's account will be suspended unless they click on the link provided to update their credit card information. The link takes them to a web page with eBay's logo that looks legitimate. It's very easy for a hacker to get an individual's email address from a user's eBay auction information.
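One technical countermeasure for the phishing scenario above is to check whether the links in a message actually lead to the domain the message claims to come from, and whether a link's visible text names a different host than its real destination. The following is an added example, not code from the original article; the sender domain, the link-collecting parser and the sample HTML are all constructed here, and the look-alike host uses a reserved .example placeholder rather than any real indicator.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(value):
    """Hostname of a URL, or of link text that merely looks like one."""
    parsed = urlparse(value if "://" in value else "//" + value)
    return (parsed.hostname or "").lower()

def registrable_domain(host):
    # Crude: last two labels. Enough for the sample; real use needs a public-suffix list.
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:])

def find_link_mismatches(claimed_sender_domain, html_body):
    """Flag links that leave the claimed sender's domain, or whose visible text names a different host than the real href."""
    parser = _LinkCollector()
    parser.feed(html_body)
    expected = registrable_domain(claimed_sender_domain)
    findings = []
    for href, text in parser.links:
        href_host, text_host = host_of(href), host_of(text)
        off_domain = registrable_domain(href_host) != expected
        text_lies = "." in text_host and registrable_domain(text_host) != registrable_domain(href_host)
        if off_domain or text_lies:
            findings.append({"href": href, "text": text, "href_host": href_host})
    return findings

# Constructed sample: the mail claims to be eBay, but the "update" link goes to a look-alike host (.example placeholder).
SAMPLE_SENDER = "ebay.com"
SAMPLE_BODY = """<a href="https://www.ebay.com/help">Help Center</a>
<a href="http://ebay-account-verify.example/update">https://www.ebay.com/update</a>"""
```

Running `find_link_mismatches(SAMPLE_SENDER, SAMPLE_BODY)` reports only the second link, whose text shows an eBay URL while its href points elsewhere.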

Copyright © 2001-2021 Bucaro TecHelp, 13771 N Fountain Hills Blvd Suite 114-248, Fountain Hills, AZ 85268