Sunday 7 September 2008

Tasukete Kudasai

A couple of months ago, Super Chris recommended a book to me written by an ex-hacker, The Art of Deception: Controlling the Human Element of Security (he doesn't just recommend hentai!). I found the sequel, The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders & Deceivers in the Baillieu library, and read that. The stories weren't all your typical Hollywood hacker stories - geeks sitting at a computer (although some were). One of the stories that interested me the most was one that didn't feature hacking in the traditional sense, but was more about social engineering.

One guy was hired to do a penetration test on a company. Basically, the company hires him to try and see how much information he can access as someone outside the company to try and expose security holes. One of the first things he did was befriend a woman working in the company, and start talking to her. He pretended to be someone trying to get a job with the company, adding a little touch of desperation, and asked her for some information on the structure of the company.

Then he watched some people coming and going from the building for a while, and noticed a guy who people called "Chuckie" who seemed to know the people on security at the door. After Chuckie had left, he waited a bit, then approached one of the security guards and told a story about how Chuckie owed him some money, and said that he'd lend him something for his date tonight. Not only does he convince the security guard to let him in, but the guard ends up giving him $20 for his "date"!

So now that he's in, he talks to a receptionist, and claims to be a tech guy. He asks for her help with something. He says that one of the things social engineers take advantage of most is a person's innate desire to be helpful. So the receptionist ends up giving him access to her computer despite the fact that he still hasn't given her any ID or anything, and he installs a keylogger onto her system and also starts doing a dump of the files onto a USB.

He ends up wandering around, and with the help of more employees, gains access to various parts of the building that are meant to be off-limits, and also gets info without resorting to hacking in the traditional sense.

I'm interested in computer forensics, but I'm wondering if maybe that's not the best area I could be in. I have a background in computing and psychology, so maybe I could be some sort of security consultant who talks to people about different ways people can break into their system? Another one of the stories in the book was about some hackers trying to break into a company. After trying for a long time, they were starting to wonder if it was possible to penetrate the security. Just before they were about to give up, one of the employees decides to open one of the ports into the company to host a server of some sort, and the hackers were able to gain access through that. To me, that just seems like a pretty stupid thing to do. Common sense should tell you that it's bad for security - although... I guess if you don't care all that much about the company you're working for, then you don't really care about its security.

2 comments:

Auto said...

If you're interested in Kevin's social engineering, you might want to watch his interview on The Broken Ep3. He talks about how he got into social engineering/hacking. It's not his only interview that's around, but it's one I saw a while ago and it was quite interesting. You might also want to watch the other Broken episodes. In ep1 they do some social engineering to get free pizza :P

Luke said...

I have the former book as well, so I can lend it to you if you like.

You're right - basically, nothing at the heart of what Mitnick writes about and what Mitnick is famous for is technology - it's all psychology.

Silence on the Wire is another excellent book about information security (I can lend you that one too), but it's not about the psychology of security and social engineering, it's about very interesting and little-known things to do with information technology, both at hardware and software level, and it's well worth reading.