
qcred11
QUOTE

Munir Kotadia
ZDNet Australia
November 01, 2004, 08:39 GMT
   
Old-fashioned techniques for conning people are being applied to new technology in order to break into networks and computers, warns the analyst firm

The greatest security risk facing large companies and individual Internet users over the next 10 years will be the increasingly sophisticated use of social engineering to bypass IT security defences, according to analyst firm Gartner.

Gartner defines social engineering as "the manipulation of people, rather than machines, to successfully breach the security systems of an enterprise or a consumer". This involves criminals persuading a user to click on a link or open an attachment that they probably know they shouldn't.

Rich Mogull, research director for information security and risk at Gartner, said social engineering is more of a problem than hacking.

"People, by nature, are unpredictable and susceptible to manipulation and persuasion. Studies show that humans have certain behavioural tendencies that can be exploited with careful manipulation.

"Many of the most-damaging security penetrations are, and will continue to be, due to social engineering, not electronic hacking or cracking," said Mogull.

According to Mogull, identity theft is a major concern because more criminals are "reinventing old scams" using new technology.

"Criminals are using social engineering to take the identity of someone either for profit, or to gather further information on an enterprise. This is not only a violation of the business, but of someone's personal privacy," said Mogull.

Rob Forsyth, managing director at Sophos in Australia and New Zealand, told ZDNet Australia about a 'malicious and cynical' scam that recently targeted unemployed Australians.

According to Forsyth, the potential victim received an email that purported to come from Credit Suisse bank advertising a job opportunity. The email asked the recipient to go to a Web site that was an almost exact replica of the actual Credit Suisse site -- but this version contained an application form for the 'vacancy'.

Forsyth said the replicated Web site was recreated so thoroughly that it took experts 'some time' to confirm that it was actually fake.

"It took us some time to determine it was a fake site. It was not necessarily groundbreaking but quite a clever combination of technology.

"They are targeting those people in the community that are most in need -- those seeking work. It is exactly those people that might be vulnerable to this kind of overture," said Forsyth.

Gartner's Mogull said: "We believe social engineering is the single greatest security risk in the decade ahead."


beardednose
I disagree. Viruses, worms, and malware/spyware are the biggest security threat. I wrote a whole thread on this way back, but here's a summary....

Almost everyone gets viruses, worms, and malware. They may not get in, but they bounce up against our machines. Most people have still not been social engineered (I'm not counting phishing, but even if you do, not everyone has been phished yet, like my mother).

This category will get worse. So will SE. The other issue is that these attacks are incorporating more sophisticated methods that don't require as much user interaction (just add computer).

A new reason I disagree: SE takes too much time, effort, and exposure for the attacker. Viruses et al. are quick and dirty and once launched, off they go. Just plug it in and it works.

The more Gartner opens its mouth, the more I wonder about them. I've taken what they say with so much salt that pretty soon we're going to run out, and I'm going to have to switch to pepper or even garlic. Maybe if I stuffed that up their unbeardednoses a few times, they'd wake up and smell the pasta...
kbnet
I personally believe that these factors are not comparable. True, they are both serious security risks, but I believe that you can not draw a line under which threat is 'greater' than the other.

I think the seriousness of these security breaches is really going to depend on the situation and the malicious intent of the attack. In general one risk will not be greater than the other; you could only determine the 'greater' risk by comparing two situations where both techniques are applied.

For example, releasing a worm can affect hundreds, thousands, even millions of people / companies. Therefore, I would classify this as a more widespread attack, maybe focusing on no one in particular (this will depend on the characteristics of the worm). This is therefore a serious security risk because of the vast amount of people infected, but the worm may not be particularly malicious and is therefore not a major security risk. For example, the worm may just display a message saying "Hello World!". Not malicious, but would still be regarded as a security risk.

However, I would consider Social Engineering as a more focused attack on a particular user / company. Gaining access to a company's system via social engineering would be regarded as a serious security risk from the company's perspective. However, the seriousness of this breach will depend on the intent.

Be good to hear other people's opinions on this.

(Only just woke up so I hope it all makes sense :-s )

Cheers
beardednose
QUOTE
However, the seriousness of this breach will depend on the intent.


What? If I read you right (and I probably don't), this says that if I don't INTEND to shut down your network with a worm (a la Morris), that's not as serious as if I intended to do it and it worked. Hmmmmm.

Perhaps you were looking at it from a penalty standpoint instead of results?

I was looking at serious in terms of who it could happen to and the impact on the individual. In that case, anyone can get a virus, but not everyone will get SE'd or hacked. Viral surprises are more likely than SE cons or direct hacks, unless you count the viral kisses that actually hack.

Speaking of kisses, whatever happened to sliggyp (as I always called her)? We ain't got a good *lick* from that chick in quite a wick. Maybe she got a job at the post office....



harbaughisback
In the proverbial unhackable system, there is always a way to SE to hack it, else it is an unusable system. Viruses, etc. cannot do this.
The power of social engineering is essentially unlimited and the power of viruses is limited to their initial intent.
So I think that SE'ing is more powerful in general, but I also agree that the greatest threat, esp. for sheer numbers, is the virus (and its like).
belgther
Social engineering is a cruel way to hack a computer / a server.
For example, many people were fooled by these fake "mirabilis" users.
They were coming and saying that they are Mirabilis and want to get passwords...
I even know some famous lamers who are respected by the hackers and are counted as hackers because of their good SE tricks...
aelphaeis_mangarae
Viruses and worms and vulns are a serious threat because they are very common.

However, social engineering can be very powerful. I myself thought I would never fall victim to SE, until one day I did.

And I wasn't expecting it at all. Nearly everyone is vulnerable to social engineering; one of the greatest hacks of all time was a hack on Microsoft using a Visual Basic trojan.

exp0sed
QUOTE(kbnet @ Nov 2 2004, 02:51 AM)
I personally believe that these factors are not comparable. True, they are both serious security risks, but I believe that you can not draw a line under which threat is 'greater' than the other.

I would also add that the threat of each also hinges on how secure your network already is. For example, a company who spends a lot of money on firewalls, etc. and has a "secure" network in place would probably be more susceptible to social engineering attempts, whereas a company who spends little or no money securing the network will be more vulnerable to viruses, etc.

I can't remember who said it, but at the end of the day "your network is only as good as the people that run it" - untrained personnel who use weak passwords and voluntarily give away too much information are a threat to any company, no matter how secure or insecure the network seems to outsiders.

I think I would personally be more concerned about social engineering because I think when security policies are put in place this is a topic that employees tend to forget about as time passes, if it is even mentioned at all. If you spend a reasonable amount of money keeping your network secure, virus infections will occasionally occur but should be minimal. Ultimately the weakest link is the people.

Just my thoughts...

-exp0sed
Invision Power Board © 2001-2005 Invision Power Services, Inc.