|作者: coki [coki] 论坛用户||登录|
A Conversation with Kevin Mitnick
THE ART OF DECEPTION
Q: Why did you write this book?
A: I see this as a training tool to raise awareness about the deceptive methods, tactics and strategies used by industrial spies, hackers, and vandals to compromise computer systems or gain access to information. It doesn�t matter how much money a company, organization, or government agency spends on technological security systems or protocols. If they don�t take the time to train and educate their people they will remain totally vulnerable to social engineers.
Q: What is social engineering?
A: While relatively unknown to the general public, the term �social engineering?is widely used within the computer security community to describe the techniques hackers use to deceive a trusted computer user within a company into revealing sensitive information, or trick an unsuspecting mark into performing actions that create a security hole for them to slip through.
Q: Why did you choose The Art of Deception as the title of this book?
A: Social engineering attacks are all about manipulation and deception. I also wanted to pay tribute to Sun Tzu�s legendary treatise on warfare, The Art of War. One of the techniques he describes is the use of deception to gain an advantage over an enemy.
Q: This book is full of stories detailing successful social engineering attacks. Are you recounting specific strikes that you carried out over the years?
A: The techniques used in each incident are ones that I, and others, have used in the past to successfully compromise various enterprises but the details of the stories are totally fictional. The whole point of this is not to recount my exploits but to illustrate the tactics, strategies, and procedures used by social engineers every day.
Q: How did you become a social engineer?
A: My first encounter with what I would eventually learn to call social engineering came about during my high school years in the 1970s, when I met another student who was caught up in the hobby called phone phreaking. Phone phreaking is a type of hacking that allows you to explore the telephone network by exploiting telephone company employees and the phone system itself. At the time the phone company was just starting to switch over from mechanical to computerized systems so it wasn�t long before phone phreaking led to computer hacking. Social engineering came into play because, in trying to learn about the secret internal structure of the system, phone phreakers would often masquerade as legitimate phone company employees. They�d call various departments and offices and sweet-talk people out of information by using phone company lingo and terminology to sound authoritative. From there I began taking computer-programming classes. I had always been something of a prankster so I started using what I was learning to pull pranks on teachers and fellow students. And I was always intrigued by the notion of being able to find out information not normally available to the public.
Q: What�s the first thing a social engineer does when he mounts an attack on a target?
A: The first stage of any attack is the research phase. Using open source information such as SEC filings and annual reports, marketing brochures, patent applications, press clippings, industry magazines, Web site content, and even materials taken from your targets?garbage, you learn everything you can about the company and individual people in it. Who in the organization has access to the material you�re seeking? Where do they work? Where do they live? What computer operating systems do they work with? What�s the organizational chart of the company? Who works in which office and where are the various offices located geographically? Remember, as a social engineer you�re trying to pass yourself off as someone who has a right, and a need, to know. In order to do that you have to know the lingo, the terminology, and the internal systems of the company you are targeting. After the research phase you develop the attack itself�the pretext or ruse you�ll use to build rapport and trust with an individual that can be exploited. Once the attack is carried out, and you�ve exploited that trust, if the information obtained is only a step to a final goal, you return to the earlier steps in the cycle until the goal is reached.
Q: How is it that social engineers are so easily able to maneuver people?
A: They take advantage of human nature. In my opinion, people are very trusting. They tend to give others the benefit of doubt. They also tend to think of others in the workforce as having the same morals and ethics as themselves. They wouldn�t think of deceiving someone into taking an action so they rarely assume someone would try to deceive them. Social engineers are also expert at manipulating our desire to be helpful, our sympathy, our gullibility, and even our curiosity.
Q: What�s the difference between a direct attack and an indirect attack?
A: Imagine you�re working for a corporation. You get in the elevator one day and you see that someone has dropped a floppy disk on the floor. The disk is red, has a company logo on it, and a label that reads, �Confidential ?Salary History for all Personnel.? Facing that kind of situation what�s the first thing most of us would do? We�d give in to curiosity, put the disk in our computer, and open it up to see what�s on it. Perhaps we�d see an icon for a Word document labeled �payroll file?or �salary history.? Chances are we�d click on that icon to see what others in the company are making compared to what we�re earning. What happens then? You see a message box that says something like �Application Can�t Open?or �File Corrupted.? Unbeknownst to you, what you�ve done is install a Trojan horse on your computer that will allow an intruder access to the corporate network from the outside. You might then turn the disk over to human resources. They put it in their computer system to check it out and now the attacker has access to two computers. This is a classic example of an indirect attack.
A direct attack is one in which the attacker actually communicates with the target either over the phone, in person, via fax, or email. In most circumstances the attacker is impersonating someone else�another employee, a vendor, a high-status executive�and trying to get his or her target to reveal information, install software, or go to a website that ends up hurting the corporation�s computer infrastructure. For example, let�s say an attacker wants to hit John Wiley & Sons. He or she might set up a bogus web site designed to look totally legitimate. The site has a registration program on it that asks visitors to register an e-mail address and password. The attacker then sends an email to 1000 Wiley employees encouraging them to register for a drawing to win a free prize. The email also contains a link to the bogus web site. Let�s say only 10 percent of the employees to whom you�ve sent your email actually respond. And let�s assume 10 percent of the responders register using the same password they use at work (in order not to have to remember a lot of different passwords, most of us use the same password again and again). With those 25 email addresses and passwords the attacker now has a means of gaining access to Wiley�s computer system.
Q: What do you think will most surprise readers of this book?
A: I think readers will be surprised by the clever techniques social engineers use to deceive and manipulate people into doing what they want them to do. I think they�ll also be surprised at the gullibility of those who are targeted by social engineers. From personal experience I can tell you there are a lot of na�ve, trusting, vulnerable people out there. P.T. Barnum said there�s a sucker born every minute. Hopefully this book will lower the number of suckers�or at least retrain them so social engineers can no longer trick them.
Q: Are there any particular giveaways that might tell us we�re being made the victim of a social engineer or strategies we can use to prevent that from happening?
A: The most common tip off is when the caller refuses to give their callback number. And the best strategy to use is to ask yourself why me? Why am I being called? Is this something I normally do or is this out of the ordinary? If you�re being asked to perform a task�however innocuous�by someone you don�t personally know, you need to give the request closer scrutiny.
Q: Why are new employees particularly vulnerable to social engineering attacks?
A: New employees are often uneducated about all the necessary security policies and procedures; they�ve had limited face-to-face contact with others in the company so they don�t always know who all the players are; and they tend to be more trusting and cooperative so as to show they are good �team players.? They�re unlikely to question the authority of a social engineer posing as a fellow employee�particularly when that fellow employee is at a higher level in the hierarchy than they are.
Q: What do you want readers to get out of this book?
A: I want them to understand that anyone can be manipulated. There will be some readers out there who will think they could never be deceived by these techniques. But even the savviest individual can be suckered. Not too long ago I was social engineered by a member of the media. I was rushing around Washington, D.C. at the time trying to deal with an FCC matter so I was a bit distracted. I got a call from a reporter who told me my publisher wanted me to speak with him. I knew my publisher was putting together a publicity campaign for The Art of Deception and the reporter cited the name of one of my Wiley contacts, so it seemed a legitimate request. After the story ran, the people at Wiley asked me why I talked to this guy. I said, I guess I was social engineered into it. Anyone can be vulnerable to the skilled social engineer. What I want this book to do is raise readers?awareness. At the very least they need to understand there are people out there willing to lie, cheat, steal, and manipulate them so as to get what they want. Unless they start thinking about how vulnerable they are they�ll continue to risk not only their company�s assets but also their own jobs.
[此贴被 TomyChen(quest) 在 06月01日18时29分 编辑过]
|地主 发表时间: 06/01 16:06|
|回复: intrusive [intrusive] 论坛用户||登录|
|B1层 发表时间: 11/01 22:30|
|回复: genius_li [genius_li] 论坛用户||登录|
|B2层 发表时间: 11/06 11:17|
Copyright © 2000-2010 20CN Security Group. All Rights Reserved.