Social Engineering Fundamentals, Part I: Hacker Tactics
by Sarah Granger, last updated December 18, 2001

A True Story

One morning a few years back, a group of strangers walked into a large shipping firm and walked out with access to the firm's entire corporate network. How did they do it? By obtaining small amounts of access, bit by bit, from a number of different employees in that firm. First, they did research about the company for two days before even attempting to set foot on the premises. For example, they learned key employees' names by calling HR. Next, they pretended to lose their key to the front door, and a man let them in. Then they "lost" their identity badges when entering the third floor secured area, smiled, and a friendly employee opened the door for them. The strangers knew the CFO was out of town, so they were able to enter his office and obtain financial data off his unlocked computer. They dug through the corporate trash, finding all kinds of useful documents. They asked a janitor for a garbage pail in which to place their contents and carried all of this data out of the building in their hands. The strangers had studied the CFO's voice, so they were able to phone, pretending to be the CFO, in a rush, desperately in need of his network password. From there, they used regular technical hacking tools to gain super-user access into the system. In this case, the strangers were network consultants performing a security audit for the CFO without any other employees' knowledge. They were never given any privileged information from the CFO but were able to obtain all the access they wanted through social engineering. (This story was recounted by Kapil Raina, currently a security expert at Verisign and co-author of mCommerce Security: A Beginner's Guide, based on an actual workplace experience with a previous employer.)

Definitions

Most articles I've read on the topic of social engineering begin with some sort of definition like "the art and science of getting people to comply to your wishes" (Bernz 2), "an outside hacker's use of psychological tricks on legitimate users of a computer system, in order to obtain information he needs to gain access to the system" (Palumbo), or "getting needed information (for example, a password) from a person rather than breaking into a sys