
27/09/2015

Social engineering (security) - Wikipedia, the free encyclopedia

Social engineering (security)
From Wikipedia, the free encyclopedia

This article is about the information security concept. For influencing society on a large scale, see Social engineering (political science).

Social engineering, in the context of information security, refers to psychological manipulation of people into performing actions or divulging confidential information. A type of confidence trick for the purpose of information gathering, fraud, or system access, it differs from a traditional "con" in that it is often one of many steps in a more complex fraud scheme.

(Figure caption: OPSEC alert)

The term "social engineering" as an act of psychological manipulation is also associated with the social sciences, but its usage has caught on among computer and information security professionals.[1]

Contents
1 Techniques and terms
1.1 Pretexting
1.2 Diversion theft
1.3 Phishing
1.3.1 IVR or phone phishing
1.4 Baiting
1.5 Quid pro quo
1.6 Tailgating
1.7 Other types
1.8 Countermeasures
2 Notable social engineers
2.1 Kevin Mitnick
2.2 Christopher Hadnagy
2.3 Badir Brothers
2.4 Pete Herzog
2.5 Others
3 Law
3.1 Pretexting of telephone records
3.2 Federal legislation
3.3 1st Source Information Specialists
3.4 Hewlett-Packard
4 In popular culture
5 See also
6 References

https://en.wikipedia.org/wiki/Social_engineering_(security)

1/10

7 Further reading
8 External links

Techniques and terms
All social engineering techniques are based on specific attributes of human decision-making known as cognitive biases.[2] These biases, sometimes called "bugs in the human hardware", are exploited in various combinations to create attack techniques, some of which are listed. The attacks used in social engineering can be used to steal employees' confidential information. The most common type of social engineering happens over the phone. Other examples of social engineering attacks are criminals posing as exterminators, fire marshals and technicians to go unnoticed as they steal company secrets.
One example of social engineering is an individual who walks into a building and posts an official-looking announcement to the company bulletin that says the number for the help desk has changed. So, when employees call for help, the individual asks them for their passwords and IDs, thereby gaining the ability to access the company's private information. Another example of social engineering would be that the hacker contacts the target on a social networking site and starts a conversation with the target. Slowly and gradually, the hacker gains the trust of the target and then uses it to get access to sensitive information like passwords or bank account details.[3]

Pretexting
Pretexting (adj. pretextual), also known in the UK as blagging or bohoing, is the act of creating and using an invented scenario (the pretext) to engage a targeted victim in a manner that increases the chance the victim will divulge information or perform actions that would be unlikely in ordinary circumstances.[4] An elaborate lie, it most often involves some prior research or setup and the use of this information for impersonation (e.g., date of birth, Social Security number, last bill amount) to establish legitimacy in the mind of the target.[5]
This technique can be used to fool a business into disclosing customer information as well as by private investigators to obtain telephone records, utility records, banking records and other information directly from company service representatives. The information can then be used to establish even greater legitimacy under tougher questioning with a manager, e.g., to make account changes, get specific balances, etc.
Pretexting can also be used to impersonate co-workers, police, bank, tax authorities, clergy, insurance investigators or any other individual who could have perceived authority or right-to-know in the mind of the targeted victim. The pretexter must simply prepare answers to questions that might be asked by the victim. In some cases, all that is needed is a voice that sounds authoritative, an earnest tone, and an ability to think on one's feet to create a pretextual scenario.

Diversion theft
Diversion theft, also known as the "Corner Game"[6] or "Round the Corner Game", originated in the East End of London.
In summary, diversion theft is a "con" exercised by professional thieves, normally against a transport or courier company. The objective is to persuade the persons responsible for a legitimate delivery that the consignment is requested elsewhere, hence "round the corner".

Phishing
Main article: Phishing
Phishing is a technique of fraudulently obtaining private information. Typically, the phisher sends an e-mail that appears to come from a legitimate business (a bank or credit card company) requesting "verification" of information and warning of some dire consequence if it is not provided. The e-mail usually contains a link to a fraudulent web page that seems legitimate, with company logos and content, and has a form requesting everything from a home address to an ATM card's PIN.
For example, 2003 saw the proliferation of a phishing scam in which users received e-mails supposedly from eBay claiming that the user's account was about to be suspended unless a link provided was clicked to update a credit card (information that the genuine eBay already had). Because it is relatively simple to make a Web site resemble a legitimate organization's site by mimicking the HTML code, the scam counted on people being tricked into thinking they were being contacted by eBay and, subsequently, were going to eBay's site to update their account information. By spamming large groups of people, the "phisher" counted on the e-mail being read by a percentage of people who already had listed credit card numbers with eBay legitimately, who might respond.
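As an added illustration (not part of the Wikipedia article), the following Python triage function checks a message for the three traits described above: a sender posing as a known company from an unrelated domain, a "verify or be suspended" pretext, and a link whose visible text names the legitimate site while its href points elsewhere. The two sample messages, the cue list and the domain heuristics are constructed for this example and are deliberately simple.

```python
"""Heuristic phishing e-mail triage (added example, not from the article).

Flags the traits the Phishing section describes: a sender posing as a known
company from an unrelated domain, a "verify or be suspended" pretext, and a
link whose visible text names the real site while its href goes elsewhere.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed cue list; a production filter would use a tuned, larger corpus.
URGENCY_CUES = ("suspend", "verify", "immediately", "within 24 hours", "unauthorized")
DOMAIN_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}")
# Simplified anchor matcher; enough for the sample bodies, not a full HTML parser.
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)


def registrable(host):
    """Crude registrable domain (last two labels); fine for the samples here."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def analyse(raw_message):
    """Return a list of findings for a single-part text/html RFC 822 message."""
    msg = message_from_string(raw_message)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    sender_host = addr.rpartition("@")[2].lower()
    # 1. Display name whose words appear nowhere in the sending domain's labels
    #    (heuristic: "eBay Billing" from ebay-account-verify.example fires,
    #    "Example Shop" from example.com does not).
    words = re.findall(r"[a-z0-9]+", display.lower())
    if words and not set(words) & set(sender_host.split(".")):
        findings.append(f"display name '{display}' vs sender domain {sender_host}")
    # 2. Pressure to act: the "dire consequence" the article describes.
    body = msg.get_payload(decode=True).decode("utf-8", errors="replace")
    lowered = (msg.get("Subject", "") + " " + body).lower()
    cues = [c for c in URGENCY_CUES if c in lowered]
    if cues:
        findings.append("urgency cues: " + ", ".join(cues))
    # 3. Link text that names one site while the href resolves to another.
    for href, text in ANCHOR_RE.findall(body):
        shown = DOMAIN_RE.search(text.lower())
        target = registrable(urlparse(href).hostname or "")
        if shown and registrable(shown.group()) != target:
            findings.append(f"link shows '{text.strip()}' but points to {target}")
    return findings


# Constructed sample messages (not real mail).
PHISH = """\
From: "eBay Billing" <billing@ebay-account-verify.example>
To: victim@example.org
Subject: Your account will be suspended
Content-Type: text/html

<p>Please verify your credit card within 24 hours or your account
will be suspended.</p>
<p><a href="http://update.ebay-account-verify.example/login">www.ebay.com</a></p>
"""
LEGIT = """\
From: "Example Shop" <noreply@example.com>
To: victim@example.org
Subject: Your order has shipped
Content-Type: text/html

<p>Track it here: <a href="https://www.example.com/track/123">www.example.com</a></p>
"""

if __name__ == "__main__":
    for name, sample in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, analyse(sample) or ["no findings"])
```

Running the block prints three findings for PHISH and none for LEGIT; the display-name check is a heuristic and will misfire on brands whose name spans several words, which is why such rules are scored rather than used alone.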
IVR or phone phishing
Main article: Vishing
Phone phishing (or "vishing") uses a rogue interactive voice response (IVR) system to recreate a legitimate-sounding copy of a bank or other institution's IVR system. The victim is prompted (typically via a phishing e-mail) to call in to the "bank" via a (ideally toll-free) number provided in order to "verify" information. A typical system will reject logins continually, ensuring the victim enters PINs or passwords multiple times, often disclosing several different passwords. More advanced systems transfer the victim to the attacker posing as a customer service agent for further questioning.

Baiting
Baiting is like the real-world Trojan Horse that uses physical media and relies on the curiosity or greed of the victim.[7]
In this attack, the attacker leaves a malware-infected floppy disk, CD-ROM, or USB flash drive in a location sure to be found (bathroom, elevator, sidewalk, parking lot), gives it a legitimate-looking and curiosity-piquing label, and simply waits for the victim to use the device.
For example, an attacker might create a disk featuring a corporate logo, readily available from the target's website, and write "Executive Salary Summary Q2 2012" on the front. The attacker would then leave the disk on the floor of an elevator or somewhere in the lobby of the targeted company. An unknowing employee might find it and subsequently insert the disk into a computer to satisfy their curiosity, or a good samaritan might find it and turn it in to the company.
In either case, as a consequence of merely inserting the disk into a computer to see the contents, the user would unknowingly install malware on it, likely giving an attacker unfettered access to the victim's PC and, perhaps, the targeted company's internal computer network.
Unless computer controls block the infection, PCs set to "auto-run" inserted media may be compromised as soon as a rogue disk is inserted.
Hostile devices, more attractive than simple memory, can also be used.[8] For instance, a "lucky winner" is sent a free digital audio player that actually compromises any computer it is plugged into.

Quid pro quo
Quid pro quo means something for something:
An attacker calls random numbers at a company, claiming to be calling back from technical support. Eventually this person will hit someone with a legitimate problem, grateful that someone is calling back to help them. The attacker will "help" solve the problem and, in the process, have the user type commands that give the attacker access or launch malware.
In a 2003 information security survey, 90% of office workers gave researchers what they claimed was their password in answer to a survey question in exchange for a cheap pen.[9] Similar surveys in later years obtained similar results using chocolates and other cheap lures, although they made no attempt to validate the passwords.[10]

Tailgating
Main article: Piggybacking (security)
An attacker, seeking entry to a restricted area secured by unattended, electronic access control, e.g. by RFID card, simply walks in behind a person who has legitimate access. Following common courtesy, the legitimate person will usually hold the door open for the attacker, or the attackers themselves may ask the employee to hold it open for them. The legitimate person may fail to ask for identification for any of several reasons, or may accept an assertion that the attacker has forgotten or lost the appropriate identity token. The attacker may also fake the action of presenting an identity token.

Other types
Common confidence tricksters or fraudsters also could be considered "social engineers" in the wider sense, in that they deliberately deceive and manipulate people, exploiting human weaknesses to obtain personal benefit. They may, for example, use social engineering techniques as part of an IT fraud.
A very recent type of social engineering technique includes spoofing or hacking IDs of people having popular e-mail IDs such as Yahoo!, Gmail, Hotmail, etc. Among the many motivations for deception are:
Phishing credit card account numbers and their passwords.
Cracking private e-mails and chat histories, and manipulating them by using common editing techniques before using them to extort money and creating distrust among individuals.
Cracking websites of companies or organizations and destroying their reputation.
Computer virus hoaxes
Convincing users to run malicious code within the web browser via self-XSS attack to allow access to their web account

Countermeasures
Organizations reduce their security risks by:
Establishing frameworks of trust on an employee/personnel level (i.e., specify and train personnel when/where/why/how sensitive information should be handled)
Identifying which information is sensitive and evaluating its exposure to social engineering and breakdowns in security systems (building, computer system, etc.)
Establishing security protocols, policies, and procedures for handling sensitive information.
Training employees in security protocols relevant to their position. (e.g., in situations such as tailgating, if a person's identity cannot be verified, then employees must be trained to politely refuse.)
Performing unannounced, periodic tests of the security framework.
Reviewing the above steps regularly: no solutions to information integrity are perfect.[11]
Using a waste management service that has dumpsters with locks on them, with keys to them limited only to the waste management company and the cleaning staff. Locating the dumpster either in view of employees, such that trying to access it carries a risk of being seen or caught, or behind a locked gate or fence where the person must trespass before they can attempt to access the dumpster.[12]

Notable social engineers
Kevin Mitnick
Reformed computer criminal and later security consultant Kevin Mitnick points out that it is much easier to trick someone into giving a password for a system than to spend the effort to crack into the system.[13]

Christopher Hadnagy
Christopher Hadnagy is the security professional who wrote the first framework defining the physical and psychological principles of social engineering.[14] He is most widely known for his books, podcast and being the creator of the DEF CON Social Engineer Capture the Flag and the Social Engineer CTF for Kids.

Badir Brothers
Brothers Ramy, Muzher, and Shadde Badir, all of whom were blind from birth, managed to set up an extensive phone and computer fraud scheme in Israel in the 1990s using social engineering, voice impersonation, and Braille-display computers.[15]

Pete Herzog
Pete Herzog is a neurohacker and Notable Social Engineering Researcher for the non-profit security research organization, ISECOM (http://www.isecom.org). He created the first social engineering methodology for quantifiable testing of human security for OSSTMM 2.1 in 2002[16] (referred to as "Process Security" in the manual). By 2003 he created Trust Metrics for measuring the amount of trust one can put in anything in a quantifiable manner for OSSTMM 3 in 2010.[17] In 2009 Herzog began working with brainwave scanners and tDCS to directly manipulate the brain and understand how people learn and focus attention.[18] By combining trust, neurohacking, and social engineering research he extended the research field to understanding why people fall for manipulation techniques and cataloging how people are neurologically vulnerable. He has presented "How We Are Broken" at SecTor in 2010[19] and later in 2014 towards improving security awareness with "5 Secrets to Building an Amazing Security Culture in Your Organization" at RVAs3c.[20] Also he applied the research to combatting fraud, manipulation, and social engineering with the Security Awareness Learning Tactics (SALT) project[21] to specifically design security awareness based on the neuro research. He has also shown how social engineering can be used to improve job hunting for the unemployed in the article, "Hacking Human Resources Is a Thing".[22] Herzog also applies these manipulation techniques to Hacker Highschool (http://www.HackerHighschool.org), an open and free security awareness project written and designed specifically for how teens think and learn,[23] and again in the article "Why We Teach Kids to Hack in Schools" where he writes, "We are nearly done with version 2 of the Hacker Highschool lessons, a complete rewrite based on feedback and neurological studies of how teens think and learn."[24]

Others
Other social engineers include Frank Abagnale, David Bannon, Peter Foster, and Steven Jay Russell.

Law
In common law, pretexting is an invasion of privacy tort of appropriation.[25]

Pretexting of telephone records
In December 2006, United States Congress approved a Senate-sponsored bill making the pretexting of telephone records a federal felony with fines of up to $250,000 and ten years in prison for individuals (or fines of up to $500,000 for companies). It was signed by President George W. Bush on 12 January 2007.[26]

Federal legislation
The 1999 "GLBA" is a U.S. Federal law that specifically addresses pretexting of banking records as an illegal act punishable under federal statutes. When a business entity such as a private investigator, SIU insurance investigator, or an adjuster conducts any type of deception, it falls under the authority of the Federal Trade Commission (FTC). This federal agency has the obligation and authority to ensure that consumers are not subjected to any unfair or deceptive business practices. US Federal Trade Commission Act, Section 5 of the FTCA states, in part: "Whenever the Commission shall have reason to believe that any such person, partnership, or corporation has been or is using any unfair method of competition or unfair or deceptive act or practice in or affecting commerce, and if it shall appear to the Commission that a proceeding by it in respect thereof would be to the interest of the public, it shall issue and serve upon such person, partnership, or corporation a complaint stating its charges in that respect."
The statute states that when someone obtains any personal, non-public information from a financial institution or the consumer, their action is subject to the statute. It relates to the consumer's relationship with the financial institution. For example, a pretexter using false pretenses either to get a consumer's address from the consumer's bank, or to get a consumer to disclose the name of his or her bank, would be covered. The determining principle is that pretexting only occurs when information is obtained through false pretenses.
While the sale of cell telephone records has gained significant media attention, and telecommunications records are the focus of the two bills currently before the United States Senate, many other types of private records are being bought and sold in the public market. Alongside many advertisements for cell phone records, wireline records and the records associated with calling cards are advertised. As individuals shift to VoIP telephones, it is safe to assume that those records will be offered for sale as well. Currently, it is legal to sell telephone records, but illegal to obtain them.[27]

1st Source Information Specialists
U.S. Rep. Fred Upton (R-Kalamazoo, Michigan), chairman of the Energy and Commerce Subcommittee on Telecommunications and the Internet, expressed concern over the easy access to personal mobile phone records on the Internet during Wednesday's E&C Committee hearing on "Phone Records For Sale: Why Aren't Phone Records Safe From Pretexting?" Illinois became the first state to sue an online records broker when Attorney General Lisa Madigan sued 1st Source Information Specialists, Inc., on 20 January, a spokeswoman for Madigan's office said. The Florida-based company operates several Web sites that sell mobile telephone records, according to a copy of the suit. The attorneys general of Florida and Missouri quickly followed Madigan's lead, filing suit on 24 and 30 January, respectively, against 1st Source Information Specialists and, in Missouri's case, one other records broker, First Data Solutions, Inc.
Several wireless providers, including T-Mobile, Verizon, and Cingular, filed earlier lawsuits against records brokers, with Cingular winning an injunction against First Data Solutions and 1st Source Information Specialists on 13 January. U.S. Senator Charles Schumer (D-New York) introduced legislation in February 2006 aimed at curbing the practice. The Consumer Telephone Records Protection Act of 2006 would create felony criminal penalties for stealing and selling the records of mobile phone, landline, and Voice over Internet Protocol (VoIP) subscribers.

Hewlett-Packard
Patricia Dunn, former chairwoman of Hewlett-Packard, reported that the HP board hired a private investigation company to delve into who was responsible for leaks within the board. Dunn acknowledged that the company used the practice of pretexting to solicit the telephone records of board members and journalists. Chairman Dunn later apologized for this act and offered to step down from the board if it was desired by board members.[28] Unlike Federal law, California law specifically forbids such pretexting. The four felony charges brought on Dunn were dismissed.[29]

In popular culture
In the movie Identity Thief, Melissa McCarthy used pretexting to get the name and other identifying information of Jason Bateman, enabling her to steal his identity.
In the film Hackers, the protagonist used pretexting when he asked a security guard for the telephone number to a TV station's modem while posing as an important executive.
In Jeffrey Deaver's book The Blue Nowhere, social engineering to obtain confidential information is one of the methods used by the killer, Phate, to get close to his victims.
In the movie Die Hard 4.0, Justin Long is seen pretexting that his father is dying from a heart attack to have an OnStar Assist representative start what will become a stolen car.
In the movie Sneakers, one of the characters poses as a low-level security guard's superior in order to convince him that a security breach is just a false alarm.
In the movie The Thomas Crown Affair, one of the characters poses over the telephone as a museum guard's superior in order to move the guard away from his post.
In the James Bond movie Diamonds Are Forever, Bond is seen gaining entry to the Whyte laboratory with a then state-of-the-art card access lock system by "tailgating". He merely waits for an employee to come to open the door, then, posing himself as a rookie at the lab, fakes inserting a non-existent card while the door is unlocked for him by the employee.
In the television show Rockford Files, the character Jim Rockford used pretexting often in his private investigation work.
In the popular TV show The Mentalist, protagonist Patrick Jane often uses pretexting to trick criminals into confessing to the crimes they committed.
In the TV show Burn Notice, many characters are seen using social engineering; in Michael Westen's psych profile it is stated that he is very skilled in social engineering.
In the TV show Psych, protagonist Shawn Spencer often uses pretexting to gain access to locations he would otherwise not be allowed into without police credentials.
In the video game Watch Dogs, protagonist Aiden Pearce states that he studied social engineering when growing up into a life of crime and uses social engineering tactics to manipulate other characters throughout the game to get the information he wants.

See also
Confidence trick
Countermeasure (computer)
Certified Social Engineering Prevention Specialist (CSEPS)
Cyber-HUMINT
Cyberheist
Internet Security Awareness Training
IT risk
Media pranks, which often use similar tactics (though usually not for criminal purposes)
Penetration test
Phishing
Physical information security
Piggybacking (security)
SMiShing
Threat (computer)
Vishing
Vulnerability (computing)

References
1. Anderson, Ross J. (2008). Security engineering: a guide to building dependable distributed systems (2nd ed.). Indianapolis, IN: Wiley. 1040. ISBN 9780470068526. Chapter 2, page 17.
2. Jaco, K: "CSEPS Course Workbook" (2004), unit 3, Jaco Security Publishing.
3. "Hack a Facebook Account with Social Engineering (Easiest Way) ~ Amazing Hacking Tricks". amazinghackingtricks.com.
4. The story of the HP pretexting scandal with discussion is available at Davani, Faraz (14 August 2011). "HP Pretexting Scandal by Faraz Davani". Scribd. Retrieved 15 August 2011.
5. "Pretexting: Your Personal Information Revealed (http://www.ftc.gov/bcp/edu/pubs/consumer/credit/cre10.shtm)", Federal Trade Commission.
6. "Train For Life". Web.archive.org. 5 January 2010. Archived from the original on 5 January 2010. Retrieved 9 August 2012.
7. "Social Engineering, the USB Way". Light Reading Inc. 7 June 2006. Archived from the original on 13 July 2006. Retrieved 23 April 2014.
8. http://md.hudora.de/presentations/firewire/PacSec2004.pdf
9. Leyden, John (18 April 2003). "Office workers give away passwords". Theregister.co.uk. Retrieved 11 April 2012.
10. "Passwords revealed by sweet deal". BBC News. 20 April 2004. Retrieved 11 April 2012.
11. Mitnick, K., & Simon, W. (2005). "The Art Of Intrusion". Indianapolis, IN: Wiley Publishing.
12. Allsopp, William. Unauthorised access: Physical penetration testing for IT security teams. Hoboken, NJ: Wiley, 2009. 240-241.
13. Mitnick, K: "CSEPS Course Workbook" (2004), p. 4, Mitnick Security Publishing. A documentary based on Kevin Mitnick, "Freedom Downtime", was made featuring the real story of Kevin Mitnick, featuring some real hackers.
14. "Social Engineering Framework". Social-engineer.org. 1 October 2010.
15. "Wired 12.02: Three Blind Phreaks". Wired.com. 14 June 1999. Retrieved 11 April 2012.
16. http://isecom.securenetltd.com/osstmm.en.2.1.pdf
17. "ISECOM - Open Source Security Testing Methodology Manual (OSSTMM)". osstmm.org.
18. "Smarter Safer Better". facebook.com.
19. Security, trust, and how we are broken by Pete Herzog. Vimeo.
20. RVAs3c: Pete Herzog - Five Secrets to Building an Amazing Security Culture in Your Organization. YouTube. 28 July 2014.
21. https://www.isecom.org/SALT.v3.SAMPLE.pdf
22. "Interview with a Hacker: Hacking Human Resources Is a Thing". The Blot Magazine.
23. http://opensource.com/life/12/8/hackerhighschoolstudentslearnredesignfuturearticle
24. Pete Herzog. "Why We Teach Kids to Hack in Schools". LinkedIn Pulse.
25. Restatement 2d of Torts 652C.
26. "Congress outlaws pretexting". Ars Technica.
27. Mitnick, K (2002): "The Art of Deception", p. 103. Wiley Publishing Ltd: Indianapolis, Indiana, United States of America. ISBN 0471237124.
28. HP chairman: Use of pretexting 'embarrassing' (http://news.cnet.com/HPchairmanUseofpretextingembarrassing/21001014_36113715.html?tag=nefd.lede) Stephen Shankland, 2006-09-08 1:08 PM PDT, CNET News.com.
29. "Calif. court drops charges against Dunn". News.cnet.com. 14 March 2007. Retrieved 11 April 2012.

Further reading
Boyington, Gregory. (1990). 'Baa Baa Black Sheep'. Published by Gregory Boyington. ISBN 0553263501.
Harley, David. 1998. Re-Floating the Titanic: Dealing with Social Engineering Attacks (http://smallbluegreenblog.files.wordpress.com/2010/04/eicar98.pdf). EICAR Conference.
Laribee, Lena. June 2006. Development of methodical social engineering taxonomy project (http://faculty.nps.edu/ncrowe/oldstudents/laribeethesis.htm). Master's Thesis, Naval Postgraduate School.
Leyden, John. 18 April 2003. Office workers give away passwords for a cheap pen (http://www.theregister.co.uk/2003/04/18/office_workers_give_away_passwords/). The Register. Retrieved 2004-09-09.
Long, Johnny. (2008). No Tech Hacking: A Guide to Social Engineering, Dumpster Diving, and Shoulder Surfing. Published by Syngress Publishing Inc. ISBN 9781597492157.
Mann, Ian. (2008). Hacking the Human: Social Engineering Techniques and Security Countermeasures. Published by Gower Publishing Ltd. ISBN 0566087731 or ISBN 9780566087738.
Mitnick, Kevin, Kasperavičius, Alexis. (2004). CSEPS Course Workbook. Mitnick Security Publishing.
Mitnick, Kevin, Simon, William L., Wozniak, Steve. (2002). The Art of Deception: Controlling the Human Element of Security. Published by Wiley. ISBN 0471237124 or ISBN 076454280X.
Hadnagy, Christopher. (2011). Social Engineering: The Art of Human Hacking. Published by Wiley. ISBN 0470639539.

External links
Social Engineering Fundamentals (http://www.symantec.com/connect/articles/socialengineeringfundamentalspartihackertactics). Securityfocus.com. Retrieved on 3 August 2009.
"Social Engineering, the USB Way". Light Reading Inc. 7 June 2006. Archived from the original on 13 July 2006. Retrieved 23 April 2014.
Should Social Engineering be a part of Penetration Testing? (http://www.darknet.org.uk/2006/03/shouldsocialengineeringapartofpenetrationtesting/). Darknet.org.uk. Retrieved on 3 August 2009.
"Protecting Consumers' Phone Records" (http://www.epic.org/privacy/iei/sencomtest2806.html), Electronic Privacy Information Center, US Committee on Commerce, Science, and Transportation. Retrieved on 8 February 2006.
Striptease for passwords (http://www.msnbc.msn.com/id/21566341/). MSNBC.MSN.com. Retrieved on 1 November 2007.
Social-Engineer.org (http://www.socialengineer.org/). social-engineer.org. Retrieved on 16 September 2009.

Retrieved from "https://en.wikipedia.org/w/index.php?title=Social_engineering_(security)&oldid=682814123"
Categories: Social engineering (computer security)
This page was last modified on 26 September 2015, at 06:44.