http://wiki.cas.mcmaster.ca/index.php?feed=atom&target=Shahinrs&title=Special%3AContributionsComputing and Software Wiki - User contributions [en]2026-04-09T21:02:30ZFrom Computing and Software WikiMediaWiki 1.15.1http://wiki.cas.mcmaster.ca/index.php/SmurfingSmurfing2008-04-14T02:40:58Z<p>Shahinrs: </p>
<hr />
<div>'''Smurfing''' or a '''Smurf Attack''' is a term used to describe a specific kind of [http://en.wikipedia.org/wiki/Denial_of_service Denial-of-Service](DoS) attack. The attack is achieved by the abuse of [http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol ICMP] [http://en.wikipedia.org/wiki/Ping echo (ping)] which is sent to broadcast address. This can cause significant a increase in traffic which may block legitimate traffic, thus creating a denial of service. Smurfing victimises two parties generally, the target (the one being attacked), and the amplifier (the intermediate host which involuntarily lends its services to the attacker).<br />
<br />
{| __TOC__<br />
|}<br />
<br />
{|align="right"<br />
|-<br />
| [[Image:brainy.jpg|thumb|165px|''Brainy Smurf''<br>Smurfs, as a society, were against any sort of attack.]]<br />
|}<br />
=What is Smurfing?=<br />
'''Smurfing''' is a banking industry term used to describe the act of splitting up a large financial transaction into several smaller ones to avoid scrutiny from regulators.[1] "Smurfing" is originally derived from a cartoon, [http://en.wikipedia.org/wiki/Smurfs The Smurfs], which consisted of a large society of many small individuals. The coining of the term is attributed to Miami-based lawyer, Gregory Baldwin in the 1980s.[1]<br />
<br />
'''Smurging''' or a '''Smurf Attack''' in the context of network security describes the act of many small ICMP pings being used to create very large network traffic congestion. The "smurf" attack's cousin is called '''[http://en.wikipedia.org/wiki/Fraggle_attack Fraggle]''', which uses [http://en.wikipedia.org/wiki/User_Datagram_Protocol UDP] echo packets in the same fashion as the ICMP echo packets. It was a simple re-write of "smurf".[2]<br />
<br />
=How does a Smurf Attack take place?=<br />
{|align="right"<br />
|-<br />
| [[Image:Smurf2.gif|thumb|450px|''http://faculty.ed.umuc.edu/~meinkej/inss690/cummins/cummins.htm#Smurf_Attack'']]<br />
|}<br />
In order for a Smurf Attack to take place there are three parties which need to be considered. First is the attack who orchestrates the attack. Second is the amplifier, who is usually another victim of the attack, and lastly, the target.<br />
===The Attacker===<br />
The attack itself is fairly simple. However the attacker will need a few things before the attack can be carried out. First the attacker will need a fast connection to the internet, and will need to find a large network, or a number of networks, that is attached to the Internet by a router that will forward ICMP requests. This network is the amplifier. The attacker will then send a ping request with a [http://en.wikipedia.org/wiki/IP_address_spoofing spoofed] source address (the address of the target) to the [http://en.wikipedia.org/wiki/Broadcast_address broadcast address] of the amplifier. The attacker has completed his portion of the attack.[3]<br />
<br />
===The Amplifier===<br />
An amplifier is a large network that is connected to the internet with a router. The router must be able to perform an IP broadcast. When the router receives traffic to the broadcast address, it will forward the message to all the hosts on the network. If the router receives and broadcasts an ICMP ping request, most of the hosts will reply to the source address of the message. This means that if there are 500 hosts which reply to the IP broadcast, then for every 1 ping request to that amplifier, 500 ping relies are sent. When an attacker spoofs the source address of the ping requests, rather than the pings replies going back to the attacker, they will go to the spoofed address (i.e. the victim). If the attacker has a fast connection, then it can send several ping requests very quickly. The amplifier is assumed to have a much faster connection (i.e. T3) to accommodate the ping replies.[4]<br />
<br />
===The Target===<br />
The target is generally a specific server or small network. Upon receiving the ICMP replies, the target is no longer able to make its services available to its intended users since it is busy processing these ICMP messages. This creates a DoS and render the target inaccessible to other users.<br />
<br />
<br clear=all/><br />
=Prevention=<br />
To prevent a router from being an amplifier, two simple configurations need to be implemented. <br />
* Routers and individual hosts should not respond to ping requests to broadcast addresses.<br />
* Routers should not forward packets directed to broadcast address.[5]<br />
<br />
An example of how to configure a router so that packets are not forwarded to broadcast addresses would be: <br />
<code>no ip directed-broadcast</code><br />
This configuration is for a [http://en.wikipedia.org/wiki/Cisco_Systems Cisco] router.[5]<br />
<br />
Another router configuration is to filter ICMP requests by source addresses. By applying a filter which will reject any outgoing packets that contain a source address from a different network, you eliminate the spoofing element of a Smurf attack.[6]<br />
<br />
It is important to note that these prevention techniques apply only to protecting a network form being an amplifier or the source of an attack. A similar procedure is required to prevent a Fraggle attack. If, however, the security mechanisms don't adequately enforce the [http://en.wikipedia.org/wiki/Security_policy security policy] of the network, then these prevention techniques can easily be by-passed.<br />
<br />
=References=<br />
[http://en.wikipedia.org/wiki/Smurfing_%28crime%29] Structuring<br />
<br />
[http://www.pentics.net/denial-of-service/white-papers/smurf.cgi] The Lastest In Denial Of Service Attacks: "Smurfing"<br />
<br />
[http://faculty.ed.umuc.edu/~meinkej/inss690/cummins/cummins.htm] Information Warfare Going on the Offensive<br />
<br />
[http://www.networkworld.com/archive/1999b/0222gearhead.html] Attacked by smurf<br />
<br />
[http://en.wikipedia.org/wiki/Smurf_attack] Smurf attack<br />
<br />
[http://www.academ.com/nanog/oct1997/smurfing/sld001.htm] The Lastest In Denial Of Service Attacks: "Smurfing"<br />
<br />
=Also See=<br />
[[TCP/IP_Application_Development]]<br />
<br />
[[The_Great_Firewall_of_China]]<br />
<br />
[[Designing_a_Small_Business_Intranet]]<br />
<br />
[[The_Five-Layer_TCP/IP_Model:_Description/Attacks/Defense]]<br />
<br />
[[Social_engineering]]<br />
<br />
<br />
=External Links=<br />
[http://www.webopedia.com/TERM/S/smurf.html smurf]<br />
<br />
[http://en.wikipedia.org/wiki/Ip_spoofing IP Spoofing]<br />
<br />
[http://www.javvin.com/networksecurity/SmurfAttack.html Smurf Attack and Fraggle Attack]<br />
<br />
[http://www-arc.com/sara/cve/Possible_DoS_problem.html Possible DoS (fraggle) Problem]<br />
<br />
[ftp://ftp.isi.edu/in-notes/rfc2267.txt Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing]<br />
<hr><br />
<br />
--[[User:Shahinrs|Shahinrs]] 22:40, 13 April 2008 (EDT)</div>Shahinrshttp://wiki.cas.mcmaster.ca/index.php/SmurfingSmurfing2008-04-14T00:33:45Z<p>Shahinrs: </p>
<hr />
<div>'''Smurfing''' or a '''Smurf Attack''' is a form of [http://en.wikipedia.org/wiki/Denial_of_service Denial-of-Service](DoS) attack where an attacker floods a target with [http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol ICMP] [http://en.wikipedia.org/wiki/Ping echo (ping)] traffic. <br />
{| __TOC__<br />
|}<br />
<br />
{|align="right"<br />
|-<br />
| [[Image:brainy.jpg|thumb|165px|''Brainy Smurf''<br>Smurfs, as a society, were against any sort of attack.]]<br />
|}<br />
<br />
<br />
<br />
<br />
==What is Smurfing?==<br />
'''Smurfing''' is a banking industry term used to describe the act of splitting up a large financial transaction into several smaller ones to avoid scrutiny from regulators. "Smurfing" is originally derived from a cartoon, [http://en.wikipedia.org/wiki/Smurfs The Smurfs], which consisted of a large society of many small individuals. The coining of the term is attributed to Miami-based lawyer, Gregory Baldwin in the 1980s.<br />
<br />
'''Smurging''' or a '''Smurf Attack''' in the context of network security describes the act of many small ICMP pings being used to create very large network traffic congestion. The "smurf" attack's cousin is called '''[http://en.wikipedia.org/wiki/Fraggle_attack Fraggle]''', which uses [http://en.wikipedia.org/wiki/User_Datagram_Protocol UDP] echo packets in the same fashion as the ICMP echo packets. It was a simple re-write of "smurf".<br />
<br />
==How does a Smurf Attack take place?==<br />
{|align="right"<br />
|-<br />
| [[Image:Smurf2.gif|thumb|450px|''http://faculty.ed.umuc.edu/~meinkej/inss690/cummins/cummins.htm#Smurf_Attack'']]<br />
|}<br />
In order for a Smurf Attack to take place there are three parties which need to be considered. First is the attack who orchestrates the attack. Second is the amplifier, who is usually another victim of the attack, and lastly, the target.<br />
===The Attacker===<br />
The attack itself is fairly simple. However the attacker will need a few things before the attack can be carried out. First the attacker will need a fast connection to the internet, and will need to find a large network, or a number of networks, that is attached to the Internet by a router that will forward ICMP requests. This network is the amplifier. The attacker will then send a ping request with a [http://en.wikipedia.org/wiki/IP_address_spoofing spoofed] source address (the address of the target) to the [http://en.wikipedia.org/wiki/Broadcast_address broadcast address] of the amplifier. The attacker has completed his portion of the attack. <br />
<br />
===The Amplifier===<br />
An amplifier is a large network that is connected to the internet with a router. The router must be able to perform an IP broadcast. When the router receives traffic to the broadcast address, it will forward the message to all the hosts on the network. If the router receives and broadcasts an ICMP ping request, most of the hosts will reply to the source address of the message. This means that if there are 500 hosts which reply to the IP broadcast, then for every 1 ping request to that amplifier, 500 ping relies are sent. When an attacker spoofs the source address of the ping requests, rather than the pings replies going back to the attacker, they will go to the spoofed address (i.e. the victim). If the attacker has a fast connection, then it can send several ping requests very quickly. The amplifier is assumed to have a much faster connection (i.e. T3) to accommodate the ping replies. <br />
<br />
===The Target===<br />
The target is generally a specific server or small network. Upon receiving the ICMP replies, the target is no longer able to make its services available to its intended users since it is busy processing these ICMP messages. This creates a DoS and render the target inaccessible to other users.<br />
<br />
<br clear=all/><br />
==Prevention==<br />
To prevent a router from being an amplifier, two simple configurations need to be implemented. <br />
* Routers and individual hosts should not respond to ping requests to broadcast addresses.<br />
* Routers should not forward packets directed to broadcast address.<br />
<br />
An example of how to configure a router so that packets are not forwarded to broadcast addresses would be: <br />
<code>no ip directed-broadcast</code><br />
This configuration is for a [http://en.wikipedia.org/wiki/Cisco_Systems Cisco] router.<br />
<br />
Another router configuration is to filter ICMP requests by source addresses. By applying a filter which will reject any outgoing packets that contain a source address from a different network, you eliminate the spoofing element of a Smurf attack.<br />
<br />
It is important to note that these prevention techniques apply only to protecting a network form being an amplifier or the source of an attack. A similar procedure is required to prevent a Fraggle attack. If, however, the security mechanisms don't adequately enforce the [http://en.wikipedia.org/wiki/Security_policy security policy] of the network, then these prevention techniques can easily be by-passed.<br />
<br />
==References==<br />
* [http://www.webopedia.com/TERM/S/smurf.html smurf]<br />
* [http://www.academ.com/nanog/oct1997/smurfing/sld001.htm The Lastest In Denial Of Service Attacks: "Smurfing"]<br />
* [http://faculty.ed.umuc.edu/~meinkej/inss690/cummins/cummins.htm Information Warfare Going on the Offensive]<br />
* [http://en.wikipedia.org/wiki/Smurf_attack Smurf attack]<br />
* [http://www.networkworld.com/archive/1999b/0222gearhead.html Attacked by smurf]<br />
* [http://www-arc.com/sara/cve/Possible_DoS_problem.html Possible DoS (fraggle) Problem]<br />
* [ftp://ftp.isi.edu/in-notes/rfc2267.txt Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing]<br />
* [http://www.javvin.com/networksecurity/SmurfAttack.html Smurf Attack and Fraggle Attack]<br />
<hr><br />
--[[User:Shahinrs|Shahinrs]] 20:33, 13 April 2008 (EDT)</div>Shahinrshttp://wiki.cas.mcmaster.ca/index.php/SmurfingSmurfing2008-04-14T00:29:07Z<p>Shahinrs: </p>
<hr />
<div>'''Smurfing''' or a '''Smurf Attack''' is a form of [http://en.wikipedia.org/wiki/Denial_of_service Denial-of-Service](DoS) attack where an attacker floods a target with [http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol ICMP] [http://en.wikipedia.org/wiki/Ping echo (ping)] traffic. <br />
{| __TOC__<br />
|}<br />
<br />
{|align="right"<br />
|-<br />
| [[Image:brainy.jpg|thumb|165px|''Brainy Smurf''<br>Smurfs, as a society, were against any sort of attack.]]<br />
|}<br />
<br />
<br />
<br />
<br />
==What is Smurfing?==<br />
'''Smurfing''' is a banking industry term used to describe the act of splitting up a large financial transaction into several smaller ones to avoid scrutiny from regulators. "Smurfing" is originally derived from a cartoon, [http://en.wikipedia.org/wiki/Smurfs The Smurfs], which consisted of a large society of many small individuals. The coining of the term is attributed to Miami-based lawyer, Gregory Baldwin in the 1980s.<br />
<br />
'''Smurging''' or a '''Smurf Attack''' in the context of network security describes the act of many small ICMP pings being used to create very large network traffic congestion. The "smurf" attack's cousin is called '''[http://en.wikipedia.org/wiki/Fraggle_attack Fraggle]''', which uses [http://en.wikipedia.org/wiki/User_Datagram_Protocol UDP] echo packets in the same fashion as the ICMP echo packets. It was a simple re-write of "smurf".<br />
<br />
==How does a Smurf Attack take place?==<br />
{|align="right"<br />
|-<br />
| [[Image:Smurf2.gif|thumb|450px|''http://faculty.ed.umuc.edu/~meinkej/inss690/cummins/cummins.htm#Smurf_Attack'']]<br />
|}<br />
In order for a Smurf Attack to take place there are three parties which need to be considered. First is the attack who orchestrates the attack. Second is the amplifier, who is usually another victim of the attack, and lastly, the target.<br />
===The Attacker===<br />
The attack itself is fairly simple. However the attacker will need a few things before the attack can be carried out. First the attacker will need a fast connection to the internet, and will need to find a large network, or a number of networks, that is attached to the Internet by a router that will forward ICMP requests. This network is the amplifier. The attacker will then send a ping request with a [http://en.wikipedia.org/wiki/IP_address_spoofing spoofed] source address (the address of the target) to the [http://en.wikipedia.org/wiki/Broadcast_address broadcast address] of the amplifier. The attacker has completed his portion of the attack. <br />
<br />
===The Amplifier===<br />
An amplifier is a large network that is connected to the internet with a router. The router must be able to perform an IP broadcast. When the router receives traffic to the broadcast address, it will forward the message to all the hosts on the network. If the router receives and broadcasts an ICMP ping request, most of the hosts will reply to the source address of the message. This means that if there are 500 hosts which reply to the IP broadcast, then for every 1 ping request to that amplifier, 500 ping relies are sent. When an attacker spoofs the source address of the ping requests, rather than the pings replies going back to the attacker, they will go to the spoofed address (i.e. the victim). If the attacker has a fast connection, then it can send several ping requests very quickly. The amplifier is assumed to have a much faster connection (i.e. T3) to accommodate the ping replies. <br />
<br />
===The Target===<br />
The target is generally a specific server or small network. Upon receiving the ICMP replies, the target is no longer able to make its services available to its intended users since it is busy processing these ICMP messages. This creates a DoS and render the target inaccessible to other users.<br />
<br />
<br clear=all/><br />
==Prevention==<br />
To prevent a router from being an amplifier, two simple configurations need to be implemented. <br />
* Routers and individual hosts should not respond to ping requests to broadcast addresses.<br />
* Routers should not forward packets directed to broadcast address.<br />
<br />
An example of how to configure a router so that packets are not forwarded to broadcast addresses would be: <br />
<code>no ip directed-broadcast</code><br />
This configuration is for a [http://en.wikipedia.org/wiki/Cisco_Systems Cisco] router.<br />
<br />
Another router configuration is to filter ICMP requests by source addresses. By applying a filter which will reject any outgoing packets that contain a source address from a different network, you eliminate the spoofing element of a Smurf attack.<br />
<br />
It is important to note that these prevention techniques apply only to protecting a network form being an amplifier or the source of an attack. A similar procedure is required to prevent a Fraggle attack. If, however, the security mechanisms don't adequately enforce the [http://en.wikipedia.org/wiki/Security_policy security policy] of the network, then these prevention techniques can easily be by-passed.<br />
<br />
==References==<br />
* [http://www.webopedia.com/TERM/S/smurf.html smurf]<br />
* [http://www.academ.com/nanog/oct1997/smurfing/sld001.htm The Lastest In Denial Of Service Attacks: "Smurfing"]<br />
* [http://faculty.ed.umuc.edu/~meinkej/inss690/cummins/cummins.htm Information Warfare Going on the Offensive]<br />
* [http://en.wikipedia.org/wiki/Smurf_attack Smurf attack]<br />
* [http://www.networkworld.com/archive/1999b/0222gearhead.html Attacked by smurf]<br />
* [http://www-arc.com/sara/cve/Possible_DoS_problem.html Possible DoS (fraggle) Problem]<br />
* [ftp://ftp.isi.edu/in-notes/rfc2267.txt Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing]<br />
* [http://www.javvin.com/networksecurity/SmurfAttack.html Smurf Attack and Fraggle Attack]<br />
<hr><br />
[[User:Shahinrs|Shahinrs]]</div>Shahinrshttp://wiki.cas.mcmaster.ca/index.php/SmurfingSmurfing2008-04-14T00:10:23Z<p>Shahinrs: </p>
<hr />
<div>'''Smurfing''' or a '''Smurf Attack''' is a form of Denial-of-Service attack where an attacker floods a target with ICMP echo (ping) traffic. <br />
{| __TOC__<br />
|}<br />
<br />
{|align="right"<br />
|-<br />
| [[Image:brainy.jpg|thumb|165px|''Brainy Smurf''<br>Smurfs, as a society, were against any sort of attack.]]<br />
|}<br />
<br />
<br />
<br />
<br />
==What is Smurfing?==<br />
'''Smurfing''' is a banking industry term used to describe the act of splitting up a large financial transaction into several smaller ones to avoid scrutiny from regulators. "Smurfing" is originally derived from a cartoon, The Smurfs, which consisted of a large society of many small individuals. The coining of the term is attributed to Miami-based lawyer, Gregory Baldwin in the 1980s.<br />
<br />
'''Smurging''' or a '''Smurf Attack''' in the context of network security describes the act of many small ICMP pings being used to create very large network traffic congestion. The "smurf" attack's cousin is called '''Fraggle''', which uses UDP echo packets in the same fashion as the ICMP echo packets. It was a simple re-write of "smurf".<br />
<br />
==How does a Smurf Attack take place?==<br />
{|align="right"<br />
|-<br />
| [[Image:Smurf2.gif|thumb|450px|''http://faculty.ed.umuc.edu/~meinkej/inss690/cummins/cummins.htm#Smurf_Attack'']]<br />
|}<br />
In order for a Smurf Attack to take place there are three parties which need to be considered. First is the attack who orchestrates the attack. Second is the amplifier, who is usually another victim of the attack, and lastly, the target.<br />
===The Attacker===<br />
The attack itself is fairly simple. However the attacker will need a few things before the attack can be carried out. First the attacker will need a fast connection to the internet, and will need to find a large network, or a number of networks, that is attached to the Internet by a router that will forward ICMP requests. This network is the amplifier. The attacker will then send a ping request with a spoofed source address (the address of the target) to the broadcast address of the amplifier. The attacker has completed his portion of the attack. <br />
<br />
===The Amplifier===<br />
An amplifier is a large network that is connected to the internet with a router. The router must be able to perform an IP broadcast. When the router receives traffic to the broadcast address, it will forward the message to all the hosts on the network. If the router receives and broadcasts an ICMP ping request, most of the hosts will reply to the source address of the message. This means that if there are 500 hosts which reply to the IP broadcast, then for every 1 ping request to that amplifier, 500 ping relies are sent. When an attacker spoofs the source address of the ping requests, rather than the pings replies going back to the attacker, they will go to the spoofed address (i.e. the victim). If the attacker has a fast connection, then it can send several ping requests very quickly. The amplifier is assumed to have a much faster connection (i.e. T3) to accommodate the ping replies. <br />
<br />
===The Target===<br />
The target is generally a specific server or small network. Upon receiving the ICMP replies, the target is no longer able to make its services available to its intended users since it is busy processing these ICMP messages. This creates a Denial-of-Service and render the target inaccessible to other users.<br />
<br />
<br clear=all/><br />
==Prevention==<br />
To prevent a router from being an amplifier, two simple configurations need to be implemented. <br />
* Routers and individual hosts should not respond to ping requests to broadcast addresses.<br />
* Routers should not forward packets directed to broadcast address.<br />
<br />
An example of how to configure a router so that packets are not forwarded to broadcast addresses would be: <br />
<code>no ip directed-broadcast</code><br />
This configuration is for a [[Cisco Systems|Cisco]] router.<br />
<br />
Another router configuration is to filter ICMP requests by source addresses. By applying a filter which will reject any outgoing packets that contain a source address from a different network, you eliminate the spoofing element of a Smurf attack.<br />
<br />
It is important to note that these prevention techniques apply only to protecting a network form being an amplifier or the source of an attack. A similar procedure is required to prevent a Fraggle attack. If, however, the security mechanism don't adequately enforce the security policy of the network, then these prevention techniques can easily be by-passed.<br />
<br />
==References==<br />
* [http://www.webopedia.com/TERM/S/smurf.html smurf]<br />
* [http://www.academ.com/nanog/oct1997/smurfing/sld001.htm The Lastest In Denial Of Service Attacks: "Smurfing"]<br />
* [http://faculty.ed.umuc.edu/~meinkej/inss690/cummins/cummins.htm Information Warfare Going on the Offensive]<br />
* [http://en.wikipedia.org/wiki/Smurf_attack Smurf attack]<br />
* [http://www.networkworld.com/archive/1999b/0222gearhead.html Attacked by smurf]<br />
* [http://www-arc.com/sara/cve/Possible_DoS_problem.html Possible DoS (fraggle) Problem]<br />
* [ftp://ftp.isi.edu/in-notes/rfc2267.txt Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing]<br />
* [http://www.javvin.com/networksecurity/SmurfAttack.html Smurf Attack and Fraggle Attack]<br />
<hr><br />
[[User:Shahinrs|Shahinrs]]</div>Shahinrshttp://wiki.cas.mcmaster.ca/index.php/SmurfingSmurfing2008-04-13T21:19:24Z<p>Shahinrs: </p>
<hr />
<div>'''Smurfing''' or a '''Smurf Attack''' is a form of Denial-of-Service attack where an attacker floods a target with ICMP echo (ping) traffic. <br />
{| __TOC__<br />
|}<br />
<br />
{|align="right"<br />
|-<br />
| [[Image:brainy.jpg|thumb|165px|''Brainy Smurf''<br>Smurfs, as a society, were against any sort of attack.]]<br />
|}<br />
<br />
<br />
<br />
<br />
==What is Smurfing?==<br />
'''Smurfing''' is a banking industry term used to describe the act of splitting up a large financial transaction into several smaller ones to avoid scrutiny from regulators. "Smurfing" is originally derived from a cartoon, The Smurfs, which consisted of a large society of many small individuals. The coining of the term is attributed to Miami-based lawyer, Gregory Baldwin in the 1980s.<br />
<br />
'''Smurging''' or a '''Smurf Attack''' in the context of network security describes the act of many small ICMP pings being used to create very large network traffic congestion. The "smurf" attack's cousin is called '''Fraggle''', which uses UDP echo packets in the same fashion as the ICMP echo packets. It was a simple re-write of "smurf".<br />
<br />
==How does a Smurf Attack take place?==<br />
{|align="right"<br />
|-<br />
| [[Image:Smurf2.gif|thumb|450px|''http://faculty.ed.umuc.edu/~meinkej/inss690/cummins/cummins.htm#Smurf_Attack'']]<br />
|}<br />
In order for a Smurf Attack to take place there are three parties which need to be considered. First is the attack who orcastrates the attack. Second is the amplifier, who is usually another victim of the attack, and lastly, the target.<br />
===The Attacker===<br />
The attack itself is fairly simple. However the attacker will need a few things before the attack can be carried out. First the attacker will need a fast connection to the internet, and will need to find a large network, or a number of networks, that is attached to the Internet by a router that will forward ICMP requests. This network is the amplifier. The attacker will then send a ping request with a spoofed source address (the address of the target) to the broadcast address of the amplifier. The attacker has completed his portion of the attack. <br />
<br />
===The Amplifier===<br />
An amplifier is a large network that is connected to the internet with a router. The router must be able to perform an IP broadcast. When the router receives traffic to the broadcast address, it will forward the message to all the hosts on the network. If the router receives and broadcasts an ICMP ping request, most of the hosts will reply to the source address of the message. This means that if there are 500 hosts which reply to the IP broadcast, then for every 1 ping request to that amplifier, 500 ping relies are sent. When an attacker spoofs the source address of the ping requests, rather than the pings replies going back to the attacker, they will go to the spoofed address (i.e. the victim). If the attacker has a fast connection, then it can send several ping requests very quickly. The amplifier is assumed to have a much faster connection (i.e. T3) to accommodate the ping replies. <br />
<br />
===The Target===<br />
The target is generally a specific server or small network. Upon receiving the ICMP replies, the target is no longer able to make its services available to its intended users since it is busy processing these ICMP messages. This creates a Denial-of-Service and render the target unaccessible to other users.<br />
<br />
<br clear=all/><br />
==Prevention==<br />
<br />
==References==<br />
http://www.webopedia.com/TERM/S/smurf.html<br />
http://www.pentics.net/denial-of-service/white-papers/smurf.cgi<br />
http://www.academ.com/nanog/oct1997/smurfing/sld001.htm<br />
http://faculty.ed.umuc.edu/~meinkej/inss690/cummins/cummins.htm<br />
http://en.wikipedia.org/wiki/Smurf_attack<br />
http://www.networkworld.com/archive/1999b/0222gearhead.html<br />
http://www-arc.com/sara/cve/Possible_DoS_problem.html<br />
<br />
<br />
<hr><br />
[[User:Shahinrs|Shahinrs]]</div>Shahinrshttp://wiki.cas.mcmaster.ca/index.php/SmurfingSmurfing2008-04-13T21:12:31Z<p>Shahinrs: </p>
<hr />
<div>'''Smurfing''' or a '''Smurf Attack''' is a form of Denial-of-Service attack where an attacker floods a target with ICMP echo (ping) traffic. <br />
<br />
[[Image:brainy.jpg|thumb|165px|right|<br />
''Brainy Smurf''<br>Smurfs, as a society, were against any sort of attack.]]<br />
{| __TOC__<br />
|}<br />
<br />
<br><br />
==What is Smurfing?==<br />
'''Smurfing''' is a banking industry term used to describe the act of splitting up a large financial transaction into several smaller ones to avoid scrutiny from regulators. "Smurfing" is originally derived from a cartoon, The Smurfs, which consisted of a large society of many small individuals. The coining of the term is attributed to Miami-based lawyer, Gregory Baldwin in the 1980s.<br />
<br />
'''Smurging''' or a '''Smurf Attack''' in the context of network security describes the act of many small ICMP pings being used to create very large network traffic congestion. The "smurf" attack's cousin is called '''Fraggle''', which uses UDP echo packets in the same fashion as the ICMP echo packets. It was a simple re-write of "smurf".<br />
<br />
==How does a Smurf Attack take place?==<br />
{|align="right"<br />
|-<br />
| [[Image:Smurf2.gif|thumb|450px|''http://faculty.ed.umuc.edu/~meinkej/inss690/cummins/cummins.htm#Smurf_Attack'']]<br />
|}<br />
In order for a Smurf Attack to take place there are three parties which need to be considered. First is the attack who orcastrates the attack. Second is the amplifier, who is usually another victim of the attack, and lastly, the target.<br />
===The Attacker===<br />
The attack itself is fairly simple. However the attacker will need a few things before the attack can be carried out. First the attacker will need a fast connection to the internet, and will need to find a large network, or a number of networks, that is attached to the Internet by a router that will forward ICMP requests. This network is the amplifier. The attacker will then send a ping request with a spoofed source address (the address of the target) to the broadcast address of the amplifier. The attacker has completed his portion of the attack. <br />
<br />
===The Amplifier===<br />
An amplifier is a large network that is connected to the internet with a router. The router must be able to perform an IP broadcast. When the router receives traffic to the broadcast address, it will forward the message to all the hosts on the network. If the router receives and broadcasts an ICMP ping request, most of the hosts will reply to the source address of the message. This means that if there are 500 hosts which reply to the IP broadcast, then for every 1 ping request to that amplifier, 500 ping relies are sent. When an attacker spoofs the source address of the ping requests, rather than the pings replies going back to the attacker, they will go to the spoofed address (i.e. the victim). If the attacker has a fast connection, then it can send several ping requests very quickly. The amplifier is assumed to have a much faster connection (i.e. T3) to accommodate the ping replies. <br />
<br />
===The Target===<br />
The target is generally a specific server or small network. Upon receiving the ICMP replies, the target is no longer able to make its services available to its intended users since it is busy processing these ICMP messages. This creates a Denial-of-Service and render the target unaccessible to other users.<br />
<br />
<br clear=all/><br />
==Prevention==<br />
<br />
==References==<br />
http://www.webopedia.com/TERM/S/smurf.html<br />
http://www.pentics.net/denial-of-service/white-papers/smurf.cgi<br />
http://www.academ.com/nanog/oct1997/smurfing/sld001.htm<br />
http://faculty.ed.umuc.edu/~meinkej/inss690/cummins/cummins.htm<br />
http://en.wikipedia.org/wiki/Smurf_attack<br />
http://www.networkworld.com/archive/1999b/0222gearhead.html<br />
http://www-arc.com/sara/cve/Possible_DoS_problem.html<br />
<br />
<br />
<hr><br />
[[User:Shahinrs|Shahinrs]]</div>Shahinrshttp://wiki.cas.mcmaster.ca/index.php/SmurfingSmurfing2008-04-13T21:12:05Z<p>Shahinrs: </p>
<hr />
<div>'''Smurfing''' or a '''Smurf Attack''' is a form of Denial-of-Service attack where an attacker floods a target with ICMP echo (ping) traffic. <br />
<br />
[[Image:brainy.jpg|thumb|165px|right|<br />
''Brainy Smurf''<br>Smurfs, as a society, were against any sort of attack.]]<br />
{| __TOC__<br />
|}<br />
<br />
<br />
==What is Smurfing?==<br />
'''Smurfing''' is a banking industry term used to describe the act of splitting up a large financial transaction into several smaller ones to avoid scrutiny from regulators. "Smurfing" is originally derived from a cartoon, The Smurfs, which consisted of a large society of many small individuals. The coining of the term is attributed to Miami-based lawyer, Gregory Baldwin in the 1980s.<br />
<br />
'''Smurging''' or a '''Smurf Attack''' in the context of network security describes the act of many small ICMP pings being used to create very large network traffic congestion. The "smurf" attack's cousin is called '''Fraggle''', which uses UDP echo packets in the same fashion as the ICMP echo packets. It was a simple re-write of "smurf".<br />
<br />
==How does a Smurf Attack take place?==<br />
{|align="right"<br />
|-<br />
| [[Image:Smurf2.gif|thumb|450px|''http://faculty.ed.umuc.edu/~meinkej/inss690/cummins/cummins.htm#Smurf_Attack'']]<br />
|}<br />
<br><br />
<br />
In order for a Smurf Attack to take place there are three parties which need to be considered. First is the attack who orcastrates the attack. Second is the amplifier, who is usually another victim of the attack, and lastly, the target.<br />
===The Attacker===<br />
The attack itself is fairly simple. However the attacker will need a few things before the attack can be carried out. First the attacker will need a fast connection to the internet, and will need to find a large network, or a number of networks, that is attached to the Internet by a router that will forward ICMP requests. This network is the amplifier. The attacker will then send a ping request with a spoofed source address (the address of the target) to the broadcast address of the amplifier. The attacker has completed his portion of the attack. <br />
<br />
===The Amplifier===<br />
An amplifier is a large network that is connected to the internet with a router. The router must be able to perform an IP broadcast. When the router receives traffic to the broadcast address, it will forward the message to all the hosts on the network. If the router receives and broadcasts an ICMP ping request, most of the hosts will reply to the source address of the message. This means that if there are 500 hosts which reply to the IP broadcast, then for every 1 ping request to that amplifier, 500 ping relies are sent. When an attacker spoofs the source address of the ping requests, rather than the pings replies going back to the attacker, they will go to the spoofed address (i.e. the victim). If the attacker has a fast connection, then it can send several ping requests very quickly. The amplifier is assumed to have a much faster connection (i.e. T3) to accommodate the ping replies. <br />
<br />
===The Target===<br />
The target is generally a specific server or small network. Upon receiving the ICMP replies, the target is no longer able to make its services available to its intended users since it is busy processing these ICMP messages. This creates a Denial-of-Service and render the target unaccessible to other users.<br />
<br />
<br clear=all/><br />
==Prevention==<br />
<br />
==References==<br />
http://www.webopedia.com/TERM/S/smurf.html<br />
http://www.pentics.net/denial-of-service/white-papers/smurf.cgi<br />
http://www.academ.com/nanog/oct1997/smurfing/sld001.htm<br />
http://faculty.ed.umuc.edu/~meinkej/inss690/cummins/cummins.htm<br />
http://en.wikipedia.org/wiki/Smurf_attack<br />
http://www.networkworld.com/archive/1999b/0222gearhead.html<br />
http://www-arc.com/sara/cve/Possible_DoS_problem.html<br />
<br />
<br />
<hr><br />
[[User:Shahinrs|Shahinrs]]</div>Shahinrshttp://wiki.cas.mcmaster.ca/index.php/SmurfingSmurfing2008-04-13T21:10:41Z<p>Shahinrs: </p>
<hr />
<div>'''Smurfing''' or a '''Smurf Attack''' is a form of Denial-of-Service attack where an attacker floods a target with ICMP echo (ping) traffic. <br />
<br />
{| __TOC__<br />
|}<br />
<br><br />
<br />
<br />
[[Image:brainy.jpg|thumb|165px|right|<br />
''Brainy Smurf''<br>Smurfs, as a society, were against any sort of attack.]]<br />
<br />
==What is Smurfing?==<br />
'''Smurfing''' is a banking industry term used to describe the act of splitting up a large financial transaction into several smaller ones to avoid scrutiny from regulators. "Smurfing" is originally derived from a cartoon, The Smurfs, which consisted of a large society of many small individuals. The coining of the term is attributed to Miami-based lawyer, Gregory Baldwin in the 1980s.<br />
<br />
'''Smurging''' or a '''Smurf Attack''' in the context of network security describes the act of many small ICMP pings being used to create very large network traffic congestion. The "smurf" attack's cousin is called '''Fraggle''', which uses UDP echo packets in the same fashion as the ICMP echo packets. It was a simple re-write of "smurf".<br />
<br />
==How does a Smurf Attack take place?==<br />
{|align="right"<br />
|-<br />
| [[Image:Smurf2.gif|thumb|450px|''http://faculty.ed.umuc.edu/~meinkej/inss690/cummins/cummins.htm#Smurf_Attack'']]<br />
|}<br />
In order for a Smurf Attack to take place there are three parties which need to be considered. First is the attack who orcastrates the attack. Second is the amplifier, who is usually another victim of the attack, and lastly, the target.<br />
===The Attacker===<br />
The attack itself is fairly simple. However the attacker will need a few things before the attack can be carried out. First the attacker will need a fast connection to the internet, and will need to find a large network, or a number of networks, that is attached to the Internet by a router that will forward ICMP requests. This network is the amplifier. The attacker will then send a ping request with a spoofed source address (the address of the target) to the broadcast address of the amplifier. The attacker has completed his portion of the attack. <br />
<br />
===The Amplifier===<br />
An amplifier is a large network that is connected to the internet with a router. The router must be able to perform an IP broadcast. When the router receives traffic to the broadcast address, it will forward the message to all the hosts on the network. If the router receives and broadcasts an ICMP ping request, most of the hosts will reply to the source address of the message. This means that if there are 500 hosts which reply to the IP broadcast, then for every 1 ping request to that amplifier, 500 ping relies are sent. When an attacker spoofs the source address of the ping requests, rather than the pings replies going back to the attacker, they will go to the spoofed address (i.e. the victim). If the attacker has a fast connection, then it can send several ping requests very quickly. The amplifier is assumed to have a much faster connection (i.e. T3) to accommodate the ping replies. <br />
<br />
===The Target===<br />
The target is generally a specific server or small network. Upon receiving the ICMP replies, the target is no longer able to make its services available to its intended users since it is busy processing these ICMP messages. This creates a Denial-of-Service and render the target unaccessible to other users.<br />
<br />
<br clear=all/><br />
==Prevention==<br />
<br />
==References==<br />
http://www.webopedia.com/TERM/S/smurf.html<br />
http://www.pentics.net/denial-of-service/white-papers/smurf.cgi<br />
http://www.academ.com/nanog/oct1997/smurfing/sld001.htm<br />
http://faculty.ed.umuc.edu/~meinkej/inss690/cummins/cummins.htm<br />
http://en.wikipedia.org/wiki/Smurf_attack<br />
http://www.networkworld.com/archive/1999b/0222gearhead.html<br />
http://www-arc.com/sara/cve/Possible_DoS_problem.html<br />
<br />
<br />
<hr><br />
[[User:Shahinrs|Shahinrs]]</div>Shahinrshttp://wiki.cas.mcmaster.ca/index.php/File:Smurf2.gifFile:Smurf2.gif2008-04-13T20:21:47Z<p>Shahinrs: </p>
<hr />
<div></div>Shahinrshttp://wiki.cas.mcmaster.ca/index.php/SmurfingSmurfing2008-04-13T20:19:57Z<p>Shahinrs: </p>
<hr />
<div>'''Smurfing''' or a '''Smurf Attack''' is a form of Denial-of-Service attack where an attacker floods a target with ICMP echo (ping) traffic. <br />
<br />
{| __TOC__<br />
|}<br />
<br><br />
<br />
<br />
[[Image:brainy.jpg|thumb|165px|right|<br />
''Brainy Smurf''<br>Smurfs, as a society, were against any sort of attack.]]<br />
<br />
==What is Smurfing?==<br />
'''Smurfing''' is a banking industry term used to describe the act of splitting up a large financial transaction into several smaller ones to avoid scrutiny from regulators. "Smurfing" is originally derived from a cartoon, The Smurfs, which consisted of a large society of many small individuals. The coining of the term is attributed to Miami-based lawyer, Gregory Baldwin in the 1980s.<br />
<br />
'''Smurging''' or a '''Smurf Attack''' in the context of network security describes the act of many small ICMP pings being used to create very large network traffic congestion. <br />
<br />
==How does a Smurf Attack take place?==<br />
In order for a Smurf Attack to take place there are three parties which need to be considered. First is the attack who orcastrates the attack. Second is the amplifier, who is usually another victim of the attack, and lastly, the target.<br />
===The Attacker===<br />
<br />
===The Amplifier===<br />
<br />
===The Target===<br />
<br />
==Prevention==<br />
<br />
==References==<br />
http://www.webopedia.com/TERM/S/smurf.html<br />
http://www.pentics.net/denial-of-service/white-papers/smurf.cgi<br />
http://www.academ.com/nanog/oct1997/smurfing/sld001.htm<br />
http://faculty.ed.umuc.edu/~meinkej/inss690/cummins/cummins.htm<br />
http://en.wikipedia.org/wiki/Smurf_attack<br />
http://www.networkworld.com/archive/1999b/0222gearhead.html<br />
http://www-arc.com/sara/cve/Possible_DoS_problem.html<br />
<br />
<br />
<hr><br />
[[User:Shahinrs|Shahinrs]]</div>Shahinrshttp://wiki.cas.mcmaster.ca/index.php/SmurfingSmurfing2008-04-11T22:36:09Z<p>Shahinrs: </p>
<hr />
<div>'''Smurfing''' or a '''Smurf Attack''' is a way of generating a lot of computer network traffic to a victim site. That is, it is a type of denial-of-service attack. Specifically, it floods a target system via spoofed broadcast ping messages.<br />
<br />
In such an attack, a perpetrator sends a large amount of ICMP echo (ping) traffic to IP broadcast addresses, all of it having a spoofed source address of the intended victim. If the routing device delivering traffic to those broadcast addresses delivers the IP broadcast to all hosts (for example via a layer 2 broadcast), most hosts on that IP network will take the ICMP echo request and reply to it with an echo reply, multiplying the traffic by the number of hosts responding. On a multi-access broadcast network, hundreds of machines might reply to each packet.<br />
<br />
{| __TOC__<br />
|}<br />
<br><br />
<br />
<br />
[[Image:brainy.jpg|thumb|165px|right|<br />
''Brainy Smurf''<br>Smurfs, as a society, were against any sort of attack.]]<br />
<br />
==What is Smurfing?==<br />
<br />
==How does a Smurf Attack take place?==<br />
<br />
==Prevention==<br />
<br />
==References==<br />
<br />
<hr><br />
[[User:Shahinrs|Shahinrs]]</div>Shahinrshttp://wiki.cas.mcmaster.ca/index.php/File:Brainy.jpgFile:Brainy.jpg2008-04-11T22:24:33Z<p>Shahinrs: </p>
<hr />
<div></div>Shahinrshttp://wiki.cas.mcmaster.ca/index.php/SmurfingSmurfing2008-04-11T22:21:55Z<p>Shahinrs: New page: '''Smurfing''' or a '''Smurf Attack''' is a way of generating a lot of computer network traffic to a victim site. That is, it is a type of denial-of-service attack. Specifically, it floods...</p>
<hr />
<div>'''Smurfing''' or a '''Smurf Attack''' is a way of generating a lot of computer network traffic to a victim site. That is, it is a type of denial-of-service attack. Specifically, it floods a target system via spoofed broadcast ping messages.<br />
<br />
In such an attack, a perpetrator sends a large amount of ICMP echo (ping) traffic to IP broadcast addresses, all of it having a spoofed source address of the intended victim. If the routing device delivering traffic to those broadcast addresses delivers the IP broadcast to all hosts (for example via a layer 2 broadcast), most hosts on that IP network will take the ICMP echo request and reply to it with an echo reply, multiplying the traffic by the number of hosts responding. On a multi-access broadcast network, hundreds of machines might reply to each packet.<br />
<br />
{| __TOC__<br />
|}<br />
<br><br />
<br />
<br />
<br />
==What is Smurfing?==<br />
<br />
==How does a Smurf Attack take place?==<br />
<br />
==Prevention==<br />
<br />
==References==<br />
<br />
<hr><br />
[[User:Shahinrs|Shahinrs]]</div>Shahinrshttp://wiki.cas.mcmaster.ca/index.php/Social_engineeringSocial engineering2007-12-04T00:25:12Z<p>Shahinrs: </p>
<hr />
<div>'''Social Engineering''' is a term used in computer science that referees to a non-technical type of security attack. This attack relies on the human element in any security system and is made vulnerable by exploiting a person's trust in the attacker to divulge sensitive or insensitive information. This is often accomplished by misleading or tricking the person getting attacked. In many cases, the attacked never know that they have been attacked.<br />
<br />
{| __TOC__<br />
|}<br />
<br><br />
<br />
[[Image:Mitnick.jpg|thumb|300px|right|<br />
'''[http://en.wikipedia.org/wiki/Kevin_Mitnick Kevin David Mitnick]'''<br />
<br>''Born October 6, 1963''<br><br />
Convicted of computer related crimes using social engineering.]]<br />
<br />
==What is Social Engineering?==<br />
Social Engineering is the manipulation of people to further a person's motives using various methods. “The art and science of getting people to comply to your wishes” - [http://www.morehouse.org/hin/blckcrwl/hack/soceng.txt Bernz]. This "compliance" is generally associated with the acquisition of electronic information. However, Social Engineering can also apply to a border definition which encompasses any kind personal manipulation in an attempt to gain something dishonestly. The manipulation is performed by "tricking" the mark (the unsuspecting victim) into a false sense of trust which is them abused to obtain the sought objective.<br />
<br />
==Aspects of Social Engineering==<br />
A social engineering attack can be thought of as process with two key components; human and the system. The human component requires the social engineer to gain the trust of whom ever has access to the system.<br />
===Human===<br />
The human element in social engineering attacks is the method in which the objectives are carried out. Human beings are generally the weakest part of any security system because they can be tricked or corrupted. By attacking the people who have access to what social engineers want, the objectives of a social engineer can be obtained more easily. People like system administrator, maintenance people, or employees can all potential jeopardized a secure system by giving out information that to someone who they consider to be trustworthy.<br />
<br />
===System===<br />
The system refers to any potentially closed system which contains something a social engineer wants. A social engineering attack is only successful if the social engineer has knowledge about the inner workings of the system. Knowledge like protocols, terminology, names of people, important dates, etc., provide social engineers ammunition to construct a persona which is then used to manipulate the people who have access to the system.<br />
<br />
==Methods of Social Engineering==<br />
===By Phone===<br />
This is the most common method of social engineering attacks. An attacker will call the mark, using a persona, and gain the mark's trust. Then the attacker will request information which then might be used to perform another social engineering attack. Help desks are prone to this kind of attack since they are trained to be friendly and give out information. They are also minimally educated in areas of security. An example of this type of attack might be the following scenario. An attacker calls a help desk and asks to speak to the supervisor. When the supervisor answers, the attacker explains that he is the system administrator and that there is a problem with the system. Then the attacker asks the supervisor to login to the system. The attacker then states that he is unable to see the login on his end and that this is a problem. Then the attacker asks the supervisor to give him the login information so that he can try. Once the supervisor has done this, the attacker tells the supervisor that everything seems to be ok and the supervisor is none the wiser.<br />
<br />
Another example of a phone attack is when the attacker calls a person in the middle of the night posing as someone from a bank. The attacker asks if they have just made a suspicious purchase (a very large amount or in another country). When the mark says no, the attacker asks for the credit card number for verification, then says the charges will be removed from the account.<br />
<br />
Social Engineering can take on many forms on the phone and can have many different objectives. The most notable social engineer in 1990's was [http://en.wikipedia.org/wiki/Kevin_Mitnick Kevin Mitnick]. He was arrest in 1995 and convicted of illegally gaining access to computer networks and stealing intellectual property. Mitnick's methods relied on the use of phone calls to the companies which he attacked and the use of the [[The_Mitnick_attack|Mitnick Attack]]. Mitnick served 5 years in prison and now runs a security consulting company which gives security advice to companies.<br />
<br />
===Online===<br />
Online social engineering attacks are similar to phone attacks, in that they pose as a legitimate entity which the mark will trust. Many online attacks are spread through [[Phishing|phishing]]. This type of social engineering assumes that most users use the same login and password for many internet sites, so by getting the user to sign up for a new site, they will be giving up their login information. These sites might be in the form of new sites which the use might be interested in, or they might pose as sites which the user already has an account for and ask the user to try and login again. The latter example can take for in the following. The mark receives an email informing him that he needs to update his PayPal password by clicking the provided link and logging in. Failure to do so will result in the termination of the account after a specified period. Once the mark clicks on the link, and enters his login information, a message is displayed which confirms the change. The link the mark has clicked on, however, was a link to the attacker's site which simply records the login information.<br />
<br />
===Persuasion===<br />
Persuasion is the core of social engineering attacks. This method is used in all social engineering attacks and relies on the attacker's grasp of the human psyche. The attacker's ability to persuade is determined by two things. Firstly the attacker must be able to gain trust. This can be accomplished using various techniques. The most common of which are creating a persona by impersonation (such as [[Identity_Theft|identity theft]] or imitation. An attacker can pose as either an existing employee or pose as a generic employee. For example, an attacker calling an office can say that his name is Bob Anderson with employee number 123456 (where Bob Anderson is an existing employ who works at a different branch with that employee number), or he can say he's Dale Johnson, a new system administrator brought in to fix the recent system failures (where Dale Johnson is a made up name). The use of these personas provides the social engineer with the appearance of authenticity which is used to build the mark's trust. Once this authenticity is established, the attacker must then complete the persuasion by implementing the second step, manipulation. This is accomplished by providing a convincing reason to the mark to give the attacker what he wants. This can be a colourful background story, a tempting offer, or even guilt the mark into compliance. The point is to make the mark believe that the persona that is being used is legitimate and that the requests being made are genuine. If a social engineer can master these two elements then he will be very persuasive.<br />
<br />
===Dumpster Diving===<br />
Dumpster Diving, also known as trashing, is the "snooping" through trash to collect information. It is a very effective method of obtaining many different types of information. The premise is that many companies and individuals don't apply a high level of security in their garbage because they feel as though what they throw out is no longer relevant. However, much of the trash being discarded can collectively provide the social engineer with the tools needed to create personas and learn about the inner workings of the system. Trash like old user and password lists, company directories, event calendars, printouts of source code and even obsolete hardware can contain information that is relevant to the current state of the system. In particular the social engineer can learn about the company’s protocols, terminology and many employee's names and other personal information.<br />
<br />
===Reverse Social Engineering===<br />
The objective in reverse social engineering is to have the mark ask the attacker for information, rather than the other way around. The advantage of this method is that the attacker can give out information that will suit his motives. For example, an attacker can call the supervisor of an office and inform him that there is maintenance scheduled on the office network and if people have problems accessing the system that they should call the attacker. Then the attacker will create a network outage and when the employees call, he can retrieve their login information. This kind of attack requires a significant amount of preparation; however, it can yield very successful results.<br />
<br />
==Protection==<br />
To protect against social engineering attacks, a company should implement [http://en.wikipedia.org/wiki/Security_policy security policies] which deal with both physical and psychological elements. Standard physical security mechanisms should be implemented which take into account network protection, password protection, and a system of securely disposing of trash. In addition, the policies should cover the education and training of employees to help recognize a social engineering attack. This kind of training should deal with how these attacks can happen, specific examples, and methods in which employees can authenticate who they are speaking with. It should also stress the importance of not giving out information that is not [http://en.wikipedia.org/wiki/Need_to_know need-to-know] or confidential (such as passwords). In general a good practice of [[Information_security_awareness|information security awareness]] will provide employees with a more sceptical attitude in giving out information.<br />
<br />
==References==<br />
Bernz: “The complete Social Engineering FAQ!”<br />
http://www.morehouse.org/hin/blckcrwl/hack/soceng.txt<br />
<br />
Sarah Granger : “Social Engineering Fundamentals”, SecurityFocus, December 18, 2001<br />
http://www.securityfocus.com/infocus/1527<br />
<br />
“Social engineering (security)”, Wikipedia, November 19, 2007<br />
http://en.wikipedia.org/wiki/Social_engineering_(computer_security)<br />
<br />
“social engineering”, SearchSecurity, October 10, 2006<br />
http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci531120,00.html<br />
<br />
Mitnick, Kevin: “My first RSA Conference,” SecurityFocus, April 30, 2001<br />
http://www.securityfocus.com/news/199<br />
<br />
Leslie Hawthorn: “Social Engineering”, O’Reilly Network, March 10, 2006<br />
http://www.oreilly.com/pub/a/womenintech/2007/09/04/social-engineering.html<br />
<br />
“Social Engineering”, McGuill Network Communications Services, September 7, 2007<br />
http://www.mcgill.ca/ncs/products/security/threatsdangers/socialeng/<br />
<br><br><br />
<br />
<hr><br />
[[User:Shahinrs|Shahinrs]] 19:25, 3 December 2007 (EST)</div>Shahinrshttp://wiki.cas.mcmaster.ca/index.php/Social_engineeringSocial engineering2007-12-04T00:21:18Z<p>Shahinrs: </p>
<hr />
<div>'''Social Engineering''' is a term used in computer science that referees to a non-technical type of security attack. This attack relies on the human element in any security system and is made vulnerable by exploiting a person's trust in the attacker to divulge sensitive or insensitive information. This is often accomplished by misleading or tricking the person getting attacked. In many cases, the attacked never know that they have been attacked.<br />
<br />
{| __TOC__<br />
|}<br />
<br><br />
<br />
[[Image:Mitnick.jpg|thumb|300px|right|<br />
'''[http://en.wikipedia.org/wiki/Kevin_Mitnick Kevin David Mitnick]'''<br />
<br>''Born October 6, 1963''<br><br />
Convicted of computer related crimes using social engineering.]]<br />
<br />
==What is Social Engineering?==<br />
Social Engineering is the manipulation of people to further a person's motives using various methods. “The art and science of getting people to comply to your wishes” - [http://www.morehouse.org/hin/blckcrwl/hack/soceng.txt Bernz]. This "compliance" is generally associated with the acquisition of electronic information. However, Social Engineering can also apply to a border definition which encompasses any kind personal manipulation in an attempt to gain something dishonestly. The manipulation is performed by "tricking" the mark (the unsuspecting victim) into a false sense of trust which is them abused to obtain the sought objective.<br />
<br />
==Aspects of Social Engineering==<br />
A social engineering attack can be thought of as process with two key components; human and the system. The human component requires the social engineer to gain the trust of whom ever has access to the system.<br />
===Human===<br />
The human element in social engineering attacks is the method in which the objectives are carried out. Human beings are generally the weakest part of any security system because they can be tricked or corrupted. By attacking the people who have access to what social engineers want, the objectives of a social engineer can be obtained more easily. People like system administrator, maintenance people, or employees can all potential jeopardized a secure system by giving out information that to someone who they consider to be trustworthy.<br />
<br />
===System===<br />
The system refers to any potentially closed system which contains something a social engineer wants. A social engineering attack is only successful if the social engineer has knowledge about the inner workings of the system. Knowledge like protocols, terminology, names of people, important dates, etc., provide social engineers ammunition to construct a persona which is then used to manipulate the people who have access to the system.<br />
<br />
==Methods of Social Engineering==<br />
===By Phone===<br />
This is the most common method of social engineering attacks. An attacker will call the mark, using a persona, and gain the mark's trust. Then the attacker will request information which then might be used to perform another social engineering attack. Help desks are prone to this kind of attack since they are trained to be friendly and give out information. They are also minimally educated in areas of security. An example of this type of attack might be the following scenario. An attacker calls a help desk and asks to speak to the supervisor. When the supervisor answers, the attacker explains that he is the system administrator and that there is a problem with the system. Then the attacker asks the supervisor to login to the system. The attacker then states that he is unable to see the login on his end and that this is a problem. Then the attacker asks the supervisor to give him the login information so that he can try. Once the supervisor has done this, the attacker tells the supervisor that everything seems to be ok and the supervisor is none the wiser.<br />
<br />
Another example of a phone attack is when the attacker calls a person in the middle of the night posing as someone from a bank. The attacker asks if they have just made a suspicious purchase (a very large amount or in another country). When the mark says no, the attacker asks for the credit card number for verification, then says the charges will be removed from the account.<br />
<br />
Social Engineering can take on many forms on the phone and can have many different objectives. The most notable social engineer in 1990's was [http://en.wikipedia.org/wiki/Kevin_Mitnick Kevin Mitnick]. He was arrest in 1995 and convicted of illegally gaining access to computer networks and stealing intellectual property. Mitnick's methods relied on the use of phone calls to the companies which he attacked and the use of the [[The_Mitnick_attack|Mitnick Attack]]. Mitnick served 5 years in prison and now runs a security consulting company which gives security advice to companies.<br />
<br />
===Online===<br />
Online social engineering attacks are similar to phone attacks, in that they pose as a legitimate entity which the mark will trust. Many online attacks are spread through [[Phishing|phishing]]. This type of social engineering assumes that most users use the same login and password for many internet sites, so by getting the user to sign up for a new site, they will be giving up their login information. These sites might be in the form of new sites which the use might be interested in, or they might pose as sites which the user already has an account for and ask the user to try and login again. The latter example can take for in the following. The mark receives an email informing him that he needs to update his PayPal password by clicking the provided link and logging in. Failure to do so will result in the termination of the account after a specified period. Once the mark clicks on the link, and enters his login information, a message is displayed which confirms the change. The link the mark has clicked on, however, was a link to the attacker's site which simply records the login information.<br />
<br />
===Persuasion===<br />
Persuasion is the core of social engineering attacks. This method is used in all social engineering attacks and relies on the attacker's grasp of the human psyche. The attacker's ability to persuade is determined by two things. Firstly the attacker must be able to gain trust. This can be accomplished using various techniques. The most common of which are creating a persona by impersonation (such as [[Identity_Theft|identity theft]] or imitation. An attacker can pose as either an existing employee or pose as a generic employee. For example, an attacker calling an office can say that his name is Bob Anderson with employee number 123456 (where Bob Anderson is an existing employ who works at a different branch with that employee number), or he can say he's Dale Johnson, a new system administrator brought in to fix the recent system failures (where Dale Johnson is a made up name). The use of these personas provides the social engineer with the appearance of authenticity which is used to build the mark's trust. Once this authenticity is established, the attacker must then complete the persuasion by implementing the second step, manipulation. This is accomplished by providing a convincing reason to the mark to give the attacker what he wants. This can be a colourful background story, a tempting offer, or even guilt the mark into compliance. The point is to make the mark believe that the persona that is being used is legitimate and that the requests being made are genuine. If a social engineer can master these two elements then he will be very persuasive.<br />
<br />
===Dumpster Diving===<br />
Dumpster Diving, also known as trashing, is the "snooping" through trash to collect information. It is a very effective method of obtaining many different types of information. The premise is that many companies and individuals don't apply a high level of security in their garbage because they feel as though what they throw out is no longer relevant. However, much of the trash being discarded can collectively provide the social engineer with the tools needed to create personas and learn about the inner workings of the system. Trash like old user and password lists, company directories, event calendars, printouts of source code and even obsolete hardware can contain information that is relevant to the current state of the system. In particular the social engineer can learn about the company’s protocols, terminology and many employee's names and other personal information.<br />
<br />
===Reverse Social Engineering===<br />
The objective in reverse social engineering is to have the mark ask the attacker for information, rather than the other way around. The advantage of this method is that the attacker can give out information that will suit his motives. For example, an attacker can call the supervisor of an office and inform him that there is maintenance scheduled on the office network and if people have problems accessing the system that they should call the attacker. Then the attacker will create a network outage and when the employees call, he can retrieve their login information. This kind of attack requires a significant amount of preparation; however, it can yield very successful results.<br />
<br />
==Protection==<br />
To protect against social engineering attacks, a company should implement [http://en.wikipedia.org/wiki/Security_policy security policies] which deal with both physical and psychological elements. Standard physical security mechanisms should be implemented which take into account network protection, password protection, and a system of securely disposing of trash. In addition, the policies should cover the education and training of employees to help recognize a social engineering attack. This kind of training should deal with how these attacks can happen, specific examples, and methods in which employees can authenticate who they are speaking with. It should also stress the importance of not giving out information that is not [http://en.wikipedia.org/wiki/Need_to_know need-to-know] or confidential (such as passwords). In general a good practice of [[Information_security_awareness|information security awareness]] will provide employees with a more sceptical attitude in giving out information.<br />
<br />
==References==<br />
Bernz: “The complete Social Engineering FAQ!”<br />
http://www.morehouse.org/hin/blckcrwl/hack/soceng.txt<br />
<br />
Sarah Granger : “Social Engineering Fundamentals”, SecurityFocus, December 18, 2001<br />
http://www.securityfocus.com/infocus/1527<br />
<br />
“Social engineering (security)”, Wikipedia, November 19, 2007<br />
http://en.wikipedia.org/wiki/Social_engineering_(computer_security)<br />
<br />
“social engineering”, SearchSecurity, October 10, 2006<br />
http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci531120,00.html<br />
<br />
Mitnick, Kevin: “My first RSA Conference,” SecurityFocus, April 30, 2001<br />
http://www.securityfocus.com/news/199<br />
<br />
Leslie Hawthorn: “Social Engineering”, O’Reilly Network, March 10, 2006<br />
http://www.oreilly.com/pub/a/womenintech/2007/09/04/social-engineering.html<br />
<br />
“Social Engineering”, McGuill Network Communications Services, September 7, 2007<br />
http://www.mcgill.ca/ncs/products/security/threatsdangers/socialeng/<br />
<br />
<br />
--[[User:Shahinrs|Shahinrs]]</div>Shahinrshttp://wiki.cas.mcmaster.ca/index.php/Social_engineeringSocial engineering2007-12-04T00:07:36Z<p>Shahinrs: </p>
<hr />
<div>'''Social Engineering''' is a term used in computer science that referees to a non-technical type of security attack. This attack relies on the human element in any security system and is made vulnerable by exploiting a person's trust in the attacker to divulge sensitive or insensitive information. This is often accomplished by misleading or tricking the person getting attacked. In many cases, the attacked never know that they have been attacked.<br />
<br />
{| __TOC__<br />
|}<br />
<br><br />
<br />
[[Image:Mitnick.jpg|thumb|300px|right|<br />
'''Kevin David Mitnick'''<br />
<br>''Born October 6, 1963''<br><br />
Convicted of computer related crimes using social engineering.]]<br />
<br />
==What is Social Engineering?==<br />
Social Engineering is the manipulation of people to further a person's motives using various methods. “The art and science of getting people to comply to your wishes” - [http://www.morehouse.org/hin/blckcrwl/hack/soceng.txt Bernz]. This "compliance" is generally associated with the acquisition of electronic information. However, Social Engineering can also apply to a border definition which encompasses any kind personal manipulation in an attempt to gain something dishonestly. The manipulation is performed by "tricking" the mark (the unsuspecting victim) into a false sense of trust which is them abused to obtain the sought objective.<br />
<br />
==Aspects of Social Engineering==<br />
A social engineering attack can be thought of as process with two key components; human and the system. The human component requires the social engineer to gain the trust of whom ever has access to the system.<br />
===Human===<br />
The human element in social engineering attacks is the method in which the objectives are carried out. Human beings are generally the weakest part of any security system because they can be tricked or corrupted. By attacking the people who have access to what a social engineer wants, the objectives of a social engineer can be reach more easily. People like system administrator, maintenance people, or employees can all potential jeopardized a secure system by giving out information that to someone who they consider to be trustworthy.<br />
<br />
===System===<br />
The system refers to any potentially closed system which contains something a social engineer wants. A social engineering attack is only successful if the social engineer has knowledge about the inner workings of the system. Knowledge like protocols, terminology, names of people, important dates, etc., provide a social engineer ammunition to construct a persona which is then used to manipulate the people who have access to the system.<br />
<br />
==Methods of Social Engineering==<br />
===By Phone===<br />
This is the most common method of social engineering attacks. An attacker will call the mark, using a persona, and gain the mark's trust. Then the attacker will request information which then might be used to perform another social engineering attack. Help desks are prone to this kind of attack since they are trained to be friendly and give out information. They are also minimally educated in areas of security. An example of this type of attack might be the following scenario. An attacker calls a help desk and asks to speak to the supervisor. When the supervisor answer, the attacker explains that he is the system administrator and that there is a problem with the system. Then the attacker asks the supervisor to login to the system. The attacker then states that he is unable to see the login on his end and that this is a problem. Then the attacker asks the supervisor to give him the login information so that he can try. Once the supervisor has done this, the attacker tells the supervisor that everything seems to be ok and the supervisor is none the wiser.<br />
<br />
Another example of a phone attack is when the attacker calls a person in the middle of the night posing as someone from a bank. The attacker asks if they have just made a suspicious purchase (a very large amount or in another country). When the mark says no, the attacker asks for the credit card number for verification, then says the charges will be removed from the account.<br />
<br />
Social Engineering can take on many forms on the phone and can have many different objectives. The most notable social engineer in 1990's was Kevin Mitnick. He was arrest in 1995 and convicted of illegally gaining access to computer networks and stealing intellectual property. Mitnick's methods relied on the use of phone calls to the companies which he attacked and the use of the [[The_Mitnick_attack|Mitnick Attack]]. Mitnick served 5 years in prison and now runs a security consulting company which gives security advice to companies.<br />
<br />
===Online===<br />
Online social engineering attacks are similar to phone attacks, in that they pose as a legitimate entity which the mark will trust. Many online attacks are spread through [[Phishing|phishing]]. This type of social engineering assumes that most users use the same login and password for many internet sites, so by getting the user to sign up for a new site, they will be giving up their login information. These sites might be in the form of new sites which the use might be interested in, or they might pose as sites which the user already has an account for and ask the user to try and login again. The latter example can take for in the following. The mark receives an email informing him that he needs to update his PayPal password by clicking the provided link and logging in. Failure to do so will result in the termination of the account after a specified period. Once the mark clicks on the link, and enters his login information, a message is displayed which confirms the change. The link the mark has clicked on however, was a link to the attacker's site which simply records the login information.<br />
<br />
===Persuasion===<br />
Persuasion is the core of social engineering attacks. This method is used in all social engineering attacks and relies on the attacker's grasp of the human psyche. The attacker's ability to persuade is determined by two things. Firstly the attacker must be able to gain trust. This can be accomplished using various techniques. The most common of which are creating a persona by impersonation (such as [[Identity_Theft|identity theft]] or imitation. An attacker can pose as either an existing employee or pose as a generic employee. For example, an attacker calling an office can say that his name is Bob Anderson with employee number 123456 (where Bob Anderson is an existing employ who works at a different branch with that employee number), or he can say he's Dale Johnson, a new system administrator brought in to fix the recent system failures (where Dale Johnson is a made up name). The use of these persona provides the social engineer with a the appearance of authenticity which is used to build the mark's trust. Once this authenticity is established, the attacker must then complete the persuasion by implementing the second step, manipulation. This is accomplished by providing a convincing reason to the mark to give the attacker what he wants. This can be a colorful background story, a tempting offer, or even guiling the mark into compliance. The point is to make the mark believe that the persona that is being used is legitimate and that the requests being made are genuine. If a social engineer can master these two elements then he will be very persuasive.<br />
<br />
===Dumpster Diving===<br />
Dumpster Diving, also known as trashing, is the "snooping" through trash to collect information. It is a very effective method of obtaining many different types of information. The premis is that many companies and individuals don't apply a high level of security in their garbage because they feel as though what they throw out is no longer relevant. However, much of the trash being discarded can collectively provide the social engineer with the tools needed to create personas and learn about the inner workings of the system. Trash like old user and password lists, company directories, event calenders, printouts of source code and even obsolete hardware can contain information that is relevant to the current state of the system. In particular the social engineer can learn about the companies protocols, terminology and many employee's names and other personal information.<br />
<br />
===Reverse Social Engineering===<br />
The objective in reverse social engineering is to have the mark ask the attacker for information, rather than the other way around. The advantage of this method is that the attacker can give out information that will suit his motives. For example, an attacker can call the supervisor of an office and inform him that there is maintenance scheduled on the office network and if people have problems accessing the system that they should call the attacker. Then the attacker will create a network outage and when the employees call, he can retrieve their login information. This kind of attack requires a significant amount of preperation, however it can yield very successful results.<br />
<br />
==Protection==<br />
To protect against social engineering attacks, a company should implement security policies which deal with both physical and psychological elements. Standard physical security mechanisms should be implemented which take into account network protection, password protection, and a system of securely disposing of trash. In addition, the policies should cover the education and training of emplyees to help recognize a social engineering attack. This kind of training should deal with how these attacks can happen, specific examples, and methods in which employees can authenticate who they are speaking with. It should also stress the importance of not giving out information that is not need-to-know or confidential (such as passwords). In general a good practice of [[Information_security_awareness|information security awareness]] will provide employees with a more skeptical attitude in giving out information.<br />
<br />
== References ==<br />
Bernz: “The complete Social Engineering FAQ!”<br />
http://www.morehouse.org/hin/blckcrwl/hack/soceng.txt<br />
<br />
Sarah Granger : “Social Engineering Fundamentals”, SecurityFocus, December 18, 2001<br />
http://www.securityfocus.com/infocus/1527<br />
<br />
“Social engineering (security)”, Wikipedia, November 19, 2007<br />
http://en.wikipedia.org/wiki/Social_engineering_(computer_security)<br />
<br />
“social engineering”, SearchSecurity, October 10, 2006<br />
http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci531120,00.html<br />
<br />
Mitnick, Kevin: “My first RSA Conference,” SecurityFocus, April 30, 2001<br />
http://www.securityfocus.com/news/199<br />
<br />
Leslie Hawthorn: “Social Engineering”, O’Reilly Network, March 10, 2006<br />
http://www.oreilly.com/pub/a/womenintech/2007/09/04/social-engineering.html<br />
<br />
“Social Engineering”, McGuill Network Communications Services, September 7, 2007<br />
http://www.mcgill.ca/ncs/products/security/threatsdangers/socialeng/<br />
<br />
<br />
--[[User:Shahinrs|Shahinrs]] 07:36, 7 November 2007 (EST)</div>Shahinrshttp://wiki.cas.mcmaster.ca/index.php/Social_engineeringSocial engineering2007-12-04T00:04:27Z<p>Shahinrs: </p>
<hr />
<div>'''Social Engineering''' is a term used in computer science that referees to a non-technical type of security attack. This attack relies on the human element in any security system and is made vulnerable by exploiting a person's trust in the attacker to divulge sensitive or insensitive information. This is often accomplished by misleading or tricking the person getting attacked. In many cases, the attacked never know that they have been attacked.<br />
<br />
{| __TOC__<br />
|}<br />
<br><br />
<br />
[[Image:Mitnick.jpg|thumb|300px|right|<br />
'''Kevin David Mitnick'''<br />
<br>''Born October 6, 1963''<br><br />
Convicted of computer related crimes using social engineering.]]<br />
<br />
==What is Social Engineering?==<br />
Social Engineering is the manipulation of people to further a person's motives using various methods. “The art and science of getting people to comply to your wishes” - [http://www.morehouse.org/hin/blckcrwl/hack/soceng.txt Bernz]. This "compliance" is generally associated with the acquisition of electronic information. However, Social Engineering can also apply to a border definition which encompasses any kind personal manipulation in an attempt to gain something dishonestly. The manipulation is performed by "tricking" the mark (the unsuspecting victim) into a false sense of trust which is them abused to obtain the sought objective.<br />
<br />
==Aspects of Social Engineering==<br />
A social engineering attack can be thought of as process with two key components; human and the system. The human component requires the social engineer to gain the trust of whom ever has access to the system.<br />
===Human===<br />
The human element in social engineering attacks is the method in which the objectives are carried out. Human beings are generally the weakest part of any security system because they can be tricked or corrupted. By attacking the people who have access to what a social engineer wants, the objectives of a social engineer can be reach more easily. People like system administrator, maintenance people, or employees can all potential jeopardized a secure system by giving out information that to someone who they consider to be trustworthy.<br />
<br />
===System===<br />
The system refers to any potentially closed system which contains something a social engineer wants. A social engineering attack is only successful if the social engineer has knowledge about the inner workings of the system. Knowledge like protocols, terminology, names of people, important dates, etc., provide a social engineer ammunition to construct a persona which is then used to manipulate the people who have access to the system.<br />
<br />
==Methods of Social Engineering==<br />
===By Phone===<br />
This is the most common method of social engineering attacks. An attacker will call the mark, using a persona, and gain the mark's trust. Then the attacker will request information which then might be used to perform another social engineering attack. Help desks are prone to this kind of attack since they are trained to be friendly and give out information. They are also minimally educated in areas of security. An example of this type of attack might be the following scenario. An attacker calls a help desk and asks to speak to the supervisor. When the supervisor answer, the attacker explains that he is the system administrator and that there is a problem with the system. Then the attacker asks the supervisor to login to the system. The attacker then states that he is unable to see the login on his end and that this is a problem. Then the attacker asks the supervisor to give him the login information so that he can try. Once the supervisor has done this, the attacker tells the supervisor that everything seems to be ok and the supervisor is none the wiser.<br />
<br />
Another example of a phone attack is when the attacker calls a person in the middle of the night posing as someone from a bank. The attacker asks if they have just made a suspicious purchase (a very large amount or in another country). When the mark says no, the attacker asks for the credit card number for verification, then says the charges will be removed from the account.<br />
<br />
Social Engineering can take on many forms on the phone and can have many different objectives. The most notable social engineer in 1990's was Kevin Mitnick. He was arrest in 1995 and convicted of illegally gaining access to computer networks and stealing intellectual property. Mitnick's methods relied on the use of phone calls to the companies which he attacked and the use of the [[The_Mitnick_attack|Mitnick Attack]]. Mitnick served 5 years in prison and now runs a security consulting company which gives security advice to companies.<br />
<br />
===Online===<br />
Online social engineering attacks are similar to phone attacks, in that they pose as a legitimate entity which the mark will trust. Many online attacks are spread through [[Phishing|phishing]]. This type of social engineering assumes that most users use the same login and password for many internet sites, so by getting the user to sign up for a new site, they will be giving up their login information. These sites might be in the form of new sites which the use might be interested in, or they might pose as sites which the user already has an account for and ask the user to try and login again. The latter example can take for in the following. The mark receives an email informing him that he needs to update his PayPal password by clicking the provided link and logging in. Failure to do so will result in the termination of the account after a specified period. Once the mark clicks on the link, and enters his login information, a message is displayed which confirms the change. The link the mark has clicked on however, was a link to the attacker's site which simply records the login information.<br />
<br />
===Persuasion===<br />
Persuasion is the core of social engineering attacks. This method is used in all social engineering attacks and relies on the attacker's grasp of the human psyche. The attacker's ability to persuade is determined by two things. Firstly the attacker must be able to gain trust. This can be accomplished using various techniques. The most common of which are creating a persona by impersonation (such as [[Identity_Theft||identity theft]] or imitation. An attacker can pose as either an existing employee or pose as a generic employee. For example, an attacker calling an office can say that his name is Bob Anderson with employee number 123456 (where Bob Anderson is an existing employ who works at a different branch with that employee number), or he can say he's Dale Johnson, a new system administrator brought in to fix the recent system failures (where Dale Johnson is a made up name). The use of these persona provides the social engineer with a the appearance of authenticity which is used to build the mark's trust. Once this authenticity is established, the attacker must then complete the persuasion by implementing the second step, manipulation. This is accomplished by providing a convincing reason to the mark to give the attacker what he wants. This can be a colorful background story, a tempting offer, or even guiling the mark into compliance. The point is to make the mark believe that the persona that is being used is legitimate and that the requests being made are genuine. If a social engineer can master these two elements then he will be very persuasive.<br />
<br />
===Dumpster Diving===<br />
Dumpster Diving, also known as trashing, is the "snooping" through trash to collect information. It is a very effective method of obtaining many different types of information. The premis is that many companies and individuals don't apply a high level of security in their garbage because they feel as though what they throw out is no longer relevant. However, much of the trash being discarded can collectively provide the social engineer with the tools needed to create personas and learn about the inner workings of the system. Trash like old user and password lists, company directories, event calenders, printouts of source code and even obsolete hardware can contain information that is relevant to the current state of the system. In particular the social engineer can learn about the companies protocols, terminology and many employee's names and other personal information.<br />
<br />
===Reverse Social Engineering===<br />
The objective in reverse social engineering is to have the mark ask the attacker for information, rather than the other way around. The advantage of this method is that the attacker can give out information that will suit his motives. For example, an attacker can call the supervisor of an office and inform him that there is maintenance scheduled on the office network and if people have problems accessing the system that they should call the attacker. Then the attacker will create a network outage and when the employees call, he can retrieve their login information. This kind of attack requires a significant amount of preperation, however it can yield very successful results.<br />
<br />
==Protection==<br />
To protect against social engineering attacks, a company should implement security policies which deal with both physical and psychological elements. Standard physical security mechanisms should be implemented which take into account network protection, password protection, and a system of securely disposing of trash. In addition, the policies should cover the education and training of emplyees to help recognize a social engineering attack. This kind of training should deal with how these attacks can happen, specific examples, and methods in which employees can authenticate who they are speaking with. It should also stress the importance of not giving out information that is not need-to-know or confidential (such as passwords).<br />
<br />
== References ==<br />
Bernz: “The complete Social Engineering FAQ!”<br />
http://www.morehouse.org/hin/blckcrwl/hack/soceng.txt<br />
<br />
Sarah Granger : “Social Engineering Fundamentals”, SecurityFocus, December 18, 2001<br />
http://www.securityfocus.com/infocus/1527<br />
<br />
“Social engineering (security)”, Wikipedia, November 19, 2007<br />
http://en.wikipedia.org/wiki/Social_engineering_(computer_security)<br />
<br />
“social engineering”, SearchSecurity, October 10, 2006<br />
http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci531120,00.html<br />
<br />
Mitnick, Kevin: “My first RSA Conference,” SecurityFocus, April 30, 2001<br />
http://www.securityfocus.com/news/199<br />
<br />
Leslie Hawthorn: “Social Engineering”, O’Reilly Network, March 10, 2006<br />
http://www.oreilly.com/pub/a/womenintech/2007/09/04/social-engineering.html<br />
<br />
“Social Engineering”, McGuill Network Communications Services, September 7, 2007<br />
http://www.mcgill.ca/ncs/products/security/threatsdangers/socialeng/<br />
<br />
<br />
--[[User:Shahinrs|Shahinrs]] 07:36, 7 November 2007 (EST)</div>Shahinrshttp://wiki.cas.mcmaster.ca/index.php/Social_engineeringSocial engineering2007-12-03T23:34:37Z<p>Shahinrs: </p>
<hr />
<div>'''Social Engineering''' is a term used in computer science that referees to a non-technical type of security attack. This attack relies on the human element in any security system and is made vulnerable by exploiting a person's trust in the attacker to divulge sensitive or insensitive information. This is often accomplished by misleading or tricking the person getting attacked. In many cases, the attacked never know that they have been attacked.<br />
<br />
{| __TOC__<br />
|}<br />
<br><br />
<br />
[[Image:Mitnick.jpg|thumb|300px|right|<br />
'''Kevin David Mitnick'''<br />
<br>''Born October 6, 1963''<br><br />
Convicted of computer related crimes using social engineering.]]<br />
<br />
==What is Social Engineering?==<br />
Social Engineering is the manipulation of people to further a person's motives using various methods. “The art and science of getting people to comply to your wishes” - [http://www.morehouse.org/hin/blckcrwl/hack/soceng.txt Bernz]. This "compliance" is generally associated with the acquisition of electronic information. However, Social Engineering can also apply to a border definition which encompasses any kind personal manipulation in an attempt to gain something dishonestly. The manipulation is performed by "tricking" the mark (the unsuspecting victim) into a false sense of trust which is them abused to obtain the sought objective.<br />
<br />
==Aspects of Social Engineering==<br />
A social engineering attack can be thought of as process with two key components; human and the system. The human component requires the social engineer to gain the trust of whom ever has access to the system.<br />
===Human===<br />
The human element in social engineering attacks is the method in which the objectives are carried out. Human beings are generally the weakest part of any security system because they can be tricked or corrupted. By attacking the people who have access to what a social engineer wants, the objectives of a social engineer can be reach more easily. People like system administrator, maintenance people, or employees can all potential jeopardized a secure system by giving out information that to someone who they consider to be trustworthy.<br />
<br />
===System===<br />
The system refers to any potentially closed system which contains something a social engineer wants. A social engineering attack is only successful if the social engineer has knowledge about the inner workings of the system. Knowledge like protocols, terminology, names of people, important dates, etc., provide a social engineer ammunition to construct a persona which is then used to manipulate the people who have access to the system.<br />
<br />
==Methods of Social Engineering==<br />
===By Phone===<br />
This is the most common method of social engineering attacks. An attacker will call the mark, using a persona, and gain the mark's trust. Then the attacker will request information which then might be used to perform another social engineering attack. Help desks are prone to this kind of attack since they are trained to be friendly and give out information. They are also minimally educated in areas of security. An example of this type of attack might be the following scenario. An attacker calls a help desk and asks to speak to the supervisor. When the supervisor answer, the attacker explains that he is the system administrator and that there is a problem with the system. Then the attacker asks the supervisor to login to the system. The attacker then states that he is unable to see the login on his end and that this is a problem. Then the attacker asks the supervisor to give him the login information so that he can try. Once the supervisor has done this, the attacker tells the supervisor that everything seems to be ok and the supervisor is none the wiser.<br />
<br />
Another example of a phone attack is when the attacker calls a person in the middle of the night posing as someone from a bank. The attacker asks if they have just made a suspicious purchase (a very large amount or in another country). When the mark says no, the attacker asks for the credit card number for verification, then says the charges will be removed from the account.<br />
<br />
Social Engineering can take on many forms on the phone and can have many different objectives. The most notable social engineer in 1990's was Kevin Mitnick. He was arrest in 1995 and convicted of illegally gaining access to computer networks and stealing intellectual property. Mitnick's methods relied on the use of phone calls to the companies which he attacked. Mitnick served 5 years in prison and now runs a security consulting company which gives security advice to companies.<br />
<br />
===Online===<br />
Online social engineering attacks are similar to phone attacks, in that they pose as a legitimate entity which the mark will trust. Many online attacks are spread through phishing. This type of social engineering assumes that most users use the same login and password for many internet sites, so by getting the user to sign up for a new site, they will be giving up their login information. These sites might be in the form of new sites which the use might be interested in, or they might pose as sites which the user already has an account for and ask the user to try and login again. The latter example can take for in the following. The mark receives an email informing him that he needs to update his PayPal password by clicking the provided link and logging in. Failure to do so will result in the termination of the account after a specified period. Once the mark clicks on the link, and enters his login information, a message is displayed which confirms the change. The link the mark has clicked on however, was a link to the attacker's site which simply records the login information.<br />
<br />
===Persuasion===<br />
Persuasion is the core of social engineering attacks. This method is used in all social engineering attacks and relies on the attacker's grasp of the human psyche. The attacker's ability to persuade is determined by two things. Firstly the attacker must be able to gain trust. This can be accomplished using various techniques. The most common of which are creating a persona by impersonation or imitation. An attacker can pose as either an existing employee or pose as a generic employee. For example, an attacker calling an office can say that his name is Bob Anderson with employee number 123456 (where Bob Anderson is an existing employ who works at a different branch with that employee number), or he can say he's Dale Johnson, a new system administrator brought in to fix the recent system failures (where Dale Johnson is a made up name). The use of these persona provides the social engineer with a the appearance of authenticity which is used to build the mark's trust. Once this authenticity is established, the attacker must then complete the persuasion by implementing the second step, manipulation. This is accomplished by providing a convincing reason to the mark to give the attacker what he wants. This can be a colorful background story, a tempting offer, or even guiling the mark into compliance. The point is to make the mark believe that the persona that is being used is legitimate and that the requests being made are genuine. If a social engineer can master these two elements then he will be very persuasive.<br />
<br />
===Dumpster Diving===<br />
Dumpster Diving, also known as trashing, is the "snooping" through trash to collect information. It is a very effective method of obtaining many different types of information. The premis is that many companies and individuals don't apply a high level of security in their garbage because they feel as though what they throw out is no longer relevant. However, much of the trash being discarded can collectively provide the social engineer with the tools needed to create personas and learn about the inner workings of the system. Trash like old user and password lists, company directories, event calenders, printouts of source code and even obsolete hardware can contain information that is relevant to the current state of the system. In particular the social engineer can learn about the companies protocals, termonology and many emplyee's names and other personal information.<br />
<br />
===Reverse Social Engineering===<br />
*Pretend to be someone in a position of authority<br />
**employees will ask him for information<br />
*Most difficult method to pull off<br />
**requires lots of preparation<br />
**but can yield the most successful results<br />
<br />
<br />
==Protection==<br />
*Security policies dealing with both physical and psychological elements<br />
**Standard physical security mechanisms<br />
***networks protection<br />
***good password protection<br />
***secure disposal of trash<br />
***standard security measures we’ve discussed in class<br />
**Education and training of employees<br />
***Making employees aware of Social Engineering<br />
***better recognize an attack<br />
***Authentication<br />
****Making sure the person they are speaking with is that person<br />
**Availability of ANY information<br />
***only give out information that’s need-to-know<br />
***Don’t give out confidential information<br />
<br />
==Conclusion==<br />
*Social Engineering attacks are very difficult to protect against. <br />
*A system’s security is only as strong as the people who maintain it. <br />
*With proper training, a social Engineering attack can be made extremely difficult. <br />
*However, it can never been fully projected against. <br />
<br />
== References ==<br />
Bernz: “The complete Social Engineering FAQ!”<br />
http://www.morehouse.org/hin/blckcrwl/hack/soceng.txt<br />
<br />
Sarah Granger : “Social Engineering Fundamentals”, SecurityFocus, December 18, 2001<br />
http://www.securityfocus.com/infocus/1527<br />
<br />
“Social engineering (security)”, Wikipedia, November 19, 2007<br />
http://en.wikipedia.org/wiki/Social_engineering_(computer_security)<br />
<br />
“social engineering”, SearchSecurity, October 10, 2006<br />
http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci531120,00.html<br />
<br />
Mitnick, Kevin: “My first RSA Conference,” SecurityFocus, April 30, 2001<br />
http://www.securityfocus.com/news/199<br />
<br />
Leslie Hawthorn: “Social Engineering”, O’Reilly Network, March 10, 2006<br />
http://www.oreilly.com/pub/a/womenintech/2007/09/04/social-engineering.html<br />
<br />
“Social Engineering”, McGuill Network Communications Services, September 7, 2007<br />
http://www.mcgill.ca/ncs/products/security/threatsdangers/socialeng/<br />
<br />
<br />
--[[User:Shahinrs|Shahinrs]] 07:36, 7 November 2007 (EST)</div>Shahinrshttp://wiki.cas.mcmaster.ca/index.php/Social_engineeringSocial engineering2007-12-03T09:16:29Z<p>Shahinrs: </p>
<hr />
<div>'''Social Engineering''' is a term used in computer science that referees to a non-technical type of security attack. This attack relies on the human element in any security system and is made vulnerable by exploiting a person's trust in the attacker to divulge sensitive or insensitive information. This is often accomplished by misleading or tricking the person getting attacked. In many cases, the attacked never know that they have been attacked.<br />
<br />
{| __TOC__<br />
|}<br />
<br><br />
<br />
[[Image:Mitnick.jpg|thumb|300px|right|<br />
'''Kevin David Mitnick'''<br />
<br>''Born October 6, 1963''<br><br />
Convicted of computer related crimes using social engineering.]]<br />
<br />
==What is Social Engineering?==<br />
Social Engineering is the manipulation of people to further a person's motives using various methods. “The art and science of getting people to comply to your wishes” - [http://www.morehouse.org/hin/blckcrwl/hack/soceng.txt Bernz]. This "compliance" is generally associated with the acquisition of electronic information. However, Social Engineering can also apply to a border definition which encompasses any kind personal manipulation in an attempt to gain something dishonestly. The manipulation is performed by "tricking" the mark (the unsuspecting victim) into a false sense of trust which is them abused to obtain the sought objective.<br />
<br />
==Aspects of Social Engineering==<br />
A social engineering attack can be thought of as process with two key components; human and the system. The human component requires the social engineer to gain the trust of whom ever has access to the system.<br />
===Human===<br />
The human element in social engineering attacks is the method in which the objectives are carried out. Human beings are generally the weakest part of any security system because they can be tricked or corrupted. By attacking the people who have access to what a social engineer wants, the objectives of a social engineer can be reach more easily. People like system administrator, maintenance people, or employees can all potential jeopardized a secure system by giving out information that to someone who they consider to be trustworthy.<br />
<br />
===System===<br />
The system refers to any potentially closed system which contains something a social engineer wants. A social engineering attack is only successful if the social engineer has knowledge about the inner workings of the system. Knowledge like protocols, terminology, names of people, important dates, etc., provide a social engineer ammunition to construct a persona which is then used to manipulate the people who have access to the system.<br />
<br />
==Methods of Social Engineering==<br />
===By Phone===<br />
This is the most common method of social engineering attacks. An attacker will call the mark, using a persona, and gain the mark's trust. Then the attacker will request information which then might be used to perform another social engineering attack.<br />
*Most common method<br />
*Call a company and imitate someone in a position of authority or relevance.<br />
**Supervisor, manager, system admin.<br />
***pretend they can’t log into the system<br />
***or that they need your login to troubleshoot<br />
*Help desks are most prone to this<br />
**used to helping people<br />
**trained to give out information and be friendly<br />
**want to move on to next call<br />
**minimally educated in security area<br />
<br />
===Online===<br />
*Many people use same password and login for internet sites<br />
**Using methods like Phishing can allow the Social Engineer to obtain lots of information about a person<br />
<br />
===Persuasion===<br />
*The true strength of a Social Engineer<br />
*Gaining trust by<br />
**impersonation (identiy theft)<br />
**imitation (made up identity)<br />
*Uses psychological methods<br />
**Guilt<br />
**Tempting offers<br />
<br />
===Dumpster Diving===<br />
*also known as trashing<br />
*looking through garbage for information<br />
*Many companies don’t implement any method of security for their garbage<br />
**user and password lists<br />
**Company directories<br />
**Event calendars<br />
**obsolete computers<br />
**printouts of source codes<br />
**The more a Social Engineer knows about:<br />
***a company<br />
***their protocols<br />
***terminology<br />
***the more likely he’ll be able to succeed.<br />
<br />
===Reverse Social Engineering===<br />
*Pretend to be someone in a position of authority<br />
**employees will ask him for information<br />
*Most difficult method to pull off<br />
**requires lots of preparation<br />
**but can yield the most successful results<br />
<br />
<br />
==Protection==<br />
*Security policies dealing with both physical and psychological elements<br />
**Standard physical security mechanisms<br />
***networks protection<br />
***good password protection<br />
***secure disposal of trash<br />
***standard security measures we’ve discussed in class<br />
**Education and training of employees<br />
***Making employees aware of Social Engineering<br />
***better recognize an attack<br />
***Authentication<br />
****Making sure the person they are speaking with is that person<br />
**Availability of ANY information<br />
***only give out information that’s need-to-know<br />
***Don’t give out confidential information<br />
<br />
==Conclusion==<br />
*Social Engineering attacks are very difficult to protect against. <br />
*A system’s security is only as strong as the people who maintain it. <br />
*With proper training, a social Engineering attack can be made extremely difficult. <br />
*However, it can never been fully projected against. <br />
<br />
== References ==<br />
Bernz: “The complete Social Engineering FAQ!”<br />
http://www.morehouse.org/hin/blckcrwl/hack/soceng.txt<br />
<br />
Sarah Granger : “Social Engineering Fundamentals”, SecurityFocus, December 18, 2001<br />
http://www.securityfocus.com/infocus/1527<br />
<br />
“Social engineering (security)”, Wikipedia, November 19, 2007<br />
http://en.wikipedia.org/wiki/Social_engineering_(computer_security)<br />
<br />
“social engineering”, SearchSecurity, October 10, 2006<br />
http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci531120,00.html<br />
<br />
Mitnick, Kevin: “My first RSA Conference,” SecurityFocus, April 30, 2001<br />
http://www.securityfocus.com/news/199<br />
<br />
Leslie Hawthorn: “Social Engineering”, O’Reilly Network, March 10, 2006<br />
http://www.oreilly.com/pub/a/womenintech/2007/09/04/social-engineering.html<br />
<br />
“Social Engineering”, McGuill Network Communications Services, September 7, 2007<br />
http://www.mcgill.ca/ncs/products/security/threatsdangers/socialeng/<br />
<br />
<br />
--[[User:Shahinrs|Shahinrs]] 07:36, 7 November 2007 (EST)</div>Shahinrshttp://wiki.cas.mcmaster.ca/index.php/Social_engineeringSocial engineering2007-12-03T07:58:36Z<p>Shahinrs: </p>
<hr />
<div>'''Social Engineering''' is a term used in computer science that referees to a non-technical type of security attack. This attack relies on the human element in any security system and is made vulnerable by exploiting a person's trust in the attacker to divulge sensitive or insensitive information. This is often accomplished by misleading or tricking the person getting attacked. In many cases, the attacked never know that they have been attacked.<br />
<br />
{| __TOC__<br />
|}<br />
<br><br />
<br />
[[Image:Mitnick.jpg|thumb|300px|right|<br />
'''Kevin David Mitnick'''<br />
<br>''Born October 6, 1963''<br><br />
Convicted of computer related crimes using social engineering.]]<br />
<br />
==What is Social Engineering?==<br />
Social Engineering is?<br />
*“the art and science of getting people to comply to your wishes” - Bernz. <br />
*Attacks human side of information security<br />
*not mind control or coercion.<br />
*but rather “ticking” people <br />
**do what you want them to do<br />
**give you information that you might not have access to<br />
<br />
==Aspects of Social Engineering==<br />
<br />
<br />
<br />
<br />
<br />
===Human===<br />
*Humans are generally the weakest part of any security system<br />
**System admins, maintenance people, employees<br />
***all have access to the system<br />
***any one of them can jeopardize security if they are not careful<br />
***knowingly or unknowingly<br />
*All Social Engineering attacks have something in common<br />
**Take advantage of a human being’s trust<br />
*Need 2 things for a Social Engineering attack<br />
**A knowledge of the system being attacked<br />
***Lots of background work<br />
***Terminology<br />
***Names of people and places<br />
***Protocols being used<br />
***The ability to gain people’s trust<br />
<br />
===Hardware===<br />
<br />
==Notable Examples==<br />
<br />
==Methods of Social Engineering==<br />
===By Phone===<br />
*Most common method<br />
*Call a company and imitate someone in a position of authority or relevance.<br />
**Supervisor, manager, system admin.<br />
***pretend they can’t log into the system<br />
***or that they need your login to troubleshoot<br />
*Help desks are most prone to this<br />
**used to helping people<br />
**trained to give out information and be friendly<br />
**want to move on to next call<br />
**minimally educated in security area<br />
<br />
===Online===<br />
*Many people use same password and login for internet sites<br />
**Using methods like Phishing can allow the Social Engineer to obtain lots of information about a person<br />
<br />
===Persuasion===<br />
*The true strength of a Social Engineer<br />
*Gaining trust by<br />
**impersonation (identiy theft)<br />
**imitation (made up identity)<br />
*Uses psychological methods<br />
**Guilt<br />
**Tempting offers<br />
<br />
===Dumpster Diving===<br />
*also known as trashing<br />
*looking through garbage for information<br />
*Many companies don’t implement any method of security for their garbage<br />
**user and password lists<br />
**Company directories<br />
**Event calendars<br />
**obsolete computers<br />
**printouts of source codes<br />
**The more a Social Engineer knows about:<br />
***a company<br />
***their protocols<br />
***terminology<br />
***the more likely he’ll be able to succeed.<br />
<br />
===Reverse Social Engineering===<br />
*Pretend to be someone in a position of authority<br />
**employees will ask him for information<br />
*Most difficult method to pull off<br />
**requires lots of preparation<br />
**but can yield the most successful results<br />
<br />
==Protection==<br />
*Security policies dealing with both physical and psychological elements<br />
**Standard physical security mechanisms<br />
***networks protection<br />
***good password protection<br />
***secure disposal of trash<br />
***standard security measures we’ve discussed in class<br />
**Education and training of employees<br />
***Making employees aware of Social Engineering<br />
***better recognize an attack<br />
***Authentication<br />
****Making sure the person they are speaking with is that person<br />
**Availability of ANY information<br />
***only give out information that’s need-to-know<br />
***Don’t give out confidential information<br />
<br />
==Conclusion==<br />
*Social Engineering attacks are very difficult to protect against. <br />
*A system’s security is only as strong as the people who maintain it. <br />
*With proper training, a social Engineering attack can be made extremely difficult. <br />
*However, it can never been fully projected against. <br />
<br />
==References==<br />
Bernz: “The complete Social Engineering FAQ!”<br />
http://www.morehouse.org/hin/blckcrwl/hack/soceng.txt<br />
<br />
Sarah Granger : “Social Engineering Fundamentals”, SecurityFocus, December 18, 2001<br />
http://www.securityfocus.com/infocus/1527<br />
<br />
“Social engineering (security)”, Wikipedia, November 19, 2007<br />
http://en.wikipedia.org/wiki/Social_engineering_(computer_security)<br />
<br />
“social engineering”, SearchSecurity, October 10, 2006<br />
http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci531120,00.html<br />
<br />
Mitnick, Kevin: “My first RSA Conference,” SecurityFocus, April 30, 2001<br />
http://www.securityfocus.com/news/199<br />
<br />
Leslie Hawthorn: “Social Engineering”, O’Reilly Network, March 10, 2006<br />
http://www.oreilly.com/pub/a/womenintech/2007/09/04/social-engineering.html<br />
<br />
“Social Engineering”, McGuill Network Communications Services, September 7, 2007<br />
http://www.mcgill.ca/ncs/products/security/threatsdangers/socialeng/<br />
<br />
<br />
--[[User:Shahinrs|Shahinrs]] 07:36, 7 November 2007 (EST)</div>Shahinrshttp://wiki.cas.mcmaster.ca/index.php/Social_engineeringSocial engineering2007-11-30T23:47:41Z<p>Shahinrs: </p>
<hr />
<div>'''Social engineering''' is a term used in computer science that referees to a non-technical type of security attack. This attack relies on the human element in any security system and is made vulnerable by exploiting a person's trust in the attacker to divulge sensitive or insensitive information. This is often accomplished by misleading or tricking the person getting attacked. In many cases, the attacked never know that they have been attacked.<br />
<br />
{| __TOC__<br />
|}<br />
<br><br />
<br />
[[Image:Mitnick.jpg|thumb|300px|right|<br />
'''Kevin David Mitnick'''<br />
<br>''Born October 6, 1963''<br><br />
Convicted of computer related crimes using social engineering.]]<br />
<br />
==What is Social Engineering?==<br />
Social Engineering is?<br />
*“the art and science of getting people to comply to your wishes” - Bernz. <br />
*Attacks human side of information security<br />
*not mind control or coercion.<br />
*but rather “ticking” people <br />
**do what you want them to do<br />
**give you information that you might not have access to<br />
<br />
==Aspects of Social Engineering==<br />
<br />
<br />
<br />
<br />
<br />
===Human===<br />
*Humans are generally the weakest part of any security system<br />
**System admins, maintenance people, employees<br />
***all have access to the system<br />
***any one of them can jeopardize security if they are not careful<br />
***knowingly or unknowingly<br />
*All Social Engineering attacks have something in common<br />
**Take advantage of a human being’s trust<br />
*Need 2 things for a Social Engineering attack<br />
**A knowledge of the system being attacked<br />
***Lots of background work<br />
***Terminology<br />
***Names of people and places<br />
***Protocols being used<br />
***The ability to gain people’s trust<br />
<br />
===Hardware===<br />
<br />
==Notable Examples==<br />
<br />
==Methods of Social Engineering==<br />
===By Phone===<br />
*Most common method<br />
*Call a company and imitate someone in a position of authority or relevance.<br />
**Supervisor, manager, system admin.<br />
***pretend they can’t log into the system<br />
***or that they need your login to troubleshoot<br />
*Help desks are most prone to this<br />
**used to helping people<br />
**trained to give out information and be friendly<br />
**want to move on to next call<br />
**minimally educated in security area<br />
<br />
===Online===<br />
*Many people use same password and login for internet sites<br />
**Using methods like Phishing can allow the Social Engineer to obtain lots of information about a person<br />
<br />
===Persuasion===<br />
*The true strength of a Social Engineer<br />
*Gaining trust by<br />
**impersonation (identiy theft)<br />
**imitation (made up identity)<br />
*Uses psychological methods<br />
**Guilt<br />
**Tempting offers<br />
<br />
===Dumpster Diving===<br />
*also known as trashing<br />
*looking through garbage for information<br />
*Many companies don’t implement any method of security for their garbage<br />
**user and password lists<br />
**Company directories<br />
**Event calendars<br />
**obsolete computers<br />
**printouts of source codes<br />
**The more a Social Engineer knows about:<br />
***a company<br />
***their protocols<br />
***terminology<br />
***the more likely he’ll be able to succeed.<br />
<br />
===Reverse Social Engineering===<br />
*Pretend to be someone in a position of authority<br />
**employees will ask him for information<br />
*Most difficult method to pull off<br />
**requires lots of preparation<br />
**but can yield the most successful results<br />
<br />
==Protection==<br />
*Security policies dealing with both physical and psychological elements<br />
**Standard physical security mechanisms<br />
***networks protection<br />
***good password protection<br />
***secure disposal of trash<br />
***standard security measures we’ve discussed in class<br />
**Education and training of employees<br />
***Making employees aware of Social Engineering<br />
***better recognize an attack<br />
***Authentication<br />
****Making sure the person they are speaking with is that person<br />
**Availability of ANY information<br />
***only give out information that’s need-to-know<br />
***Don’t give out confidential information<br />
<br />
==Conclusion==<br />
*Social Engineering attacks are very difficult to protect against. <br />
*A system’s security is only as strong as the people who maintain it. <br />
*With proper training, a social Engineering attack can be made extremely difficult. <br />
*However, it can never been fully projected against. <br />
<br />
==References==<br />
Bernz: “The complete Social Engineering FAQ!”<br />
http://www.morehouse.org/hin/blckcrwl/hack/soceng.txt<br />
<br />
Sarah Granger : “Social Engineering Fundamentals”, SecurityFocus, December 18, 2001<br />
http://www.securityfocus.com/infocus/1527<br />
<br />
“Social engineering (security)”, Wikipedia, November 19, 2007<br />
http://en.wikipedia.org/wiki/Social_engineering_(computer_security)<br />
<br />
“social engineering”, SearchSecurity, October 10, 2006<br />
http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci531120,00.html<br />
<br />
Mitnick, Kevin: “My first RSA Conference,” SecurityFocus, April 30, 2001<br />
http://www.securityfocus.com/news/199<br />
<br />
Leslie Hawthorn: “Social Engineering”, O’Reilly Network, March 10, 2006<br />
http://www.oreilly.com/pub/a/womenintech/2007/09/04/social-engineering.html<br />
<br />
“Social Engineering”, McGuill Network Communications Services, September 7, 2007<br />
http://www.mcgill.ca/ncs/products/security/threatsdangers/socialeng/<br />
<br />
<br />
--[[User:Shahinrs|Shahinrs]] 07:36, 7 November 2007 (EST)</div>Shahinrshttp://wiki.cas.mcmaster.ca/index.php/Social_engineeringSocial engineering2007-11-30T23:16:40Z<p>Shahinrs: </p>
<hr />
<div>'''Social engineering''' is a term used in computer science that referees to a non-technical type of security attack. This attack relies on the human element in any security system and is made vulnerable by exploiting a person's trust in the attacker to divulge sensitive or insensitive information. This is often accomplished by misleading or tricker the person getting attacked. In many cases, the attacked never know that they have been attacked.<br />
<br />
<br />
__NOTOC__ <br />
<br />
[[Image:Mitnick.jpg]]<br />
<br />
<br />
<br />
<br />
==Social engineering techniques and terms==<br />
All social engineering techniques are based on specific attributes of human decision-making known as [[List of cognitive biases|cognitive biases]].<ref>CSEPS Course Workbook, unit 3</ref> These biases, sometimes called "bugs in the human hardware," are exploited in various combinations to create attack techniques, some of which are listed here:<br />
<br />
In computer security, social engineering is a term that describes a non-technical kind of intrusion that relies heavily on human interaction and often involves tricking other people to break normal security procedures. A social engineer runs what used to be called a "con game". For example, a person using social engineering to break into a computer network would try to gain the confidence of someone who is authorized to access the network in order to get them to reveal information that compromises the network's security. They might call the authorized employee with some kind of urgent problem; social engineers often rely on the natural helpfulness of people as well as on their weaknesses. Appeal to vanity, appeal to authority, and old-fashioned eavesdropping are typical social engineering techniques.<br />
<br />
Another aspect of social engineering relies on people's inability to keep up with a culture that relies heavily on information technology. Social engineers rely on the fact that people are not aware of the value of the information they possess and are careless about protecting it. Frequently, social engineers will search dumpsters for valuable information, memorize access codes by looking over someone's shoulder (shoulder surfing), or take advantage of people's natural inclination to choose passwords that are meaningful to them but can be easily guessed. Security experts propose that as our culture becomes more dependent on information, social engineering will remain the greatest threat to any security system. Prevention includes educating people about the value of information, training them to protect it, and increasing people's awareness of how social engineers operate.<br />
<br />
<br />
<br />
== External links ==<br />
<br />
== References ==<br />
<br />
<br />
--[[User:Shahinrs|Shahinrs]] 07:36, 7 November 2007 (EST)</div>Shahinrshttp://wiki.cas.mcmaster.ca/index.php/Social_engineeringSocial engineering2007-11-30T23:09:58Z<p>Shahinrs: </p>
<hr />
<div>'''Social engineering''' is a term used in computer science that referees to a non-technical type of security attack. This attack relies on the human element in any security system and is made vulnerable by exploiting a person's trust in the attacker to divulge sensitive or insensitive information. This is often accomplished by misleading or tricker the person getting attacked. In many cases, the attacked never know that they have been attacked.<br />
<br />
[[Image:Mitnick.jpg]]<br />
<br />
<br />
<br />
<br />
==Social engineering techniques and terms==<br />
All social engineering techniques are based on specific attributes of human decision-making known as [[List of cognitive biases|cognitive biases]].<ref>CSEPS Course Workbook, unit 3</ref> These biases, sometimes called "bugs in the human hardware," are exploited in various combinations to create attack techniques, some of which are listed here:<br />
<br />
In computer security, social engineering is a term that describes a non-technical kind of intrusion that relies heavily on human interaction and often involves tricking other people to break normal security procedures. A social engineer runs what used to be called a "con game". For example, a person using social engineering to break into a computer network would try to gain the confidence of someone who is authorized to access the network in order to get them to reveal information that compromises the network's security. They might call the authorized employee with some kind of urgent problem; social engineers often rely on the natural helpfulness of people as well as on their weaknesses. Appeal to vanity, appeal to authority, and old-fashioned eavesdropping are typical social engineering techniques.<br />
<br />
Another aspect of social engineering relies on people's inability to keep up with a culture that relies heavily on information technology. Social engineers rely on the fact that people are not aware of the value of the information they possess and are careless about protecting it. Frequently, social engineers will search dumpsters for valuable information, memorize access codes by looking over someone's shoulder (shoulder surfing), or take advantage of people's natural inclination to choose passwords that are meaningful to them but can be easily guessed. Security experts propose that as our culture becomes more dependent on information, social engineering will remain the greatest threat to any security system. Prevention includes educating people about the value of information, training them to protect it, and increasing people's awareness of how social engineers operate.<br />
<br />
<br />
<br />
== External links ==<br />
<br />
== References ==<br />
<br />
<br />
--[[User:Shahinrs|Shahinrs]] 07:36, 7 November 2007 (EST)</div>Shahinrshttp://wiki.cas.mcmaster.ca/index.php/Social_engineeringSocial engineering2007-11-30T22:35:33Z<p>Shahinrs: </p>
<hr />
<div>'''Social engineering''' is a term used in computer science that referees to a non-technical type of security attack. This attack relies on the human element in any security system and is made vulnerable by exploiting a person's trust in the attacker to divulge sensitive or insensitive information. This is often accomplished by misleading or tricker the person getting attacked. In many cases, the attacked never know that they have been attacked.<br />
<br />
[[Image:Mitnick.jpg]]<br />
<br />
==Social engineering techniques and terms==<br />
All social engineering techniques are based on specific attributes of human decision-making known as [[List of cognitive biases|cognitive biases]].<ref>CSEPS Course Workbook, unit 3</ref> These biases, sometimes called "bugs in the human hardware," are exploited in various combinations to create attack techniques, some of which are listed here:<br />
<br />
In computer security, social engineering is a term that describes a non-technical kind of intrusion that relies heavily on human interaction and often involves tricking other people to break normal security procedures. A social engineer runs what used to be called a "con game". For example, a person using social engineering to break into a computer network would try to gain the confidence of someone who is authorized to access the network in order to get them to reveal information that compromises the network's security. They might call the authorized employee with some kind of urgent problem; social engineers often rely on the natural helpfulness of people as well as on their weaknesses. Appeal to vanity, appeal to authority, and old-fashioned eavesdropping are typical social engineering techniques.<br />
<br />
Another aspect of social engineering relies on people's inability to keep up with a culture that relies heavily on information technology. Social engineers rely on the fact that people are not aware of the value of the information they possess and are careless about protecting it. Frequently, social engineers will search dumpsters for valuable information, memorize access codes by looking over someone's shoulder (shoulder surfing), or take advantage of people's natural inclination to choose passwords that are meaningful to them but can be easily guessed. Security experts propose that as our culture becomes more dependent on information, social engineering will remain the greatest threat to any security system. Prevention includes educating people about the value of information, training them to protect it, and increasing people's awareness of how social engineers operate.<br />
[[Image:https://www.aiga.org/Resources/SymbolSigns/gif_large/01_telephone_inv.gif]]<br />
--[[User:Shahinrs|Shahinrs]] 07:36, 7 November 2007 (EST)</div>Shahinrshttp://wiki.cas.mcmaster.ca/index.php/File:Mitnick.jpgFile:Mitnick.jpg2007-11-30T22:30:32Z<p>Shahinrs: </p>
<hr />
<div>Kevin David Mitnick (born October 6, 1963) is one of the most notable computer hackers of the 1990's. He was convicted of computer related crimes in the late 1990's and served five years in prison (four of which were pre-trial). Mitnick was released on January 21, 2000 and now runs Mitnick Security Consulting, which is a computer security consulting company.</div>Shahinrshttp://wiki.cas.mcmaster.ca/index.php/File:Mitnick.jpgFile:Mitnick.jpg2007-11-30T22:29:51Z<p>Shahinrs: </p>
<hr />
<div>Kevin David Mitnick (born October 6, 1963) is one of the most notable computer hackers of the 1990's. He was convicted of computer related crimes in the 1990's and served five years in prison (four of which were pre-trial). Mitnick was released on January 21, 2000 and now runs Mitnick Security Consulting, which is a computer security consulting company.</div>Shahinrshttp://wiki.cas.mcmaster.ca/index.php/File:Mitnick.jpgFile:Mitnick.jpg2007-11-30T22:18:37Z<p>Shahinrs: Kevin Mitnick, one of the most notable social engineers</p>
<hr />
<div>Kevin Mitnick, one of the most notable social engineers</div>Shahinrshttp://wiki.cas.mcmaster.ca/index.php/Social_engineeringSocial engineering2007-11-07T12:36:31Z<p>Shahinrs: New page: '''Social engineering''' is a term used in computer science that referees to a non-technical type of security attack. This attack relies on the human element in any security system and is ...</p>
<hr />
<div>'''Social engineering''' is a term used in computer science that referees to a non-technical type of security attack. This attack relies on the human element in any security system and is made vulnerable by exploiting a person's trust in the attacker to divulge sensitive or insensitive information. This is often accomplished by misleading or tricker the person getting attacked. In many cases, the attacked never know that they have been attacked.<br />
<br />
<br />
==Social engineering techniques and terms==<br />
All social engineering techniques are based on specific attributes of human decision-making known as [[List of cognitive biases|cognitive biases]].<ref>CSEPS Course Workbook, unit 3</ref> These biases, sometimes called "bugs in the human hardware," are exploited in various combinations to create attack techniques, some of which are listed here:<br />
<br />
In computer security, social engineering is a term that describes a non-technical kind of intrusion that relies heavily on human interaction and often involves tricking other people to break normal security procedures. A social engineer runs what used to be called a "con game". For example, a person using social engineering to break into a computer network would try to gain the confidence of someone who is authorized to access the network in order to get them to reveal information that compromises the network's security. They might call the authorized employee with some kind of urgent problem; social engineers often rely on the natural helpfulness of people as well as on their weaknesses. Appeal to vanity, appeal to authority, and old-fashioned eavesdropping are typical social engineering techniques.<br />
<br />
Another aspect of social engineering relies on people's inability to keep up with a culture that relies heavily on information technology. Social engineers rely on the fact that people are not aware of the value of the information they possess and are careless about protecting it. Frequently, social engineers will search dumpsters for valuable information, memorize access codes by looking over someone's shoulder (shoulder surfing), or take advantage of people's natural inclination to choose passwords that are meaningful to them but can be easily guessed. Security experts propose that as our culture becomes more dependent on information, social engineering will remain the greatest threat to any security system. Prevention includes educating people about the value of information, training them to protect it, and increasing people's awareness of how social engineers operate.<br />
[[Image:https://www.aiga.org/Resources/SymbolSigns/gif_large/01_telephone_inv.gif]]<br />
--[[User:Shahinrs|Shahinrs]] 07:36, 7 November 2007 (EST)</div>Shahinrs