Major hacks: social engineering seems most likely approach

posted on Oct, 23 2015 @ 01:03 AM
Hear me out, as this is my take on things. I think most of the major hacks we hear about in the news are much more likely the result of social engineering than botnet or other brute force approaches. Not that I rule out other hacking methods, but I think the effort vs. payoff is much better. If anything, I think the non-social methods of hacking are employed more as a distraction to make the bigger weaknesses more readily exploitable. (I think that was one of the biggest things Kevin Mitnick discussed for that time he was in the spotlight some years ago.)

So this is what I'm thinking. You have a company staff set up to handle lots of information. Of that staff, you might have up to a dozen well paid IT specialists. (Admin roles.) They watch ports, monitor various systems, keep on top of servers for uptime, etc. But these guys aren't your weakest link, they're usually paid well, have all the benefits, etc. For them, things are good and there's usually an attachment to what they're doing.

So who do you exploit as a hacker? The same company has in their employ something like 100+ customer service reps. However these people tend to be outsourced to remote data centers, or are on part time as contracted through various staffing services. More or less they're temps, and on average they're not being paid much more than minimum wage. As workers, they also tend to be treated as disposable, so not much job security either. However these lowest paid on the data-management totem pole have the same keys to all the pertinent info that the top brass does. (And to even do their job they need access to all the customer records by default.) If you want to social engineer the keys to the kingdom, this is where you make the hit. First not everyone takes the job seriously (meh, another temp gig), so they're bound to be a bit loose. Others do, but then it's a matter of finding those who are disgruntled or hurting for money while working in this role. The odds are good too, as there's like 50 to 1 vs. IT staff and perhaps 20 to 1 vs. higher ups managing and monitoring things. Don't hit it off as a hacker? Just make another bogus call into the system and re-roll the dice.

Thus the greatest hardware firewall in any business means little when the best keys to get in a system are relatively cheap. (Perhaps a few months' wages?) I bet you could ask anyone that works at a phone bank type place that handles customer records or billing in one form or another, and they'd agree that security is apparently paper-thin on that end. (Also I did a stint working in that area, and the way things appeared to be done in some areas made me cringe a bit. I'm the type that stays honest and respected confidentiality for what I did, but I could see where less scrupulous types could easily pick up a bounty with access or knowledge they have by wandering into some darker parts of the internet. Thus my suspicion is most of the expensive hacks we see in the news occur from the inside.)

So if somebody wants to really secure their system, they really need to poll through the data handlers and penetration test them. And I'm willing to bet that's a lot more difficult than running a firewall and locking it down. For real security it's necessary that people in all data roles are on top of their game, but to get that you also have to be willing to pay them well and not treat them like dirt.
edit on 23-10-2015 by pauljs75 because: (no reason given)


I'm posting this as a rant, as it seems like it really should be freakin' obvious. But most news seems to postulate that everything is vulnerable by doing things the hard way.
edit on 23-10-2015 by pauljs75 because: (no reason given)



posted on Oct, 23 2015 @ 01:46 AM
Yeah, all this from someone that posts the way they think to a public forum and still thinks that they have anonymity...

If you don't take care of your IP, if you really post your true feelings and intents and if... just if you are sincere... there is a good chance someone can make a personality profile on who you really are. As such social engineering based upon that is rather simple because customer service is generally populated by people that do not generally possess super-critical analytical skills. This presents a good opportunity to social engineers; knowing that most of these customer service people are being attacked by low-grade disgruntled morons, a smooth and casual helpful voice is a breath of fresh air. Your happy demeanor and complimentary disposition is a stark contrast to your normal day of angry and hateful people; you identify.

The results are fabulous....


edit on 23-10-2015 by notmyrealname because: thpelling



posted on Oct, 23 2015 @ 04:12 AM
Ok what info does the business have and how much do you want it?

Internal company politics...find out where the office workers go for a beer and listen in for material that could be used to bribe people.

Bulk data, probably the simplest is to ring up and speak to someone as you might find where the offsite data backups are and then pop in as the new IT guy and snaffle them.

If you want long term access so you can read and/or alter data then it gets much more difficult but never out of reach... a firewall's not much use if you use a side door so get a worker friend to pop in a preconfigured router and plug it in to the network and then you can slurp away from your car as it's very unlikely that they will detect it if done properly.

Read the job ads; they quite often tell you exactly what sort of tech the company uses and as such if you go the malware route you can make sure it won't trip their AV software etc.


