Phreaking

Phreaking is a slang term coined to describe the activity of a subculture of people who study, experiment with, or explore telecommunication systems, like equipment and systems connected to public telephone networks. The term "phreak" is derived from the words "phone" and "freak". It may also refer to the use of various audio frequencies to manipulate a phone system. "Phreak", "phreaker", or "phone phreak" are names used for and by individuals who participate in phreaking. Additionally, it is often associated with computer hacking. This is sometimes called the H/P culture (with H standing for Hacking and P standing for Phreaking).

Information on this site is for educational purposes only! Wyretap Network ©2007 - 2010

Social engineering techniques and terms

All social engineering techniques are based on specific attributes of human decision-making known as cognitive biases.[1] These biases, sometimes called "bugs in the human hardware," are exploited in various combinations to create attack techniques, some of which are listed here:
Pretexting
Pretexting is the act of creating and using an invented scenario (the pretext) to persuade a targeted victim to release information or perform an action, and is typically done over the telephone. It is more than a simple lie, as it most often involves some prior research or setup and the use of pieces of known information (e.g. for impersonation: date of birth, Social Security Number, last bill amount) to establish legitimacy in the mind of the target.[2]
This technique is often used to trick a business into disclosing customer information, and is used by private investigators to obtain telephone records, utility records, banking records and other information directly from junior company service representatives. The information can then be used to establish even greater legitimacy under tougher questioning with a manager (e.g., to make account changes, get specific balances, etc.).
As most U.S. companies still authenticate a client by asking only for a Social Security Number, date of birth, or mother's maiden name, the method is effective in many situations and will likely continue to be a security problem in the future.
Pretexting can also be used to impersonate co-workers, police, bank, tax authorities, or insurance investigators — or any other individual who could have perceived authority or right-to-know in the mind of the targeted victim. The pretexter must simply prepare answers to questions that might be asked by the victim. In some cases all that is needed is a voice that sounds authoritative, an earnest tone, and an ability to think on one's feet.
Phishing
Phishing is a technique of fraudulently obtaining private information. Typically, the phisher sends an e-mail that appears to come from a legitimate business—a bank, or credit card company—requesting "verification" of information and warning of some dire consequence if it is not provided. The e-mail usually contains a link to a fraudulent web page that seems legitimate—with company logos and content—and has a form requesting everything from a home address to an ATM card's PIN.
For example, 2003 saw the proliferation of a phishing scam in which users received e-mails supposedly from eBay claiming that the user’s account was about to be suspended unless a link provided was clicked to update a credit card (information that the genuine eBay already had). Because it is relatively simple to make a Web site resemble a legitimate organization's site by mimicking the HTML code, the scam counted on people being tricked into thinking they were being contacted by eBay and subsequently, were going to eBay’s site to update their account information. By spamming large groups of people, the “phisher” counted on the e-mail being read by a percentage of people who already had listed credit card numbers with eBay legitimately, who might respond.
IVR or phone phishing
This technique uses a rogue Interactive voice response (IVR) system to recreate a legitimate sounding copy of a bank or other institution's IVR system. The victim is prompted (typically via a phishing e-mail) to call in to the "bank" via a (ideally toll free) number provided in order to "verify" information. A typical system will reject log-ins continually, ensuring the victim enters PINs or passwords multiple times, often disclosing several different passwords. More advanced systems transfer the victim to the attacker posing as a customer service agent for further questioning.
One could even record the typical commands ("Press one to change your password, press two to speak to customer service" ...) and play back the direction manually in real time, giving the appearance of being an IVR without the expense.
The technical name for phone phishing is vishing.
Baiting
Baiting is like the real-world Trojan Horse that uses physical media and relies on the curiosity or greed of the victim.[3]
In this attack, the attacker leaves a malware-infected floppy disk, CD-ROM, or USB flash drive in a location sure to be found (bathroom, elevator, sidewalk, parking lot), gives it a legitimate-looking and curiosity-piquing label, and simply waits for the victim to use the device.
For example, an attacker might create a disk featuring a corporate logo, readily available off the target's web site, and write "Executive Salary Summary Q2 2009" on the front. The attacker would then leave the disk on the floor of an elevator or somewhere in the lobby of the targeted company. An unknowing employee might find it and subsequently insert the disk into a computer to satisfy their curiosity, or a good samaritan might find it and turn it in to the company.
In either case, as a consequence of merely inserting the disk into a computer to see the contents, the user would unknowingly install malware on it, likely giving an attacker unfettered access to the victim's PC and perhaps the targeted company's internal computer network.
Unless computer controls block the infection, PCs set to "auto-run" inserted media may be compromised as soon as a rogue disk is inserted.
Quid pro quo
Quid pro quo means something for something:
An attacker calls random numbers at a company claiming to be calling back from technical support. Eventually they will hit someone with a legitimate problem, grateful that someone is calling back to help them. The attacker will "help" solve the problem and in the process have the user type commands that give the attacker access or launch malware.
In a 2003 information security survey, 90% of office workers gave researchers what they claimed was their password in answer to a survey question in exchange for a cheap pen.[4] Similar surveys in later years obtained similar results using chocolates and other cheap lures, although they made no attempt to validate the passwords.[5]
Other types
Common confidence tricksters or fraudsters also could be considered "social engineers" in the wider sense, in that they deliberately deceive and manipulate people, exploiting human weaknesses to obtain personal benefit. They may, for example, use social engineering techniques as part of an IT fraud.
The latest types of social engineering techniques include spoofing or hacking the IDs of people who have accounts with popular e-mail services such as Yahoo!, GMail, Hotmail, etc. Among the many motivations for deception are:
Phishing credit-card account numbers and their passwords.
Hacking private e-mails and chat histories, and manipulating them by using common editing techniques before using them to extort money and creating distrust among individuals.
Hacking websites of companies or organizations and destroying their reputation.

Sunday, September 5, 2010

10 Social Networking Security Trends To Watch

MySpace. Facebook. LinkedIn. Orkut. Who doesn't have a profile on at least one of these sites these days? The explosion of social networking has reinvented communication as we know it, creating new opportunities to develop friendships, romances and business contacts all over the world -- a fact which has not gone unnoticed by the malware authors and organized crime.

"Things are happening at such a rapid rate, it's hard to slow that momentum," said Dan Hubbard, senior director, security and technology research, for Websense. "And because they're investing so much money in it, it's very difficult to insert security into that paradigm."

"The attackers understand that this is going on and are gravitating toward that," he added.

In a Web 2.0 world, social networking can turn into a security nightmare when hackers exploit users and steal information for profit. As a result, businesses and individuals alike will have to strike a balance, and find new ways to achieve their objectives while staying safe on the Internet.

Here's a look at some of the things experts say we can expect to see more of in the world of Web 2.0 social networking.

Spam, Spam And More Spam

Like the Nigerian bank scam, this one is not going away any time soon.

Spammers that are getting the door slammed in their faces with e-mail spam filters now have found new ways to access users with social networking sites, especially in the workplace. Experts say that spam is more profitable than ever.

Experts say that 419 scams, named for the relevant section of the Nigerian penal code, which used to flood employee e-mail inboxes, now target their LinkedIn user profiles. And more attackers will target LinkedIn to access corporate accounts and intellectual property.

A recent phish, detected by researchers at SophosLabs, claimed to come from a 22-year-old woman living in the Ivory Coast who had inherited $6.5 million after her father passed away and requested a safe place (presumably your bank account) for the money to be deposited.

Does anybody actually believe this stuff anymore, you ask. The good news is that many users are already wise to the ways of Nigerian bank scams. The bad news is that some people actually still fall for them.

Third Party Threats

It's no secret that the more functionality applications acquire, the more susceptible they are to security threats. As social networking sites encourage users to build add-ons for their network, users will be opening themselves up to exploits from vulnerabilities in third-party applications. Consequently, users will increasingly be subjected to things like buffer overflow vulnerabilities in image uploaders, which are typically hosted by third parties.

"The more function an application has, the less secure it tends to be," said Roger Thompson, chief research officer for AVG. "There are simply more opportunities for things to go wrong."

Surprise, You've Got Spyware

Perhaps nothing is more ironic than pesky banner ads claiming that your site is hosting every kind of virus known to man and then offering to clean it up -- for a small fee of course. As more social networking users increasingly fear malware on their computers, they become bigger targets for these kinds of pop-up adware, which trick them into downloading fake anti-virus cleaners that are benign at best and destructive at worst. The irony of course is that this kind of adware is doing the very things that they're trying to prevent.

It's A Worm

It's social networking at its finest. Experts say social networking users can expect more threats to travel virally -- what infects one person will then infect everyone on his or her friends list.

One recent example was the Orkut worm, in which a prankster spread a spammy message to almost 400,000 Brazilians with profiles on the site. However, experts say that other rapid, self-replicating viruses will likely be more malicious, designed to steal or delete users' personal information like date of birth and passwords. That data can then be sold in numerous black market economies or used to acquire credit card and bank information. Often the same login credentials used on Facebook and MySpace are also used to access banking and other sensitive accounts.

'Poking' Holes in XSS Flaws

In a recent attack, millions of Facebook users were left exposed to a cross site scripting vulnerability affecting the user interface of the site's Job page. Among other things, the vulnerability gave the attackers the ability to install malicious software as well as trick users into handing over their credentials through fake logins. The social networking site plugged the hole May 23.

The takeaway is that the same threats plaguing Web 2.0 are amplified on social networking sites. Why? Because these sites rely on the prolific and rapid spread of information between users. And unlike other pages, malicious software is bound to be exposed to a high volume of people on these sites.

That said, it's safe to say that users can expect more than a poke once these vulnerabilities are detected by attackers. Reflecting the growing Web 2.0 threat, attackers will continue to find and exploit cross site scripting vulnerabilities on social networking sites. Once exploited, users will generally become the recipients of malicious downloaders, often unbeknownst to them, such as information stealing code or keystroke loggers.

Flash Attacks

It's the beauty of Web 2.0. There are more attacks on Flash now than ever before. Applications such as Adobe Air and Microsoft Silverlight, which allow the browser to be used in a more effective way, also increase the attack surface.

Naturally, the prolific use of Flash is one of the evolutions that make Facebook and MySpace so lucrative to attackers. As anyone with a profile knows, these technologies are extremely pervasive, as well as fun, when doing social networking. Unfortunately, a recent exploit in Adobe Flash has become a huge security threat. Experts say that so far hundreds of thousands of Websites have been compromised, including thousands of networking site pages, as the result of the Flash exploit loose in the wild.

Phishing For Friends

As companies restrict access to social networking sites, the individual user will become the victim of highly targeted and personalized spearphishing attacks. These attacks could come in the form of spoofed pages, or simply from an unknown user inviting someone to join their friend network.

It won't be hard. After all, a lot of your information, from where you spent your last vacation to your childhood pet, is probably already somewhere on your profile. Often, attackers will spoof or create a profile that will appear to be legitimate, then social engineer a message to entice the user to click in lots of places. Plus, experts say that users are often more willing to click on unknown links or surrender personal information because they're on a trusted medium that encourages the unrestricted sharing of information.

"There's a huge problem of users using information in an unsafe way and sharing social information without thinking who could possibly be looking," said Graham Cluley, senior security consultant for Sophos. "If you make up a mother's maiden name, it isn't a matter of public record. There's no reason to display it for all and sundry to see."

There's A MySpace Clause In The Company Handbook

With increased mobility, companies are also moving to become more flexible regarding users' rights to access their social networking pages.

This creates problems when it opens up completely new threat vectors. So don't be surprised if you see companies accordingly adopting policies that include social networking etiquette and safety. In addition, companies will also start to crack down on usage of these sites, or implement technology to limit how long you can be chatting with your former college roommate on Facebook.

"There are so many companies that have presence within those pages. Now companies are starting to create flexible policies and open those things up," said Dan Hubbard, senior director, security and technology research, for Websense. "Like anything there's user education, policies and enforcement. You have to have the technology to back these things up."

Linked Out

When one door closes another opens.

This tried and true adage has never rung more true than with social networking. Attackers frustrated by their inability to enter corporate networks because of sophisticated controls, now have a whole new point of entry with LinkedIn, which allows them to access personal professional information and spoof employee profiles.

Plus, it's no secret that attackers follow the money. This networking site aimed at professionals also opens up a whole new attack vector for organized crime intending to pilfer intellectual property and corporate information, as well as the typical credit cards and social security numbers used in identity theft.

All About The Money

Reflecting current cyber crime trends, experts say that attacks on social networking sites will increasingly become more financially driven.

Until recently, attacks like the Samy worm on Facebook simply shut down sites and impeded traffic. However, soon similar attacks will wreak havoc on users' bank accounts as attacks become more complex and organized. This also means that sites like Facebook -- which touts a more professional, white-collar user base -- as well as professional networking sites like LinkedIn, will increasingly become targets for organized crime.

"The types of attacks we've already seen, we'll see more of. They'll be better targeted toward monetization," said Brian Chess, founder and chief scientist for Fortify Software. "Along those same lines, having all of your information all there on a site that isn't controlled by users and whose security practices aren't paramount, isn't always the best deal."

While experts say that they can't predict the future, it's likely that social networking sites like MySpace and Facebook will start taking more responsibility regarding their security practices -- especially if users significantly change their behavior or avoid logging on altogether.

"Individuals have a tough time making decisions about security," said Chess, "but when they do, they can be really fickle about it."
