Google Maps Search

Google Maps Search

Phreaking

Phreaking is a slang term coined to describe the activity of a subculture of people who study, experiment with, or explore telecommunication systems, like equipment and systems connected to public telephone networks. The term "phreak" is derived from the words "phone" and "freak". It may also refer to the use of various audio frequencies to manipulate a phone system. "Phreak", "phreaker", or "phone phreak" are names used for and by individuals who participate in phreaking. Additionally, it is often associated with computer hacking. This is sometimes called the H/P culture (with H standing for Hacking and P standing for Phreaking). information on this site is for educational purposes only! Wyretap Network ©2007 - 2010

Disclaimer: The information on this site is for educational and entertainment purposes only. It is not intended to encourage or teach you to break the law, that's what TV is for, albeit in a very flawed manner. The owner(s) of this website will not be held liable for anything you choose to do with the information contained on this site. If you want to learn how to rape, murder, loot, and commit acts of terror on a monumental scale, well, you won't find it here. Instead, tune-in to your nightly news and take a lesson from your 'elected' 'leaders'.

Social engineering techniques and terms

All social engineering techniques are based on specific attributes of human decision-making known as cognitive biases.[1] These biases, sometimes called "bugs in the human hardware," are exploited in various combinations to create attack techniques, some of which are listed here:
Pretexting
Pretexting is the act of creating and using an invented scenario (the pretext) to persuade a targeted victim to release information or perform an action and is typically done over the telephone. It is more than a simple lie as it most often involves some prior research or set up and the use of pieces of known information (e.g. for impersonation: date of birth, Social Security Number, last bill amount) to establish legitimacy in the mind of the target. [2]
This technique is often used to trick a business into disclosing customer information, and is used by private investigators to obtain telephone records, utility records, banking records and other information directly from junior company service representatives. The information can then be used to establish even greater legitimacy under tougher questioning with a manager (e.g., to make account changes, get specific balances, etc).
As most U.S. companies still authenticate a client by asking only for a Social Security Number, date of birth, or mother's maiden name, the method is effective in many situations and will likely continue to be a security problem in the future.
Pretexting can also be used to impersonate co-workers, police, bank, tax authorities, or insurance investigators — or any other individual who could have perceived authority or right-to-know in the mind of the targeted victim. The pretexter must simply prepare answers to questions that might be asked by the victim. In some cases all that is needed is a voice that sounds authoritative, an earnest tone, and an ability to think on one's feet.
Phishing
Main article: Phishing
Phishing is a technique of fraudulently obtaining private information. Typically, the phisher sends an e-mail that appears to come from a legitimate business—a bank, or credit card company—requesting "verification" of information and warning of some dire consequence if it is not provided. The e-mail usually contains a link to a fraudulent web page that seems legitimate—with company logos and content—and has a form requesting everything from a home address to an ATM card's PIN.
For example, 2003 saw the proliferation of a phishing scam in which users received e-mails supposedly from eBay claiming that the user’s account was about to be suspended unless a link provided was clicked to update a credit card (information that the genuine eBay already had). Because it is relatively simple to make a Web site resemble a legitimate organization's site by mimicking the HTML code, the scam counted on people being tricked into thinking they were being contacted by eBay and subsequently, were going to eBay’s site to update their account information. By spamming large groups of people, the “phisher” counted on the e-mail being read by a percentage of people who already had listed credit card numbers with eBay legitimately, who might respond.
IVR or phone phishing
This technique uses a rogue Interactive voice response (IVR) system to recreate a legitimate sounding copy of a bank or other institution's IVR system. The victim is prompted (typically via a phishing e-mail) to call in to the "bank" via a (ideally toll free) number provided in order to "verify" information. A typical system will reject log-ins continually, ensuring the victim enters PINs or passwords multiple times, often disclosing several different passwords. More advanced systems transfer the victim to the attacker posing as a customer service agent for further questioning.
One could even record the typical commands ("Press one to change your password, press two to speak to customer service" ...) and play back the direction manually in real time, giving the appearance of being an IVR without the expense.
The technical name for phone phishing, is vishing.
Baiting
Baiting is like the real-world Trojan Horse that uses physical media and relies on the curiosity or greed of the victim.[3]
In this attack, the attacker leaves a malware infected floppy disk, CD ROM, or USB flash drive in a location sure to be found (bathroom, elevator, sidewalk, parking lot), gives it a legitimate looking and curiosity-piquing label, and simply waits for the victim to use the device.
For example, an attacker might create a disk featuring a corporate logo, readily available off the target's web site, and write "Executive Salary Summary Q2 2009" on the front. The attacker would then leave the disk on the floor of an elevator or somewhere in the lobby of the targeted company. An unknowing employee might find it and subsequently insert the disk into a computer to satisfy their curiosity, or a good samaritan might find it and turn it in to the company.
In either case as a consequence of merely inserting the disk into a computer to see the contents, the user would unknowingly install malware on it, likely giving an attacker unfettered access to the victim's PC and perhaps, the targeted company's internal computer network.
Unless computer controls block the infection, PCs set to "auto-run" inserted media may be compromised as soon as a rogue disk is inserted.
Quid pro quo
Quid pro quo means something for something:
An attacker calls random numbers at a company claiming to be calling back from technical support. Eventually they will hit someone with a legitimate problem, grateful that someone is calling back to help them. The attacker will "help" solve the problem and in the process have the user type commands that give the attacker access or launch malware.
In a 2003 information security survey, 90% of office workers gave researchers what they claimed was their password in answer to a survey question in exchange for a cheap pen.[4] Similar surveys in later years obtained similar results using chocolates and other cheap lures, although they made no attempt to validate the passwords.[5]
Other types
Common confidence tricksters or fraudsters also could be considered "social engineers" in the wider sense, in that they deliberately deceive and manipulate people, exploiting human weaknesses to obtain personal benefit. They may, for example, use social engineering techniques as part of an IT fraud.
The latest type of social engineering techniques include spoofing or hacking IDs of people having popular e-mail IDs such as Yahoo!, GMail, Hotmail, etc. Among the many motivations for deception are:
Phishing credit-card account numbers and their passwords.
Hacking private e-mails and chat histories, and manipulating them by using common editing techniques before using them to extort money and creating distrust among individuals.
Hacking websites of companies or organizations and destroying their reputation.

The Real ID Coming Soon!!!

The Real ID Coming Soon!!!

Thursday, September 2, 2010

How To Protect Against Eves Droppers



Introduction

Current email communication is clear text. Clear/plain text leaves emails open too many types of vulnerabilities. As messaging moves forward, new technologies will surface that solve these problems. This article will focus on solutions that could be implements to thwart the threat.

It is no longer acceptable to communicate the way we do when truncating confidential information. Email is the accepted way to send documents and information, it is most widely used due to it attributes of convenience and cost effectiveness. With these great attributes comes extreme vulnerability through various paths. We are carelessly forgetting to consider many important elements susceptible through unwanted intrusions of our mail, such as the state of authenticity and confidentiality, which is made vulnerable through actions such as eavesdropping, identity theft, message modification and false messaging, as well as invasion of privacy through backups not being protected.
Emails are extremely vulnerable to interception. The process by which emails are sent and received makes them exceedingly open to confidentiality flaws and thus authenticity flaws as well. Emails can be intercepted at many points on route to the recipient. The email is stored on a minimum of two servers on its way to the recipient. It is on the sender mail server as well as the recipient mail server. When travelling through the MX hosts the email is stored on each host as well. Due to the mails being stored on so many servers on route, increases the risk of intrusion. The way you choose to address your mail also has and affect, you may attract potential unauthorized personnel or hackers.

There is no protection from an unprincipled member of IT staff, monitoring mail servers, from intercepting your confidential emails, or from a hackers obtaining access to the mail server at points where physical access security and network security are weak, through malware (spyware, adware, Trojans, viruses). If that was not enough room for intrusion of confidential information, another route open to mail interception is through network traffic interception, where emails are monitored at a higher level, by governments’ agencies for example, based on suspicious keywords, these mails could be stored for long periods for later review, leaving room for breach of confidentially and authenticity later on. Emails can be read and modified in transit failing to maintain the confidentiality and authenticity element.
It is noted that information sent via email is at great risk of getting into the wrong hands and in order to maintain the transfer of confidential and authentic information to and fro, it is of utmost importance to secure our mail in the best ways possible.

Confidentiality

Sending an email from one user to another right now, is like sending a letter in a transparent envelope. The stamp is just the time and date, the address is the DNS name and zip code is the IP address of the server. The envelope a transparent encapsulation called SMTP and the message a simply formatted readable document that is easy to intercept monitor and read. There are too many gaps in the system enabling confidentiality breaches.

Authenticity

There are very few technical controls in typically implemented email that reflect the authenticity of messages, basically proving that the message has not been tampered with and that it indeed came from the user it says it came from. This is one of the reasons that many organisations do not use email to send formal documents that need registration. Due to so many confidentiality flaws in the email system, authenticity of emails is directly affected. Without proper email security and authentication the messages can be intercepted and modified, or falsely sent, legitimate emails could even be denied.

Secure and Protect Your Email

There are ways to help protect your computer from being intercepted via your mail, and thus information from getting into the wrong hands, as your operating system is your platform for your email. However, the only assurance of protection of your confidential information sent via email would be through encrypting ones emails. As mentioned previously you would not send confidential information within a letter not sealed in an envelope, so one should not be careless in sending emails that are not secured through encryption.

Encryption of Emails and How it Works

Through encrypting your email you are obtaining the best available email protection providing confidentiality. Encryption will deter all but the most devoted hackers from intercepting your mail, thus your best option to maintain the confidentiality of your mail. To ensure the authenticity of your mail you can use a personal email certificate to digitally sign your mail.

So, what exactly is encryption? Encryption is a means by which data, your email, is converted into a form of data (cipher text) that is not recognizable as clear/plain text. The security of encryption lies in the capacity of an algorithm to create cipher text that is not converted back to the original plain text with ease.

Typical email encryption is also referred to as PKI (Public key infrastructure). This type of encryption utilizes two keys, one being a private key (to encrypt the email) and the other a public key( to decrypt the email). You are the only one in possession of the private key; you thus encrypt your email with your private key. In order to read the mail one needs to decrypt it with the public key. Therefore you would give the public key to the person you are directing the mail to, and thus only that person will be able to read the email. The recipient could then reply to your email, encrypting it using the public key and you can then open and read it using your private key.

It is sensible to make it a norm to encrypt all of your mail rather than the odd confidential one, so that to the potential hacker they are seen as all being encrypted and no emphasis is placed on a few encrypted emails amongst the lot of unencrypted ones. One should not be advertising and drawing attention towards the encrypted emails and thus confidential information, through only encrypting certain emails and not the others.

Authentication

By utilizing encryption throughout your emails you in turn are authenticating and validating them as well. The most common form of authentication is your personal username and password. This could easily be captured by an unscrupulous individual which in turn could use them to send modified or false messaging looking as if it is coming from you. By encrypting, you are protecting this important information, your credentials, thereby assuring that the messages from that username and password are legitimate.

Encryption also provides validation through fingerprint and digital signature. By validating the emails you are assuring that the identity of the sender is legitimate and that the message or attachment incorporated within the email has remained unchanged by another source. A digital fingerprint inimitably identifies a message by using an algorithm. Any attempt to modify the message will in turn modify the fingerprint which will thus be different to the unique fingerprint proving that the message has been tampered with. Therefore fingerprints enable you to see if the message has been modified in any way. To assure that the message has come from the correct source you would use a digital signature. The digital signature is accomplished through the use of a private key. The sender would electronically sign the message and the fingerprint with their private key. The recipient would verify the message using the corresponding public key. This ensures that the message has not been altered in any way, and that it is the legitimate message from the expected sender.

Conclusion

Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)