1
00:00:01,580 --> 00:00:04,190
Social engineering terminologies and techniques.

2
00:00:06,630 --> 00:00:13,020
Hackers, ethical hackers or pen testers use social engineering tactics because it's usually easier

3
00:00:13,020 --> 00:00:16,780
to exploit people than it is to discover ways to hack the software.

4
00:00:17,190 --> 00:00:21,810
For example, it's much easier to fool someone into giving you their password than it is for you to

5
00:00:21,810 --> 00:00:23,400
try hacking their passwords.

6
00:00:24,150 --> 00:00:30,630
Social engineering is psychological manipulation of people into performing actions or divulging confidential

7
00:00:30,630 --> 00:00:31,290
information.

8
00:00:32,010 --> 00:00:38,280
The types of information that you seek can vary, but you usually try to trick the targeted victim into

9
00:00:38,280 --> 00:00:44,670
giving you their passwords or bank information or access to their computer to secretly install malicious

10
00:00:44,670 --> 00:00:50,430
software that will give you access to their passwords and sensitive information, as well as giving

11
00:00:50,430 --> 00:00:52,140
you control over their computers.

12
00:00:53,110 --> 00:00:59,160
You usually use the human relations and the intentions of the people in social engineering attacks.

13
00:00:59,910 --> 00:01:05,910
If you have enough information about the company to send a phishing email to the victims as the employer

14
00:01:06,000 --> 00:01:12,360
instead of someone they don't know, you won't believe the results in a social engineering attack.

15
00:01:12,510 --> 00:01:17,160
You get the best results if you use the fear and curiosity of the victims.

16
00:01:19,300 --> 00:01:25,540
Scare them: there is abnormal traffic from your computer to the others, it's probably a worm trying

17
00:01:25,540 --> 00:01:26,140
to spread.

18
00:01:26,620 --> 00:01:31,450
Have you ever visited a website that you shouldn't or downloaded something that you shouldn't trust?

19
00:01:33,130 --> 00:01:34,450
Or make them curious.

20
00:01:35,170 --> 00:01:42,310
Prepare a CD, drop it next to the victim "accidentally", and curiosity killed the cat.

21
00:01:43,540 --> 00:01:48,580
Let's explain why the human being is always under attack with the writings of Rick Ferguson, who's

22
00:01:48,580 --> 00:01:52,240
the director of security research and communications at Microsoft.

23
00:01:52,780 --> 00:01:56,110
People are always the weakest link in information security.

24
00:01:56,410 --> 00:02:02,800
You can deploy all the technology you want, but people simply cannot be programmed and can't be anticipated.

25
00:02:03,160 --> 00:02:09,010
As long as an attacker makes their delivery vehicle credible enough, a target is likely to click the

26
00:02:09,010 --> 00:02:10,900
link or open the file.

27
00:02:12,380 --> 00:02:19,130
The bugs in the human hardware are exploited in various combinations to create attack techniques, some

28
00:02:19,130 --> 00:02:20,840
of which are listed on this slide.

29
00:02:21,440 --> 00:02:24,350
Let's talk about the most famous techniques briefly.

30
00:02:26,010 --> 00:02:32,940
Shoulder surfing is simply the technique used to obtain confidential data such as PIN numbers and passwords

31
00:02:33,300 --> 00:02:39,510
by observing the information without getting the victim's attention, for example, by looking over

32
00:02:39,510 --> 00:02:40,890
the victim's shoulder.

33
00:02:41,430 --> 00:02:47,850
This attack can be performed either at close range by directly looking over the victim's shoulder or

34
00:02:47,850 --> 00:02:52,410
from a longer range by, for example, using a pair of binoculars or similar hardware.

35
00:02:53,250 --> 00:02:59,850
Shoulder surfing is likely to be performed best in crowded places because it's easy to observe the information

36
00:03:00,150 --> 00:03:02,000
without getting the victim's attention.

37
00:03:03,500 --> 00:03:10,400
Dumpster diving, also known as trashing, is another popular method of social engineering. It's briefly

38
00:03:10,400 --> 00:03:13,910
looking for valuable things in someone else's waste bin.

39
00:03:14,450 --> 00:03:21,890
A huge amount of information can be collected through company dumpsters: company phone books, organizational

40
00:03:21,890 --> 00:03:29,870
charts, company policy manuals, calendars of meetings, events and vacations, system manuals, printouts

41
00:03:29,870 --> 00:03:35,600
of sensitive data or login names and passwords, printouts of source code, etc.

42
00:03:36,170 --> 00:03:42,080
All of this information can be used to assist a social engineering attack to gain access to the target

43
00:03:42,080 --> 00:03:43,100
company's network.

44
00:03:45,280 --> 00:03:51,760
The dictionary meaning of tailgating is to drive too closely behind another vehicle, but as a social

45
00:03:51,760 --> 00:04:00,280
engineering attack technique, tailgating is seeking entry to a restricted area secured by unattended

46
00:04:00,280 --> 00:04:04,960
electronic access control, for example, by an RFID card.

47
00:04:06,010 --> 00:04:11,950
In this technique, you simply walk in behind the person who has legitimate access, following common

48
00:04:11,950 --> 00:04:12,610
courtesy.

49
00:04:12,880 --> 00:04:19,270
The legitimate person will usually hold the door open for you, or you yourself may ask the employee

50
00:04:19,270 --> 00:04:20,650
to hold it open for you.

51
00:04:21,250 --> 00:04:27,640
The legitimate person may fail to ask for identification for any of several reasons, or may accept

52
00:04:27,640 --> 00:04:32,020
an assertion that the attacker has forgotten or lost the appropriate identity

53
00:04:32,020 --> 00:04:37,870
token. You may also fake the action of presenting an identity token or the action of looking through

54
00:04:37,870 --> 00:04:40,750
your pockets to find your identity token.

55
00:04:42,340 --> 00:04:44,920
During this course, we will see phishing in detail.

56
00:04:45,580 --> 00:04:52,510
For now, let's just talk about the concept. In a phishing attack, typically the attacker sends an e-mail

57
00:04:52,510 --> 00:04:59,110
that appears to come from a legitimate business, a bank, a credit card company, requesting verification

58
00:04:59,110 --> 00:05:04,120
of information and warning of some terrible consequences if it's not provided.

59
00:05:04,720 --> 00:05:11,500
The e-mail usually contains a link to a fraudulent Web page that seems legitimate with company logos

60
00:05:11,500 --> 00:05:18,400
and content and has a form requesting everything from a home address to an ATM card's PIN or a credit

61
00:05:18,400 --> 00:05:19,090
card number.