SlideShare ist ein Scribd-Unternehmen logo

Ceh v5 module 09 social engineering

Vi Tính Hoàng Nam
Vi Tính Hoàng Nam

Ceh v5 module 09 social engineering

Technologie
1 von 67
Downloaden Sie, um offline zu lesen
Module IX Social Engineering Ethical Hacking Version 5
EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited Module Objective This module will familiarize you with the following: Social Engineering: An Introduction Types of Social Engineering Dumpster Diving Shoulder surfing Reverse Social Engineering Behaviors vulnerable to attacks Countermeasures for Social engineering Policies and Procedures Phishing Attacks Identity Theft Online Scams Countermeasures for Identity theft
EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited Module Flow Social Engineering Countermeasures Types of Social Engineering Countermeasures Behaviors vulnerable to attacks Identity Theft Online Scams Phishing Attacks Policies and Procedures
EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited There is No Patch to Human Stupidity
EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited What is Social Engineering? Social Engineering is the human side of breaking into a corporate network Companies with authentication processes, firewalls, virtual private networks, and network monitoring software are still open to attacks An employee may unwittingly give away key information in an email or by answering questions over the phone with someone they do not know, or even by talking about a project with coworkers at a local pub after hours
EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited What is Social Engineering? (cont’d) Tactic or Trick of gaining sensitive information by exploiting basic human nature such as: • Trust • Fear • Desire to Help Social engineers attempt to gather information such as: • Sensitive information • Authorization details • Access details
EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited Human Weakness People are usually the weakest link in the security chain A successful defense depends on having good policies, and educating employees to follow them Social Engineering is the hardest form of attack to defend against because it cannot be defended with hardware or software alone
EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited “Rebecca” and “Jessica” Hackers use the term “Rebecca” and “Jessica” to denote social engineering attacks Hackers commonly use these terms to social engineer victims Rebecca and Jessica mean a person who is an easy target for social engineering, like the receptionist of a company Example: • “There was a Rebecca at the bank and I am going to call her to extract privileged information.” • “I met Ms. Jessica, she was an easy target for social engineering.” • “Do you have any Rebecca in your company?”
EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited Office Workers Despite having the best firewall, intrusion- detection and antivirus systems, technology has to offer, you are still hit with security breaches One reason for this may be lack of motivation among your workers Hackers can attempt social engineering attack on office workers to extract sensitive data such as: • Security policies • Sensitive documents • Office network infrastructure • Passwords
EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited Types of Social Engineering Social Engineering can be divided into two categories: • Human-based – Gathering sensitive information by interaction – Attacks of this category exploits trust, fear and helping nature of humans • Computer-based – Social engineering carried out with the aid of computers
EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited Human-based Social Engineering Posing as a Legitimate End User • Gives identity and asks for sensitive information • “Hi! This is John, from Department X. I have forgotten my password. Can I get it?” Posing as an Important User • Posing as a VIP of a target company, valuable customer, etc. • “Hi! This is Kevin, CFO Secretary. I’m working on an urgent project and lost system password. Can you help me out?”
EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited Human-based Social Engineering ( cont’d) Posing as Technical Support • Calls as a technical support staff, and requests id & passwords to retrieve data • ‘Sir, this is Mathew, Technical support, X company. Last night we had a system crash here, and we are checking for the lost data. Can u give me your ID and Password?’
EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited Human-based Social Engineering ( cont’d) Eavesdropping • Unauthorized listening of conversations or reading of messages • Interception of any form such as audio, video or written
EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited Human-based Social Engineering: Shoulder Surfing Looking over your shoulder as you enter a password Shoulder surfing is the name given to the procedure that identity thieves use to find out passwords, personal identification number, account numbers and more Simply, they look over your shoulder--or even watch from a distance using binoculars, in order to get those pieces of information Passwords Hacker Victim
EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited Human-based Social Engineering ( cont’d) Dumpster Diving • Search for sensitive information at target company’s – Trash-bins – Printer Trash bins – user desk for sticky notes etc • Collect – Phone Bills – Contact Information – Financial Information – Operations related information etc
EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited Dumpster Diving Example A man behind the building is loading the company’s paper recycling bins into the back of a truck. Inside the bins are lists of employee titles and phone numbers, marketing plans and the latest company financials This information is sufficient to launch a social engineering attack on the company
EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited Human-based Social Engineering ( cont’d) In person • Survey a target company to collect information on – Current technologies – Contact information, and so on Third-party Authorization • Refer to an important person in the organization and try to collect data • “Mr. George, our Finance Manager, asked that I pick up the audit reports. Will you please provide them to me?”
EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited Human-based Social Engineering ( cont’d) Tailgating • An unauthorized person, wearing a fake ID badge, enters a secured area by closely following an authorized person through a door requiring key access • An authorized person may be unaware of having provided an unauthorized person access to a secured area Piggybacking • “I forgot my ID badge at home. Please help me.” • An authorized person provides access to an unauthorized person by keeping the secured door open
EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited Reverse Social Engineering • This is when the hacker creates a persona that appears to be in a position of authority so that employees will ask him for information, rather than the other way around • Reverse Social Engineering attack involves – Sabotage – Marketing – Providing Support Human-based Social Engineering ( cont’d)
EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited Computer-based Social Engineering These can be divided into the following broad categories: • Mail / IM attachments • Pop-up Windows • Websites / Sweepstakes • Spam mail
EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited Computer-based Social Engineering ( cont’d) Pop-up Windows • Windows that suddenly pop up, while surfing the Internet and ask for users’ information,to login or sign-in Hoaxes and chain letters • Hoax letters are emails that issue warnings to user on new virus, Trojans or worms that may harm user’s system. • Chain letters are emails that offer free gifts such as money, and software on the condition that if the user forwards the mail to said number of persons
EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited Computer-based Social Engineering ( cont’d) Instant Chat Messenger • Gathering of personal information by chatting with a selected online user to attempt to get information such as birth dates, maiden names • Acquired data is later used for cracking user’s accounts Spam email • Email sent to many recipients without prior permission intended for commercial purposes • Irrelevant, unwanted and unsolicited email to collect financial information, social security numbers, and network information
EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited Computer-based Social Engineering ( cont’d) Phishing • An illegitimate email falsely claiming to be from a legitimate site attempts to acquire user’s personal or account information • Lures online users with statements such as – Verify your account – Update your information – Your account will be closed or suspended • Spam filters, anti-phishing tools integrated with web browsers can be used to protect from Phishers
EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited Insider Attack If a competitor wants to cause damage to your organization, steal critical secrets, or put you out of business, they just have to find a job opening, prep someone to pass the interview, have that person get hired, and they are in It takes only one disgruntled person to take revenge, and your company is compromised • 60% of attacks occur behind the firewall • An inside attack is easy to launch • Prevention is difficult • The inside attacker can easily succeed • Difficult to catch the perpetrator
EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited Disgruntled Employee Disgruntled Employee Company Network Company Secrets Send the Data to Competitors Using Steganography Competitor Most cases of insider abuse can be traced to individuals who are introverted, incapable of dealing with stress or conflict, and frustrated with their job, office politics, no respect, no promotions etc.
EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited Preventing Insider Threat There is no single solution to prevent an insider threat Some recommendations: • Separation of duties • Rotation of duties • Least privilege • Controlled access • Logging and auditing • Legal Policies • Archive critical data
EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited Common Targets of Social Engineering Receptionists and help desk personnel Technical support executives Vendors of target organization System administrators and Users
EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited Factors that make Companies Vulnerable to Attacks Insufficient security training and awareness Several organizational units Lack of appropriate security policies Easy access of information e.g. e-mail Ids and phone extension numbers of employees
EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited Why is Social Engineering Effective? Security policies are as strong as its weakest link, and humans are the most susceptible factor Difficult to detect social engineering attempts There is no method to ensure the complete security from social engineering attacks No specific software or hardware for defending against a social engineering attack
EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited An attacker may: • Show inability to give valid callback number • Make informal requests • Claim of authority • Show haste • Unusually compliment or praise • Show discomfort when questioned • Drop the name inadvertently • Threaten of dire consequences if information is not provided Warning Signs of an Attack
EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited Tool : Netcraft Anti-Phishing Toolbar An anti-phishing system consisting of a toolbar and a central server that has information about URLs provided by Toolbar community and Netcraft Blocks phishing websites that are recorded in Netcraft’s central server Suspicious URLs can be reported to Netcraft by clicking Report a Phishing Site in the toolbar menu Shows all the attributes of each site such as host location, country, longevity and popularity Can be downloaded from www.netcraft.com
EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited Phases in a Social Engineering Attack Four phases of a Social Engineering Attack: •Research on target company –Dumpster diving, websites, employees, tour company and so on •Select Victim –Identify frustrated employees of target company •Develop relationship –Developing relationship with selected employees •Exploit the relationship to achieve the objective –Collect sensitive account information –Financial information –Current Technologies
EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited Behaviors Vulnerable to Attacks Trust • Human nature of trust is the basis of any social engineering attack Ignorance • Ignorance about social engineering and its effects among the workforce makes the organization an easy target Fear • Social engineers might threaten severe losses in case of non- compliance with their request
EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited Behaviors Vulnerable to Attacks ( cont’d) Greed • Social engineers lure the targets to divulge information by promising something for nothing Moral duty • Targets are asked for the help, and they comply out of a sense of moral obligation
EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited Impact on the Organization Economic losses Damage of goodwill Loss of privacy Dangers of terrorism Lawsuits and arbitrations Temporary or permanent closure
EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited Training • An efficient training program should consist of all security policies and methods to increase awareness on social engineering Countermeasures
EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited Countermeasures (cont’d) Password policies • Periodic password change • Avoiding guessable passwords • Account blocking after failed attempts • Length and complexity of passwords – Minimum number of characters, use of special characters and numbers etc. e.g. ar1f23#$g • Secrecy of passwords – Do not reveal if asked, or write on anything to remember them
EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited Operational guidelines • Ensure security of sensitive information and authorized use of resources Physical security policies • Identification of employees e.g. issuing of ID cards, uniforms and so on • Escorting the visitors • Access area restrictions • Proper shredding of useless documents • Employing security personnel Countermeasures (cont’d)
EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited Countermeasures (cont’d) Classification of Information • Categorize the information as top secret, proprietary, for internal use only, for public use, and so on Access privileges • Administrator, user and guest accounts with proper authorization Background check of employees and proper termination process • Insiders with a criminal background and terminated employees are easy targets for procuring information Proper incidence response system • There should be proper guidelines for reacting in case of a social engineering attempt
EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited Policies and Procedures Policy is the most critical component to any information security program Good policies and procedures are ineffective if they are not taught, and reinforced by the employees Employees need to emphasize their importance. After receiving training, the employee should sign a statement acknowledging that they understand the policies
EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited Security Policies - Checklist Account setup Password change policy Help desk procedures Access privileges Violations Employee identification Privacy policy Paper documents Modems Physical access restrictions Virus control
EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited Summary Social Engineering is the human-side of breaking into a corporate network Social Engineering involves acquiring sensitive information or inappropriate access privileges by an outsider Human-based social engineering refers to person-to- person interaction to retrieve the desired information Computer-based social engineering refers to having computer software that attempts to retrieve the desired information A successful defense depends on having good policies and their diligent implementation
Phishing Attacks and Identity Theft
EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited What is Phishing? A form of identity theft in which a scammer uses an authentic-looking e-mail to trick recipients into giving out sensitive personal information, such as, a credit card, bank account or Social Security number Phishing attacks use both social engineering and technical subterfuge to steal consumer’s personal identity data, and financial account credentials (adapted from “fishing for information”)
EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited Attacks Phishing is the most common corporate identity theft scam today It usually involves an e-mail message asking consumers to update their personal information with a link to a spoofed website To give their schemes a legitimate look and feel, fraudsters commonly steal well-known corporate identities, product names, and logos It is easy to construct authentic websites for e- mail scams
EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited Hidden Frames Frames provide a popular method of hiding attack content They have uniform browser support and an easy coding style The attacker defines HTML code by using two frames The first frame contains the legitimate site URL information, while the second frame, occupying 0% of the browser interface, has a malicious code running
EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited Hidden Frames Example <html> <head> <title>Frame Based Exploit Example</title> </head> <body topmargin="0" leftmargin="0" rightmargin="0" bottommargin="0"> <iframe src="http://www.yahoo.com" width="100%" height="150" frameborder="0"></iframe> <iframe src="http://www.msn.com" width="100%" height="350" frameborder="0"></iframe> </body> </html>
EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited URL Obfuscation Using Strings - Uses a credible sounding text string within the URL • Example: http://XX.XX.78.45/ebay/account_update/now.asp Using @ sign - This kind of syntax is normally used for websites that require some authentication. The left side of @ sign is ignored and the domain name or IP address on the right side of the @ sign is treated as the legitimate domain (@ can be replaced with %40 unicode) • Example: http://www.citybank.com/update.asp@xx.xx.66.78/usb/process.asp Status Bar Tricks- The URL is so long that it can not be completely displayed in the status bar - Often combined with the @ so that the fraudulent URL is at the end and not displayed • Example http://www.visa.com:UserSession=2f6q9uuu88312264trzzz55884495&userso ption= SecurityUpdate&StateLevel=GetFrom@61.252.126.191/verified_by_visa.ht ml
EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited URL Obfuscation ( cont’d) Similar Name Tricks- These kinds of tricks use a credible sounding, but fraudulent, domain name Examples: • http://www.ebay-support.com/verify • http://www.citybank-secure.com/login • http://www.suntrustbank.com • http://www.amex-corp.com • http://www.fedex-security.com
EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited URL Encoding Techniques URLs are Encoded to disguise its true value using hex, dword, or octal encoding Sometimes @ is used in the disguise Sometimes @ sign is replaced with %40 Example: http://www.paypal.com@%32%32%30%2E%36%38%2E%32%31 %34%2E%32%31%33 • which translates into 220.68.214.213 http://www.paypal.com%40570754567 • which translates into 34.5.6.7
EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited IP Address to Base 10 Formula To convert 66.46.55.116 to base 10 the formula is: 66 x (256)3 + 46 x (256)2 + 55 x (256)1 + 116 = 1110325108 After conversion test it by pinging 1110325108 in command prompt Exercise: Convert your classroom gateway IP address to base 10
EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited Karen’s URL Discombobulator It can determine the IP Address(es) associated with any valid domain name It can also form URLs referencing that computer, using several URL-encoding techniques Source courtesy http://www.karenware.com/powertools/ptlookup.asp
EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited HTML Image Mapping Techniques The URL is actually a part of an image, which uses map coordinates to define the click area and the real URL, with the fake URL from the <A> tag is also displayed Example: <html> <head> <title>CEH Demo</title> </head> <body> <img src="file:///C:/SOMEIMAGE.jpg" width=“440" height=“356" border="0" usemap="#Map"> <map name="Map"> <area shape="rect" coords="146,50,300,84" href="http://certifiedhacker.com"> </map></body> </html>
EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited Fake Browser Address Bars This is a fake address bar
EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited Fake Toolbars This is a fake toolbar
EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited DNS Cache Poisoning Attack This type of attack is based on a simple convention of IP address to host resolution Here is how it works: Every system has a host file in its systems directory. In the case of Windows, this file resides at the following location: C:WINDOWSsystem32driversetc This file can be used to hard code domain name translations
EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited How do you steal Identity?
EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited How to Steal Identity? Original identity – Steven Charles Address: San Diego CA 92130
EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited STEP 1 Get hold of Steven’s telephone bill, water bill, or electricity bill using dumpster diving, stolen email, or onsite stealing
EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited STEP 2 Go to the Driving License Authority Tell them you lost your driver’s license They will ask you for proof of identity like a water bill, and electricity bill Show them the stolen bills Tell them you have moved from the original address The department employee will ask you to complete 2 forms – 1 for replacement of the driver’s license and the 2nd for a change in address You will need a photo for the driver’s license
EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited STEP 3 Your replacement driver’s license will be issued to your new home address Now you are ready to have some serious fun
EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited Comparison Original Identity Theft Same name: Steven Charles
EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited Go to a bank in which the original Steven Charles has an account (Example Citibank) Tell them you would like to apply for a new credit card Tell them you don’t remember the account number, and ask them to look it up using Steven’s name and address The bank will ask for your ID: Show them your driver’s license as ID ID is accepted. Your credit card is issued and ready for use Let’s go shopping STEP 4
EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited Fake Steven has a New Credit Card The fake Steven visits Wal-Mart and purchases a 42” plasma TV and state-of-the-art Bose speakers The fake Steven buys a Vertu Gold Phone worth USD 20K
EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited Identity Theft - Serious Problem Identity theft is a serious problem The number of violations has continued to increase Securing personal information in the workplace and at home, and looking over credit card reports are just a few of the ways to minimize the risk of identity theft
EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited “Nigerian” Scam The scam started with a bulk email or bulk faxing of a number of identical letters to businessmen, professionals, and other people who tend to have greater-than-average wealth The Nigerian scammers tried to make their potential victims think that they were going to scam the Nigerian Government, the Central Bank of Nigeria, and so on when, in fact, they were going to scam the recipients of the letters. The plan was to charge them to get in on the scam, or the portion of the scam for which they were willing to pay to make it work
EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited Countermeasures Be suspicious of any email with urgent requests for personal financial information Do not use the links in an email to get to any web page, if you suspect the message might not be authentic Call the company on the telephone, or log onto the website directly by typing in the Web address into your browser Avoid filling out forms in an email that asks for personal financial information Always ensure that you are using a secure website when submitting credit card or other sensitive information via a web browser

Empfohlen

Ceh v5 module 04 enumeration
Ceh v5 module 04 enumerationCeh v5 module 04 enumeration
Ceh v5 module 04 enumeration
Vi Tính Hoàng Nam
 
Ceh v5 module 07 sniffers
Ceh v5 module 07 sniffersCeh v5 module 07 sniffers
Ceh v5 module 07 sniffers
Vi Tính Hoàng Nam
 
Ceh v5 module 11 hacking webservers
Ceh v5 module 11 hacking webserversCeh v5 module 11 hacking webservers
Ceh v5 module 11 hacking webservers
Vi Tính Hoàng Nam
 
Ceh v5 module 10 session hijacking
Ceh v5 module 10 session hijackingCeh v5 module 10 session hijacking
Ceh v5 module 10 session hijacking
Vi Tính Hoàng Nam
 
Social Engineering
Social EngineeringSocial Engineering
Social Engineering
n|u - The Open Security Community
 
Module 8 System Hacking
Module 8 System HackingModule 8 System Hacking
Module 8 System Hacking
leminhvuong
 
Ceh v5 module 02 footprinting
Ceh v5 module 02 footprintingCeh v5 module 02 footprinting
Ceh v5 module 02 footprinting
Vi Tính Hoàng Nam
 
Ceh v5 module 08 denial of service
Ceh v5 module 08 denial of serviceCeh v5 module 08 denial of service
Ceh v5 module 08 denial of service
Vi Tính Hoàng Nam
 

Empfohlen

Ceh v5 module 04 enumeration
Ceh v5 module 04 enumerationCeh v5 module 04 enumeration
Ceh v5 module 04 enumeration
Vi Tính Hoàng Nam
 
Ceh v5 module 07 sniffers
Ceh v5 module 07 sniffersCeh v5 module 07 sniffers
Ceh v5 module 07 sniffers
Vi Tính Hoàng Nam
 
Ceh v5 module 11 hacking webservers
Ceh v5 module 11 hacking webserversCeh v5 module 11 hacking webservers
Ceh v5 module 11 hacking webservers
Vi Tính Hoàng Nam
 
Ceh v5 module 10 session hijacking
Ceh v5 module 10 session hijackingCeh v5 module 10 session hijacking
Ceh v5 module 10 session hijacking
Vi Tính Hoàng Nam
 
Social Engineering
Social EngineeringSocial Engineering
Social Engineering
n|u - The Open Security Community
 
Module 8 System Hacking
Module 8 System HackingModule 8 System Hacking
Module 8 System Hacking
leminhvuong
 
Ceh v5 module 02 footprinting
Ceh v5 module 02 footprintingCeh v5 module 02 footprinting
Ceh v5 module 02 footprinting
Vi Tính Hoàng Nam
 
Ceh v5 module 08 denial of service
Ceh v5 module 08 denial of serviceCeh v5 module 08 denial of service
Ceh v5 module 08 denial of service
Vi Tính Hoàng Nam
 
Cyber attacks
Cyber attacks Cyber attacks
Cyber attacks
Anuradha Moti T
 
Ceh v5 module 19 evading ids firewall and honeypot
Ceh v5 module 19 evading ids firewall and honeypotCeh v5 module 19 evading ids firewall and honeypot
Ceh v5 module 19 evading ids firewall and honeypot
Vi Tính Hoàng Nam
 
How to Spot and Combat a Phishing Attack - Cyber Security Webinar | ControlScan
How to Spot and Combat a Phishing Attack - Cyber Security Webinar | ControlScanHow to Spot and Combat a Phishing Attack - Cyber Security Webinar | ControlScan
How to Spot and Combat a Phishing Attack - Cyber Security Webinar | ControlScan
ControlScan, Inc.
 
Ch 10: Hacking Web Servers
Ch 10: Hacking Web ServersCh 10: Hacking Web Servers
Ch 10: Hacking Web Servers
Sam Bowne
 
Ceh v5 module 03 scanning
Ceh v5 module 03 scanningCeh v5 module 03 scanning
Ceh v5 module 03 scanning
Vi Tính Hoàng Nam
 
Social Engineering new.pptx
Social Engineering new.pptxSocial Engineering new.pptx
Social Engineering new.pptx
Santhosh Prabhu
 
Social engineering attacks
Social engineering attacksSocial engineering attacks
Social engineering attacks
Ramiro Cid
 
Different Types of Phishing Attacks
Different Types of Phishing AttacksDifferent Types of Phishing Attacks
Different Types of Phishing Attacks
SysCloud
 
Phishing
PhishingPhishing
Phishing
Sagar Rai
 
Ceh v5 module 01 introduction to ethical hacking
Ceh v5 module 01 introduction to ethical hackingCeh v5 module 01 introduction to ethical hacking
Ceh v5 module 01 introduction to ethical hacking
Vi Tính Hoàng Nam
 
Ch 5: Port Scanning
Ch 5: Port ScanningCh 5: Port Scanning
Ch 5: Port Scanning
Sam Bowne
 
Presentation of Social Engineering - The Art of Human Hacking
Presentation of Social Engineering - The Art of Human HackingPresentation of Social Engineering - The Art of Human Hacking
Presentation of Social Engineering - The Art of Human Hacking
msaksida
 
Social Engineering,social engeineering techniques,social engineering protecti...
Social Engineering,social engeineering techniques,social engineering protecti...Social Engineering,social engeineering techniques,social engineering protecti...
Social Engineering,social engeineering techniques,social engineering protecti...
ABHAY PATHAK
 
Social Engineering Attacks & Principles
Social Engineering Attacks & PrinciplesSocial Engineering Attacks & Principles
Social Engineering Attacks & Principles
LearningwithRayYT
 
System hacking
System hackingSystem hacking
System hacking
CAS
 
Security Awareness Training by Fortinet
Security Awareness Training by FortinetSecurity Awareness Training by Fortinet
Security Awareness Training by Fortinet
Atlantic Training, LLC.
 
Hacking,History Of Hacking,Types of Hacking,Types Of Hackers,Cyber Laws for ...
Hacking,History Of Hacking,Types of Hacking,Types Of Hackers,Cyber Laws for ...Hacking,History Of Hacking,Types of Hacking,Types Of Hackers,Cyber Laws for ...
Hacking,History Of Hacking,Types of Hacking,Types Of Hackers,Cyber Laws for ...
Qazi Anwar
 
DDOS Attack
DDOS Attack DDOS Attack
DDOS Attack
Ahmed Salama
 
Hacking
HackingHacking
Hacking
Sharique Masood
 
phishing-awareness-powerpoint.pptx
phishing-awareness-powerpoint.pptxphishing-awareness-powerpoint.pptx
phishing-awareness-powerpoint.pptx
vdgtkhdh
 
Module 3 social engineering-b
Module 3 social engineering-bModule 3 social engineering-b
Module 3 social engineering-b
BbAOC
 
Ceh v5 module 05 system hacking
Ceh v5 module 05 system hackingCeh v5 module 05 system hacking
Ceh v5 module 05 system hacking
Vi Tính Hoàng Nam
 

Weitere ähnliche Inhalte

Was ist angesagt?

phishing-awareness-powerpoint.pptx
phishing-awareness-powerpoint.pptxphishing-awareness-powerpoint.pptx
phishing-awareness-powerpoint.pptx
vdgtkhdh
 

Was ist angesagt? (20)

Cyber attacks
Cyber attacks Cyber attacks
Cyber attacks
 
Ceh v5 module 19 evading ids firewall and honeypot
Ceh v5 module 19 evading ids firewall and honeypotCeh v5 module 19 evading ids firewall and honeypot
Ceh v5 module 19 evading ids firewall and honeypot
 
How to Spot and Combat a Phishing Attack - Cyber Security Webinar | ControlScan
How to Spot and Combat a Phishing Attack - Cyber Security Webinar | ControlScanHow to Spot and Combat a Phishing Attack - Cyber Security Webinar | ControlScan
How to Spot and Combat a Phishing Attack - Cyber Security Webinar | ControlScan
 
Ch 10: Hacking Web Servers
Ch 10: Hacking Web ServersCh 10: Hacking Web Servers
Ch 10: Hacking Web Servers
 
Ceh v5 module 03 scanning
Ceh v5 module 03 scanningCeh v5 module 03 scanning
Ceh v5 module 03 scanning
 
Social Engineering new.pptx
Social Engineering new.pptxSocial Engineering new.pptx
Social Engineering new.pptx
 
Social engineering attacks
Social engineering attacksSocial engineering attacks
Social engineering attacks
 
Different Types of Phishing Attacks
Different Types of Phishing AttacksDifferent Types of Phishing Attacks
Different Types of Phishing Attacks
 
Phishing
PhishingPhishing
Phishing
 
Ceh v5 module 01 introduction to ethical hacking
Ceh v5 module 01 introduction to ethical hackingCeh v5 module 01 introduction to ethical hacking
Ceh v5 module 01 introduction to ethical hacking
 
Ch 5: Port Scanning
Ch 5: Port ScanningCh 5: Port Scanning
Ch 5: Port Scanning
 
Presentation of Social Engineering - The Art of Human Hacking
Presentation of Social Engineering - The Art of Human HackingPresentation of Social Engineering - The Art of Human Hacking
Presentation of Social Engineering - The Art of Human Hacking
 
Social Engineering,social engeineering techniques,social engineering protecti...
Social Engineering,social engeineering techniques,social engineering protecti...Social Engineering,social engeineering techniques,social engineering protecti...
Social Engineering,social engeineering techniques,social engineering protecti...
 
Social Engineering Attacks & Principles
Social Engineering Attacks & PrinciplesSocial Engineering Attacks & Principles
Social Engineering Attacks & Principles
 
System hacking
System hackingSystem hacking
System hacking
 
Security Awareness Training by Fortinet
Security Awareness Training by FortinetSecurity Awareness Training by Fortinet
Security Awareness Training by Fortinet
 
Hacking,History Of Hacking,Types of Hacking,Types Of Hackers,Cyber Laws for ...
Hacking,History Of Hacking,Types of Hacking,Types Of Hackers,Cyber Laws for ...Hacking,History Of Hacking,Types of Hacking,Types Of Hackers,Cyber Laws for ...
Hacking,History Of Hacking,Types of Hacking,Types Of Hackers,Cyber Laws for ...
 
DDOS Attack
DDOS Attack DDOS Attack
DDOS Attack
 
Hacking
HackingHacking
Hacking
 
phishing-awareness-powerpoint.pptx
phishing-awareness-powerpoint.pptxphishing-awareness-powerpoint.pptx
phishing-awareness-powerpoint.pptx
 

Andere mochten auch

Module 3 social engineering-b
Module 3 social engineering-bModule 3 social engineering-b
Module 3 social engineering-b
BbAOC
 

Andere mochten auch (20)

Module 3 social engineering-b
Module 3 social engineering-bModule 3 social engineering-b
Module 3 social engineering-b
 
Ceh v5 module 05 system hacking
Ceh v5 module 05 system hackingCeh v5 module 05 system hacking
Ceh v5 module 05 system hacking
 
Social Engineering: &quot;The Cyber-Con&quot;
Social Engineering: &quot;The Cyber-Con&quot;Social Engineering: &quot;The Cyber-Con&quot;
Social Engineering: &quot;The Cyber-Con&quot;
 
Ceh v5 module 06 trojans and backdoors
Ceh v5 module 06 trojans and backdoorsCeh v5 module 06 trojans and backdoors
Ceh v5 module 06 trojans and backdoors
 
Ceh v5 module 20 buffer overflow
Ceh v5 module 20 buffer overflowCeh v5 module 20 buffer overflow
Ceh v5 module 20 buffer overflow
 
Ceh v5 module 16 virus and worms
Ceh v5 module 16 virus and wormsCeh v5 module 16 virus and worms
Ceh v5 module 16 virus and worms
 
Salvador Tió
Salvador TióSalvador Tió
Salvador Tió
 
project cvs (1)
project cvs (1)project cvs (1)
project cvs (1)
 
Social Engineering 2.0
Social Engineering 2.0Social Engineering 2.0
Social Engineering 2.0
 
Social Engineering | #ARMSec2015
Social Engineering | #ARMSec2015Social Engineering | #ARMSec2015
Social Engineering | #ARMSec2015
 
Ceh v5 module 14 sql injection
Ceh v5 module 14 sql injectionCeh v5 module 14 sql injection
Ceh v5 module 14 sql injection
 
Ce hv6 module 49 creating security policies
Ce hv6 module 49 creating security policiesCe hv6 module 49 creating security policies
Ce hv6 module 49 creating security policies
 
File000140
File000140File000140
File000140
 
Hacking the Helpdesk: Social Engineering Risks
Hacking the Helpdesk: Social Engineering RisksHacking the Helpdesk: Social Engineering Risks
Hacking the Helpdesk: Social Engineering Risks
 
Cehv8 - Module 09: Social Engineering.
Cehv8 - Module 09: Social Engineering.Cehv8 - Module 09: Social Engineering.
Cehv8 - Module 09: Social Engineering.
 
Social engineering for security attacks
Social engineering for security attacksSocial engineering for security attacks
Social engineering for security attacks
 
Cehv8 - Module 06: Trojans and Backdoors
Cehv8 - Module 06: Trojans and BackdoorsCehv8 - Module 06: Trojans and Backdoors
Cehv8 - Module 06: Trojans and Backdoors
 
Cehv8 - Module 17: Evading, IDS, firewalls, and honeypots
Cehv8 - Module 17: Evading, IDS, firewalls, and honeypotsCehv8 - Module 17: Evading, IDS, firewalls, and honeypots
Cehv8 - Module 17: Evading, IDS, firewalls, and honeypots
 
OSINT 2.0 - Past, present and future
OSINT 2.0 - Past, present and futureOSINT 2.0 - Past, present and future
OSINT 2.0 - Past, present and future
 
Social engineering tales
Social engineering tales Social engineering tales
Social engineering tales
 

Ähnlich wie Ceh v5 module 09 social engineering

Engineering report ca2_Kritakbiswas.pptx
Engineering report ca2_Kritakbiswas.pptxEngineering report ca2_Kritakbiswas.pptx
Engineering report ca2_Kritakbiswas.pptx
prosunghosh7
 
Workshop on Cyber security and investigation
Workshop on Cyber security and investigationWorkshop on Cyber security and investigation
Workshop on Cyber security and investigation
Mehedi Hasan
 
Computer Hacking - An Introduction
Computer Hacking - An IntroductionComputer Hacking - An Introduction
Computer Hacking - An Introduction
Jayaseelan Vejayon
 

Ähnlich wie Ceh v5 module 09 social engineering (20)

Ethical Hacking & Network Security
Ethical Hacking & Network Security Ethical Hacking & Network Security
Ethical Hacking & Network Security
 
Hacking Presentation v2 By Raffi
Hacking Presentation v2 By Raffi Hacking Presentation v2 By Raffi
Hacking Presentation v2 By Raffi
 
Module 9 (social engineering)
Module 9 (social engineering)Module 9 (social engineering)
Module 9 (social engineering)
 
Engineering report ca2_Kritakbiswas.pptx
Engineering report ca2_Kritakbiswas.pptxEngineering report ca2_Kritakbiswas.pptx
Engineering report ca2_Kritakbiswas.pptx
 
Social engineering
Social engineeringSocial engineering
Social engineering
 
Social engineering
Social engineeringSocial engineering
Social engineering
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 
Cyber Crime And Cyber Safety Project.pptx
Cyber Crime And Cyber Safety Project.pptxCyber Crime And Cyber Safety Project.pptx
Cyber Crime And Cyber Safety Project.pptx
 
CYBER.pptx
CYBER.pptxCYBER.pptx
CYBER.pptx
 
Cyber_Crime_Security.pptx
Cyber_Crime_Security.pptxCyber_Crime_Security.pptx
Cyber_Crime_Security.pptx
 
Social Engineering.pdf
Social Engineering.pdfSocial Engineering.pdf
Social Engineering.pdf
 
Workshop on Cyber security and investigation
Workshop on Cyber security and investigationWorkshop on Cyber security and investigation
Workshop on Cyber security and investigation
 
Reconnaissance and Social Engineering
Reconnaissance and Social EngineeringReconnaissance and Social Engineering
Reconnaissance and Social Engineering
 
Computer Hacking - An Introduction
Computer Hacking - An IntroductionComputer Hacking - An Introduction
Computer Hacking - An Introduction
 
Cyber crime and cyber security
Cyber crime and cyber securityCyber crime and cyber security
Cyber crime and cyber security
 
Cyber security
Cyber securityCyber security
Cyber security
 
Hacking ppt
Hacking pptHacking ppt
Hacking ppt
 
Hacking ppt
Hacking pptHacking ppt
Hacking ppt
 
Hackingppt 160730081605
Hackingppt 160730081605Hackingppt 160730081605
Hackingppt 160730081605
 
- Social Engineering Unit- II Part- I.pdf
- Social Engineering Unit- II Part- I.pdf- Social Engineering Unit- II Part- I.pdf
- Social Engineering Unit- II Part- I.pdf
 

Mehr von Vi Tính Hoàng Nam

Mehr von Vi Tính Hoàng Nam (20)

CATALOGUE QUESTEK (Tiếng Việt)
CATALOGUE QUESTEK (Tiếng Việt)CATALOGUE QUESTEK (Tiếng Việt)
CATALOGUE QUESTEK (Tiếng Việt)
 
CATALOG KBVISION (Tiếng Việt)
CATALOG KBVISION (Tiếng Việt)CATALOG KBVISION (Tiếng Việt)
CATALOG KBVISION (Tiếng Việt)
 
Catalogue 2015
Catalogue 2015Catalogue 2015
Catalogue 2015
 
Tl wr740 n-v4_user_guide_1910010682_vn
Tl wr740 n-v4_user_guide_1910010682_vnTl wr740 n-v4_user_guide_1910010682_vn
Tl wr740 n-v4_user_guide_1910010682_vn
 
CATALOGUE CAMERA GIÁM SÁT
CATALOGUE CAMERA GIÁM SÁTCATALOGUE CAMERA GIÁM SÁT
CATALOGUE CAMERA GIÁM SÁT
 
HƯỚNG DẪN SỬ DỤNG ĐẦU GHI QTD-6108
HƯỚNG DẪN SỬ DỤNG ĐẦU GHI QTD-6108HƯỚNG DẪN SỬ DỤNG ĐẦU GHI QTD-6108
HƯỚNG DẪN SỬ DỤNG ĐẦU GHI QTD-6108
 
Các loại cáp mạng
Các loại cáp mạngCác loại cáp mạng
Các loại cáp mạng
 
Catalogue 10-2014-new
Catalogue 10-2014-newCatalogue 10-2014-new
Catalogue 10-2014-new
 
Qtx 6404
Qtx 6404Qtx 6404
Qtx 6404
 
Camera QTX-1210
Camera QTX-1210Camera QTX-1210
Camera QTX-1210
 
Brochua đầu ghi hình QTD-6100 Series
Brochua đầu ghi hình QTD-6100 SeriesBrochua đầu ghi hình QTD-6100 Series
Brochua đầu ghi hình QTD-6100 Series
 
NSRT: Dụng cụ tháo đầu báo
NSRT: Dụng cụ tháo đầu báoNSRT: Dụng cụ tháo đầu báo
NSRT: Dụng cụ tháo đầu báo
 
SLV-24N: Đầu báo khói quang
SLV-24N: Đầu báo khói quangSLV-24N: Đầu báo khói quang
SLV-24N: Đầu báo khói quang
 
SLV-24N: Đầu báo khói quang
SLV-24N: Đầu báo khói quangSLV-24N: Đầu báo khói quang
SLV-24N: Đầu báo khói quang
 
PEX-xx: Bộ hiển thị phụ 5-210 zone cho tủ RPP, RPS, RPQ
PEX-xx: Bộ hiển thị phụ 5-210 zone cho tủ RPP, RPS, RPQPEX-xx: Bộ hiển thị phụ 5-210 zone cho tủ RPP, RPS, RPQ
PEX-xx: Bộ hiển thị phụ 5-210 zone cho tủ RPP, RPS, RPQ
 
HRA-1000: Hiển thị phụ cho TT HCP-1008E
HRA-1000: Hiển thị phụ cho TT HCP-1008EHRA-1000: Hiển thị phụ cho TT HCP-1008E
HRA-1000: Hiển thị phụ cho TT HCP-1008E
 
RPP-ABW: TT báo cháy 10-20 kênh
RPP-ABW: TT báo cháy 10-20 kênhRPP-ABW: TT báo cháy 10-20 kênh
RPP-ABW: TT báo cháy 10-20 kênh
 
RPP-ECW: TT báo cháy 3-5 kênh
RPP-ECW: TT báo cháy 3-5 kênhRPP-ECW: TT báo cháy 3-5 kênh
RPP-ECW: TT báo cháy 3-5 kênh
 
HCP-1008E: TT báo cháy 8-24 kênh
HCP-1008E: TT báo cháy 8-24 kênhHCP-1008E: TT báo cháy 8-24 kênh
HCP-1008E: TT báo cháy 8-24 kênh
 
HCV-2/4/8: TT báo cháy 2,4,8 kênh
HCV-2/4/8: TT báo cháy 2,4,8 kênhHCV-2/4/8: TT báo cháy 2,4,8 kênh
HCV-2/4/8: TT báo cháy 2,4,8 kênh
 

Kürzlich hochgeladen

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
Enterprise Knowledge
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Igalia
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
Earley Information Science
 

Kürzlich hochgeladen (20)

How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 

Ceh v5 module 09 social engineering

  • 2. EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited Module Objective This module will familiarize you with the following: Social Engineering: An Introduction Types of Social Engineering Dumpster Diving Shoulder surfing Reverse Social Engineering Behaviors vulnerable to attacks Countermeasures for Social engineering Policies and Procedures Phishing Attacks Identity Theft Online Scams Countermeasures for Identity theft
  • 3. EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited Module Flow Social Engineering Countermeasures Types of Social Engineering Countermeasures Behaviors vulnerable to attacks Identity Theft Online Scams Phishing Attacks Policies and Procedures
  • 4. EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited There is No Patch to Human Stupidity
  • 5. EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited What is Social Engineering? Social Engineering is the human side of breaking into a corporate network Companies with authentication processes, firewalls, virtual private networks, and network monitoring software are still open to attacks An employee may unwittingly give away key information in an email or by answering questions over the phone with someone they do not know, or even by talking about a project with coworkers at a local pub after hours
  • 6. EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited What is Social Engineering? (cont’d) Tactic or Trick of gaining sensitive information by exploiting basic human nature such as: • Trust • Fear • Desire to Help Social engineers attempt to gather information such as: • Sensitive information • Authorization details • Access details
  • 7. EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited Human Weakness People are usually the weakest link in the security chain A successful defense depends on having good policies, and educating employees to follow them Social Engineering is the hardest form of attack to defend against because it cannot be defended with hardware or software alone
  • 8. EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited “Rebecca” and “Jessica” Hackers use the term “Rebecca” and “Jessica” to denote social engineering attacks Hackers commonly use these terms to social engineer victims Rebecca and Jessica mean a person who is an easy target for social engineering, like the receptionist of a company Example: • “There was a Rebecca at the bank and I am going to call her to extract privileged information.” • “I met Ms. Jessica, she was an easy target for social engineering.” • “Do you have any Rebecca in your company?”
  • 9. EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited Office Workers Despite having the best firewall, intrusion- detection and antivirus systems, technology has to offer, you are still hit with security breaches One reason for this may be lack of motivation among your workers Hackers can attempt social engineering attack on office workers to extract sensitive data such as: • Security policies • Sensitive documents • Office network infrastructure • Passwords
  • 10. EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited Types of Social Engineering Social Engineering can be divided into two categories: • Human-based – Gathering sensitive information by interaction – Attacks of this category exploits trust, fear and helping nature of humans • Computer-based – Social engineering carried out with the aid of computers
  • 11. EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited Human-based Social Engineering Posing as a Legitimate End User • Gives identity and asks for sensitive information • “Hi! This is John, from Department X. I have forgotten my password. Can I get it?” Posing as an Important User • Posing as a VIP of a target company, valuable customer, etc. • “Hi! This is Kevin, CFO Secretary. I’m working on an urgent project and lost system password. Can you help me out?”
  • 12. EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited Human-based Social Engineering ( cont’d) Posing as Technical Support • Calls as a technical support staff, and requests id & passwords to retrieve data • ‘Sir, this is Mathew, Technical support, X company. Last night we had a system crash here, and we are checking for the lost data. Can u give me your ID and Password?’
  • 13. EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited Human-based Social Engineering ( cont’d) Eavesdropping • Unauthorized listening of conversations or reading of messages • Interception of any form such as audio, video or written
  • 14. EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited Human-based Social Engineering: Shoulder Surfing Looking over your shoulder as you enter a password Shoulder surfing is the name given to the procedure that identity thieves use to find out passwords, personal identification number, account numbers and more Simply, they look over your shoulder--or even watch from a distance using binoculars, in order to get those pieces of information Passwords Hacker Victim
  • 15. EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited Human-based Social Engineering ( cont’d) Dumpster Diving • Search for sensitive information at target company’s – Trash-bins – Printer Trash bins – user desk for sticky notes etc • Collect – Phone Bills – Contact Information – Financial Information – Operations related information etc
  • 16. EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited Dumpster Diving Example A man behind the building is loading the company’s paper recycling bins into the back of a truck. Inside the bins are lists of employee titles and phone numbers, marketing plans and the latest company financials This information is sufficient to launch a social engineering attack on the company
  • 17. EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited Human-based Social Engineering ( cont’d) In person • Survey a target company to collect information on – Current technologies – Contact information, and so on Third-party Authorization • Refer to an important person in the organization and try to collect data • “Mr. George, our Finance Manager, asked that I pick up the audit reports. Will you please provide them to me?”
  • 18. EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited Human-based Social Engineering ( cont’d) Tailgating • An unauthorized person, wearing a fake ID badge, enters a secured area by closely following an authorized person through a door requiring key access • An authorized person may be unaware of having provided an unauthorized person access to a secured area Piggybacking • “I forgot my ID badge at home. Please help me.” • An authorized person provides access to an unauthorized person by keeping the secured door open
  • 19. EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited Reverse Social Engineering • This is when the hacker creates a persona that appears to be in a position of authority so that employees will ask him for information, rather than the other way around • Reverse Social Engineering attack involves – Sabotage – Marketing – Providing Support Human-based Social Engineering ( cont’d)
  • 20. EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited Computer-based Social Engineering These can be divided into the following broad categories: • Mail / IM attachments • Pop-up Windows • Websites / Sweepstakes • Spam mail
  • 21. EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited Computer-based Social Engineering ( cont’d) Pop-up Windows • Windows that suddenly pop up, while surfing the Internet and ask for users’ information,to login or sign-in Hoaxes and chain letters • Hoax letters are emails that issue warnings to user on new virus, Trojans or worms that may harm user’s system. • Chain letters are emails that offer free gifts such as money, and software on the condition that if the user forwards the mail to said number of persons
  • 22. EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited Computer-based Social Engineering ( cont’d) Instant Chat Messenger • Gathering of personal information by chatting with a selected online user to attempt to get information such as birth dates, maiden names • Acquired data is later used for cracking user’s accounts Spam email • Email sent to many recipients without prior permission intended for commercial purposes • Irrelevant, unwanted and unsolicited email to collect financial information, social security numbers, and network information
  • 23. EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited Computer-based Social Engineering ( cont’d) Phishing • An illegitimate email falsely claiming to be from a legitimate site attempts to acquire user’s personal or account information • Lures online users with statements such as – Verify your account – Update your information – Your account will be closed or suspended • Spam filters, anti-phishing tools integrated with web browsers can be used to protect from Phishers
  • 24. EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited Insider Attack If a competitor wants to cause damage to your organization, steal critical secrets, or put you out of business, they just have to find a job opening, prep someone to pass the interview, have that person get hired, and they are in It takes only one disgruntled person to take revenge, and your company is compromised • 60% of attacks occur behind the firewall • An inside attack is easy to launch • Prevention is difficult • The inside attacker can easily succeed • Difficult to catch the perpetrator
  • 25. EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited Disgruntled Employee Disgruntled Employee Company Network Company Secrets Send the Data to Competitors Using Steganography Competitor Most cases of insider abuse can be traced to individuals who are introverted, incapable of dealing with stress or conflict, and frustrated with their job, office politics, no respect, no promotions etc.
  • 26. EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited Preventing Insider Threat There is no single solution to prevent an insider threat Some recommendations: • Separation of duties • Rotation of duties • Least privilege • Controlled access • Logging and auditing • Legal Policies • Archive critical data
  • 27. EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited Common Targets of Social Engineering Receptionists and help desk personnel Technical support executives Vendors of target organization System administrators and Users
  • 28. EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited Factors that make Companies Vulnerable to Attacks Insufficient security training and awareness Several organizational units Lack of appropriate security policies Easy access of information e.g. e-mail Ids and phone extension numbers of employees
  • 29. EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited Why is Social Engineering Effective? Security policies are as strong as its weakest link, and humans are the most susceptible factor Difficult to detect social engineering attempts There is no method to ensure the complete security from social engineering attacks No specific software or hardware for defending against a social engineering attack
  • 30. EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited An attacker may: • Show inability to give valid callback number • Make informal requests • Claim of authority • Show haste • Unusually compliment or praise • Show discomfort when questioned • Drop the name inadvertently • Threaten of dire consequences if information is not provided Warning Signs of an Attack
  • 31. EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited Tool : Netcraft Anti-Phishing Toolbar An anti-phishing system consisting of a toolbar and a central server that has information about URLs provided by Toolbar community and Netcraft Blocks phishing websites that are recorded in Netcraft’s central server Suspicious URLs can be reported to Netcraft by clicking Report a Phishing Site in the toolbar menu Shows all the attributes of each site such as host location, country, longevity and popularity Can be downloaded from www.netcraft.com
  • 32. EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited Phases in a Social Engineering Attack Four phases of a Social Engineering Attack: •Research on target company –Dumpster diving, websites, employees, tour company and so on •Select Victim –Identify frustrated employees of target company •Develop relationship –Developing relationship with selected employees •Exploit the relationship to achieve the objective –Collect sensitive account information –Financial information –Current Technologies
  • 33. EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited Behaviors Vulnerable to Attacks Trust • Human nature of trust is the basis of any social engineering attack Ignorance • Ignorance about social engineering and its effects among the workforce makes the organization an easy target Fear • Social engineers might threaten severe losses in case of non- compliance with their request
  • 34. EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited Behaviors Vulnerable to Attacks ( cont’d) Greed • Social engineers lure the targets to divulge information by promising something for nothing Moral duty • Targets are asked for the help, and they comply out of a sense of moral obligation
  • 35. EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited Impact on the Organization Economic losses Damage of goodwill Loss of privacy Dangers of terrorism Lawsuits and arbitrations Temporary or permanent closure
  • 36. EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited Training • An efficient training program should consist of all security policies and methods to increase awareness on social engineering Countermeasures
  • 37. EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited Countermeasures (cont’d) Password policies • Periodic password change • Avoiding guessable passwords • Account blocking after failed attempts • Length and complexity of passwords – Minimum number of characters, use of special characters and numbers etc. e.g. ar1f23#$g • Secrecy of passwords – Do not reveal if asked, or write on anything to remember them
  • 38. EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited Operational guidelines • Ensure security of sensitive information and authorized use of resources Physical security policies • Identification of employees e.g. issuing of ID cards, uniforms and so on • Escorting the visitors • Access area restrictions • Proper shredding of useless documents • Employing security personnel Countermeasures (cont’d)
  • 39. EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited Countermeasures (cont’d) Classification of Information • Categorize the information as top secret, proprietary, for internal use only, for public use, and so on Access privileges • Administrator, user and guest accounts with proper authorization Background check of employees and proper termination process • Insiders with a criminal background and terminated employees are easy targets for procuring information Proper incidence response system • There should be proper guidelines for reacting in case of a social engineering attempt
  • 40. EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited Policies and Procedures Policy is the most critical component to any information security program Good policies and procedures are ineffective if they are not taught, and reinforced by the employees Employees need to emphasize their importance. After receiving training, the employee should sign a statement acknowledging that they understand the policies
  • 41. EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited Security Policies - Checklist Account setup Password change policy Help desk procedures Access privileges Violations Employee identification Privacy policy Paper documents Modems Physical access restrictions Virus control
  • 42. EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited Summary Social Engineering is the human-side of breaking into a corporate network Social Engineering involves acquiring sensitive information or inappropriate access privileges by an outsider Human-based social engineering refers to person-to- person interaction to retrieve the desired information Computer-based social engineering refers to having computer software that attempts to retrieve the desired information A successful defense depends on having good policies and their diligent implementation
  • 44. EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited What is Phishing? A form of identity theft in which a scammer uses an authentic-looking e-mail to trick recipients into giving out sensitive personal information, such as, a credit card, bank account or Social Security number Phishing attacks use both social engineering and technical subterfuge to steal consumer’s personal identity data, and financial account credentials (adapted from “fishing for information”)
  • 45. EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited Attacks Phishing is the most common corporate identity theft scam today It usually involves an e-mail message asking consumers to update their personal information with a link to a spoofed website To give their schemes a legitimate look and feel, fraudsters commonly steal well-known corporate identities, product names, and logos It is easy to construct authentic websites for e- mail scams
  • 46. EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited Hidden Frames Frames provide a popular method of hiding attack content They have uniform browser support and an easy coding style The attacker defines HTML code by using two frames The first frame contains the legitimate site URL information, while the second frame, occupying 0% of the browser interface, has a malicious code running
  • 47. EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited Hidden Frames Example <html> <head> <title>Frame Based Exploit Example</title> </head> <body topmargin="0" leftmargin="0" rightmargin="0" bottommargin="0"> <iframe src="http://www.yahoo.com" width="100%" height="150" frameborder="0"></iframe> <iframe src="http://www.msn.com" width="100%" height="350" frameborder="0"></iframe> </body> </html>
  • 48. EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited URL Obfuscation Using Strings - Uses a credible sounding text string within the URL • Example: http://XX.XX.78.45/ebay/account_update/now.asp Using @ sign - This kind of syntax is normally used for websites that require some authentication. The left side of @ sign is ignored and the domain name or IP address on the right side of the @ sign is treated as the legitimate domain (@ can be replaced with %40 unicode) • Example: http://www.citybank.com/update.asp@xx.xx.66.78/usb/process.asp Status Bar Tricks- The URL is so long that it can not be completely displayed in the status bar - Often combined with the @ so that the fraudulent URL is at the end and not displayed • Example http://www.visa.com:UserSession=2f6q9uuu88312264trzzz55884495&userso ption= SecurityUpdate&StateLevel=GetFrom@61.252.126.191/verified_by_visa.ht ml
  • 49. EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited URL Obfuscation ( cont’d) Similar Name Tricks- These kinds of tricks use a credible sounding, but fraudulent, domain name Examples: • http://www.ebay-support.com/verify • http://www.citybank-secure.com/login • http://www.suntrustbank.com • http://www.amex-corp.com • http://www.fedex-security.com
  • 50. EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited URL Encoding Techniques URLs are Encoded to disguise its true value using hex, dword, or octal encoding Sometimes @ is used in the disguise Sometimes @ sign is replaced with %40 Example: http://www.paypal.com@%32%32%30%2E%36%38%2E%32%31 %34%2E%32%31%33 • which translates into 220.68.214.213 http://www.paypal.com%40570754567 • which translates into 34.5.6.7
  • 51. EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited IP Address to Base 10 Formula To convert 66.46.55.116 to base 10 the formula is: 66 x (256)3 + 46 x (256)2 + 55 x (256)1 + 116 = 1110325108 After conversion test it by pinging 1110325108 in command prompt Exercise: Convert your classroom gateway IP address to base 10
  • 52. EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited Karen’s URL Discombobulator It can determine the IP Address(es) associated with any valid domain name It can also form URLs referencing that computer, using several URL-encoding techniques Source courtesy http://www.karenware.com/powertools/ptlookup.asp
  • 53. EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited HTML Image Mapping Techniques The URL is actually a part of an image, which uses map coordinates to define the click area and the real URL, with the fake URL from the <A> tag is also displayed Example: <html> <head> <title>CEH Demo</title> </head> <body> <img src="file:///C:/SOMEIMAGE.jpg" width=“440" height=“356" border="0" usemap="#Map"> <map name="Map"> <area shape="rect" coords="146,50,300,84" href="http://certifiedhacker.com"> </map></body> </html>
  • 54. EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited Fake Browser Address Bars This is a fake address bar
  • 55. EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited Fake Toolbars This is a fake toolbar
  • 56. EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited DNS Cache Poisoning Attack This type of attack is based on a simple convention of IP address to host resolution Here is how it works: Every system has a host file in its systems directory. In the case of Windows, this file resides at the following location: C:WINDOWSsystem32driversetc This file can be used to hard code domain name translations
  • 57. EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited How do you steal Identity?
  • 58. EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited How to Steal Identity? Original identity – Steven Charles Address: San Diego CA 92130
  • 59. EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited STEP 1 Get hold of Steven’s telephone bill, water bill, or electricity bill using dumpster diving, stolen email, or onsite stealing
  • 60. EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited STEP 2 Go to the Driving License Authority Tell them you lost your driver’s license They will ask you for proof of identity like a water bill, and electricity bill Show them the stolen bills Tell them you have moved from the original address The department employee will ask you to complete 2 forms – 1 for replacement of the driver’s license and the 2nd for a change in address You will need a photo for the driver’s license
  • 61. EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited STEP 3 Your replacement driver’s license will be issued to your new home address Now you are ready to have some serious fun
  • 62. EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited Comparison Original Identity Theft Same name: Steven Charles
  • 63. EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited Go to a bank in which the original Steven Charles has an account (Example Citibank) Tell them you would like to apply for a new credit card Tell them you don’t remember the account number, and ask them to look it up using Steven’s name and address The bank will ask for your ID: Show them your driver’s license as ID ID is accepted. Your credit card is issued and ready for use Let’s go shopping STEP 4
  • 64. EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited Fake Steven has a New Credit Card The fake Steven visits Wal-Mart and purchases a 42” plasma TV and state-of-the-art Bose speakers The fake Steven buys a Vertu Gold Phone worth USD 20K
  • 65. EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited Identity Theft - Serious Problem Identity theft is a serious problem The number of violations has continued to increase Securing personal information in the workplace and at home, and looking over credit card reports are just a few of the ways to minimize the risk of identity theft
  • 66. EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited “Nigerian” Scam The scam started with a bulk email or bulk faxing of a number of identical letters to businessmen, professionals, and other people who tend to have greater-than-average wealth The Nigerian scammers tried to make their potential victims think that they were going to scam the Nigerian Government, the Central Bank of Nigeria, and so on when, in fact, they were going to scam the recipients of the letters. The plan was to charge them to get in on the scam, or the portion of the scam for which they were willing to pay to make it work
  • 67. EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited Countermeasures Be suspicious of any email with urgent requests for personal financial information Do not use the links in an email to get to any web page, if you suspect the message might not be authentic Call the company on the telephone, or log onto the website directly by typing in the Web address into your browser Avoid filling out forms in an email that asks for personal financial information Always ensure that you are using a secure website when submitting credit card or other sensitive information via a web browser