"As security systems get increasingly difficult to crack, hackers are turning toward a new source of information: people."
Social engineering has almost always been the most productive way to gain access. Jessica McDiarmid does her credibility a disservice by indicating that social engineering is a new development.
For a while, you could only get info out of humans "retail", that is, one or a few pieces of data at a time. You could easily extract data from a computer "wholesale", thousands or millions of records per breach.
Exactly. However, sp332 may have meant that worms and such are much more effective at getting access to more systems and information quickly, but not in a targeted way.
Isn't social engineering just conning? Why do we need a new name?
I remember a bit from The Art of The Steal, which was written by Frank Abagnale, who is the real-life inspiration for Catch Me if You Can. He talked about how to make free long distance calls in those days. Call a company via a payphone. Ask to be transferred to the switchboard. Make up some BS about being a part of the company and urgently needing to make an outside call. They dial the number and connect you, the end.
Sounds like "social engineering" to me as well. Or just good old fashioned conning, possibly re-discovered by hackers and given a new title. They're just using the same methods we've been using to get private information since the dawn of private information. Namely sweet-talking third parties that hold the information and don't really know any better.
I read "Ghost in the Wires" (a book about Kevin Mitnick's life) a month or two ago, and it's astonishing how well he knew the system. He was doing stuff like the above, but also getting around the callback as well (I don't recall exactly what he did, but it was something along the lines of conning the line workers to divert an exec's phone number for testing purposes just long enough to get the callback). That was just one of many times he pulled these sorts of stunts for curiosity's sake.
You can throw money at a problem like security, but it's the underpaid employee earning $7.99 an hour that you should be throwing money at if you want a secure company. The weak link in any security is always people.
>Set up an internal company security word of the day and don’t give any information to anyone who doesn’t know it.
I don't think it's a good idea. Imagine a social engineering attack from inside the company, or if somehow the hacker has access to the word of the day. When he says the word, the guy on the other end of the phone will be way more relaxed and ready to give much more information...
Is there any more detailed information about the challenge anywhere? I guess the conference recordings are not going to include the social engineering live session?