Copyright Goodheart-Willcox Co., Inc. 52 Principles of Cybersecurity

work. However, if the hacker has credible information to support the request, he or she will appear as if entitled to the information. In his book The Art of Deception, Kevin Mitnick describes how easy it is to get individuals to tell you things. He uses inquiries such as: “I am writing a book and want to make sure I am using the correct terminology. Can you tell me if BankCU is the correct name of the ATM software company?” Most people want to be helpful and will provide information. He then takes that information, and calls another department and asks questions such as: “This is Chris from BankCU. I am doing a quality assurance check. Can I confirm you are using our correct new support number of 1-800-555-1111?” This user will likely say, “No, we are using a different number,” since the hacker is providing an invalid number. Over time, the hacker will have enough credible information to call a company and pretend to be an employee from the bank. Then, he or she can obtain the specific information being targeted.

Another convincing scheme is simple friendliness. A hacker can strike up a conversation with a target. The scheme could work like this: after chatting with a person, the hacker might say, “Didn’t you go to elementary school with my mom? Your name seems so familiar!” The victim might say, “Where did your mom go to school? My mom went to Kennedy Primary in Houston.” This may seem like innocent information, but many websites often ask security questions that in theory only the authorized person should know. The schools a user attended or the streets he or she lived on as a child are often on those preconfigured lists. Figure 2-11 shows an example of a website with a security question for log in.

Social Media

Social media sites, such as Facebook, Twitter, Instagram, and LinkedIn, are a treasure trove of information for hackers.
Many users do not realize some of their information is not fully private. Other users simply are not too concerned. Users also make the mistake of accepting friend requests or followers from people they do not know. Once a user has access to your social media site, the information you post or your profile data can be read by anyone. A common mistake on Facebook is not realizing that if you share a post that was originally public, or comment on a public post, that activity could be accessible to users who are not your friends.

Social media platforms are like breadcrumbs that hackers can follow. For example, suppose a hacker wants to find out information about a user named JaMarques Owens. He or she may first try to friend JaMarques. If he does not respond, the hacker would then start looking at JaMarques’s friends and see if he has identified any family members. The hacker would start looking through those profiles and search as well. Over time, it is quite likely the hacker can find out a great deal about JaMarques, including his family, friends, location, schools attended, and personal likes and dislikes. All of this is possible even if JaMarques never accepts the friend request! The hacker can then search through other social media platforms and compile a great deal of information about JaMarques.

Figure 2-11. This website offers the user several security questions from which to choose. When the user created the account, he or she selected one of these questions and provided the correct answer. (Figure callout: Available security questions. Credit: Goodheart-Willcox Publisher)