Looking into the new world of professional social engineering..

The art of human hacking is quite an interesting topic for the younger generation to learn about, and social and digital engineering is very important, so let's get started.

Nowadays social engineering can be found in security, government, education, military, psychology, and every other application that you can imagine.

We see it being used by everyone and their brother now because it is not only the easiest attack vector—as it was seven years ago—but because it’s now also meriting the largest payloads for attackers.

The cost to set up an SE attack is low. The risk is even lower. And the potential payout is huge.

In 2017, more than 80% of all breaches had a social engineering element to them.

The IBM “2017 Cost of Data Breach Study” states that the average cost of a breach was 3.62 million US$. When the potential for a payout is that large, it’s certainly not hard to see why an attacker would want to use social engineering.

Here is an old example of social engineering to explain it.

It is in the book of Genesis, and it reportedly happened around 1800 BCE. Jacob wanted the blessing that was to be given to his older brother Esau. Knowing his father, Isaac, had failing eyesight and relied on other senses to know who he was speaking to, Jacob dressed in Esau’s clothing and prepared food like Esau would have prepared. Here’s the best part: Esau was known to be extraordinarily hairy, but Jacob wasn’t, so he fastened the skins of two young goats to his arms and the back of his neck. When Isaac reached out to touch Jacob, Isaac relied on his senses of smell, touch, and taste to tell him that he was with Esau rather than Jacob. According to the account in Genesis, Jacob’s social engineering attack worked!

I hope you will understand more about it in my next blog. Thank you.

Physical security while using internet..

Digital information is at the heart of every Internet transaction. The confidentiality, integrity, and availability of that information depends on the security of the following physical constituents of any computing environment:

  • hardware, in the broadest sense—machines, storage media, and transmission media;
  • the physical expression of the zeroes and ones that represent digital information (data and programs);
  • electricity, without which no digital information could change, move, or incite action;
  • humans and the information they possess to run the system.

Internet security can be divided into two distinct areas: cybersecurity and physical security. The former term pertains to threats and defenses mounted via the same channels as legitimate exchanges of digital information. Encryption of information falls into this category. The role of physical security is to guard the four physical ingredients just outlined in two ways. First, it must protect the integrity and availability of resources for legitimate use. Second, it must prevent the misuse of resources, for example, by breaches of confidentiality or theft of services.

Physical security and cybersecurity complement one another. Where an organization’s control over the physical ingredients ends, encryption and the like must take over. When cyberdefenses are strengthened, physical vulnerabilities become more inviting targets. Physical security serves cybersecurity. A breach of physical security, such as a password in the trash, can give a cyberattacker a foothold.

The advent of biometrics and smart cards can be viewed either as an expansion of physical security into cybersecurity territory or as a blurring of the line between the two forms of security.
Physical security issues extend as far as an organization’s resources. Because human knowledge is one of those assets, physical security concerns can span as far as information can spread. For instance, sensitive information could be revealed by an indiscreet question posted on a newsgroup. Thus, physical security is not constrained by a geographical footprint.
Physical security is intractable in the sense that certain events cannot be prevented. We cannot stop someone from demanding an off-duty employee’s password at gunpoint, for instance. Redundancy is the last line of defense for the integrity and availability of resources. Confidentiality, on the other hand, cannot be “backed up”; some damage, such as the revelation of personal information, can never be repaired.

What is the meaning of social engineering?

With all the advances in technology, the oldest way to attack a password-based security system is still the easiest: coercion, bribery, or trickery against the users of the system.

Social engineering

Social engineering is an attack against people, rather than machines. It is an outsider’s use of psychological tricks on legitimate users of a computer system, usually to gain the information (e.g., user IDs and passwords) needed to access a system. The notorious “hacker” Kevin Mitnick, who was convicted on charges of computer and wire fraud and spent 59 months in federal prison, told a Congressional panel that he rarely used technology to gain information and used social engineering almost exclusively (Federation of American Scientists, n.d.).
According to a study by British psychologists, people often base their passwords on something obvious and easily guessed by a social engineer. Around 50% of computer users base them on the name of a family member, a partner, or a pet. Another 30% use a pop idol or sporting hero. Another 10% of users pick passwords that reflect some kind of fantasy, often containing some sexual reference. The study showed that only 10% use cryptic combinations that follow all the rules of “tough” passwords (Brown, 2002).
The best countermeasures to social engineering attacks are education and awareness. Users should be instructed never to tell anyone their passwords. Doing so destroys accountability, and a system administrator should never need to know it either.

Also, users should never write down their passwords. A clever social engineer will find it if it is “hidden” under a mouse pad or inside a desk drawer.

“Hashing” meaning and history

A hash function is an algorithm that takes a variable-length string as the input and produces a fixed-length value (hash) as the output. The challenge for a hashing algorithm is to make this process irreversible; that is, finding a string that produces a given hash value should be very difficult. It should also be difficult to find two arbitrary strings that produce the same hash value. A hash value is also called a message digest or fingerprint. Several one-way hash functions are in common use today.

Among these are Secure Hashing Algorithm-1 (SHA-1) and Message Digest-5 (MD-5). The latter was invented by Ron Rivest for RSA Security, Inc. and produces a 128-bit hash value. for an example of output generated by MD5.
SHA-1 was developed by the U.S. National Institute of Standards and Technology (NIST) and the National Security Agency (NSA) and produces 160-bit hash values.
SHA-1 is generally considered more secure than MD5 due to its longer hash value.
Microsoft Windows NT uses one-way hash functions to store password information in the Security Account Manager (SAM). There are no Windows32 Applications Programming Interface (API) function calls to retrieve user passwords because the system does not store them. It stores only hash values. However, even a hash-encrypted password in a database is not entirely secure. A cracking tool can compile a list of, say, the one million most commonly used passwords and compute hash functions from all of them.

Then the tool can obtain the system account database and compare the hashed passwords in the database with its own list to see what matches. This is called a “dictionary attack.”
To make dictionary attacks more difficult, often a salt is used. A salt is a random string that is concatenated with a password before it is operated on by the hashing function.
The salt value is then stored in the user database, together with the result of the hash function. Using a salt makes dictionary attacks more difficult, as a cracker would have to compute the hashes for all possible salt values.
A simple example of a salt would be to add the time of day; for example, if a user logs in at noon using the password “pass,” the string that would be encrypted might be “1p2a0s0s.” By adding this randomness to the password, the hash will actually be different every time the user logs in (unless it is at noon every day). Whether a salt is used and what the salt actually is depends upon the operating system and the encryption algorithm being used. On a FreeBSD system, for example, there is a function called crypt that uses the DES, MD5, or Blowfish algorithms to hash passwords and can also use three forms of salts.
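The following is an added example, not code from the original post, showing why a stored per-user salt blunts the precomputed dictionary comparison described above. The user names and password list are constructed, the salt is a random 16-byte value rather than the time of day, and PBKDF2-HMAC-SHA256 is a swapped-in slow hash, not the MD5, SHA-1 or crypt functions the text names.

```python
import hashlib
import hmac
import os

# Constructed sample data: a tiny "common passwords" list and two users
# who happen to have chosen the same password.
COMMON_PASSWORDS = ["123456", "password", "letmein", "pass"]
USERS = {"alice": "letmein", "bob": "letmein"}


def unsalted_hash(password):
    """Plain one-way hash with no salt (the weak scheme)."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_record(password, salt=None):
    """Return (salt, digest); a fresh random salt is drawn at enrolment."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def verify(password, record):
    """Re-hash the candidate with the stored salt; constant-time compare."""
    salt, expected = record
    _, candidate = salted_record(password, salt)
    return hmac.compare_digest(candidate, expected)


def table_hits(stored_hashes):
    """Audit helper: one precomputed table is matched against every entry."""
    table = {unsalted_hash(p): p for p in COMMON_PASSWORDS}
    return {u: table[h] for u, h in stored_hashes.items() if h in table}


unsalted_db = {u: unsalted_hash(p) for u, p in USERS.items()}
salted_db = {u: salted_record(p) for u, p in USERS.items()}

if __name__ == "__main__":
    # Same password gives the same unsalted hash, so one table hits both users.
    print("unsalted hashes equal:", unsalted_db["alice"] == unsalted_db["bob"])
    print("precomputed table hits:", table_hits(unsalted_db))
    # With per-user salts the stored digests differ and no shared table applies.
    print("salted digests equal:", salted_db["alice"][1] == salted_db["bob"][1])
    print("salted login verifies:", verify("letmein", salted_db["alice"]))
```

The salt is stored beside the digest and reused at every login, so verification still works while each user's entry has to be attacked separately.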
According to Cambridge University professor of computing Roger Needham, the Cambridge Multiple Access System (CMAS), which was an integrated online–offline terminal or regular input-driven system, may have been among the earliest to implement such one-way functions. It first went online in 1967 and incorporated password protection. According to Needham: “In 1966, we conceived the use of one-way functions to protect the password file, and this was an implemented feature from day one” (R. Needham, personal communication, April 11, 2002).
One-way hashing is still being used today, although it does not address another weakness—in a networked environment, it is difficult to transmit the password securely to the server for verification without its being captured and reused, perhaps in a replay attack. To avoid revealing passwords directly over an untrusted network, computer scientists have developed challenge–response systems. At their simplest, the server sends the user some sort of challenge, which would typically be a random string of characters called a nonce. The user then computes a response, usually some function based on both the challenge and the password. This way, even if the intruder captured a valid challenge–response pair, it would not help him or her gain access to the system, because future challenges would be different and require different responses.
These challenge-and-response systems are referred to as one-time password (OTP) systems. Bellcore’s S/KEY is one such system in which a one-time password is calculated by combining a seed with a secret password known only to the user and then applying a secure hashing algorithm a number of times equal to the sequence number.
Each time the user is authenticated, the sequence number expected by the system is decremented, thus eliminating the possibility of an attacker trying a replay attack using the same password again. One-time passwords were more prevalent before secure shell (SSH) and secure sockets layer (SSL) systems came into widespread use.
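The sequence-number scheme described above can be followed step by step in this added example, which is not code from the original post or from Bellcore. It is a simplified hash chain in the style of S/KEY: SHA-256 stands in for the hash function, the class and function names are hypothetical, and the seed and passphrase are constructed.

```python
import hashlib
import hmac


def otp(seed, secret, sequence):
    """Combine seed and secret, then hash the result `sequence` times."""
    value = (seed + secret).encode()
    for _ in range(sequence):
        value = hashlib.sha256(value).digest()
    return value


class Server:
    """Stores only the last accepted one-time password, never the secret."""

    def __init__(self, seed, initial_otp, sequence):
        self.seed = seed
        self.last = initial_otp       # hash applied `sequence` times, set at enrolment
        self.sequence = sequence - 1  # the count the user must present next

    def challenge(self):
        return self.seed, self.sequence

    def login(self, response):
        # At count 0 the "OTP" would be the raw seed+secret, so stop at 1.
        if self.sequence < 1:
            return False  # chain used up: the user has to enrol again
        # Hashing a valid response once more must give the stored value.
        ok = hmac.compare_digest(hashlib.sha256(response).digest(), self.last)
        if ok:
            self.last = response
            self.sequence -= 1        # expected sequence number is decremented
        return ok


def demo():
    secret = "constructed example passphrase"  # known only to the user
    server = Server("ke1234", otp("ke1234", secret, 100), 100)
    seed, seq = server.challenge()
    first = otp(seed, secret, seq)             # user hashes 99 times
    accepted = server.login(first)
    replayed = server.login(first)             # captured response sent again
    seed, seq = server.challenge()
    second = server.login(otp(seed, secret, seq))  # user hashes 98 times
    return accepted, replayed, second, seq


if __name__ == "__main__":
    print(demo())
```

A captured response is useless afterwards because the server now expects a value one step earlier in the chain, which cannot be derived from the captured one without inverting the hash.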

Protection of the passwords

Early on, the most basic and least secure method of authentication was to store passwords in plaintext (i.e., unencrypted) in a database on the server.

During authentication, the client would send his or her password to the server, and the server would compare this against the stored value.

Obviously, however, if the password file were accessible to unauthorized users, the security of the system could be easily compromised.
In later systems, developers discovered that a server did not have to store a user’s password in plaintext form in order to perform password authentication.

Instead, the user’s password could be transformed through a one-way function, such as a hashing function, into a random-looking sequence of bytes.

Such a function would be difficult to invert. In other words, given a password, it would be easy to compute its hash, but given a hash, it would be computationally infeasible to compute the password from it (see “Hashing”). Authentication would consist merely of performing the hash function over the client’s password and comparing it to the stored value.

The password database itself could be made accessible to all users without fear of an intruder being able to steal passwords from it.

Going behind the passwords..

Cryptography is a powerful mechanism for securing data and keeping them confidential.

The idea is that the original message is scrambled via an algorithm (or cipher), and only those with the correct key can unlock the scrambled message and get back the plaintext contents.

In general, the strength of a cryptographic algorithm is based on the length and quality of its keys.

Passwords are a similar problem. Based on their length and quality, they should be more difficult to attack either by dictionary, by hybrid, or by brute-force attacks. However, the quality of a password, just as the quality of a cryptographic key, is based on entropy. Entropy is a measure of disorder.

How to make the best password

The ancient folk tale of Ali Baba and the forty thieves mentions the use of a password.

In this story, Ali Baba finds that the phrase “Open Sesame” magically opens the entrance to a cave where the thieves have hidden their treasure.

Similarly, modern computer systems use passwords to authenticate users and allow them entrance to system resources and data shares on an automated basis.
The use of passwords in computer systems likely can be traced to the earliest timesharing and dial-up networks.
Passwords were probably not used before then in purely batch systems.


The security provided by a password system depends on the passwords being kept secret at all times.

Thus, a password is vulnerable to compromise whenever it is used, stored, or even known.

In a password-based authentication mechanism implemented on a computer system, passwords are vulnerable to compromise due to five essential aspects of the password system:
  • Passwords must be initially assigned to users when they are enrolled on the system;
  • Users’ passwords must be changed periodically;
  • The system must maintain a “password database”;
  • Users must remember their passwords; and
  • Users must enter their passwords into the system at authentication time.


Because of these factors, a number of protection schemes have been developed for maintaining password

These include implementing policies and mechanisms to ensure “strong” passwords, encrypting the password database, and simplifying the sign-on and password synchronization processes.

Even so, a number of sophisticated cracking tools are available today that threaten password security.

For that reason, it is often advised that passwords be combined with some other form of security to achieve strong authentication.
