Hacking techniques are advancing at a dazzling pace.
Techniques that let an attacker compromise a target without ever hacking the server directly are appearing one after another. The whole internet has become a minefield.
We are entering an era in which every web browsing session has to be treated like sweeping for booby traps, checking whether malicious code is hidden anywhere.
The highest point of hacking technique is Human Hacking.
Did you know that humans get hacked as much as computers?
It is called social engineering and it has been happening long before computers ever existed!
This is the social engineering technique. The method existed even before computers did.
1. Hacking Humans
Social engineering is the human side of breaking into a corporate network. Companies like ours with authentication processes, firewalls, VPNs and network monitoring software are still wide open to an attack if an employee unwittingly gives away key information in an email, by answering questions over the phone with someone they don't know or failing to ask the right questions.
2. Social Engineering, an Example
AOL experienced a social engineering attack that compromised their system and revealed confidential information of more than 200 accounts. In that case the caller contacted AOL's tech support and spoke with an employee for an hour. During the conversation the caller mentioned that his car was for sale at a great price. The employee was interested, so the caller sent an e-mail attachment with a picture of the car. Instead of a car photo, the mail executed a backdoor exploit that opened a connection out from AOL through the firewall. Through this combination of social engineering and technical exploitation, the caller gained access to the internal network.
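The AOL incident hinges on an attachment that claimed to be a car photo but actually carried executable code. As an added illustration (not from the original article and not AOL's own tooling), the following Python compares the file type an attachment's name claims with the type its leading bytes reveal; the file names and byte samples are constructed.

```python
# Added example: flag e-mail attachments whose leading bytes do not match the
# image type their file name claims. All sample attachments are constructed.

IMAGE_MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# Leading bytes of executables that should never arrive disguised as a photo.
EXECUTABLE_MAGIC = {b"MZ": "windows-executable", b"\x7fELF": "elf-executable"}


def claimed_type(filename: str) -> str:
    """Type the attachment claims to be, taken from its last extension."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return "jpg" if ext == "jpeg" else ext


def detected_type(data: bytes) -> str:
    """Coarse type from magic bytes; 'unknown' if nothing matches."""
    for sig, label in EXECUTABLE_MAGIC.items():
        if data.startswith(sig):
            return label
    for ext, sigs in IMAGE_MAGIC.items():
        if data.startswith(sigs):  # bytes.startswith accepts a tuple of prefixes
            return ext
    return "unknown"


def assess(filename: str, data: bytes) -> dict:
    """Verdict for one attachment: 'ok', 'mismatch' or 'executable'."""
    claimed, detected = claimed_type(filename), detected_type(data)
    if detected.endswith("executable"):
        verdict = "executable"  # executable content is blocked regardless of name
    elif claimed in IMAGE_MAGIC and detected != claimed:
        verdict = "mismatch"  # claims to be an image but the bytes disagree
    else:
        verdict = "ok"
    return {"file": filename, "claimed": claimed, "detected": detected, "verdict": verdict}


# Constructed samples: a real JPEG header, a PE header named as a photo, a GIF named .png.
SAMPLES = [
    ("car.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16),
    ("car_photo.jpg", b"MZ\x90\x00" + b"\x00" * 16),
    ("car.png", b"GIF89a" + b"\x00" * 16),
]


def scan(samples=SAMPLES) -> list:
    """Assess every sample; anything not 'ok' should be quarantined and reported."""
    return [assess(name, data) for name, data in samples]
```

A mail gateway would apply this check before the attachment ever reaches the employee's desktop, so a "car photo" that is really a backdoor is quarantined instead of opened.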
3. Forms of Social Engineering
Social engineering is not limited to phone calls; many organizations have reported cases involving visitors impersonating a telephone repair technician requesting access to a wiring closet or a new member of the IT department needing help accessing a file.
People, for the most part, look at social engineering as an attack on their intelligence and no one wants to be considered "ignorant" enough to have been a victim. It's important to remember that no matter who you are, you are susceptible to a social engineering attack.
If you suspect social engineering – don't be afraid to ask questions and/or notify your IT department. If a caller requests information that is technical in nature, please refer them to your IT department.
[Original source]
http://www.auditmypc.com/freescan/readingroom/social-engineering.asp