Manipulating people to make them do what one wants them to do.
It is often the basis for some very fine hacks, where access is gained not by attacking the computer directly, but by tricking people into providing access.
An example is wearing a home-made badge and behaving self-confidently and self-importantly to enter a restricted area.
This is nicely lampooned in MoronsFromOuterSpace, where the impostor's reflexive attempt to cover up the name on his stolen uniform is taken up and repeated throughout the secret complex as a macho salute.
Phishing in cyberspace is like "fishing": the two words are pronounced the same. Phishing is sometimes spelt "Pfishing". The end objective is identity theft achieved through deception. It may involve intermediate steps, such as spyware installed by unsuspecting users who acted on a seemingly legitimate hyperlink.
Early attempts (and successes) at phishing were achieved through email spoofing.
Internationalized Domain Name (IDN) exposure in Gecko-based browsers (e.g. MozillaFirefox):
- a malformed URL is harder to spot when it uses characters from another character set that are visually similar to the expected ones. See
- also a different link to this in WebApplicationSecurity, section on browsers.
Pharming is the result of the evolution of phishing. The term was coined by "MX Logic". DNS poisoning and domain hijacking are the main approaches of this newer technique. See http://www.theregister.co.uk/2005/01/31/pharming/
- "Internet Storm Centre" "6 simple steps to beat phishing" at
- "CERT tips" at
- another FAQ on countermeasures at
- "Anti phishing working group" site at
for a phishing example (late 2004) involving MS Media Player, and a check-up on current WirelessSecurity risks and countermeasures.
Technology to detect spoofed Web sites: is it any good? Speculation exists that InternetExplorer v7 for WindowsXp SP2 will have this technology. See
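The look-alike URL problem mentioned above (characters from another script that are visually similar) and the question of whether spoofed-site detection is any good can be made concrete with a small checker. The Python below is an added example for this page, not code from any browser vendor or from the original text: it decodes Punycode ("xn--") labels, flags a label that mixes scripts, and folds a hand-picked subset of confusable Cyrillic and Greek letters to the Latin letters they imitate, so that an all-Cyrillic look-alike of a protected name is caught as well as a mixed one. The brand list, the confusable subset and the sample hostnames are constructed for the example.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed allow-list of brand hostnames worth protecting; a real deployment
# would load its own list (hypothetical values for this example).
PROTECTED_BRANDS = {"paypal.com", "apple.com", "example-bank.com"}

# Cyrillic and Greek letters that render almost identically to Latin letters in
# common fonts, mapped to the Latin letter each imitates. A hand-picked subset
# of the Unicode confusables data, chosen for this example only.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0455": "s", "\u0456": "i", "\u0458": "j",
    "\u04cf": "l", "\u0501": "d", "\u051b": "q", "\u051d": "w",
    "\u03b1": "a", "\u03bf": "o", "\u03bd": "v", "\u03c1": "p",
}


def decode_label(label):
    """Return the Unicode form of one DNS label ('xn--' labels are Punycode)."""
    if label.lower().startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except UnicodeError:
            return label  # malformed Punycode: keep the raw label, still flagged
    return label


def script_of(ch):
    """Crude script name: the first word of the character's Unicode name."""
    name = unicodedata.name(ch, "")
    return name.split(" ", 1)[0] if name else "UNKNOWN"


def skeleton(text):
    """Replace confusable letters with the Latin letters they imitate."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in text)


def analyze_url(url):
    """Classify the hostname of a URL and return a dict of findings."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    raw_labels = host.split(".")
    labels = [decode_label(lab) for lab in raw_labels]
    decoded = ".".join(labels)
    punycode = any(lab.lower().startswith("xn--") for lab in raw_labels)
    # A single label mixing scripts (e.g. Cyrillic 'a' among Latin letters)
    mixed_script = any(
        len({script_of(ch) for ch in lab if ch.isalpha()}) > 1 for lab in labels
    )
    # Whole-script look-alike: after folding confusables, the name collides
    # with a protected brand while the real spelling differs.
    skel = skeleton(decoded).lower()
    impersonates = skel if skel in PROTECTED_BRANDS and skel != decoded.lower() else None
    return {
        "host": host,
        "decoded": decoded,
        "punycode": punycode,
        "mixed_script": mixed_script,
        "impersonates": impersonates,
        "suspicious": punycode or mixed_script or impersonates is not None,
    }


if __name__ == "__main__":
    # Constructed samples: a mixed-script 'paypal' and an all-Cyrillic 'apple'.
    samples = ["\u0440\u0430ypal.com", "\u0430\u0440\u0440\u04cf\u0435.com"]
    for name in samples:
        label, tld = name.rsplit(".", 1)
        puny = "xn--" + label.encode("punycode").decode("ascii") + "." + tld
        print(analyze_url("https://" + puny + "/login"))
    print(analyze_url("https://www.paypal.com/"))
```

The script-name heuristic relies on Unicode character names rather than the Script property, which is good enough to separate Latin from Cyrillic and Greek but would need a real script table for general use; the skeleton check is the part that catches the all-Cyrillic case a mixed-script rule alone misses.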
Some years ago, while working for an employer who no longer exists, I had an opportunity to experiment with SocialEngineering.
For some reason, my employer thought that what we were doing was so-very-special that merely seeing our workplace would allow a competitor to go out, rewrite what we were doing, and trounce us in the marketplace. The irony of this is that we were the ones copying the look-and-feel of a competitor's product. Among the measures to protect our secret was a receptionist who had to greet everyone as they came through the door.
Even more than most security policies, this was schizophrenic and ineffective.
One day I asked a friend to come visit me at work. Knowing about the gate-keeper receptionist, he asked "Just announce myself to the receptionist?" I decided to have some fun: "No, just do this... Go through the door, walking like you're about to be late to an important meeting. Do not slow down. Turn right, go through the door into the hall and through the door on the other side of the hall. Go 5 feet, turn left, go 20 feet, and my desk is right there. Above all, act like you have every right in the world to be there."
Sure enough, he arrived at my desk having been challenged neither by the receptionist, nor by the office manager whom he passed in the hallway. He just looked like he belonged there.
I used to do this from time to time when I was a student. I could get to the front of the stage at concerts or skip many queues, just by announcing "Engineer Coming Through" in an "I've got a job to do" voice. Unlike just pushing past, or even asking politely, it didn't seem as if anyone was upset by this practice. Most people seemed happy that whatever I was doing was more important. --FrankCarver
This is also known as the ItsOkImWithTheBand maneuver. -- PeteHardie
Other larger examples include (at least by my definition of the term) things like heavily taxing alcohol and tobacco to influence a society to consume less of them. -- LukeGorrie
Or, of course, the WarOnDrugs?
Which gives us a nice example of the LawOfUnintendedConsequences.
If you ever want to read some incredible examples of SocialEngineering, try:
Uncommon Therapy: The Psychiatric Techniques of Milton H. Erickson, MD
Milton felt it was more important to get people healthy than it was to get their consent to everything in the therapeutic process. He used to do things like 'arrange' to have people in the waiting room of his office, pretending to be patients, so that he could force some interactions to occur, and generally intervene in patients' lives. Interesting read.
KevinMitnick has written a book on SocialEngineering: "The Art of Deception: Controlling the Human Element of Security", ISBN 0471237124.
The book provides many examples where SocialEngineering is the safest and most effective way of getting secrets from people and organizations.
Also worth reading:
Fay Faron: Rip-Off. A writer's guide to crimes of deception. ISBN 0898798272
Although targeted at writers of fiction, it is primarily a comprehensive catalog of techniques for making people hand over their money to you without asking a question.
See also SwarmTechnology