社会工程学攻击选项是
Malware isn’t the only online threat to worry about. Social engineering is a huge threat, and it can hit you on any operating system. In fact, social engineering can also occur over the phone and in face-to-face situations.
恶意软件并不是唯一需要担心的在线威胁。 社会工程是一个巨大的威胁,它可以在任何操作系统上给您带来打击。 实际上,社交工程也可以通过电话和面对面的情况进行。
It’s important to be aware of social engineering and be on the lookout. Security programs won’t protect you from most social engineering threats, so you have to protect yourself.
重要的是要意识到社会工程学并保持警惕。 安全程序无法保护您免受大多数社会工程威胁的威胁,因此您必须保护自己。
社会工程学解释 (Social Engineering Explained)
Traditional computer-based attacks often depend on finding a vulnerability in a computer’s code. For example, if you’re using an out-of-date version of Adobe Flash — or, god forbid, Java, which was the cause of 91% of attacks in 2013 according to Cisco — you could visit a malicious website and that website would exploit the vulnerability in your software to gain access to your computer. The attacker is manipulating bugs in software to gain access and gather private information, perhaps with a keylogger they install.
传统的基于计算机的攻击通常取决于在计算机代码中发现漏洞。 例如,如果您使用的是Adobe Flash的过时版本(或禁止使用Java ,根据思科的说法,这是2013年造成91%攻击的原因),则可以访问恶意网站,并且该网站会利用您软件中的漏洞来访问您的计算机。 攻击者正在操纵软件中的错误以获取访问权限并收集私人信息,也许他们安装了键盘记录程序即可。
Social engineering tricks are different because they involve psychological manipulation instead. In other word, they exploit people, not their software.
社会工程技巧不同,因为它们涉及心理操纵。 换句话说,他们利用人员而不是他们的软件。
You’ve probably already heard of phishing, which is a form of social engineering. You may receive an email claiming to be from your bank, credit card company, or another trusted business. They may direct you to a fake website disguised to look like a real one or ask you to download and install a malicious program. But such social-engineering tricks don’t have to involve fake websites or malware. The phishing email may simply ask you to send an email reply with private information. Rather than try to exploit a bug in a software, they try to exploit normal human interactions. Spear phishing can be even more dangerous, as it’s a form of phishing designed to target specific individuals.
您可能已经听说过网络钓鱼 ,这是一种社会工程形式。 您可能会收到一封声称来自您的银行,信用卡公司或其他受信任企业的电子邮件。 他们可能会将您定向到伪装成真实网站的伪造网站,或要求您下载并安装恶意程序。 但是,这种社交工程技巧不必涉及假网站或恶意软件。 网络钓鱼电子邮件可能只是要求您发送包含私人信息的电子邮件回复。 他们没有尝试利用软件中的错误,而是试图利用正常的人机交互。 鱼叉式网络钓鱼甚至更危险,因为它是一种针对特定个人的网络钓鱼形式。
社会工程实例 (Examples of Social Engineering)
One popular trick in chat services and online games has been to register an account with a name like “Administrator” and send people scary messages like “WARNING: We have detected someone may be hacking your account, respond with your password to authenticate yourself.” If a target responds with their password, they’ve fallen for the trick and the attacker now has their account password.
聊天服务和在线游戏中的一种流行技巧是注册一个名称为“ Administrator”的帐户,并向人们发送可怕的消息,例如““警告:我们已检测到有人可能正在入侵您的帐户,并使用您的密码进行身份验证。” 如果目标使用他们的密码进行响应,则说明他们已陷入困境,攻击者现在拥有了他们的帐户密码。
If someone has personal information on you, they could use it to gain access to your accounts. For example, information like your date of birth, social security number, and credit card number are often used to identify you. If someone has this information, they could contact a business and pretend to be you. This trick was famously used by an attacker to gain access to Sarah Palin’s Yahoo! Mail account in 2008, submitting enough personal details to gain access to the account through Yahoo!’s password recovery form. The same method could be used to over the phone if you have the personal information the business requires to authenticate you. An attacker with some information on a target can pretend to be them and gain access to more things.
如果有人掌握了您的个人信息,他们可以使用它来访问您的帐户。 例如,诸如您的出生日期,社会保险号和信用卡号之类的信息通常用于识别您的身份。 如果某人掌握了此信息,他们可以联系一家公司并假装为您。 攻击者以著名的方式使用了这一技巧,以访问Sarah Palin的Yahoo!。 在2008年发送邮件帐户,提交足够的个人详细信息,以便通过Yahoo!的密码恢复表单访问该帐户。 如果您拥有企业进行身份验证所需的个人信息,则可以通过电话使用相同的方法。 拥有目标信息的攻击者可以伪装成目标,并获得对更多事物的访问权。
Social engineering could also be used in person. An attacker could walk into a business, inform the secretary that they’re a repair person, new employee, or fire inspector in an authoritative and convincing tone, and then roam the halls and potentially steal confidential data or plant bugs to perform corporate espionage. This trick depends on the attacker presenting themselves as someone they’re not. If a secretary, doorman, or whoever else is in charge doesn’t ask too many questions or look too closely, the trick will be successful.
社会工程学也可以亲自使用。 攻击者可能进入企业,以权威和令人信服的口吻通知秘书他们是维修人员,新雇员或消防检查员,然后漫游大厅,并可能窃取机密数据或工厂漏洞来进行公司间谍活动。 此技巧取决于攻击者将自己显示为不是他们的人。 如果秘书,门卫或其他负责人没有问太多问题或看得太近,那么trick俩将会成功。
Social-engineering attacks span the range of fake websites, fraudulent emails, and nefarious chat messages all the way up to impersonating someone on the phone or in-person. These attacks comes in a wide variety of forms, but they all have one thing in common — they depend on psychological trickery. Social engineering has been called the art of psychological manipulation. It’s one of the main ways “hackers” actually “hack” accounts online.
社交工程攻击涵盖了伪造网站,欺诈性电子邮件和恶意聊天消息的范围,一直到冒充电话或面对面的人。 这些攻击有多种形式,但是它们都有一个共同点-它们依赖于心理欺骗。 社会工程学被称为心理操纵的艺术。 这是“黑客”实际上在线“黑客”帐户的主要方式之一。
如何避免社会工程 (How to Avoid Social Engineering)
Knowing social engineering exists can help you battle it. Be suspicious of unsolicited emails, chat messages, and phone calls that ask for private information. Never reveal financial information or important personal information over email. Don’t download potentially dangerous email attachments and run them, even if an email claims they’re important.
了解社会工程学可以帮助您与之抗衡。 对不请自来的电子邮件,聊天消息和要求私人信息的电话保持警惕。 切勿通过电子邮件透露财务信息或重要的个人信息。 即使电子邮件声称它们很重要,也不要下载并运行有潜在危险的电子邮件附件。
You also shouldn’t follow links in an email to sensitive websites. For example, don’t click a link in an email that appears to be from your bank and log in. It may take you to a fake phishing site disguised to look as your bank’s site, but with a subtly different URL. Visit the website directly instead.
您也不应点击电子邮件中指向敏感网站的链接。 例如,不要单击似乎来自您的银行的电子邮件中的链接并登录。这可能会将您带到伪装成您的银行网站的伪造钓鱼网站,但URL却有所不同。 而是直接访问该网站。
If you receive a suspicious request — for example, a phone call from your bank asks for personal information — contact the source of the request directly and ask for confirmation. In this example, you’d call your bank and ask what they want rather than divulging the information to someone who claims to be your bank.
如果您收到可疑请求(例如,您的银行打来的电话询问您的个人信息),请直接与请求来源联系并要求确认。 在此示例中,您将打电话给银行并询问他们想要什么,而不是将信息泄露给声称是您银行的人。
Email programs, web browsers, and security suites generally have phishing filters that will warn you when you visit a known phishing site. All they can do is warn you when you visit a known phishing site or receive a known phishing email, and they don’t know about all the phishing sites or emails out there. For the most part, it’s up to you to protect yourself — security programs can only help a little bit.
电子邮件程序,Web浏览器和安全套件通常具有网络钓鱼过滤器,这些过滤器会在您访问已知的网络钓鱼站点时向您发出警告。 他们所能做的就是在您访问已知的钓鱼网站或收到已知的钓鱼电子邮件时向您发出警告,而他们并不知道那里的所有钓鱼网站或电子邮件。 在大多数情况下,您需要保护自己-安全程序只能提供一点帮助。
It’s a good idea to exercise a healthy suspicion when dealing with requests for private data and anything else that could be a social-engineering attack. Suspicion and caution will help protect you, both online and offline.
在处理对私人数据的请求以及任何其他可能引起社会工程攻击的请求时,请保持怀疑的态度是一个好主意。 怀疑和谨慎将帮助保护您的在线和离线状态。
Image Credit: Jeff Turnet on Flickr
图片来源: Flickr上的Jeff Turnet
翻译自: https://www.howtogeek.com/180186/htg-explains-what-is-social-engineering-and-how-can-you-avoid-it/
社会工程学攻击选项是
扫一扫
2万+
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
