[Anti-spoofing art]: the essence of security threats
Today my new copy of "The Art of Deception" (the "anti-spoofing art") by the famous hacker Kevin Mitnick finally arrived. I had not read a book in a long time, so I decided to read this one properly, and this article serves as my reading notes. Kevin also wrote "The Art of Intrusion", which is likewise about social engineering; it is similar to the book I am reading today, and some content and examples overlap, but that is not important. I read this book with reverence. It felt more like reading my own autobiography, or chatting with the author.
I. Nature of security threats
As the information society develops, everything seems to flow inevitably towards information technology: it is used to store data, process business workflows, and analyze and predict with big data. Yet the security threats these applications face have never changed. At bottom, every security question reduces to two factors: who is the visitor, and does this person have permission to perform the requested operation? These are exactly the identity authentication and access control that computer security proposed very early on. Although the forms of information technology keep evolving, the nature of its security always centers on these two factors.
Today many enterprises have deployed security software for protection. Large enterprises buy specialized commercial software or security appliances, or even develop their own protection products; small enterprises at least install free security software, such as the 360 Enterprise Edition. Traditional security devices such as identity authentication systems, file access control systems, and intrusion detection systems have been trusted and deployed by most enterprises. But is that enough?
Strictly speaking, it is not. These measures are indeed sufficient against "script kiddies": ordinary attackers use relatively outdated techniques that are easy to contain. But for advanced attackers, those who find vulnerabilities and write their own tools, such defenses are practically nonexistent. Ordinary attackers launch broad, indiscriminate attacks to show off their abilities; advanced attackers have more explicit goals, such as stealing information for profit. They therefore prepare a thorough attack plan, and that plan of course includes trying to bypass the target enterprise's security protections.
The best way to bypass a heavily protected enterprise security mechanism is undoubtedly to start from the "people" angle: win the trust of an administrator or other staff through social engineering, and obtain, step by step, the information needed to crack or bypass the security mechanism. This is the most convenient and practical method. The essence of security threats therefore lies in two points:
1. What we need to guard against is high-level attackers, not simple "script kiddies";
2. Technology cannot solve every problem, because the "people" factor remains, and a failure there leads to losses.
II. A typical deception case
The protagonist of today's case is a young man named Rifkin. Because of a business relationship, he had to go to the wire transfer room of the Security Pacific bank one day to maintain a system, and there he happened to see the day's transfer code written on the wall. He quietly memorized the code and then began a carefully planned social engineering attack:
1. Posing as a member of the bank's office staff, Rifkin called the wire transfer room and asked for a remittance. The wire transfer room required him to state his office number and the day's wire transfer code; Rifkin answered the clerk according to his earlier homework;
2. Rifkin asked the clerk to remit $10 million to a Swiss bank account;
3. The clerk accepted the request, but asked Rifkin for an interbank settlement authorization number. Rifkin had not expected this, but kept calm, replied that he would check it, and promised to call the clerk back;
4. Again posing as bank staff, Rifkin called the relevant office and obtained the interbank settlement authorization number;
5. He called the clerk in the wire transfer room back and the money was successfully transferred;
6. A week later, Rifkin flew to Switzerland, bought a pile of diamonds for $8 million, and smuggled them back to the United States;
7. He was soon arrested and charged with "computer fraud".
This case sounds fantastical, but it really happened: a bank was robbed without a single shot being fired. Some of these tricks would no longer work today; for example, caller ID now displays the phone number and exposes the caller's real identity. Still, the case shows us the power of social engineering, whose forms and methods change with the times.