Social engineers, or people hackers, specialize in getting you to share information you shouldn't -- like personal details that could lead to a password being stolen. Laurie Segall reports.
A cyber security guy gave a lecture in my class once and he said "The most difficult part of cyber security is the people". "You can rewrite code, you can isolate networks, but people like to be helpful and that is all it takes for a hacker to get in"
This is true. People believe that most people are not very trusting of others but in fact, studies have shown that people are much more trusting of strangers than we'd assume. One of the studies I remember they called a bunch of random people, told them to flip a coin, and if it was heads, they win money. If it was tails, they didn't win. It was split evenly 50/50 on who reported heads and tails, meaning people weren't lying to say they got heads just to win the fake prize. They actually believed the caller and flipped a coin. Pretty interesting. This sort of psychology can be quite fascinating, especially since we don't know exactly how or why it all works the way it does.
A quote that I remember is "if there is a conflict between security and usability, usability always wins". An example of this is that if employees are required to use long and complicated passwords, they will start writing them down on a piece of paper at their workplace. I also know a company where there was a requirement to use second-factor authentication to access certain data, and the session regularly expired while looking through the data. It only took 1 day until someone wrote a "stay alive" script that prevented the expiry. If you restrict the user rights on computers too much (e.g. keep them from installing software they actually need), employees will start working on their private PCs and transferring data. If employees are required to change their passwords regularly, they will only change a minor detail of it (e.g. change a digit at the end of it). I think this goes in a similar direction - you can totally make an IT system quite secure, but you really need to be careful how it impacts usability. This, combined with, as you said, general helpfulness and trust in other people's good intentions, will always be a weakness. Imo, if social engineering is done well (involving publicly available information about a company or private data that makes things seem plausible), almost everyone will fall for it. I include myself here btw. If someone really does his research on me and crafts an email with believable content from a person or company I interact with, without any obvious red flags, it is quite likely that I will click a link or open an email attachment...
I recommend you watch some DEF CON presentations on social engineering. It's really easy to convince people to give you the information. You have to understand that all he did was ask a guy to visit a website. What they didn't tell you is that somebody had to find that exploit and write the code/script... Not to mention they need to mess around in their system and dig deep for flaws.
When used for crime, these kinds of people are called manipulators and sociopaths. This guy was smart enough to make a good living off of being conniving and convincing. Pretty cool dude.
Yeah, a lot of the top hackers change sides after they are caught by the FBI and are offered a good plea deal or no jail at all if they will instead use their knowledge and help the government.
That's not sociopathy. Sociopathy is someone who doesn't have the ability to form their own emotions, and can't really comprehend why emotions are important, and they can become great at miming emotions, so yes, sociopaths are great manipulators, but there's a whole bunch of impulse stuff that comes along with it.
It's not impossible, it's possible. We have something called a brain implant where a chip gets implanted in your brain; after that's done you can hack it. They implant these chips into paralyzed people in some countries like America so they can regain control of parts of their body. So with a chip implanted in your brain, hackers can manipulate the signals and cause harm. This tech is many years old, so google it if you don't believe me. You can do the same thing with cockroaches and other insects as well. Google "cyber cockroach": implant a chip into its antennas and you can control the cockroach like a robot.
I find it very hard to believe that this script could, with a *single* input from a person, grant any useful access to anything, let alone enough to 'bring down the company'. This is hyperbolic to say the least. I've worked in Operations and tech support; I would never go to a page one of my clients told me to go to, I would vet it on a virtual machine... for THIS very reason.
I know right, this is the news doing scare bs once again. Just clicking a link doesn't give them access to your whole computer. Otherwise it'd be completely unsafe to surf the web, since clicking links is the entire process of surfing the web. These scam sites are always trying to get you to run executables. Why the heck would they bother if just clicking the link for the executable download was enough?
Yeah, it's mostly bullshit unless he had some kind of zero-day that allowed him to get a reverse shell onto this dude's PC through RCE, but I really doubt that.
I'm guessing the real problem here is not that Ken from support visited a website, it's that the remote desktop software on his computer wasn't configured to ask for authentication. All the website did was provide his computer's local IP address and then the hacker used that to connect to his computer. He could have easily done this completely without Ken from support's assistance by simply scanning the local network for computers that respond on whatever port they are using for RDP. That whole call to Ken from support was nothing but added dramatic effect.
@annaparker8234 I think this video gives the wrong portrayal. I'm in tech so I know what you are talking about, which is totally logical, but this video definitely made it look like the user interaction was all it took to completely own them.
@Dark_Rizz Moron, you can't hack Robux by messing with inspect element. The currency is stored on secured Roblox servers. I already tried with picto and failed.
"There are very, very bad people, which means it falls to the good people to try to fight it. We have so much potential to shape our culture, our values, our safety - if not us, then who?" Exactly the confirmation I needed to hear to clear up my own dilemma, and feelings of responsibility for others in my situation. I was unsure whether to pursue fighting a seemingly small issue, or concede to someone who is blatantly abusing their power and position because it would be much easier to just give in and a LOT less stressful. But, this guy just gave me more motivation to keep me going. And he is right.
@puchu_5001 Never mind. It's in the past. Evil neighbors and an evil HOA in my old neighborhood in Florida. They attacked a single mom (and others before me too), vandalized my property, and I had to cash in what little retirement I had, worth thousands of dollars, in order to hire lawyers to fight them. My own lawyers scammed me too. I only lived in my house for 4 years. That was enough for me. You can't win against an evil HOA. Don't bother fighting them. There is no law that will protect you against them. 4 years of hell and that was the last straw. I moved to Alaska. No more HOA ever again.
@puchu_5001 She's in Alaska, so she was probably in the midst of fighting with a bear; the bear obviously won, took her phone, then made this comment while pretending to be her. It's a very tragic story, and we watched it play out.
@revivalamt6991 Metasploitable is a machine meant to be set up to practice exploitation and pentesting; Metasploit, on the other hand, is the one that handles the exploits.
Our internal "customers" were supposed to open problem tickets for help, not call someone in IT. Yea, that rarely worked -- especially for managers and higher. 🤣🤣🤣
That's bullshit, the browser always prompts you if you are granting any sort of permission. On the other hand, if the link downloaded a file, he would have to open it/run it. So I am really not sure how they have done it. It was probably oversimplified in this video.
He could just as easily have asked the operator to try and download a program to see if it works on his computer instead of leading him to a phishing website.
Chuck Norris If it was that easy, cybercrime statistics would be exponential. Software bugs that can be leveraged are world-class hard, which is why bounties are so high and so sporadically claimed. Social engineering is very hit and miss; that's why in the rare instances it works it usually doesn't get the attacker that far into the infrastructure before getting a response. The headlines you see every month or two are like one out of tens of thousands for that month. At the very least.
nigga browser exploitation is trivial. Just because people aren't participating in Pwn2Own or whatever fucking competition doesn't mean there aren't hundreds of fucking exploits being vantaged in the wild. Computer security is a fucking joke. A 120k line program isn't ever going to be secure unless the entire fucking world audits it and every modification made is signed off on by everyone.
Yeah, that's why world-class hackers are digging into NVIDIA driver code looking for sandbox escapes. Stuff people pay bounties on is way bigger than 120k lines.
That's unrealistic. If that IT guy simply visited the site without downloading anything and the company's corporate IT is even slightly up to date, there's no way he gained access to the computer just by opening a website... Either they're making up a story or the IT guy had automatic downloads enabled in his browser, which resulted in him catching a drive-by download. However, no one working in IT should have automatic downloads enabled anyway...
Ahhh yes because hackers aren't masterminds. You have no clue what you're talking about. It definitely IS possible, and it's not about having "automatic downloads" enabled.
I agree with this comment; unless that IT guy has a fully disabled firewall and has all the network ports on his PC fully open and unsecured, there is no way just entering a website would get you hacked.
I see a lot of off comments here. This man is bringing awareness, and considering just how many people and companies are affected every day, I support this work, and will now invite him to appear as a speaker at our awareness summit. Well done.
The second guy has a very thoughtful perspective on life. I think that is honorable. And well... we can be happy a big amount of "hackers" are white hats. Makes life for the bad guys all the more difficult :-)
You probably don't know what hacking is. There are 3 types of hackers: black hat hackers, who, as you said, are a failure if they are known; the grey hats, who are neutral, they hack but they do not steal any money, they just do it for fun; and then there are the white hats like this guy, who helps companies protect against black hat hackers.
Not necessarily. If I'm gonna be a black hat hacker (there's a 20% chance that I'll be one) and I'm known as, for example, *3xploit* (my alias), that doesn't mean that I've failed. As long as I am free and anonymous (my real identity isn't known), I'm a successful hacker.
@cat and lasagna The guy made a RAT and that is what was installed on the victim's computer. The victim never executed the file, so how does that work??? It doesn't, so yeah.
Apparently the stereotypical hackers use MacBooks with Kali Linux, that is so based. It's a literal Hackintosh, that is the opposite of the definition of Hackintosh, ironically enough.
I heard an interesting thought experiment recently. If we were to live thousands of years, most of us would eventually become polyamorous. Because, you're bound to eventually meet/know more than one person who you love. And, it's essentially impossible for one person to meet all of your needs indefinitely. I think consensual non-monogamy is underrated.
ha we have been using these techniques since AOL. This is not "Hacking" this is "social engineering" most social engineers suck with real hacking skills, and real hackers suck at social engineering.
This isn't an ordinary hack by some random person. So it's more LIKELY to succeed. So let's see the mistakes (our company's practices). 1> Having an internal company number means nothing; we ask who's calling and verify that person. 2> If that person has a COMPANY asset, we would log onto that machine only. 3> Generally we would not CLICK on any links; before doing so, we would CHECK the link by hovering over it. 4> EVEN if we did, we have secure software/AV etc., which WILL and has detected rootkits, trojans etc., so if my machine was infected, IT security would get an alarm and lock us out, and/or our own machine software would do the same. 5> Permissions on the machine would pop up asking for a piece of software to be installed. 6> Remoting into another machine, we are the other machine; anything I click on will install on that machine, not mine; mine is behind a firewall... Basically a BS article, not realistic. Of course companies get hacked, but this example is totally not real world. As a front line IT tech, we generally know everyone we work with and get a feeling for when something is wrong. Of course things happen, but this particular example is nonsense. WELL it's American, what else do you expect... You guys better wake up to your own government messing with you; they are the real hackers... PEACE
Well, not all companies have AVs, some are just too stupid, and maybe we could use something like PowerSploit to avoid AV? And as security develops, so do exploits. Just make an invisible 0-day exploit and you're good to go, no AV alarms.
Mate, I'm a bit late here but I know companies today whose "databases" are still run on fucking Excel spreadsheets. Don't come all high and proud about your startup having good security practices. This is miles more common than you think.
This dude has a strong Dax Shepard voice and I love it
1:49 "to show you this demo, WE'VE AGREED to not use the company's name" this is how you know that neither the journalist nor the company are based within the EU, where GDPR is in place.
Yeah, and you have a picture of Aleks as your profile pic. You also have a username Gravity Sandwich. Also, you failed to punctuate your sentence. Did you fail the fifth grade? Ever read spiderman? It's not aimed towards children.
Hey guys what's up, it's Scarce here and today we got a lot of news. Now this one's from David Kennedy, you all know who David Kennedy is, a huge channel with 6 subs. Well he actually managed to hack into a company, that's right, this guy actually hacked into a company through IT support. That's all guys, thanks for watching, peace.
That's phishing... this is more sophisticated. He embedded a trojan inside an on that website, so it's more like a drive-by... once the victim visited that site, a JS script automatically downloaded and executed the payload.
The government and government officials are the biggest hackers. That is why we need such people (hackers) to be able to defend ourselves against those who are trying to control us. Beautiful video. I wish a lot of success in my career.
MemoriesDestroyUs Fucking hell there are way too many elitists when it comes to hacking. Bro, "hacking" is LITERALLY just gaining unauthorized access to something. It does not matter how you do it. Even watching somebody type in their password is technically hacking.
Well, technically it is. Hacking is a term meaning you gain access to something you shouldn't be able to, and that's what the hacker did. What he did was trick a person into going to a malicious website he created; it's a bit like spear phishing. He probably used a bit of JavaScript to make the victim download a file that let the hacker gain access.
Social engineering is something I practice on a daily basis. It is easy, if you know what you're doing. You have to have the right mindset. Just because you know how to do it doesn't mean you can do it effectively.
00:34 Lmfao this "hacker" doesn't even know how to escalate privileges when "getsystem" doesn't work. You can see he just gives up and spawns a shell anyways with shit privileges. And LOL he fuckin' misspelled "getsystem" twice! xD
That's actually unlikely to be the same person. Years ago I was interviewed by Global News in Canada, and when the crew came to my house a lot of the stuff was edited, and sometimes if things were not shot the way they want they will just have a pair of hands and make it look like it's you to the casual viewer. They tell you that they are doing this upfront.
How can he just take over a whole computer from just clicking a link? Clicking links is the entire process of surfing the web. How come malware is always trying to get me to run executables then if just clicking the link was enough? Apparently anyone surfing the web is giving full access to their computer to every website they visit?
Dark is the absence of light. Cold is the absence of heat... Was going to comment that this came from Albert Einstein, but that was a fictional story... Where did this quote come from? lol
It's more smoke than fire. He probably did run a malicious script and gained some control of his browser, but no way did he take control of the computer in 2 minutes. Trusting that he actually knows a thing or two, it's probably the first step to getting full access to the computer and not the last.
Good example of the struggle IT staff have. He's running as an admin on his machine without functional AV, as a non-admin would have less chance of running code and AV should have picked it up, or apps aren't being patched daily, weekly, monthly because management refuse to allow IT teams to do their jobs, so the remote code is using a known exploit. NO staff in a business, including admins, should be logged in as admins; everyone should be non-admins (zero excuses for this) and admins should elevate any tasks they need to admin. If your IT department and staff aren't working like this as a basic config, assume you've already been hacked or will be.
It's not hacking? SE is a form of hacking. If you think you know about hacking you should know that 'employees are weakest part of a business's security' is one of the first things you learn.
That's Dave Kennedy. The dude wrote SET and founded DerbyCon. He probably forgets more about hacking in a week than you have ever known. Go back to HackForums.
This is a load of b*, going onto a website does not give anyone access to your computer unless you download something. And that IT guy wouldn't do that just by being told what he was told