
1. Please define the differences between eavesdropping, dumpster diving, & socia


Question

1. Please define the differences between eavesdropping, dumpster diving, & social engineering in the IT world?

2. Define sidejacking and provide examples.

3. Define phishing and spear-phishing and provide examples.

4. Define online voting.

5. What are the benefits of online voting?

6. What are the risks of online voting?

7. What are the do's and don'ts of password security?

8. What are the legal consequences of computer fraud in America?

9. What are the benefits and disadvantages of globalization?

Explanation / Answer

Social Engineering is a term that describes a non-technical kind of intrusion that relies heavily on human interaction and often involves tricking other people to break normal security procedures.

Social engineering, in the context of information security, refers to psychological manipulation of people into performing actions or divulging confidential information. A type of confidence trick for the purpose of information gathering, fraud, or system access, it differs from a traditional "con" in that it is often one of many steps in a more complex fraud scheme.

Both dumpster diving and eavesdropping are techniques used in social engineering.

Dumpster diving:

Dumpster diving is the process of looking in the trash for sensitive information that has not been properly disposed of.

Attackers are looking for user IDs, passwords, network diagrams, account numbers, policy numbers, and other confidential information that is thrown in the trash. This can be on a piece of paper, floppy disk, CD, or anything else containing confidential information. The information they find can be just another piece of the puzzle and gets them one step closer to the unauthorized access they want.

Eavesdropping:

Eavesdropping refers to an unauthorized person listening to conversations of employees or other authorized personnel discussing sensitive topics.

Eavesdropping can be very harmful to a company if it does not take the appropriate precautions. The company should train employees on how to avoid eavesdroppers.

2)

Sidejacking refers to the use of unauthorized identification credentials to hijack a valid Web session remotely in order to take over a specific Web server.

Usually sidejacking attacks are performed through accounts where the user types in their username and password.

Sidejacking attacks work to find a nonsecure sockets layer (SSL) cookie. Usually, websites that have users type in their usernames and passwords are the type that get sidejacked.

Websites that use SSLs don’t have as much of a chance of being sidejacked, but if the webmasters neglect to authenticate the site itself through encryption, SSL use can be negated.

Examples:

The attacker uses a sniffer to capture a valid token session called “Session ID”, then he uses the valid token session to gain unauthorized access to the Web Server.

The attacker can compromise the session token by using malicious code or programs running at the client-side.

The man-in-the-middle attack intercepts a communication between two systems. For example, in an HTTP transaction the target is the TCP connection between client and server. Using different techniques, the attacker splits the original TCP connection into 2 new connections, one between the client and the attacker and the other between the attacker and the server.

The man-in-the-browser attack uses the same approach as the man-in-the-middle attack, but in this case a Trojan horse is used to intercept and manipulate calls between the main application’s executable (e.g. the browser) and its security mechanisms or libraries on the fly.

3)

Phishing:

An attack that happens frequently is the phishing attack. In a phishing attack we usually get an email that looks like it came from a legitimate source, such as PayPal, our bank, our company, eBay, Facebook, Microsoft, or a friend. The email says that we need to click on a link to go to a website to fix some problem with our account. We click on the link and it brings up a page that looks like a legitimate web page for the organization that supposedly sent the email. On that page we have to put in our username and password or some other sensitive information. When we hit submit, our information actually goes to the person who sent the email, not to the institution.

Spear phishing is a more selective and effective scheme than traditional phishing plots. This technique has raised e-scams to a new level and has lately become the go-to choice for many attacks threatening individuals and businesses. Spear phishing is a way of obtaining information through deceptive, more personalized e-mail messages and social engineering that is finely tailored to the target. The attacks are no longer conducted at random; rather, they are focused and persistent, aimed at a specific victim or group of victims.

Here's one version of a spear phishing attack: The perpetrator finds a web page for their target organization that supplies contact information for the company. Using available details to make the message seem authentic, the perpetrator drafts an e-mail to an employee on the contact page that appears to come from an individual who might reasonably request confidential information, such as a network administrator. The email asks the employee to log into a bogus page that requests the employee's user name and password or click on a link that will download spyware or other malicious programming. If a single employee falls for the spear phisher's ploy, the attacker can masquerade as that individual and use social engineering techniques to gain further access to sensitive data.

4)

Internet voting, or online voting, is often described as remote electronic voting: it describes the possibility of casting a vote over the Internet. The vote is cast in an uncontrolled environment. Such voting channels have already been used in various elections, including political elections in Estonia, Switzerland, and Norway.

5)

6)

The Digital Divide

Internet voting skeptics point out that poor and minority voters have less access to computers and the Internet and so would be less likely to benefit from online voting. Expanding access for well-off voters could increase their participation while doing nothing to improve access for low-income voters who already have little influence in the political process. This digital divide has narrowed considerably since the 1990s, however, and those without home Internet can often get access in workplaces or public libraries.

Election Security

Online voting's technical vulnerabilities could also undermine the integrity and credibility of election systems. When hackers can break into high-security websites or cripple entire computer networks with Denial of Service attacks, voters might not trust reported results. In an influential 2000 report on Internet voting, California's secretary of state argued that "the accuracy of the vote count should be unassailable" but identified several concerns, including ballot secrecy and the need for systems immune to tampering.

Attacks could target availability, confidentiality, or authentication of the system.

• Distributed denial of service attacks (DDoS) can overload servers, preventing voters from registering.

• Intruders could read personal information, submit false information, or even change info on voters.

7)

DO the following:

DON'T do the following:

8)

The Computer Fraud and Abuse Act is both a criminal law and a statute that creates a private right of action, allowing private individuals and companies to sue to recover damages caused by violations of this law.

Because there are numerous different types of computer and internet crimes, there are also a wide range of potential penalties. Some computer crimes have minor penalties associated with them, while more serious crimes can impose significant fines and lengthy prison sentences.

9)

Advantages of Globalization:

Disadvantages of Globalization:
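Relating to the sidejacking answer in part 2 above, the following is an added example and not part of the original answer: a defender's check that a site's session cookies carry the attributes that keep them away from a network sniffer (`Secure`) and from client-side script (`HttpOnly`). The cookie names, the sample headers and the name-matching heuristic are constructed assumptions.

```python
# Added example: audit Set-Cookie headers for sidejacking exposure.
# Assumption: a cookie is "session-like" if its name contains one of these hints.
SESSION_NAME_HINTS = ("sess", "sid", "auth", "token")

EXPLANATIONS = {
    "no-secure": "sent over plain HTTP too, where a sniffer can capture it",
    "no-httponly": "readable by script running in the page",
    "set-over-http": "issued on an unencrypted response, already exposed",
}

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs

def audit_cookie(scheme, header):
    """Return (cookie name, list of finding codes) for one response header."""
    name, _, attrs = parse_set_cookie(header)
    if not any(hint in name.lower() for hint in SESSION_NAME_HINTS):
        return name, []  # preference cookies etc. are out of scope here
    findings = []
    if "secure" not in attrs:
        findings.append("no-secure")
    if "httponly" not in attrs:
        findings.append("no-httponly")
    if scheme.lower() != "https":
        findings.append("set-over-http")
    return name, findings

def audit_all(responses):
    """Map each session-like cookie name to its findings."""
    return dict(audit_cookie(scheme, header) for scheme, header in responses)

# Constructed sample responses: (scheme of the response, Set-Cookie value).
SAMPLE = [
    ("https", "SESSIONID=9f2c1e; Path=/; HttpOnly"),
    ("https", "sid=ab12; Path=/; Secure; HttpOnly"),
    ("http", "auth_token=zz91; Path=/"),
    ("https", "theme=dark; Path=/"),
]

if __name__ == "__main__":
    for cookie, codes in audit_all(SAMPLE).items():
        for code in codes:
            print(f"{cookie}: {code} ({EXPLANATIONS[code]})")
```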