Sunday, December 12, 2010

IT News HeadLines (Techradar) 11/12/2010

Techradar

In Depth: How social engineering works
Social engineering means different things to different people.

If you're a conman on a street corner, social engineering is a way to get money out of unsuspecting punters and steal goods.
If you're in a pub, it's a way to ensure that you're served first. If you're a magician, it can form the basis of an act. If you're a salesman, it's a way to get more sales.
But if you're a hacker, social engineering is far more: it enables you to get whatever you want from people. You can have them give you passwords, credit card details, and even access to secure places.
Many other cyber-attacks require an element of social engineering, and the techniques used are as advanced as other areas of online crime. At their heart is the basic human tendency to trust authority, and that trust sometimes comes at a very high price, as increasing numbers of people are discovering.
Microsoft calling
There's a new social engineering attack doing the rounds, which is designed to get you to give away all the details required to use your credit card online. Interestingly, it doesn't exploit your use of your computer at all, merely pretending that there's a problem with it.
The attack begins with an unexpected phone call, and it's a great way to learn about just how devious social engineering attacks can be and arm yourself against it and similar approaches.
All successful social engineering hacks begin with a process called pretexting. This creates a believable reason for the attacker making initial contact. Fear and greed are major human motivating factors, so the pretext is usually designed carefully to set the scene by giving the person being attacked the feeling that they've either inadvertently done something terribly wrong, or that they're in danger of missing out on something of value.
The new scam begins with a call supposedly from your ISP or even Microsoft itself. It seems obvious in the cold light of day that Microsoft isn't about to begin calling individual home users, and won't necessarily know who those users are, but a carefully crafted pretext for the call can make everything seem to be innocent and entirely reasonable.
Simply calling a random number from the phone book and insisting you're from Microsoft isn't enough to make the scam work, however. The call needs to be set in a believable context. This is achieved by playing a recording of a busy office in the background while the call is being made. The victim naturally assumes that the background noise is real, perhaps from a large call centre, which lends the situation an air of authenticity.
The caller must also appear to be in authority. The caller explains that Microsoft has had complaints that the victim's computer has been sending out spam, or perhaps worse. He might even give some examples and ask the victim to state truthfully if he or she has any knowledge of what's going on. The fear that a statement like this can generate in the minds of those not well versed in online security can be enough to gain their complete compliance with whatever instructions follow.
Fear factor
After ramping up the fear of inadvertently doing something wrong, the attacker phrases his instructions to sound like an easy way out of the situation. He says that it doesn't matter because he can fix the problem almost immediately.
With the victim's permission, he can access the troublesome computer and remove the supposed malware, further explaining that to keep things legal, he needed to call to gain the victim's permission. In a situation like this, the naïve computer user is highly likely to accept this apparently easy and official way out of a sticky situation. To the attacker, however, this sign of compliance indicates that the victim is under his influence.
To further cement the belief in the authenticity of the call, and to deepen the control he exercises, the attacker may ask the victim to open a command line, display the machine's IP address using the ipconfig command, and to call it out to confirm that the right computer is to be accessed before proceeding. The fact that this IP address is local to the victim's ISP and cannot be seen by the wider internet further proves to the attacker that the victim is both clueless and compliant.
There are then a couple of minutes of apparent typing as the attacker claims to be accessing the victim's PC, possibly uploading anti-malware software, cleaning the system, and confirming that everything is in order. The attacker then gets to the real purpose of his call: the fee.
He explains that the victim will, unfortunately, have to bear the cost for the service he's just provided. After all, it was the user who let his PC get into such a terrible state. It'll be nothing expensive, just a few pounds for the engineer's time. However, he explains, the victim can make a saving on this bill by paying now, over the phone. All he needs is a credit card. You can guess the rest.
The victim believes his computer has been fixed and that Microsoft is wonderful for doing so – right up until he receives his next credit card statement. The assumption of trust in the person asking for information, established through careful attention to detail on the part of the attacker, allied to ignorance of the realities of online life, make this a social engineering attack that we're sure to see far more of over the coming years.
Indeed, one of the hallmarks of the information age is the way in which malicious activity evolves and develops over time. Old hacks never die, they simply evolve, and social engineering is no exception.
Call for help
Some social engineering attacks don't have to be so well planned, just carefully targeted. In Japan, one particularly successful form of attack is becoming big business by cynically targeting elderly victims with a blunt demand.
It begins when the victim receives a frantic phone call. "It's me! I'm in trouble and I need you to transfer some money quickly," is the type of call no parent or grandparent ever wants to receive. For an elderly relative, it can be horrifying.
As with the Microsoft phone attack, the attacker offers an immediate way out of the problem. Transfer several thousand Yen to a wire transfer service or bank account and everything will be fine.
Despite its bold simplicity, the 'Hey, it's me!' attack gains in popularity every year. According to Symantec, the Japanese National Police Agency recorded 20,000 cases in 2008 – up from 17,930 in 2007. In some areas, police officers have even been assigned to ATMs to warn people about the problem.
The Japan Times first reported the problem back in 2003. In that year alone, 2,768 victims parted with 2.26 billion Yen (about £17 million).
Social engineering is a kind of oil that lubricates the wheels of many online scams, from phishing to eBay cons. By crafting a situation to appear as authentic and as urgent as possible, such techniques can be used to get whatever you want, and this extends to gaining physical access to areas from which you might otherwise be barred.
The key is to appear as if you're supposed to be there by preying on the assumption of others.
Direct access
The simplest method is simply to tailgate someone. That is, to have someone hold an otherwise secure door open for you while you follow them through it on the pretext of having left your security pass inside.
A classic method of carrying out this attack is to find out where a company's smokers go to indulge in their habit. Simply hanging around holding a lit cigarette (no need to inhale if you don't smoke) can be enough to establish you as someone with a right to be there.
When someone makes a move to return to the building, simply patting your pockets, uttering an expletive and asking if they can let you in is usually enough to gain access. The lesson here is never to let anyone into a building who isn't personally known to you.
Give and take
Another social engineering attack, called a quid pro quo (Latin for 'something for something'), can offer instant access to a company's systems, passwords and other information – as long as the attacker seems to be giving something in return.
A very popular form of this attack is common in the US. The attacker, having discovered the range of direct dial numbers for the target company, will call each of them in a random order under the pretext of being from the IT department and returning a call to the help desk.
The idea is that eventually he'll stumble on someone who really does need help with an IT problem. The victim is more than happy to do whatever the caller says in exchange for the quid pro quo immediate fix – including turning off antivirus protection, then downloading and installing malware to their PC in the guise of setting up software patches.
Weeding out social engineers from legitimate callers is simple. The golden rule is: if what you hear seems too good or convenient to be true, it usually is. If you're in any doubt that you're dealing with a legitimate caller, especially if you received the call unexpectedly and the person at the other end is demanding a high level of personal detail, don't become angry or abusive, especially if you have caller ID and the caller has withheld their number.
A better idea is to say you're busy, ask for a phone number and say you'll call them back at a time convenient to you. If the person at the other end is making a legitimate enquiry, he or she will be more than willing to give you their contact details and a problem number as a reference. If the caller makes excuses, or insists on the required information being given immediately, you know you're likely to be talking to a social engineer.
In situations like this, state your suspicions calmly and clearly, then wait silently for a reply. It's likely that the line will go dead as the scammer realises that the game is up.





Buying Guide: Mac mini vs iMac: which is the best value?
The price difference between Apple's cheapest and most expensive Macs is huge. The Mac mini costs £649, but if you've lots to spend and you configure your Mac of choice at the online Apple store, you could spend tens of thousands. We're not going that crazy here.
For this technological take on David versus Goliath, we're pitching the Mac mini against the iMac, the top-of-the-range 27-inch model with a 256GB solid-state drive alongside its off-the-shelf 1TB hard drive. It's an intriguing battle.
Both machines are consumer-oriented, unlike the Mac Pro which is more of a business computer. And although the iMac is obviously far more powerful, at £2,249, it's also a lot more expensive. If money was no object it would demolish the far cheaper Mac mini, but as it stands, it must work really hard to justify the £1,600 price difference. So which Mac offers better value for money?
The Mac mini, with its (relatively) low price and a performance that's fine for day-to-day computing, or the mighty top-of-the-range iMac, boasting incredible power, a gorgeous display and a solid-state drive? We devised a series of tests to put them through their paces.
Apple's entire iMac range has now moved to Intel's new Core-i series chips. The one on test here has an immensely powerful quad-core 2.8GHz Core i5 processor with some significant performance enhancing features.
Turbo Boost, which is lacking on the Core i3 chips used by the rest of the iMac range, shuts down inactive cores and boosts the power of active ones for increased clock speed. Also, an integrated memory controller limits the time the CPU spends waiting for data to arrive.
Unfortunately for the Mac mini, a legal dispute prevents Nvidia graphics chipsets from being integrated into Core-i processors, and the mini's small form factor makes it impossible to include discrete graphics. As a Core i3 processor without a discrete GPU would be a backwards step in graphics power, Apple was forced to stick with the older Core 2 Duo processor in the Mac mini, opting for a 2.4GHz version with the mid-2010 release.
For our first test, we used the popular benchmarking utility Xbench to see how the processors compared. Xbench can test a wide range of Mac ecosystems such as hard drives, memory, threads and OpenGL, but here we restricted it to benchmarking the processor.
Taking the average of three tests, the iMac scored 225.36, with the Mac mini coming in at 170.9. A convincing win for the iMac, but considering the price difference, the mini was far from disgraced.
Handbrake
Raw benchmarks can be a little nebulous, so we next tried a real-world test. After downloading the popular – and extremely processor-intensive – video conversion utility Handbrake, we encoded a five-minute test video using its Apple TV output settings.
The iMac managed it in 175.5 seconds, whereas the Mac mini took 520 seconds, almost three times as long. But given the iMac costs almost three and a half times as much as the mini, Apple's small form factor Mac once again held its own.
Glorious graphics
On paper, the iMac's graphical capabilities roundly trounce the Mac mini's. Its ATI Radeon 5750 with 1GB of onboard GDDR5 SDRAM is a significant step up from the HD 4850 with 512MB used by the previous generation's top-of-the-range iMac.
As the mini doesn't have room on the logic board for discrete graphics, it uses an integrated Nvidia GeForce 320M chipset. This isn't such a weak option. The 320M is currently the fastest integrated graphics solution available, and it's up to twice as fast as the Nvidia GeForce 9400M used before.
We tested with Cinebench 11.5, a tool that gives comparable ratings for 3D rendering. Again taking the best of three tests, in order to focus on the graphics card we recorded the OpenGL score rather than the CPU benchmark we use for our graphs in Mac reviews. This test renders a complex 3D scene using almost a million polygons and a range of advanced graphical effects.
The Mac mini achieved an average running speed of 11.57 frames per second, which is pretty good considering the complexity of the scene being rendered. The iMac, however, scored a smooth 32.07FPS – almost three times the rate offered by the mini.
Doom 3
It's a similar story with our test game, Doom 3. After setting the screen resolution to 1024x768 pixels and cranking graphical effects to Ultra Quality, the Mac mini ran it at an average of 54.2FPS, which is far from shabby. But the iMac managed a scorching 185.3FPS, almost three and a half times as quick as the mini.
This figure is on a par with their comparative costs, but hard-core gamers will appreciate the super-speedy frame rates offered by the iMac. Everything feels snappier and more responsive.
So the Mac mini is no slouch in the graphics department, but for high-intensity tasks such as gaming and rendering, you likely want an iMac.
A study in storage
The Mac mini has a standard 320GB hard drive, with the iMac offering a 1TB hard drive and an extra 256GB solid-state drive used as the boot volume. This SSD is the main reason our test iMac costs so much, adding £600 to the price of the off-the-shelf, 2.8GHz Core i5 machine. Clearly it's not cheap, but is it worth it?
We fired up a copy of QuickBench to test the speeds of the two Macs' boot volumes – in other words, the Mac mini's 320GB, 5400rpm hard drive, and the iMac's 256GB solid-state drive. Unsurprisingly, the iMac's SSD proved faster, but the degree by which it outpaced its rival was aggravated by the Mac mini's relatively slow hard drive. At 5400rpm, it's substantially slower than the secondary 1TB 7200rpm HDD used in the iMac.
QuickBench
The iMac's solid-state drive outpaced the Mac mini's hard drive by over 250% in the sequential read and write tests. In the random read/write tests, which are more relevant to the real world, it was 830% and 628% faster respectively.
Naturally, applications launched a lot faster on the iMac, with the iWork apps bouncing only once in the Dock before opening. On the mini, they took between two bounces (Pages) and 10 (Numbers).
To test the iMac further, we tried opening iPhoto, iCal, Address Book, Safari and all three iWork apps simultaneously. They opened just as quickly. Watching seven icons bounce once as the screen fills with windows is surreal. You see a lot less of the dreaded beach ball when using the iMac, especially if you regularly have lots of applications open at the same time.
On display
When comparing monitors, you might expect a clear win for the iMac, as the mini doesn't have one. But could this be an advantage?
The 27-inch iMac's screen is a gorgeous IPS display, with excellent viewing angles and a 16:9 aspect ratio. Its pixel resolution of 2560x1440 is beyond HD, and its LED backlighting brings it to full brightness as soon as you switch it on.
But the mini has a HDMI port, and is supplied with an adapter so you can connect it through DVI instead if you wish. This means it can be connected to pretty much any modern display. It can be any size – as cheap or as expensive as you like – and if you don't like glossy screens, you can opt for a matte display.
The iMac is only supplied with a glossy screen; there isn't even a custom option for matte, which is especially galling considering every MacBook Pro except the 13-inch model has an anti-glare option.
There's nothing wrong with the iMac's screen; quite the opposite, in fact. But if it isn't to your personal tastes, or if you already have a monitor going unused, the Mac mini's lack of a supplied display could work in its favour.
Wired for sound?
Both of our machines have built-in audio, but they're both pretty bad. Using iTunes on the iMac, our test music sounded tinny and lacking in bass and depth. There was no great stereo separation, and it did nothing to shape the sound. It was the same story on the Mac mini, just with no stereo separation at all.
Naturally, if you're only going to use your computer for web surfing, email and basic computing tasks, the internal audio might be sufficient for your needs. But if you plan to put your machine to any sort of multimedia use such as music or video, you should invest in external speakers.
A host of extras?
The iMac offers everything you need to get your computer up and running, but the mini only gives you a base Mac – you must add any required peripherals yourself. And some of them are definitely required. You won't get far without a keyboard and mouse, and unlike the iMac, the mini has no built-in iSight webcam.
Yet what we said about monitors also applies here, perhaps even more so. You might well have a spare mouse or keyboard lying around unused, and even if you do need to go out and buy something, with the Mac mini, you get to choose what you use.
Apple keyboards and the Magic Mouse are, of course, available from your local Apple store, but you don't have to go down the Apple route – not everyone likes the Magic Mouse. If you'd prefer a more traditional design with two buttons and a scroll wheel, chances are you can find one for less than half the price of the mouse that's bundled with the iMac.
You could even forego the mouse altogether and opt for an alternative navigation device, such as a trackball, Magic Trackpad, or even a graphics tablet and stylus!
Mac mini
So is a Mac mini better value than an iMac? Ultimately, yes. As our tests showed, on a price-to-performance ratio, Apple's small form-factor machine certainly holds its own against a high-end iMac with a costly solid-state drive. It's very capable for its size, and more than powerful enough for day-to-day computing tasks such as email, web surfing and word processing.
The mini enjoys a couple of key advantages over the iMac too. It has a HDMI-out port, making it ideal as a living-room media centre Mac, and its size means it's extremely portable, especially now the power supply is built into the casing. If you really wanted you could set up a monitor and keyboard at home and at work, and carry the mini between them with ease. You certainly wouldn't want to do this with a 27-inch iMac!
Yet if you crave that all-in-one experience, or you really want to play the latest 3D games, then the iMac is clearly the machine of choice - the mini just can't compete as a games machine. Whether you buy a Mac mini or a top-of-the-range iMac or something in between is entirely up to you.
We hope we've gone some way towards making up your mind. Don't discount the mini just because it's small. And don't forget the MacBook range, too! All Macs have their strengths and weaknesses, and their own role to play in Apple's Mac line-up.




Review: Scrivener 2.0
Plenty of writing tools exist, but few are specifically designed for writers. Even fewer are developed by a writer, but Scrivener is a rare exception, designed by Keith Blount to plug a perceived gap in the market.
Rather than joining Pages and Word in the headlong rush towards desktop-publishing-style layouts within word processors, it instead arms you with powerful tools that prove hugely beneficial for dealing with complex and lengthy writing projects.
Although you can use Scrivener to bash out reams of copy in a linear fashion, doing so misses the point. The application is also good for cobbling together articles, scripts and essays.
Built-in templates get you started with various kinds of projects, each providing a structural overview in the Binder sidebar; here, you can add further folders and text files, rearranging them by drag-and-drop. When you're done, your masterpiece can be exported in various formats, using Scrivener's initially baffling but nonetheless powerful Compile sheet.
Templates
With the writer in mind
At this point, Scrivener probably sounds like a user-friendly outline view in Pages or Word, but its other features take it far beyond those products when it comes to project management. You can dump all manner of research into the Binder, including images, text files and web pages.
Furthermore, the folders within can have context-sensitive icons applied (characters, locations and so on).
Scrivener's views are also well-suited to the process of writing – you can pick between composite, outline, corkboard or Page views. The last of those is new, and is particularly useful for scriptwriters.
Outline and corkboard have been upgraded; the former now boasts sortable columns, which offer more than a dozen titles (such as Progress and Status) and the corkboard – a digital index board for sub-document synopses and other notes – now provides a free-form mode. This alone will justify Scrivener's $25 (£17) upgrade fee for many, since it provides a wonderfully tactile way to rearrange a project's documents.
Also, a new Collections feature in the Binder provides further scope for experimenting with alternate structures, without affecting your main project.
The more you explore Scrivener 2.0, the more you find. Often, you'll think "I wish there was a writing app that could do…" and you'll find Scrivener does it: snapshots with revision comparison; automated backups and sync with mobile apps such as Dropbox; a full-screen mode; quick reference panels (think Quick Look, but with editable content); split-pane viewing; user-definable count targets. It's all there, and, amazingly, it's generally pretty easy to access and use, along with being really robust and stable.
Essential app
As with the original Scrivener, the latest version is perhaps an acquired taste – more so with the new features adding another layer of complexity.
But then this app has never been about appealing to the masses – if you're looking to bang out a letter, stick with Pages; but if you want the best tool around for organising thoughts and writing projects, Scrivener is a no-brainer purchase.




1 comment:

Average Running Speed said...

too much knowledge makes hacker!