Penetration testing is a little more complex in this age, when everyone is trying to implement tough security on their systems and the time available to perform the test is significantly reduced. When you start a penetration test you want to be quick and effective and, most of all, go unnoticed. In this article we are going to discuss how shoulder surfing can be used in hacking and why it is an effective method; we will also talk about mitigations.
Just as you see in the picture below, it is simply looking over the shoulder of a computer user, or watching as someone enters their credentials on an access device.
Why is it effective?
With improvements in technology, systems are being encrypted with very strong encryption. For example, it is now very easy to encrypt laptops with up to 512bit encryption standards. Although that is not really the case with the vast majority of computer and mobile device users, systems and devices are now more secure than ever before.
One could crack those encryptions, but it would take a lot of time, hundreds of years and even more. To gain access you could just walk up to the target and ask for the password, but believe me, they will not just tell you the password unless of course they were drugged or drunk. So by looking over their shoulder you could obtain the password and use it at a later time. What makes this very effective is that people still use the same password for many different accounts: get one password and you have access to many places. Unlike using a password cracker or trying to brute force, you get instant results. Once you get the password or PIN, you can use it. And it is the easiest hack; anyone can pull it off.
The challenge!
You would need physical access. Well, in many cases business executives use their laptops even in public places like coffee shops, and sitting close to them can afford a chance to obtain a password by sight. If it is access control at a door, once you get the PIN you could use it on other occasions, for example if you want to plant an evil twin device in an office building. I find it hard to watch someone type and get the password, but with a body cam or a hidden camera you can still get a password: with the video recording you could view it in slow motion and get the keys to whatever you want.
On mobile devices.
Your eyes can help you hack a mobile device. More than once I have gained access to my friends’ devices. How did I do it? On some mobile platforms a lock pattern is an option, and I find that many people love using the lock pattern rather than a PIN or password. On touch screen devices that works to the hacker’s advantage: holding the device at an angle will reveal the last drawn pattern, because of the prints left by the user’s finger. What makes it easy is that if the pattern was a Z, for example, it could only be drawn in one of two directions, so at most 2 attempts and you are in. You will be amazed how much information you can get from a mobile device in your pentesting exercise. A caution though: some devices use the front facing camera to capture the face of anyone attempting to unlock them; you could just mask the camera and work with ease.
Mitigations
Just say "excuse me" when typing your password or entering your PIN.
Use multi-factor authentication.
Use biometrics for authentication; this is even available on mobile devices.
Type your password or enter your PIN fast.
On mobile devices with touch screens, use a PIN or password instead of a lock pattern.
You could do this. LOL!