ITI TEST 3 KEY TERMS WEEK 6/7/8
Encryption - a mathematical process that takes a message and makes it unreadable except to a person who has the key to “decrypt” it back into a readable form.
Decryption - the process of making a scrambled message or data understandable again.
Key - in cryptography, a piece of data that gives one the capability to encrypt or decrypt a message.
Data “at rest” - data that is stored somewhere; on a mobile device, laptop, server, or external hard drive. When data is at rest, it is not moving from one place to another.
Data “in transit” - information that is moving over a network from one place to another.
VPN (Virtual Private Network) - when you use a VPN, all of your computer’s internet communications are packaged together, encrypted, and then relayed to an organization on the other side of the internet, to whose network your computer is securely connected. There, the communications are decrypted, unpacked, and then sent to their destination.
HTTPS (the S stands for “secure”) - uses encryption to better protect the data you send to websites and the information they return to you, from prying eyes.
End-to-End Encryption - protects messages in transit all the way from sender to receiver. It ensures that information is turned into a secret message by its original sender (the first “end”) and decoded only by its final recipient (the second “end”). No one, including the app you are using, can “listen in” and eavesdrop on your activity.
Data - the collection of information, stats, facts, measurements, and descriptions of certain things.
Metadata - information about the digital communications one sends and receives. Examples include the subject line of emails, length of conversations, time frame in which a conversation took place, and location when communicating.
OPSEC - the process of protecting information about one’s activities that may be important to a potential adversary. It is a process that seldom goes beyond the digital realm.
SSD - a guide to protecting yourself from electronic surveillance, written for people worldwide, that includes step-by-step tutorials for installing and using a variety of privacy and security tools.
Simple Substitution Cipher - aka monoalphabetic substitution cipher, replaces single letters separately with the ones specified in a ciphertext alphabet, also called substitution alphabet, which is fixed over the entire message. The combination of the plaintext and ciphertext alphabet forms the key of this cipher.
Caesar Cipher - rotates the plaintext alphabet by a fixed number of places. The latter is called the “shift” and forms the key of this cipher.
ROT13 - replaces each letter in a message by its partner 13 characters further along the alphabet. It shifts the plaintext alphabet by half the number of characters in it. ROT13 is often found on social media platforms as a means of hiding spoilers and problem solutions from a casual glance. It provides virtually no cryptographic security.
ROT5 - rotates numbers 0-9, clouding numeric values in a message.
ROT18 - combines ROT13 and ROT5. It rotates letters and numbers separately.
ROT47 - uses all ASCII code points that range from 33 to 126 as the plaintext alphabet and rotates it by 47 characters. It can be used to obfuscate lowercase and uppercase letters, numbers, and punctuation symbols.
ROT8000 - tries to use the full Unicode Basic Multilingual Plane (BMP) category as the plaintext alphabet, which theoretically contains 65,536 characters (or 0x8000 in hexadecimal representation).
Social Engineering - any act that influences a person to take an action that may or may not be in his or her best interests. Social engineering isn’t always negative.
Smishing - stands for SMS phishing or phishing through text messages. With a simple click, one’s credentials could be stolen, malware could be loaded on one’s mobile device, and sometimes both.
Vishing - voice phishing, which has drastically increased as a vector since 2016. It is easy, cheap, and very profitable for the attacker. It is nearly impossible to locate and then catch the attacker with unknown numbers calling from outside the country.
Phishing - the most talked about topic in the world of social engineering. It is a form of attack where attackers impersonate legitimate individuals, organizations, or companies to trick people into providing information like passwords, credit card numbers, or other personal information via email, text messages, or other communication means. It is the most dangerous of the four main vectors (smishing, vishing, phishing, impersonation).
Impersonation - the act of pretending to be someone else. In the context of social engineering, this means deceiving people for malicious purposes, such as stealing someone’s name, date of birth, SSN, and financial information in order to impersonate them in fraudulent activities like opening bank accounts, applying for loans, or buying things.
OSINT or Open Source Intelligence - the lifeblood of every social engineering engagement. It is also the piece that should have the most time spent on it, which is why it occupies the first and largest piece of the pyramid. Documentation is one piece of OSINT that is rarely addressed.
Pretext Development - based on the findings from the OSINT period, the next step is to begin developing your pretexts. This is a crucial piece that is best done with OSINT in mind. In this phase, you see what changes or additions need to be made to ensure success. This is also when it is clear what props and/or tools are needed.
Attack Plan - having a pretext does not mean you are ready. The next stage is to plan out the three Ws: what, when, and who.
Attack Launch - launching the attack requires preparation, but not scripted preparation that would prevent you from being dynamic. The use of an outline is recommended, which gives you a path to follow while allowing for artistic freedom.
Reporting - a report on the attacks is important because it is the very pinnacle that the rest of the pyramid rests on.
Hacktivism - use of computer-based techniques such as hacking as a form of civil disobedience to promote a political agenda or social change.
Aaron Swartz - an agitator for free access to information on the internet who downloaded more than four million articles and reviews onto his laptop computers from a subscription-only digital storehouse. He helped develop RSS and was one of the builders of Reddit.