Social Engineering: To Err Is Human
null Pune Chapter - September 2012 Meet
Agenda
• What is it?
• Real life cases
• Traits exploited
• Phishing
• Methodology
• Scenarios
• Tricks of the trade
• Physical pen testing?
• Defenses
• Game
• Demo!
Perception
• The human link is the weakest in the security chain.
• Authority, slow response, fear & anxiety.
Watch it!
• Hackers
• Mentalist
• Rockford Files
• James Bond!
• http://www.youtube.com/watch?v=q7V4U2RUaeg&feature=related
What is it? Engineering the Socials & The Rest
Manipulation of human trust (and traits) to elicit information. This can then be used to directly or indirectly steal data, identity, money, etc., gain access to systems, or further manipulate others, for financial gain or otherwise.
In an engagement it means getting past the combination of standard security checks by engineering and ethically manipulating the processes, trust levels and human side of the company's day-to-day operations.
Modes:
• Human based
• Computer based
Traits Exploited (generally ;P)
Through:
• Situations
• Urgency
• Impersonation (partially known factors)
• Persuasion
• Request
• Orders/demand
• ...
• Technology [modems, malware, OSINT, exploits, phishing, spoofing, websites, other computer-based techniques and the help desk ;)]
Traits:
• Helplessness
• Guilt
• Anxiety
• Fear (of authority)
• Trust
• Moral duty
• Helpfulness
• Cooperation
• Delegated responsibility
Phishing - Vishing
2003 saw the proliferation of a phishing scam in which users received e-mails supposedly from eBay, claiming that the user's account was about to be suspended unless a link provided was clicked to update a credit card (information the genuine eBay already had). Because it is relatively simple to make a web site resemble a legitimate organization's site by mimicking its HTML, the scam counted on people being tricked into thinking they were being contacted by eBay and were going to eBay's site to update their account information. By spamming large groups of people, the "phisher" counted on the e-mail being read by a percentage of people who had legitimately listed credit card numbers with eBay and might respond.
Phone phishing (vishing) uses a fake IVR: the victim is told to call a number and "verify" account details. A typical system rejects log-ins continually, so the victim enters PINs or passwords multiple times, often disclosing several different passwords.
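The eBay mail above has several machine-checkable tells: a display name that claims a brand the sending domain does not own, a link whose visible text names one host while its href points at another (or at a bare IP), and urgency wording. The following is an added example, not from the talk or its sources, that scores a constructed message on those tells; the headers, the sender domain ebay-account-verify.test and the IP address 198.51.100.23 are placeholders. The checks are deliberately crude (the last two DNS labels stand in for the registered domain) and belong in the "content management and filtering" layer listed under Defenses, not in place of it.

```python
"""Flag the tells of an 'update your account or be suspended' phishing mail.
Added example for the null Pune slides, not from the talk. Both messages
below are constructed; the sender domain and the IP address are placeholders."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Wording that manufactures urgency / fear of authority (traits listed in the talk).
URGENCY = ("suspended", "immediately", "within 24 hours", "verify your",
           "update your credit card")


class _BodyParser(HTMLParser):
    """Collect all visible text plus (href, visible text) for every <a>."""
    def __init__(self):
        super().__init__()
        self.text, self.links = [], []
        self._href, self._atext = None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._atext = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._atext.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._atext).strip()))
            self._href = None


def _host(s):
    """Hostname of a URL or of a bare 'www.example.com' string, lower-cased."""
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


def _sld(host):
    """Crude registered-domain label: 'ebay' for signin.ebay.com."""
    labels = host.split(".")
    return labels[-2] if len(labels) >= 2 else host


def _same_org(a, b):
    return a.split(".")[-2:] == b.split(".")[-2:]


def _looks_like_url(text):
    return bool(re.fullmatch(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", text, re.I))


def analyze(raw_message):
    """Return a list of human-readable findings for one message; [] means clean."""
    msg = message_from_string(raw_message)
    findings = []
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_host = from_addr.rpartition("@")[2].lower()
    brand = re.sub(r"[^a-z0-9]", "", display_name.lower())
    # Lookalike sender: the brand word sits inside the domain but is not its
    # registered label ("ebay-account-verify.test" poses as eBay; "ebay.com" does not fire).
    if brand and brand in from_host and _sld(from_host) != brand:
        findings.append(f"sender: display name {display_name!r} but address domain is {from_host}")

    parser = _BodyParser()
    parser.feed(msg.get_payload())          # samples are single-part text/html
    for href, text in parser.links:
        h = _host(href)
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", h):
            findings.append(f"link: raw IP address {h} instead of a hostname")
        if _looks_like_url(text) and not _same_org(_host(text), h):
            findings.append(f"link: text shows {_host(text)} but href goes to {h}")
        if not _same_org(h, from_host):
            findings.append(f"link: {h} is outside the sender's domain {from_host}")

    body = " ".join("".join(parser.text).split()).lower()   # collapse line breaks
    hits = [p for p in URGENCY if p in body]
    if hits:
        findings.append("urgency: " + ", ".join(hits))
    return findings


def is_suspicious(raw_message, threshold=2):
    """Two independent tells are enough to quarantine the mail for a human look."""
    return len(analyze(raw_message)) >= threshold


# Constructed sample: the 2003-style "your account will be suspended" mail.
SAMPLE_PHISH = """\
From: "eBay" <service@ebay-account-verify.test>
To: victim@example.test
Subject: Your account will be suspended
Content-Type: text/html; charset=us-ascii

<html><body>
<p>Dear valued member,</p>
<p>Your eBay account will be suspended within 24 hours unless you update
your credit card details.</p>
<p><a href="http://198.51.100.23/cgi-bin/signin">http://signin.ebay.com/ws/eBayISAPI.dll</a></p>
</body></html>
"""

# Constructed sample: an ordinary notification from the real domain.
SAMPLE_LEGIT = """\
From: "eBay" <noreply@ebay.com>
To: victim@example.test
Subject: Your item sold
Content-Type: text/html; charset=us-ascii

<html><body><p>Congratulations, your item sold.
<a href="https://www.ebay.com/sh/ord">View order</a></p></body></html>
"""

if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, is_suspicious(raw), analyze(raw))
```

On the constructed phish the analyzer reports five findings (lookalike sender, raw IP, text/href host mismatch, link outside the sender's domain, urgency wording) and none on the legitimate notification. The sender check only fires when the brand name appears inside a domain that is not the brand's own, so a person's display name or the real ebay.com does not trip it; the "outside the sender's domain" check is the weakest signal, since real newsletters often link to tracking hosts, which is why a threshold rather than any single tell decides.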
Tricks of the Trade
• Fake ID
• Fake authorization letter
• Uniform?
• Recorder
• Videos
• Bag?
• Suit up!
• Barge in!
Target
• Asset identification: information?
• "No, I don't have a gun"
• Diversion theft: "going straight out" or "urgently required somewhere else"
• Passive: tailgating, eavesdropping, shoulder surfing
• Baiting
• Cold calling
• Backdoors, rootkits, keyloggers
• Device!
Real Life Cases
• Frank Abagnale
• Victor Lustig
• Kevin Mitnick
• Badir Brothers (again)
• Mike Ridpath
Frank William Abagnale (Catch Me If You Can)
Notorious in the 1960s for passing $2.5 million worth of meticulously forged checks across 26 countries over the course of five years, beginning when he was 16 years old.
He assumed eight separate identities, including an airline pilot, a doctor, a U.S. Bureau of Prisons agent and a lawyer. He escaped from police custody twice (once from a taxiing airliner and once from a U.S. federal penitentiary).
Victor Lustig
Lustig had a forger produce fake government stationery for him and invited six scrap metal dealers to a confidential meeting. There, Lustig introduced himself as the deputy director-general of the Ministry of Posts and Telegraphs.
Lustig told the group that the upkeep on the Eiffel Tower was so outrageous that the city could not maintain it any longer and wanted to sell it for scrap. Because of the certain public outcry, he went on, the matter was to be kept secret until all the details were worked out. Lustig said he had been given the responsibility of selecting the dealer to carry out the task. The idea was not as implausible in 1925 as it would be today.
Later, Lustig convinced Al Capone to invest $50,000 in a stock deal. Lustig kept Capone's money in a safe deposit box for two months, then returned it to him, claiming that the deal had fallen through. Impressed with Lustig's integrity, Capone gave him $5,000. It was, of course, all that Lustig was after.
Cases contd.: 1st Source Information Specialists
Illinois became the first state to sue an online records broker when Attorney General Lisa Madigan sued 1st Source Information Specialists, Inc. on 20 January, a spokeswoman for Madigan's office said. The Florida-based company operates several web sites that sell mobile telephone records, according to a copy of the suit. The attorneys general of Florida and Missouri quickly followed Madigan's lead, filing suit on 24 and 30 January respectively against 1st Source Information Specialists and, in Missouri's case, one other records broker, First Data Solutions, Inc. The social-engineering angle: such records are obtained by pretexting, i.e. phoning the carrier and posing as the subscriber.
Methodology
• Physical security: dumpster diving, shoulder surfing, eavesdropping, stealing remote devices, covert entry/exit, impersonation, dressing, IDs, badges, etc.
• Perimeter security
• General intelligence
• E-mails, phishing, websites
• OSINT: social networks, forums, portals, public knowledge
• Research
• Social engineering ;)
• ...
Scenarios - 1: Social Engineering
• TRUST
• Involves - C*****S****
• "They asked a janitor for a garbage pail in which to place their contents and carried all of this data out of the building in their hands."
• You have won "$100,000"!
• LUCK
Mr. Smith: Hello?
Caller: Hello, Mr. Smith. This is Fred Jones in tech support. Due to some disk space constraints, we're going to be moving some users' home directories to another disk at 8:00 this evening. Your account will be part of this move, and will be unavailable temporarily.
Mr. Smith: Uh, okay. I'll be home by then, anyway.
Caller: Good. Be sure to log off before you leave. I just need to check a couple of things. What was your username again, smith?
Mr. Smith: Yes. It's smith. None of my files will be lost in the move, will they?
Caller: No sir. But I'll check your account just to make sure. What was the password on that account, so I can get in to check your files?
Mr. Smith: My password is tuesday, in lower case letters.
Caller: Okay, Mr. Smith, thank you for your help. I'll make sure to check your account and verify all the files are there.
Mr. Smith: Thank you. Bye.
[Taken from Melissa Guenther]
What I call a chain reaction.
Defenses: Layered Security
Layers: physical, process, tech.
• Least privilege
• Password policy
• Access controls
• Safe disposal
• Removable device policy
• Up-to-date set-up
• Content management and filtering
• Change management
• Monitoring
• Awareness
References
• http://www.symantec.com/connect/articles/social-engineering-fundamentals-part-i-hacker-tactics
• https://www.trustedsec.com/
• http://en.wikipedia.org/wiki/Social_engineering_(security)
• http://www.social-engineer.org/se-resources/