social engineering 101 or the art of how you got … · social engineering 101 or the art of ......
TRANSCRIPT
@NTXISSA
Social Engineering 101 or The Art of
How You Got Owned by That Random
Stranger
Steven Ha/ield aka @drb0n3z
Security Systems Senior Advisor
Dell
4/25/2015
@NTXISSA
About Me
• 8 year Army veteran
• Currently studying for Bachelors of Science
in CyberSecurity at UMUC
• 4 year Security Goon at DEF CON
• 3 year Social Engineer Village volunteer at
DEF CON
• 1 year Security staff at Derbycon
NTX ISSA Cyber Security Conference – April 24‐25, 2015 2
@NTXISSA
Social Engineering 101
• DefiniXons
• History
• Social Engineering Framework
• SET – Social Engineering Toolkit
• Categories
• Examples
• ProtecXon
• Resources
• QuesXons
NTX ISSA Cyber Security Conference – April 24‐25, 2015 4
@NTXISSA
DefiniEon
• Social Engineering (SE) is a blend of science, psychology and art. While it is amazing and complex, it is also very simple.
• We define it as, “Any act that influences a person to take an ac2on that may or may not be in their best interest.” We have defined it in very broad and general terms because we feel that social engineering is not always negaXve, but encompasses how we communicate with our parents, therapists, children, spouses and others.
NTX ISSA Cyber Security Conference – April 24‐25, 2015 5
hdp://www.social‐engineer.org/
@NTXISSA
DefiniEon
• Social engineering is the art of manipulaXng people so they give up confidenXal informaXon. The types of informaXon these criminals are seeking can vary, but when individuals are targeted the criminals are usually trying to trick you into giving them your passwords or bank informaXon, or access your computer to secretly install malicious sofware–that will give them access to your passwords and bank informaXon as well as giving them control over your computer.
NTX ISSA Cyber Security Conference – April 24‐25, 2015 6
hdp://www.webroot.com/us/en/home/resources/Xps/online‐shopping‐banking/secure‐what‐is‐social‐engineering
@NTXISSA
History
• The term sociale ingenieurs was introduced in
an essay by the Dutch industrialist J.C. Van
Marken in 1894. The idea was that modern
employers needed the assistance of specialists
—"social engineers"—in handling
the human problems of the planet, just as they
needed technical experXse (ordinary engineers)
to deal with the problems of dead mader
(materials, machines, processes). …
NTX ISSA Cyber Security Conference – April 24‐25, 2015 8
@NTXISSA
Social Engineering Framework
• Social Engineering Defined
• Categories of Social Engineers • Hackers
• PenetraXon Testers
• Spies or Espionage
• IdenXty Thieves
• Disgruntled Employees
• InformaXon Brokers
• Scam ArXsts
• ExecuXve Recruiters
• Sales People
• Governments
• Everyday People
NTX ISSA Cyber Security Conference – April 24‐25, 2015 9
• Why Adackers Might Use Social Engineering
• Typical Goals
• The Adack Cycle
• Common Adacks • Customer Service
• Delivery Person
• Phone
• Tech Support
• Real World Examples • Con Men
• Crime VicXms
• Phishing
• PoliXcians
@NTXISSA
• The Social‐Engineer Toolkit (SET) was created and wriden by the founder of TrustedSec. It is an open‐source Python‐driven tool aimed at penetraXon tesXng around Social‐Engineering. SET has been presented at large‐scale conferences including Blackhat, DerbyCon, Defcon, and ShmooCon. With over two million downloads, SET is the standard for social‐engineering penetraXon tests and supported heavily within the security community.
• The Social‐Engineer Toolkit has over 2 million downloads and is aimed at leveraging advanced technological adacks in a social‐engineering type environment. TrustedSec believes that social‐engineering is one of the hardest adacks to protect against and now one of the most prevalent. The toolkit has been featured in a number of books including the number one best seller in security books for 12 months since its release, “Metasploit: The PenetraXons Tester’s Guide” wriden by TrustedSec’s founder as well as Devon Kearns, Jim O’Gorman, and MaX Aharoni.
NTX ISSA Cyber Security Conference – April 24‐25, 2015 10
SET – Social Engineer Toolkit
@NTXISSA
Examples ‐ Common
• Customer Service
• Delivery Person
• Phone
• Tech Support
• Con Men
• Crime VicEms
• Phishing
• PoliEcians
NTX ISSA Cyber Security Conference – April 24‐25, 2015 13
@NTXISSA
Examples ‐ Real World
• The Overconfident CEO
In one case study, Hadnagy outlines how he was hired as an SE
auditor to gain access to the servers of a prinXng company which had
some proprietary processes and vendors that compeXtors were afer.
In a phone meeXng with Hadnagy's business partner, the CEO
informed him that "hacking him would be next to impossible"
because he "guarded his secrets with his life.”
"He was the guy who was never going to fall for this," said Hadnagy.
"He was thinking someone would probably call and ask for his
password and he was ready for an approach like that.” …
NTX ISSA Cyber Security Conference – April 24‐25, 2015 14
hdp://www.csoonline.com/arXcle/2126983/social‐engineering/social‐engineering‐‐3‐examples‐of‐human‐hacking.html
@NTXISSA
Examples ‐ Real World
• The theme‐park scandal
The target in this next case study was a theme park client that was concerned about
potenXal compromise of its XckeXng system. The computers used to check‐in patrons also
contained links to servers, client informaXon and financial records. The client was concerned
that if a check‐in computer was compromised, a serious data breach might occur.
Hadnagy started his test by calling the park, posing as a sofware salesperson. He was
offering a new type of PDF‐reading sofware, which he wanted the park to try through a trial
offer. He asked what version they were currently using, got the informaXon easily, and was
ready for step two. …
NTX ISSA Cyber Security Conference – April 24‐25, 2015 15
hdp://www.csoonline.com/arXcle/2126983/social‐engineering/social‐engineering‐‐3‐examples‐of‐human‐hacking.html
@NTXISSA
Examples ‐ Real World
• The hacker is hacked
Hadnagy gives a third example showing how social engineering was used for defensive
purposes. He profiles 'John,' a penetraXon tester hired to conduct a standard network pen
test for a client. He ran scan using Metasploit, which revealed an open VNC (virtual network
compuXng) server, a server that allows control of other machines on the network.
He was documenXng the find with the VNC session open when, suddenly, in the background,
a mouse began to move across the screen. John new it was a red flag because at the Xme of
day this was happening, no user would be connected to the network for a legiXmate reason.
He suspected an intruder was on the network. …
NTX ISSA Cyber Security Conference – April 24‐25, 2015 16
hdp://www.csoonline.com/arXcle/2126983/social‐engineering/social‐engineering‐‐3‐examples‐of‐human‐hacking.html
@NTXISSA
Examples ‐ Real World
• Price‐Matching Scam
NTX ISSA Cyber Security Conference – April 24‐25, 2015 17
@NTXISSA
Examples ‐ Real World
• Evil Maid aQacks
NTX ISSA Cyber Security Conference – April 24‐25, 2015 18
@NTXISSA
Examples ‐ Real World
• Stuxnet
…
Stuxnet – delivered via USB sXcks lef around the Iranian site in a
classic "social engineering" adack – used unpatched Windows
vulnerabiliXes to get inside the SCADA at Iran's Natanz enrichment
plant. It then injected code to make a PLC speed up and slow down
centrifuge motors – wrecking more than 400 machines. Siemens
made both the SCADA (WinCC) and the PLC (S7‐300) adacked by
Stuxnet.
…
NTX ISSA Cyber Security Conference – April 24‐25, 2015 19
hdp://www.newscienXst.com/arXcle/dn20298‐stuxnet‐analysis‐finds‐more‐holes‐in‐criXcal‐sofware.html
@NTXISSA
Examples ‐ Real World
• Sing‐o‐gram ‐ Michelle from SE crew
…
Next, Chris and I packed our dark glasses and super‐spy cameras and headed to the client’s
locaXons. Four buildings, three days, two states, no sleep. This parXcular client faces some
big challenges when it comes to physical plant security, not the least of which is sharing
buildings with other companies and retailers open to the general public. Despite having a
great physical security team and RFID badging, we were able to gain access to most of their
secured locaXons pretexXng as inspectors and yes, a singing telegram (I’ll let you guess who
got to do that one). We didn’t really need to do a lot of sneaky stuff; we took advantage of
high traffic Xmes and locaXons, acted like we belonged there, and exploited people’s general
helpfulness. Using these principles, we accessed areas such their corporate mailroom, NOC,
and execuXve offices and roamed freely without ever being stopped.
…
NTX ISSA Cyber Security Conference – April 24‐25, 2015 20
hdp://www.social‐engineer.org/newsleder/social‐engineer‐newsleder‐vol‐05‐issue‐57/
@NTXISSA
Examples ‐ Real World
• News Reporter ‐ “Bob”
“I've goden myself into a building by claiming to be interviewing
them for a blog and then spending all day taking pictures and
plugging flashdrives in to “print stuff“”
NTX ISSA Cyber Security Conference – April 24‐25, 2015 21
@NTXISSA
ProtecEon
• Obviously, never give out confidenXal informaXon.
• Safeguard even inconsequenXal informaXon about yourself.
• Lie to security quesXons, and remember your lies.
• View every password reset email with skepXcism.
• Watch your accounts and account acXvity.
• Diversify passwords, criXcal services, and security quesXons.
NTX ISSA Cyber Security Conference – April 24‐25, 2015 22
@NTXISSA
Resources
• hdp://www.social‐engineer.org/
• hdps://www.social‐engineer.com/
• hdps://www.trustedsec.com/social‐engineer‐toolkit/
• hdp://www.amazon.com/Christopher‐Hadnagy/
• hdp://www.social‐engineer.org/category/podcast/
• DEFCON 23 CTF
• hdp://www.derbycon.com/
• hdp://defcon.org/
• hdp://www.amazon.com/Joe‐Navarro/
NTX ISSA Cyber Security Conference – April 24‐25, 2015 23