Information Systems 365/765: Information Systems Security and Strategy
Lecture 7: Social Engineering
Today’s Chocolate Bar
• Nestle Crunch, created in 1938
• Current slogan is “For the kid in you”….BORING
• Bunch-a-crunch controversy
• "Betcha Can't Crunch This!"
WARNING
• I use REAL people as examples in this presentation
• I do this not to mock them, or intimidate them, but to impress upon them in the most real way I know of, the importance of sharing information about themselves only on a “need to know basis” in public forums
Social Engineering
• No matter how many security measures you introduce, there is one which proves to be the most challenging…
• How do we secure human beings?
Social Engineering Defined
• The use of psychological tricks in order to get useful information about a system
• Using psychological tricks to build inappropriate trust relationships with insiders
Kevin Mitnick
• World’s most famous Social Engineer
• “The weakest link in the security chain is the human element”
• Half of his exploits involved using social engineering
• See the master in action!
Social Engineering
• Social Engineering goes back to the first lie ever told and will continue into the future.
• Social Engineering is successful because people are generally helpful, especially to those who are:
• Nice
• Knowledgeable
• Insistent
Three Primary Methods of Social Engineering
• Flattery
• Authority Impersonation
• Threatening Behavior
Helpful By Default
• We don’t see a motive to hack our network. “If I see it everyday, it can’t be important.“
• Industrial Espionage
• Revenge
• Just for fun
How Does It Happen?
• “An ounce of prevention is worth a pound of cure!”
• The Social Engineer uses simple information found online, or by making a basic phone call into the office
• That stuff really isn’t that easy to get…Don’t be dramatic!
Let’s Set Up a Case Scenario Using a Method Called Pretexting
• Meet Angry Cow
• Computer Science Student at UW-Madison
• Angry Cow just got an eviction notice
Case Continued – Simple Public Information is Found
• Angry Cow lives at the Regent
• The Regent’s website indicates that it is owned by Steve Brown Properties
• Angry Cow wants to “fix” Steve Brown’s record keeping spreadsheet to show that rent has been paid
Next – Finding A Way In…
• Facebook is Angry Cow’s first weapon of choice because it is an unofficial source of information
• Poor controls over data sharing
• Lots of important information there that might not seem important, but could be his first step in…
• Go to Facebook and search: “Steve Brown Apartments” to find an appropriate unknowing accomplice
Let’s See – Danielle Treu
• Born July 24, 1988
• Enjoys playing in the rain, drinking coffee and spending money
• Works at Subway and as a Resident Assistant for Steve Brown Apartments
Let’s See – David Klabanoff
• Born April 21, 1979
• Likes Star Wars and The Muppet Movie
• Is a Concierge for Steve Brown Apartments
Let’s See – Andrew Baldinger – I think I might know this guy!
• March 30, 1986
• Likes kayaking, exploring, and getting lost
• Lives at the Regent
• Works as a Technology Support Specialist for Steve Brown Apartments!
Let’s Start with Danielle Treu
• Her Facebook profile is public, but she is intelligent. She keeps her contact information private
• But, her profile does say that she attends UW-Madison…
• I wonder if they have some more public information about her
The Research, Phase II
• I’m so thankful for the UW Whitepages!
• Remember, this is PUBLIC information!
• I got her email address!
Establishing the Trust
• Danielle talks to David, and since David trusts Danielle as an “insider”, this trust transfers to the fake Andrew
• Angry Cow shows up later that day, David is expecting him
• Angry Cow identifies himself as Andrew and asks David for the key to the server room
The Hack
• Angry Cow gets physical access to the server and uses Ophcrack (just like we did in class to get the Admin username)
• Angry Cow logs into server and alters accounting files to indicate that his rent has been paid
Summary of This Example
• Search for public information about your target, using both official and unofficial sources
• Build a trust ladder: Julie trusts Andrew and David trusts Julie, therefore David will trust Andrew—even if “Andrew” really is Angry Cow!
• Built a credible story
• Based on PRETEXTING
Let’s Watch Another Example
• Silence of the Lambs Movie scene
• Notice how they both establish trust through the use of kindness or perceived kindness
How to Keep Social Engineering From Working
• Administrators need to:
• Establish Policies
• Train Employees
• Run Drills
• Office Workers:
• Need to be aware of Social Engineering tactics
• Follow policies
Let’s Watch the AT&T Internal Social Engineering Training Video
• Which Social Engineering techniques can you identify in the video? (Flattery, Authority, Threats)
• How would you CLASSIFY this video? (Remember Data Classification.)
• What is going on at AT&T?
Pretexting
• Pretexting is the act of creating and using an invented scenario (the pretext) to persuade a targeted victim to release information or perform an action, and is typically done over the telephone.
Pretexting
• It's more than a simple lie, as it most often involves some prior research or set-up and the use of pieces of known information (e.g. for impersonation: date of birth, Social Security Number, last bill amount) to establish legitimacy in the mind of the target.
Is This Really a Threat to Businesses? PRETEXTING
• So far, this just looks like a technique employed by angry individuals.
• Did you know that Hewlett Packard regularly engaged in Social Engineering?
• They used the method of PRETEXTING in order to get phone records
• Let’s watch the testimony of Patricia Dunn, Director of HP
Pretexting Will Likely Continue
• As most U.S. companies still authenticate a client by asking only for a Social Security Number, date of birth, or mother's maiden name, the method is effective in many criminal situations and will likely continue to be a security problem in the future.
• Pretexting is the most common form of Social Engineering
Phishing
• Phishing is the use of email as a means to extract personal information from a user
• A variant is called IVR Phone Phishing
Phishing Continued
• Direct you towards bogus (fake) websites
• Purpose is to harvest information
• PayPal example – I don’t even have a PayPal account!
• Use common sense!
• Don’t click on links directly!
• Phishing Filter!
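The lecture's advice not to click links directly rests on a concrete observation: in a phishing mail the text you see and the address the link actually opens are often different. The script below is an added example, not part of the lecture, that makes that check mechanical. It parses a constructed HTML email (modelled on the PayPal lure mentioned above) and flags three indicators: the visible link text names a different domain than the href, the href host is a lookalike of a brand in a small allow-list (the allow-list and the sample mail are constructed for this example), or the link points at a raw IP address instead of a hostname.

```python
"""Added example: flag phishing indicators in the links of an HTML email.

Checks (defensive, following the lecture's "don't click links directly"):
  1. visible link text names one domain but the href points at another;
  2. the href host is a lookalike of a brand host in KNOWN_BRAND_HOSTS;
  3. the href uses a raw IP address instead of a hostname.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allow-list: the only hosts the example treats as legitimate
# for each brand name (a real filter would use a maintained list).
KNOWN_BRAND_HOSTS = {"paypal": {"paypal.com", "www.paypal.com"}}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:          # only text inside an open <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased hostname of a URL (scheme added if the link omits it)."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def registrable(host):
    """Crude last-two-labels approximation of the registrable domain."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def link_indicators(href, text):
    """Return the list of phishing indicators for one link ([] = none found)."""
    indicators = []
    href_host = host_of(href)
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", href_host):
        indicators.append("raw-ip-host")
    # Visible text that looks like a URL or domain but disagrees with the href
    m = re.search(r"(?:https?://)?((?:[\w-]+\.)+[a-z]{2,})", text, re.I)
    if m and registrable(m.group(1).lower()) != registrable(href_host):
        indicators.append("text-host-mismatch")
    # Brand named in the text or host, but the host is not a known brand host
    for brand, hosts in KNOWN_BRAND_HOSTS.items():
        mentioned = brand in text.lower() or brand in href_host
        if mentioned and href_host not in hosts:
            indicators.append(f"{brand}-lookalike")
    return indicators


def scan_email_html(html):
    """Return [(href, text, indicators)] for every link carrying an indicator."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        found = link_indicators(href, text)
        if found:
            findings.append((href, text, found))
    return findings


# Constructed sample mail: two lure links in the style of the PayPal example
# plus one benign link that should pass.
SAMPLE_EMAIL = """
<p>Your PayPal account is limited. <a href="http://paypa1-secure.example/login">
https://www.paypal.com/verify</a></p>
<p>Or use <a href="http://192.0.2.10/pp">this link</a>.</p>
<p>Help center: <a href="https://www.paypal.com/help">www.paypal.com/help</a></p>
"""

if __name__ == "__main__":
    for href, text, found in scan_email_html(SAMPLE_EMAIL):
        print(f"{href!r} shown as {text!r}: {', '.join(found)}")
```

Running it reports the first link for both a text/host mismatch and a PayPal lookalike host, the second for its raw IP address, and nothing for the genuine help-center link. The same logic is what a mail-client phishing filter does at scale; for a human reader, hovering over the link and comparing the real address with the displayed one is the manual equivalent.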
TROJAN HORSE
• Is a virus or malware, disguised in such a way as to appeal to a person’s curiosity or greed
• Usually arrives in the form of an email with an attachment
• ILOVEYOU virus is an example of a Trojan Horse
• Adware hiding inside downloads is another example
Road Apples
• Road Apples are also known as Baiting
• Uses physical media and relies on the curiosity or greed of the victim
• USB drives or CDs found in the parking lot, with label: 3M Executive Salaries
• Autorun on inserted media
Quid Pro Quo
• Means “something for something”
• A person contacts people one by one, until he/she finds a person with a problem
• When they find a person, they “fix” their problem by introducing malware to their machine
Summary – Today’s Take Aways
• Social Engineering involves manipulating others to get access
• Main techniques are: Flattery, Authority, Threatening
• Main types are: Pretexting, Phishing, Trojan Horses and Quid Pro Quo
Ways to Combat Social Engineering
• Good security policy
• Make sure your employees understand dangers and threats
• Make sure employees understand what Data Classification means and what type of information you publicly give away