Information Systems 365/765: Information Systems Security and Strategy
Lecture 7: Social Engineering

Uploaded by nicholas-davis, posted 16-Jul-2015


Today’s Chocolate Bar

• Nestle Crunch, created in 1938

• Current slogan is “For the kid in you”….BORING

• Bunch-a-crunch controversy

• "Betcha Can't Crunch This!"

Warning

• I use REAL people as examples in this presentation

• I do this not to mock them, or intimidate them, but to impress upon them in the most real way I know of, the importance of sharing information about themselves only on a “need to know basis” in public forums

Social Engineering

• No matter how many security measures you introduce, there is one which proves to be the most challenging…

• How do we secure human beings?

Social Engineering Defined

• The use of psychological tricks in order to get useful information about a system

• Using psychological tricks to build inappropriate trust relationships with insiders

Kevin Mitnick

• World’s most famous Social Engineer

• “The weakest link in the security chain is the human element”

• Half of his exploits involved using social engineering

• See the master in action!

Social Engineering

• Social Engineering goes back to the first lie ever told and will continue into the future.

• Social Engineering is successful because people are generally helpful, especially to those who are:

• Nice

• Knowledgeable

• Insistent

Three Primary Methods of Social Engineering

• Flattery

• Authority Impersonation

• Threatening Behavior

Helpful By Default

• We don’t see a motive to hack our network. “If I see it every day, it can’t be important.”

• Industrial Espionage

• Revenge

• Just for fun

How Does It Happen?

• “An ounce of prevention is worth a pound of cure!”

• The Social Engineer uses simple information found online, or by making a basic phone call into the office

• That stuff really isn’t that easy to get…Don’t be dramatic!

Let’s Set Up a Case Scenario Using a Method Called Pretexting

• Meet Angry Cow

• Computer Science Student at UW-Madison

• Angry Cow just got an eviction notice

Case Continued – Simple Public Information is Found

• Angry Cow lives at the Regent

• The Regent’s website indicates that it is owned by Steve Brown Properties

• Angry Cow wants to “fix” Steve Brown’s record keeping spreadsheet to show that rent has been paid

Next – Finding A Way In…

• Facebook is Angry Cow’s first weapon of choice because it is an unofficial source of information

• Poor controls over data sharing

• Lots of important information there that might not seem important, but could be his first step in…

• Go to Facebook and search: “Steve Brown Apartments” to find an appropriate unknowing accomplice

Let’s See – Danielle Treu

• Born July 24, 1988

• Enjoys playing in the rain, drinking coffee and spending money

• Works at Subway and as a Resident Assistant for Steve Brown Apartments

Let’s See – David Klabanoff

• Born April 21, 1979

• Likes Star Wars and The Muppet Movie

• Is a Concierge for Steve Brown Apartments

Let’s See – Andrew Baldinger – I think I might know this guy!

• March 30, 1986

• Likes kayaking, exploring, and getting lost

• Lives at the Regent

• Works as a Technology Support Specialist for Steve Brown Apartments!

Let’s Start with Danielle Treu

• Her Facebook profile is public, but she is intelligent. She keeps her contact information private

• But, her profile does say that she attends UW-Madison…

• I wonder if they have some more public information about her

The Research, Phase II

• I’m so thankful for the UW Whitepages!

• Remember, this is PUBLIC information!

• I got her email address!

Primary Contact

Establishing the Trust

• Danielle talks to David, and since David trusts Danielle as an “insider”, this trust transfers to the fake Andrew

• Angry Cow shows up later that day; David is expecting him

• Angry Cow identifies himself as Andrew and asks David for the key to the server room

The Hack

• Angry Cow gets physical access to the server and uses Ophcrack (just like we did in class to get the Admin username)

• Angry Cow logs into the server and alters accounting files to indicate that his rent has been paid

Summary of This Example

• Search for public information about your target, using both official and unofficial sources

• Build a trust ladder, Julie trusts Andrew and David trusts Julie, therefore David will trust Andrew—even if “Andrew” really is Angry Cow!

• Built a credible story

• Based on PRETEXTING

Let’s Watch Another Example

• Silence of the Lambs Movie scene

• Notice how they both establish trust through the use of kindness or perceived kindness

How to Keep Social Engineering From Working

• Administrators need to:

• Establish Policies

• Train Employees

• Run Drills

• Office Workers:

• Need to be aware of Social Engineering tactics

• Follow policies

Let’s Watch the AT&T Internal Social Engineering Training Video

• Which Social Engineering techniques can you identify in the video? (Flattery, Authority, Threats)

• How would you CLASSIFY this video (remember Data Classification)

• What is going on at AT&T?

Pretexting

• Pretexting is the act of creating and using an invented scenario (the pretext) to persuade a targeted victim to release information or perform an action, and is typically done over the telephone.

Pretexting

• It's more than a simple lie as it most often involves some prior research or set up and the use of pieces of known information (e.g. for impersonation: date of birth, Social Security Number, last bill amount) to establish legitimacy in the mind of the target.

Is This Really a Threat to Businesses? PRETEXTING

• So far, this just looks like a technique employed by angry individuals.

• Did you know that Hewlett Packard regularly engaged in Social Engineering?

• They used the method of PRETEXTING in order to get phone records

• Let’s watch the testimony of Patricia Dunn, Director of HP

Pretexting Will Likely Continue

• As most U.S. companies still authenticate a client by asking only for a Social Security Number, date of birth, or mother's maiden name, the method is effective in many criminal situations and will likely continue to be a security problem in the future.

• Pretexting is the most common form of Social Engineering

Phishing

• Phishing is the use of email as a means to extract personal information from a user

• A variant is called IVR Phone Phishing

Phishing Continued

• Direct you towards bogus (fake) websites

• Purpose is to harvest information

• PayPal example – I don’t even have a PayPal account!

• Use common sense!

• Don’t click on links directly!

• Phishing Filter!

TROJAN HORSE

• Is a virus or malware, disguised in such a way as to appeal to a person’s curiosity or greed

• Usually arrives in the form of an email with an attachment

• ILOVEYOU virus is an example of a Trojan Horse

• Adware hiding inside downloads is another example

Road Apples

• Road Apples are also known as Baiting

• Uses physical media and relies on the curiosity or greed of the victim

• USB drives or CDs found in the parking lot, with label: 3M Executive Salaries

• Autorun on inserted media
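The Road Apple attack above depends on the operating system launching whatever is on the inserted media. As an added defensive example (not part of the lecture), this PowerShell snippet audits and hardens the Windows AutoRun policy; the function names are my own, the registry value NoDriveTypeAutoRun is the real Windows policy setting.

```powershell
# Added example (not from the lecture): audit and harden the Windows AutoRun policy
# so that media picked up in a parking lot cannot launch code merely by being inserted.
# NoDriveTypeAutoRun is a bitmask of drive types for which AutoRun is DISABLED:
#   0x04 = removable drives (USB), 0x20 = CD/DVD, 0xFF = every drive type.
# Note: Windows 7 and later already ignore autorun.inf on USB sticks; the policy
# still governs optical media and AutoPlay, so 0xFF is the safe, uniform setting.
$PolicyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$Hardened   = 0xFF

function Get-AutoRunPolicy {
    # Returns the current value, or $null if the policy has never been set
    # (an unset policy leaves the OS default, which still permits AutoRun on CDs).
    $item = Get-ItemProperty -Path $PolicyPath -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.NoDriveTypeAutoRun
}

function Test-AutoRunHardened {
    param($Value)
    # Weak: unset, or any value that leaves the removable (0x04) or optical (0x20)
    # bit clear. Hardened: both bits set (0xFF sets all of them).
    return ($null -ne $Value) -and (($Value -band 0x24) -eq 0x24)
}

function Set-AutoRunHardened {
    # Create the policy key if it is missing, then write the DWORD.
    # Requires an elevated (administrator) shell.
    New-Item -Path $PolicyPath -Force | Out-Null
    New-ItemProperty -Path $PolicyPath -Name NoDriveTypeAutoRun -Value $Hardened `
        -PropertyType DWord -Force | Out-Null
}

$current = Get-AutoRunPolicy
if (Test-AutoRunHardened $current) {
    Write-Output ("AutoRun already disabled for removable and optical media (0x{0:X2})" -f $current)
} else {
    $shown = if ($null -eq $current) { 'not set' } else { '0x{0:X2}' -f $current }
    Write-Output ("AutoRun policy is weak ($shown); applying 0x{0:X2}" -f $Hardened)
    Set-AutoRunHardened
}
```

Pushing the same value through Group Policy (Computer Configuration, Administrative Templates, Windows Components, AutoPlay Policies) covers every machine in a domain instead of one host at a time.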

Quid Pro Quo

• Means “something for something”

• A person contacts people one by one, until he/she finds a person with a problem

• When they find a person, they “fix” their problem by introducing malware to their machine

Summary – Today’s Take Aways

• Social Engineering involves manipulating others to get access

• Main techniques are: Flattery, Authority, Threatening

• Main types are: Pretexting, Phishing, Trojan Horses and Quid Pro Quo

Ways to Combat Social Engineering

• Good security policy

• Make sure your employees understand dangers and threats

• Make sure employees understand what Data Classification means and what type of information you publicly give away

Most Important Gem of Wisdom in Defeating Social Engineering

• Never, Never give out username, password, account number, SSN, etc over the same channel used to initiate the request

• For example, if a phone call comes in, asking for a SSN, send the SSN via email or regular mail