social engineering case study by wasim halani

Exploiting the human weakness www.niiconsulting.com Presentation by: Wasim ‘washal’ Halani Network Intelligence India Pvt. Ltd.

Upload: nu-the-open-security-community

Post on 08-Jun-2015


TRANSCRIPT

Page 1: Social Engineering Case Study by Wasim Halani

Exploiting the human weakness

www.niiconsulting.com

Presentation by: Wasim ‘washal’ Halani, Network Intelligence India Pvt. Ltd.

Page 2

Network Intelligence, incorporated in 2001, is a committed and well-recognized provider of services, solutions and products in the IT Governance, Risk Management, and Compliance space. Our professionals have made a mark for themselves with highly satisfied clients all across the globe, supported by our offices in India and the Middle East. As an ISO 27001-certified company ourselves, we are strongly positioned to understand your needs and deliver the right answers to your security and compliance requirements. We have won accolades at numerous national and international forums and conferences. Our work truly speaks for itself and our clients are the strongest testimony to the quality of our services!

Page 3

- Information security is one of the most important aspects of every organization!
- It is people who handle this information
- Social Engineering is exploiting the weakest link – the employees

Page 4

“Social Engineering is the act of manipulating people into performing actions or divulging confidential information, rather than by breaking in or using technical hacking techniques; essentially a fancier, more technical way of lying.”

[Source: Wikipedia]


Page 9

- WordPress vulnerability on the blogs of their websites
- Kevin ‘don’t call me a security expert’ Mitnick
- Dan ‘I smile when I am hacked’ Kaminsky

Page 11

- Phishing
- Baiting
- Identity Theft
- Dumpster Diving
- Email Scams
- Use of Authority
- Request for Help
- Indulging Curiosity
- Exploiting Greed

= Abuse of Trust

Page 12

- IT/ITES company
- Two offices
- About 400–500 employees
- We had previously conducted other security projects for them
- Guards were familiar with us
- We also knew a few people from our previous projects

Page 14

- Only 3 people in the organization aware of the exercise
- Obtain ‘get-out-of-jail-free’ card!
- Bought a spy pen-cam
- Create fake authorization letters
  - Fake letterhead (thank you, Photoshop)
  - Fake signatures
  - Fake content
- Understand the organization’s process flow
- Obtain employee list
- Define ‘targets’

Page 15

- Security Auditor
  - Surprise audit on behalf of a Government Agency
  - Chinese attacks on Indian institutions (same-day newspaper headlines)
- College Student
  - Research project
- Customer
  - Call-center
- Phishing
- Social Networking


Page 17

- Visit the office
- Convince the guard to let me in for the surprise security audit
  - “It won’t be a surprise if you tell anyone”
- Once again we interviewed people
  - Some suspicious
  - Reading the letter is not verifying it
- Dumpster diving

Page 18

- Gain unauthorized access
- Stay back late, after almost all employees have left
  - Photograph the office
- ‘Steal’ sensitive documents
  - From open drawers
- Check personal folders kept on desks

Page 20

- Sensitive information on technologies used
- Network architecture revealed
- Lots of technical information revealed to the “college student” doing a project, as well as to the journalist
- Found a bundle of official letterheads in the store-room
- Gained access to the server rooms

Page 22

- We registered a domain with a single-letter difference
  - Registered email accounts
- Prepared an ‘Employee Complaint/Feedback Form’
  - Company header, styling etc.
- Sent out mails on behalf of an HR person
- Employees are asked to enter their ‘credentials’ to log in to the system
- The final page has a PDF that is to be downloaded as a ‘unique token number’
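The lookalike domain behind this phishing wave (one letter different from the real one) is cheap for an attacker to pick and just as cheap for a defender to enumerate and watch for. The Python below is an added example, not code from the presentation or from Network Intelligence; the company domain, the sender addresses and the subjects are constructed for illustration. It goes slightly beyond the slide: it generates every registrable single-edit variant of a domain (substitution, deletion, insertion, adjacent transposition, with the TLD held fixed) as a watch list, and screens inbound senders whose domain is within one edit of the real one, which also catches a swapped TLD.

```python
"""
Added example (not part of the original presentation): lookalike-domain
generation and sender screening at edit distance 1, the trick the case
study used (a domain "with a single letter difference"). All domains and
mail headers here are constructed for illustration.
"""
import string

# Hypothetical legitimate company domain; the presentation does not name the client.
LEGIT_DOMAIN = "example-corp.com"

# Characters allowed in a hostname label (no leading or trailing '-').
LABEL_CHARS = string.ascii_lowercase + string.digits + "-"


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insertion, deletion, substitution
    and transposition of two adjacent characters each cost 1."""
    la, lb = len(a), len(b)
    d = [[0] * (lb + 1) for _ in range(la + 1)]
    for i in range(la + 1):
        d[i][0] = i
    for j in range(lb + 1):
        d[0][j] = j
    for i in range(1, la + 1):
        for j in range(1, lb + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,         # deletion
                          d[i][j - 1] + 1,         # insertion
                          d[i - 1][j - 1] + cost)  # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[la][lb]


def lookalike_domains(domain: str) -> set[str]:
    """Every registrable domain one edit away from `domain` in its
    second-level label, TLD kept fixed. Serves as a defensive
    registration list or a watch list for new-domain feeds."""
    sld, _, tld = domain.rpartition(".")
    variants = set()
    for i in range(len(sld)):
        variants.add(sld[:i] + sld[i + 1:])                            # deletion
        for c in LABEL_CHARS:
            variants.add(sld[:i] + c + sld[i + 1:])                    # substitution
            variants.add(sld[:i] + c + sld[i:])                        # insertion before i
        if i + 1 < len(sld):
            variants.add(sld[:i] + sld[i + 1] + sld[i] + sld[i + 2:])  # transposition
    for c in LABEL_CHARS:
        variants.add(sld + c)                                          # insertion at end
    valid = {v for v in variants
             if v and v != sld and not v.startswith("-") and not v.endswith("-")}
    return {f"{v}.{tld}" for v in valid}


def is_lookalike(sender_domain: str, legit_domain: str = LEGIT_DOMAIN,
                 max_distance: int = 1) -> bool:
    """True when the sender domain is not the real domain but lies within
    `max_distance` edits of it (covers label typos and TLD swaps alike)."""
    s = sender_domain.lower().rstrip(".")
    l = legit_domain.lower().rstrip(".")
    return s != l and edit_distance(s, l) <= max_distance


def flag_lookalike_senders(messages, legit_domain: str = LEGIT_DOMAIN) -> list[str]:
    """Screen (from_address, subject) pairs; return the flagged sender addresses."""
    flagged = []
    for from_addr, _subject in messages:
        _, _, domain = from_addr.rpartition("@")
        if is_lookalike(domain, legit_domain):
            flagged.append(from_addr)
    return flagged


# Constructed sample of inbound mail, as the HR phishing wave might appear.
SAMPLE_MAIL = [
    ("hr@example-corp.com", "Quarterly feedback form"),           # genuine sender
    ("hr@exampie-corp.com", "Employee Complaint/Feedback Form"),  # 'l' replaced by 'i'
    ("hr@exmaple-corp.com", "Employee Complaint/Feedback Form"),  # 'am' transposed
    ("hr@example-corp.co", "Employee Complaint/Feedback Form"),   # TLD shortened
    ("news@vendor-portal.net", "Monthly update"),                 # unrelated sender
]

if __name__ == "__main__":
    print("flagged senders:", flag_lookalike_senders(SAMPLE_MAIL))
    print(len(lookalike_domains(LEGIT_DOMAIN)), "lookalike domains to watch")
```

Run stand-alone it flags the three spoofed HR addresses and leaves the genuine and the unrelated sender alone. The distance check is deliberately narrow; a production filter would also fold in visual homoglyphs (rn for m, l for I) and internationalized domains, and would compare the watch list against a newly-registered-domain feed rather than only inbound mail.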


Page 24

- About 10 users entered their credentials, which we captured
- No one downloaded the PDF
- Took about 10–15 mins for the HR dept. to be alerted
  - They sent out an email denying the fake email
- One employee had a discussion with HR and replied to our email address

Page 25

- LinkedIn
  - Fake employee profile
  - Searched for people not listed in the network
  - Joined the company ‘network’
  - Sent out invites
- Facebook
  - Multiple fake profiles
  - Added each other as friends

Page 28

- Turns out they had a new employee
- Everyone thought his was the ‘fake’ profile
- Very difficult to identify the real profile
- ‘Attractive’ profiles receive friend requests


Page 30

Confidential…

Page 31

Contact: [email protected] http://www.niiconsulting.com @washalsec