8/10/2019 White Paper Hacking the Human
Hacking the Human
Dennis Schlessman, CISSP, CISA

Introduction:
[Introduction text not recoverable from the extracted page; only scattered word fragments survive.]
Social Engineering Attack Vectors:

Pretext Calls:

Pretext calls provide anonymity, and can be performed from any location in the world. Contineo defines pretext calling as:

The act of creating and using an invented scenario (the pretext) to persuade a targeted victim to release information or perform an action, and which is typically done over the telephone.

Let's look at a couple of well-known attacks using pretext calls: An individual pretends to be an employee from the help desk. From research already performed, the social engineer drops names and titles the employee is familiar with, validating their identity and relieving any apprehension the employee may have. The social engineer needs to test some system changes recently performed and requests the employee enter his password to verify the test worked correctly. After the employee enters the password, the social engineer feigns a problem and asks to verify the information entered by the employee, and because the employee wants to be helpful, he provides the password. Behold, the social engineer now has a current password into the system and the employee is none the wiser. The social engineer ends the call saying there are some corrections to be made and thanks the employee for the help. Kevin Mitnick was an expert at this type of social engineering and had great success using it against Pacific Bell to gain access to their systems.

Another example involves financial institutions and the perpetrator pretending to be a customer. With very little information the social engineer can gather personal account information that can be used later for financial gain. I recently completed a series of pretext calls for a social engineering test and was amazed at my success. I was provided some basic customer information, nothing that could not be obtained by shoulder surfing or via internet searches, for instance an account number, a phone number, address, or date of birth. Without social security number or mother's maiden name, or individual account codes used for security purposes, and having no knowledge of recent account activity, I was able to acquire current account information by providing a combination of the account number, the address and the phone number. This information is considered public and not satisfactory as a means of verifying the customer's identity over the phone.

On a personal note, I recently received a phone call at home in which the person on the other end represented an organization seeking information about a family member. They stated they had my family member's social security number and asked me to verify it. If this happens to you, don't do it! Chances are it is a pretext call gathering information, and in today's environment don't take the bait.
Phishing:
[Phishing section text not recoverable from the extracted page; only scattered word fragments survive.]
Impersonation:
[Remainder of the phishing section and the impersonation section text not recoverable from the extracted page; only scattered word fragments survive.]
Conclusion:
[Conclusion text not recoverable from the extracted page; only scattered word fragments survive.]
... which have hard and soft costs associated with them.

Social engineering is not as glamorous as hacking and you don't read about it in the news very often, but it is a real threat that should not be ignored.

Dennis Schlessman, CISSP, CISA, is an auditor and consultant at Contineo. He specializes in information security, IT auditing, vulnerability assessment and penetration testing, and remediation consulting. For more information, please contact Contineo or visit us on the web at www.contineotech.com.

References:
Social Engineering Fundamentals, Part I: Hacker Tactics, by Sarah Granger (Symantec Connect).
Microsoft.com: phishing symptoms.
The Risk of Social Engineering on Information Security: A survey of IT Professionals. Performed by Dimensional Research, sponsored by Check Point Software Technologies.
Catch Me If You Can: The True Story of a Real Fake, by Frank Abagnale with Stan Redding. Originally published New York: Grosset and Dunlap, c1980.
The Art of Deception, by Kevin Mitnick and William L. Simon, Wiley Publishing Inc.