Social Penetration - Mike Murray and Mike Bailey

Advanced exploitation on social networks. Not a social engineering talk, nor a talk about technological exploitation: the combination of exploits against people and technology all in one place.

  1. Social Penetration
     Mike Bailey, Mike Murray
  2. Social Engineering: the practice of obtaining confidential information by manipulating users. (Source: Wikipedia)
  3. Social Media Applications are “applications that inherently connect people and information in spontaneous, interactive ways.” (Mark Drapeau and Linton Wells, National Defense University (NDU))
  4. The Tipping Point
     http://1.media.tumblr.com/iNIi9iwtqk9wp2rxEL7NpIPVo1_500.jpg
     http://www.blogohblog.com/wp-content/pop/2008/03/facebook_chart.gif
  5. The Vulnerability Cycle (diagram labels: Human / Network Organization Service / Client Server Application)
  6. Getting Penetrated
     • Three main issues
       – We leak information
       – We are vulnerable to each other
       – The web browser
  7. Information Leakage
  8. Information Leakage
     • Intentional or ignorance
     • We leak a million things
       – Images
       – GPS coordinates
       – Picnic flyers
       – Group messages/conversations
       – Job postings
     • If you can imagine it, you can find it.
  9. © 2008 – Foreground Security, Michael Murray & Associates, LLC. All rights reserved
  10. User Vulnerability
  11. “Only two things are infinite: the universe and human stupidity. And I'm not sure about the former.” - Albert Einstein
  12. Human Vulnerability
      • Humans are social creatures
      • Human nature makes us vulnerable to each other
      • Social engineers exploit weaknesses in human nature to obtain information or access
  13. The Critical Faculty
      • The hypnotist’s term for the part of the mind that acts as the rational alert system
        – Allows the human to act on largely unconscious processes
        – Things rise to conscious awareness based on CF activation
      • This suggests that all SE success is CF-related
        – Avoid activating the critical faculty
        – We want the person to execute a task that is inappropriate, yet fail to raise the CF alert to conscious awareness
  14. The Military Experiments: Would military officers disobey a direct order under hypnosis?
  15. Success in Social Engineering: create a context that ensures that the behavior we want is completely appropriate.
  16. The Basics
      • This is third-grade English class:
        – Spelling
        – Grammar
        – Punctuation
      • Most CF activation is here
        – Taught as the base of much security awareness training
  17. Awareness
      • Words are meaningless without awareness of what is working
        – Your awareness of others acts as a compass
        – You need to see and hear the effect of your words
      • Main components of awareness in face-to-face
        – Body language
        – Facial expressions
        – Language tone
      • How do we do this in technological social engineering?
  18. Tone Analysis of Writing
      • As native speakers of English, we infer auditory tone into the written word.
      • Two main components:
        – Word choice
        – Punctuation
      • Simple example
  19. Tone in SE
      • Back to the prime rule
        – Tone needs to be natural and appropriate.
      • Every situation has a tone and a feel for the writing that is unlikely to activate the CF.
  20. Actual Email from TD
      Hello Michael Murray,
      I appreciate your interest in viewing your TD Visa account information using EasyWeb. Thank you for taking the time to write.
      If you currently have an active EasyWeb profile but can not access your TD Visa, you may have 2 separate customer profiles set up with TD Canada Trust. For immediate assistance with correcting this situation, I encourage you to call EasyLine toll free at 1-866-222-3456. A Banking Specialist can combine your profiles if necessary, provided that the personal information on both profiles match. Representatives are available 24 hours a day, 7 days a week. If you are not registered for EasyLine, kindly press 2 and then 0 to speak with a representative.
      The combining process usually takes about two days to complete, and once it is finished, you should be able to view your entire personal portfolio via EasyWeb.
  21. The Elements of Influence
      • Cialdini and others have found that creating a frame with certain elements can enhance influence
        – Reciprocity
        – Authority
        – Social proof
        – Confirmation
        – Scarcity / urgency
        – Emotional / amygdala hijack
        – Confusion
      • Inserting these elements within a frame can strengthen influence
        – These are natural human responses
        – We use these responses to create a context for influence
  22. Confirmation
      • Confirmation bias
        – That which confirms what we already believe, we tend to believe.
        – That which fails to confirm what we already believe, we tend to ignore.
      • The brain LITERALLY turns off
        – No CF activation
  23. During the run-up to the 2004 presidential election, while undergoing an fMRI brain scan, 30 men -- half self-described as "strong" Republicans and half as "strong" Democrats -- were tasked with assessing statements by both George W. Bush and John Kerry in which the candidates clearly contradicted themselves. Not surprisingly, in their assessments Republican subjects were as critical of Kerry as Democratic subjects were of Bush, yet both let their own candidate off the hook…. The neuroimaging results, however, revealed that… "We did not see any increased activation of the parts of the brain normally engaged during reasoning"
      From: http://resonancetechnologies.com/press/articles/ThePoliticalBrain.pdf
  24. Confirmation in SE
      • Signal theory
        – Branch of economics relating to the messages passed by inference
        – E.g. a CEH is a signal that you have chosen the path of an EH
      • We need to give appropriate signals
        – Tone
        – Language
        – Appearance
  25. Back to TD
      Hello Michael Murray,
      I appreciate your interest in viewing your TD Visa account information using EasyWeb. Thank you for taking the time to write.
      If you currently have an active EasyWeb profile but can not access your TD Visa, you may have 2 separate customer profiles set up with TD Canada Trust. For immediate assistance with correcting this situation, I encourage you to call EasyLine toll free at 1-866-222-3456. A Banking Specialist can combine your profiles if necessary, provided that the personal information on both profiles match. Representatives are available 24 hours a day, 7 days a week. If you are not registered for EasyLine, kindly press 2 and then 0 to speak with a representative.
      The combining process usually takes about two days to complete, and once it is finished, you should be able to view your entire personal portfolio via EasyWeb.
      Best regards,
      Debra Matsumoto
      Internet Correspondence Representative
      ________________________________________
      TD Canada Trust
      1-866-222-3456
      http://www.tdcanadatrust.com
      Email: customer.service@td.com
      TDD (Telephone Device for the Deaf) 1-800-361-1180
      This email is directed to, and intended for the exclusive use of, the addressee indicated above. TD Canada Trust endeavours to provide accurate and up-to-date information relating to its products and services. However, please note that rates, fees and information are subject to change.
  26. We create relationships through trading value. Temporary inequality creates powerful bonds.
  27. Reciprocity == Investment
      • The act of exchanging value
        – I can do something for you
        – You can do something for me.
      • Both acts strengthen our bond.
        – We become more invested in the relationship
        – The more invested a person feels, the more likely they are to be influenced by the relationship
      • This is the Nigerian scam’s overwhelming power
  28. Scarcity
      • People will take almost any opportunity for their own gain
        – Especially if the opportunity seems scarce
        – If we have to hurry, the amygdala takes over
      • This is a marketing tactic
        – Infomercials
        – Scams
  29. “If you call in the next 15 minutes…” - Ron Popeil
  30. Web Browsers
  31. Web Browsers
      • Malicious links
      • Credential theft
      • XSS
      • CSRF
      • Abusing websites, not systems
  32. So much more we could discuss… So little time.
      Keep an eye on: MadSecInc.com
      Email us: mmurray@madsecinc.com, mbailey@madsecinc.com
