2. Agenda
Facts – Hacking The Mind
What is Social Engineering?
Why Is Everyone Vulnerable?
Attacking Human Behaviors
Types of Social Engineering
Body Language
Mitigation
3. The Famous - Who Am I Today ?!!!
Every time I write this slide I open my history, which has been saved before!!!
* Penetration Tester Specialist and Security Researcher at DTS-Solution
* Certified in a lot of things (would there be a difference?)
* Author of the WeBzY and XSSYA tools
* Bug hunter in my spare time
* Experienced in penetration testing for over 7 years (system, network,
web application, mobile application, physical pen testing and social
engineering assessments)
9. Facts – Hacking The Mind
* Yeeea, I stole a laptop and got in and out: this is not social
engineering
* Social engineering is not walking into an organization saying
"I'm an electrician" and then ending up with the electrician team!
* You should know what you are talking about
10. What is Social Engineering?
Simply:
The science of making people do what you want, not what they want
Wikipedia:
Refers to psychological manipulation of people into performing
actions or divulging confidential information.
What I like:
The science of manipulating people's mind and behavior to
perform an action of your choice
11. Art of War
* All warfare is based on deception
* When we are able to attack, we must seem unable
* When we are near, we must make the enemy
believe we are far away
(Sun Tzu, The Art of War)
12. Why Is Everyone Vulnerable?
The human mind has gaps by default!!
If you think you are not vulnerable because you are not that
stupid person, think again!!
People are vulnerable to social engineering not only because of
stupidity.
13. Why Is Everyone Vulnerable?
False assumptions (affirming the consequent)
"If A is true, then B is true; B is true, therefore A must be true"
Curiosity
Human nature likes to know the unknown
Fear
Fear of fake authority
14. Attacking Human Behaviors
* The human tendency to trust is essential to most social engineering attacks
* Ignorance about social engineering and its impact
* Those who perform SE attacks may pretend to have authority
and threaten consequences for non-compliance with their request
* Social engineering attackers obtain information by promising something
for nothing
* When you are dispirited or need help, they will help you
* Agree with what you hear, get agreement back, then
lead the discussion
15. Types of Social Engineering
Social engineering attacks can be broken into two common types:
computer based and human based.
16. Computer Based
Computer based: uses computer software that attempts to retrieve
the desired information (mobile applications included).
* Spam email
* Pop-up windows ("Run?")
* Phishing and spear phishing
* Publishing malicious apps / fake security apps
* Instant chat messengers
* Social networks
17. Computer Based
Before the social engineering engagement
Internet activity (OSINT)
* Maltego
* Google / LinkedIn
* theHarvester
* Whois
* Social media
* Company's latest news
Physical reconnaissance
* Visit the company (a normal visit as a customer)
* Video surveillance (blind spots)
* Entry systems and exits
* Physical security systems
* Company relationships (customers, vendors, competitors)
18. Computer Based
Once the social engineering starts (after analysing the Internet behavior)
* Contact through Internet site activities
* Contact employees through social networks
* Get e-mail addresses and send spear phishing attacks
* Voice phishing (vishing)
* SMS spoofing
* SET (the Social-Engineer Toolkit)
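The step from the reconnaissance above to "get e-mail addresses and send spear phishing" is usually mechanical, and the following Python is an added example of it (it is not from the slides or from any of the tools named). It matches theHarvester-style addresses against employee names collected from LinkedIn to infer the organization's e-mail naming convention, then predicts addresses for employees who had no address harvested. The domain, the addresses and the names are constructed for the example; no network access is needed.

```python
"""Infer an organisation's e-mail naming convention from harvested addresses
and predict addresses for employees found on social networks.

Added example, not from the slides. The domain, harvested addresses and
employee names below are constructed for the example.
"""
import re
from collections import Counter

DOMAIN = "example.com"  # hypothetical target domain

# Constructed sample: the kind of list theHarvester returns for the domain.
HARVESTED = [
    "john.smith@example.com",
    "mary.jones@example.com",
    "a.brown@example.com",      # an older convention still in use
    "info@example.com",         # generic mailbox, matches no employee name
    "Press@Example.COM",        # mixed case, as search engines often return it
]

# Constructed sample: names collected from LinkedIn and similar sources.
EMPLOYEES = [
    ("John", "Smith"),
    ("Mary", "Jones"),
    ("Alice", "Brown"),
    ("Karim", "Haddad"),        # seen on LinkedIn, no address harvested yet
    ("Dana", "O'Neil"),         # punctuation in the surname must be stripped
]

# Naming conventions to test; each builds a local part from (first, last).
FORMATS = {
    "first.last": lambda f, l: f"{f}.{l}",
    "f.last":     lambda f, l: f"{f[0]}.{l}",
    "flast":      lambda f, l: f"{f[0]}{l}",
    "firstl":     lambda f, l: f"{f}{l[0]}",
    "first":      lambda f, l: f,
}


def normalise(name):
    """Lower-case a name and drop anything that would not appear in a local part."""
    return re.sub(r"[^a-z]", "", name.lower())


def local_parts(harvested, domain):
    """Local parts of the harvested addresses that belong to the target domain."""
    found = set()
    for addr in harvested:
        local, _, dom = addr.lower().partition("@")
        if dom == domain.lower():
            found.add(local)
    return found


def infer_formats(harvested, employees, domain):
    """Vote for each convention that explains a (harvested address, employee) pair.

    Returns the vote counter and the set of employees whose address was found.
    """
    known = local_parts(harvested, domain)
    votes, matched = Counter(), set()
    for first, last in employees:
        f, l = normalise(first), normalise(last)
        if not f or not l:          # nothing usable after stripping punctuation
            continue
        for name, build in FORMATS.items():
            if build(f, l) in known:
                votes[name] += 1
                matched.add((first, last))
    return votes, matched


def predict_addresses(harvested, employees, domain):
    """Candidate addresses, under the dominant convention, for employees
    with no harvested address. Empty if no convention could be inferred."""
    votes, matched = infer_formats(harvested, employees, domain)
    if not votes:
        return {}
    convention = votes.most_common(1)[0][0]
    predicted = {}
    for first, last in employees:
        f, l = normalise(first), normalise(last)
        if (first, last) in matched or not f or not l:
            continue
        predicted[f"{first} {last}"] = f"{FORMATS[convention](f, l)}@{domain}"
    return predicted


if __name__ == "__main__":
    votes, matched = infer_formats(HARVESTED, EMPLOYEES, DOMAIN)
    print("convention votes:", dict(votes))
    for person, addr in predict_addresses(HARVESTED, EMPLOYEES, DOMAIN).items():
        print(f"{person}: {addr}")
```

With the constructed data the "first.last" convention wins two votes to one, so the two employees without a harvested address get "first.last" candidates; a real engagement would verify the candidates (for example against the mail server) before building the spear phishing list. The same script, run by the defender against its own public footprint, shows how predictable the organization's addresses are from a LinkedIn search alone.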
22. Human Based
Human based: needs interaction with humans, i.e. person-to-person
contact, to retrieve the desired information.
Exploits trust, fear, the helpful nature of humans, and other weaknesses.
* Eavesdropping
* Tech support
* Marketing / reverse SE
* Piggybacking and tailgating
* Dumpster diving
* Shoulder surfing
* Voice phishing
23. Human Based
Scenarios are not limited to:
* A user with a fake ID asks for sensitive information
* A valuable customer offers solutions
* Technical support "wait" attack: free access (reverse SE)
* Chat with the smokers, but don't smoke
* Tailgating
24. Human Based
Real scenario 1: after working hours, asking one of the office
boys to open the door for me!!
* Approach: social engineering. Goal: physical access
25. Human Based
Real scenario 2: piggybacking and tailgating: they have a door on
every floor opened by fingerprint, which stays open for 10 seconds only.
VOIP PWN
27. Human Based
Real scenario 3: chat with the smokers: offering to find another job
for a network engineer
Result
28. Human Based – SE
Reverse social engineering
A person-to-person attack in which the attacker convinces
the target that he or she has a problem, or might have a certain
problem in the future, and that he, the attacker, is ready to help
solve the problem.
29. Human Based – Reverse SE
Reverse social engineering needs:
1- A lot of reconnaissance to understand the internal structure of
the organization.
2- Impersonating someone in power in whatever you attack (client or
organization).
30. Body Language
* Human-based attacks require some skill in body language and eye
contact
* You might face an unexpected contact that requires an immediate social
engineering attack
31. Body Language
* Micro expressions: very useful if you want to engage in social
engineering
* Every culture has its own expressions
* You are able to understand your own country's expressions only
* Ex: the United States of America has more than 80 expressions
* But there are universal expressions we are going to learn about
32. Body Language
But first: what is your first impression?
Attacking an old woman is not the same as attacking a young man
Clothes - Uniform type
Body type
Gender/Age
Ethnicity
Manners/Discipline
Physical Markings
Smell
Teeth
Hands
Interaction
38. Mitigation
* Mitigation: no matter how strict your network security or how well
considered your security policy is, the human element at your business
remains vulnerable to hackers. But there are steps you can take to
better secure your business against social engineering attacks.
* Defense against social engineering comes in several layers
39. Mitigation
1- Basic layer: security policy: social engineers target employees who
respond to requests. Information should be classified by its value;
locks, IDs, paper shredding, and escorting of visitors.
2- Learning layer: security awareness: how employees respond to
requests. Educate them about social engineering scenarios based on their
position, and follow up.
* Identify what has value: every time you get an access failure to
your data, you have to know what to do!
40. Mitigation
* Friends are not friends: social engineers always try to build a
relationship with you to gain trust
* Passwords are personal: don't share your passwords; a social engineer
may try to get your password by electronic means
* Uniforms are cheap: a social engineer will show up pretending to fix
or build something
41. Mitigation
3- Persistence level: security training against social engineering is
effective for only a very short time; regular reminders are needed.
4- Offensive level: incident response: if someone asks for information
that you don't know if you should release, ask your manager. "Many
social engineers will break it off if there's a break in the
conversation."