CIS 5370 - Computer Security Kasturi Pore Ravi Vyas
Notes
  • Charges included fraud, attempting to obtain property under false pretenses, obtaining unauthorized access to computers, and stealing and copying proprietary software from Nokia, Motorola, Sun, Novell, Netcom and the University of Southern California.
  • All this while all three brothers were blind. From the Wired profile: "'I need to get in to do a repair. You need to give me the number and password.' Sometimes they succeeded, or else they'd get only the number and try to break the password by using proprietary programs." At other times, a secretary would simply key in the code, providing what seemed like one-time access but actually enabling the brothers to hear touch tones and translate them into numbers they could then use whenever they pleased.
  • Only two ZIP codes cover Wasilla. "Place where you met your husband": Wasilla High.
  • Human characteristics: we believe easily, we want to help, and we cannot detect lies because of a bias towards truth and stereotypical thinking; instead of analysing the facts we rely on cues such as averting the gaze, shifting posture, shrugging, pausing, speaking quickly, less complex and less specific content, and uncertainty. Defense mechanisms: single-loop security policies still involve humans, and a victim who never suspects the attacker never triggers their training.
  • Example signature taken from Wikipedia.
  • Typically over the phone. The attacker impersonates someone with authority, e.g. co-workers, bank officials, police, tax authorities or insurance agents. A social engineer will phone the help desk, claim to be a manager and demand to know why he cannot log in with his user ID and password. Since most US companies authenticate a caller by asking only for an SSN, date of birth or mother's maiden name, this method is very effective and continues to be a threat. When impersonating a co-worker: "The criminal gets put on hold, records the music and then uses it to their advantage. When he or she calls the intended victim, they talk for a minute and then say 'Oh, my other line is ringing, hold on,' and put them on hold. The person being scammed hears that familiar company music and thinks: 'Oh, he must work here at the company. That is our music.'" A calling-card pretext: you get a call in the middle of the night: 'Have you been calling Egypt for the last six hours?' 'No.' 'Well, we have a call that's actually active right now, it's on your calling card and it's to Egypt and as a matter of fact, you've got about $2,000 worth of charges from somebody using your card. You're responsible for the $2,000, you have to pay that... I'm putting my job on the line by getting rid of this $2,000 charge for you. But you need to read off that AT&T card number and PIN and then I'll get rid of the charge for you.'
  • This email will usually carry a link to a fraudulent website that looks authentic and has a form asking for all your information, such as address and PIN. The attack is easy because it is very simple to create a website that resembles the original organization's website by reproducing its HTML. The attack pays off even if only a very small percentage of the recipients reply to the email.
  • In more advanced cases, the victim is transferred to the attacker, posing as a customer service representative, to extract more information.
  • From the Trend Micro blog post listed in the references: "This recent spam run looks fairly legit, it even comes with a tag line ('More videos. More news. More people saying: I just saw it in CNN.com') in the footer area, perhaps to make it appear that the email is pushing a genuine CNN campaign. Clicking links in the email, of course, leads to malware. Users should be wary of the following redirections that this spam's click trail leads to: Users are redirected to the pages above. Yesterday, we found plenty of links with the string 'cnnvideo.html' tailing the ends of the download URLs (see Figure 2). Today, we're seeing plenty ending with '/news/' (see Figure 3). Both varieties though, appear to point to the download of the same file, get_flash_update.exe, in order to view the videos referred to in the spammed email. Trend Micro detects the file downloaded as TROJ_TIBS.CSZ. This malware downloads two other malicious files detected as TROJ_RENOS.AGU and TROJ_MUTANT.EW."
  • CD with the label ‘salary of top executives’
  • Physical protection: have IDs verified before entry into the building, physically lock sensitive documents, shred the rest, bulk-erase magnetic media, protect all machines with appropriate passwords, keep baggage security tight, and escort all guests. Employee training: remove from employees the responsibility of deciding about an attacker's requests. If the requested action is prohibited by policy, the employee has no choice but to deny the attacker's request. Training should start from the lowest levels in the organization. No hardware or software can defend a system from an individual telling a convincing lie.
    2. <ul><li>Public definition from wikipedia.org </li></ul><ul><li>“Social engineering is the art of manipulating people into performing actions or divulging confidential information” </li></ul><ul><li>Gartner Research Group: </li></ul><ul><li>“the manipulation of people, rather than machines, to successfully breach the security systems.” </li></ul>
    3. <ul><li>Kevin Mitnick was arrested in February 1995 and faced more than 25 charges. </li></ul><ul><li>In his book “The Art of Deception” he states that he did not use hacking tools or software programs but used social engineering to obtain passwords and secrets. </li></ul>
    4. <ul><li>Three Israeli brothers, Ramy, Muzher and Shadde Badir, had 44 charges against them: </li></ul><ul><ul><li>Telecommunications fraud </li></ul></ul><ul><ul><li>Theft of computer data </li></ul></ul><ul><ul><li>Impersonation of a police officer </li></ul></ul><ul><li>Damages of around $2 million </li></ul>
    5. <ul><li>On September 16, 2008 the internet activist group 'Anonymous' gained access to Governor Palin's email account [email_address]. </li></ul><ul><li>Publicly available details that answered the account-recovery questions: [email_address], DOB 2/11/64, ZIP 99687 </li></ul>
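The reset described in the notes succeeded because every recovery answer was either a matter of public record or one of two values. The Python below is an added example, not code from the slides or from any real webmail provider: it puts that weak knowledge-based reset next to a token-based one and counts how many guesses each costs. The account record, the username, the guess lists and the second ZIP code in the list are all constructed for the demo; only the three questions (date of birth, ZIP, where the spouse was met) come from the page.

```python
"""Weak knowledge-based account recovery beside a token-based one.

Added example, not code from the original slides. The account record,
the guess lists and all names are constructed for the demo; only the
three recovery questions come from the page.
"""
import hashlib
import hmac
import math
import secrets
import time

# Constructed victim record. Every answer is discoverable from public
# sources, which is the whole problem with this style of verification.
ACCOUNT = {
    "username": "example.user",        # assumed
    "dob": "02/11/1964",
    "zip": "99687",
    "met_spouse": "wasilla high",
}

# Constructed attacker guess lists. Once the hometown is known the DOB is
# public record, the ZIP is one of two values, and only the free-text
# question needs any guessing at all. Order is arbitrary.
GUESSES = {
    "dob": ["02/11/1964"],
    "zip": ["99654", "99687"],
    "met_spouse": ["high school", "church", "wasilla high", "college"],
}


def kba_reset_weak(account, dob, zip_code, met_spouse):
    """Vulnerable flow: the reset is granted when the three answers match.
    No rate limit, no second channel, and the answer space is tiny."""
    return (account["dob"] == dob
            and account["zip"] == zip_code
            and account["met_spouse"].lower() == met_spouse.strip().lower())


def brute_force_weak(account, guesses):
    """Walk the cross product of the guess lists. Returns (attempts, answers)
    for the first combination the weak flow accepts, or (attempts, None)."""
    attempts = 0
    for dob in guesses["dob"]:
        for zip_code in guesses["zip"]:
            for met in guesses["met_spouse"]:
                attempts += 1
                if kba_reset_weak(account, dob, zip_code, met):
                    return attempts, (dob, zip_code, met)
    return attempts, None


def kba_entropy_bits(guesses):
    """Bits of entropy the attacker faces: log2 of the product of the
    answer-space sizes. Compare with the 256-bit token used below."""
    return math.log2(math.prod(len(v) for v in guesses.values()))


# Hardened flow. Assumption: the service can deliver a message to a channel
# verified at enrolment (recovery address or phone). The secret is random,
# expires, is single use, and only its hash is stored server-side.
TOKEN_TTL_SECONDS = 900
_pending = {}   # username -> (sha256 hex of token, expiry); stands in for a DB table


def issue_reset_token(username, now=None):
    """Create a token for out-of-band delivery; it is never shown to the
    party who requested the reset."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)                      # 32 random bytes, 256 bits
    digest = hashlib.sha256(token.encode()).hexdigest()
    _pending[username] = (digest, now + TOKEN_TTL_SECONDS)
    return token


def redeem_reset_token(username, presented, now=None):
    """Accept a token once, before expiry, comparing in constant time."""
    now = time.time() if now is None else now
    entry = _pending.get(username)
    if entry is None:
        return False
    digest, expiry = entry
    if now > expiry:
        _pending.pop(username, None)
        return False
    candidate = hashlib.sha256(presented.encode()).hexdigest()
    if not hmac.compare_digest(digest, candidate):
        return False
    _pending.pop(username, None)                           # single use
    return True


if __name__ == "__main__":
    attempts, answers = brute_force_weak(ACCOUNT, GUESSES)
    print(f"weak KBA broken after {attempts} attempts with {answers}")
    print(f"KBA entropy: {kba_entropy_bits(GUESSES):.1f} bits vs 256 for the token")
    t = issue_reset_token(ACCOUNT["username"])
    print("token valid once:", redeem_reset_token(ACCOUNT["username"], t),
          "then:", redeem_reset_token(ACCOUNT["username"], t))
```

Three bits of entropy against a bounded guess list is why no amount of employee training rescues a recovery flow built on public facts; the fix is a secret the service generates itself, delivers out of band, stores hashed, accepts once and expires.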
    6. <ul><li>It's easier to ask the user than to hack the system </li></ul><ul><li>As technical defenses improve, it becomes harder to break into systems directly </li></ul>
    7. VS
    8. <ul><li>Humans </li></ul><ul><ul><li>We are emotionally weak and like to help </li></ul></ul><ul><ul><li>We easily succumb to pressure </li></ul></ul><ul><ul><li>We can't correctly judge whether someone is lying: bias towards truth and stereotypical thinking </li></ul></ul><ul><li>Current defense mechanisms </li></ul><ul><ul><li>Security policies (single loop) </li></ul></ul><ul><ul><li>Employee training </li></ul></ul><ul><li>Security policies </li></ul><ul><ul><li>Have humans involved in their creation </li></ul></ul><ul><ul><li>Are not updated </li></ul></ul><ul><ul><li>Are not followed </li></ul></ul>
    9. <ul><li>Information is readily and easily available </li></ul>
    10. <ul><li>First obtain easily available data </li></ul><ul><li>Use it to fake authority </li></ul><ul><li>Obtain more confidential information </li></ul><ul><li>Feedback loop: the result of each action is fed back to get a better result from the next action </li></ul><ul><li>Final attack once enough information has been obtained </li></ul><ul><li>Devise attacks to minimize reaction and weaken security </li></ul>
    11. <ul><li>Pretexting </li></ul><ul><ul><li>Creating a scenario that does not exist in an attempt to pressure a victim into leaking information </li></ul></ul><ul><ul><li>Generating cues to build the victim’s trust </li></ul></ul>
    12. <ul><li>Phishing: </li></ul><ul><li>The attacker typically sends an email that appears to come from a legitimate source such as a bank or credit card company, asking the recipient to verify some information and warning of dire consequences if no action is taken </li></ul>
    13. <ul><li>IVR or phone phishing: </li></ul><ul><li>The attacker creates a legitimate-sounding copy of an organization’s IVR (interactive voice response) system and sends an email urging people to call a toll-free number to verify information. Callers readily give their information to the fake system </li></ul>
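Both lures in slides 12 and 13 rely on the recipient trusting what the message shows rather than where it points or whom it tells them to call. The script below is an added example, not code from the slides: it parses one constructed phishing message and flags the display-text/href domain mismatch, a brand name planted in a look-alike host, raw-IP or punycode hosts, urgency wording, and a callback number that is not the organisation's published one (the IVR case). The bank name, its domain and phone number, and the sample message are all assumptions made for the demo.

```python
"""Static checks for the email phishing and IVR-phishing lures of slides 12 and 13.
Added example, not code from the original slides. The impersonated bank, its
domain and phone number, and the sample message are constructed for the demo."""
import email
import ipaddress
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed profile of the organisation being impersonated.
ORG_NAME = "examplebank"            # assumed brand string to look for in hosts
ORG_DOMAINS = {"examplebank.com"}   # assumed legitimate registrable domain
ORG_PHONES = {"8005550100"}         # assumed published contact number, digits only

# Pressure phrases typical of the "act now or else" lure.
URGENCY = ["verify your account", "will be suspended", "within 24 hours",
           "unauthorized", "immediately", "call the toll free"]

# Constructed phishing message: the visible link text shows the real domain,
# the href points at a look-alike host, and the callback number is not the bank's.
SAMPLE_EMAIL = """\
From: ExampleBank Security <alerts@examplebank.com>
To: customer@example.net
Subject: Urgent: verify your account
Content-Type: text/html; charset=utf-8

<html><body>
<p>Unauthorized activity was detected. Verify your account within 24 hours
or it will be suspended.</p>
<p><a href="http://examplebank.com.secure-verify.example/login">https://www.examplebank.com/login</a></p>
<p>Or call the toll free number 1-800-555-0199 to verify by phone.</p>
</body></html>
"""

PHONE = re.compile(r"\b1?[-. ]?\(?(\d{3})\)?[-. ]?(\d{3})[-. ]?(\d{4})\b")
URLISH = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?", re.I)


class _Anchors(HTMLParser):
    """Collect (href, visible text) pairs plus the body's plain text."""
    def __init__(self):
        super().__init__()
        self.links, self.text = [], []
        self._href, self._buf = None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._buf = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._buf).strip()))
            self._href = None


def registrable(host):
    """Crude eTLD+1 (last two labels). Demo assumption; production code
    should consult the public suffix list so that co.uk etc. work."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyze(raw):
    """Return [(rule, detail), ...] for one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    parser = _Anchors()
    parser.feed(body)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        if _is_ip(host) or "xn--" in host:
            findings.append(("raw-ip-or-punycode-host", host))
        if ORG_NAME in host and registrable(host) not in ORG_DOMAINS:
            findings.append(("brand-in-lookalike-host", host))
        if URLISH.fullmatch(text):     # only compare when the label looks like a URL
            shown = urlparse(text if "://" in text else "http://" + text).hostname
            if shown and registrable(shown) != registrable(host):
                findings.append(("display-href-domain-mismatch", f"{shown} -> {host}"))
    flat = " ".join(parser.text).lower()
    hits = [phrase for phrase in URGENCY if phrase in flat]
    if hits:
        findings.append(("urgency-language", ", ".join(hits)))
    for m in PHONE.finditer(flat):      # IVR phishing: a number the org never published
        digits = "".join(m.groups())
        if digits not in ORG_PHONES:
            findings.append(("unrecognised-callback-number", digits))
    return findings
```

Run `analyze(SAMPLE_EMAIL)` to see the findings; the same function returns an empty list for a message whose link text, href and phone number all belong to the organisation. Note that sender-address checks are deliberately absent here: the From header is trivially forged, so the gateway has to look at where the links and numbers lead.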
    14. <ul><li>Trojan horse: </li></ul><ul><li>These take advantage of people's greed and curiosity to propagate malware. They arrive as email attachments with attractive subject lines which, when opened, install a virus on the system </li></ul>
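The CNN-themed run quoted in the notes shows what the Trojan lure looks like on the wire: a news or video page, then a download of get_flash_update.exe from a host that is not the Flash vendor. The following detection over web-proxy logs is an added example, not code from the slides or from Trend Micro. The log format, client addresses, hostnames and the vendor allow-list are constructed for the demo; only the indicator strings get_flash_update.exe, cnnvideo.html and /news/ come from the page.

```python
"""Web-proxy log detection for the lure chain described in the Trend Micro
write-up quoted in the notes: a news/video page followed seconds later by a
bogus Flash update executable served from a non-vendor host.

Added example, not code from the original slides or from Trend Micro. Log
format, clients, hostnames and the allow-list are constructed; only the
indicator strings get_flash_update.exe, cnnvideo.html and /news/ come from
the page.
"""
import re
from collections import namedtuple
from urllib.parse import urlparse

# Assumed allow-list of registrable domains that may legitimately serve a
# Flash installer.
VENDOR_DOMAINS = {"adobe.com", "macromedia.com"}
# Lure-page path endings named in the write-up.
LURE_PATH = re.compile(r"(?:cnnvideo\.html|/news/)$")
# A download whose file name claims to be a Flash update.
FLASH_UPDATE = re.compile(r"flash[_-]?update[^/]*\.exe$", re.I)
EXE_TYPES = {"application/x-dosexec", "application/x-msdownload", "application/octet-stream"}

Event = namedtuple("Event", "ts client method url status ctype")

# Constructed log, one request per line:
# "<epoch> <client> <method> <url> <status> <content-type>"
SAMPLE_LOG = """\
1218880001 10.0.0.7 GET http://videos.lure-news.example/story/cnnvideo.html 200 text/html
1218880003 10.0.0.7 GET http://videos.lure-news.example/get_flash_update.exe 200 application/x-dosexec
1218880010 10.0.0.9 GET http://www.lure-news.example/news/ 200 text/html
1218880012 10.0.0.9 GET http://cdn.lure-news.example/news/get_flash_update.exe 200 application/octet-stream
1218880020 10.0.0.11 GET http://get.adobe.com/flashplayer/ 200 text/html
1218880021 10.0.0.11 GET http://fpdownload.adobe.com/get/flashplayer/install_flash_player.exe 200 application/octet-stream
1218880030 10.0.0.13 GET http://intranet.example/news/ 200 text/html
"""


def registrable(host):
    """Crude eTLD+1 (last two labels); demo assumption, use the public
    suffix list in production."""
    return ".".join(host.lower().split(".")[-2:])


def parse_log(text):
    """Parse the constructed format into Event tuples, skipping bad lines,
    and return them in time order."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, client, method, url, status, ctype = parts
        events.append(Event(int(ts), client, method, url, int(status), ctype))
    return sorted(events, key=lambda e: e.ts)


def is_executable(ev):
    """Executable by declared type or by file extension (type is attacker-controlled)."""
    return ev.ctype in EXE_TYPES or urlparse(ev.url).path.lower().endswith(".exe")


def detect(text, window=30):
    """Return [(client, rule, url), ...]. Two rules:
    flash-update-from-non-vendor: an .exe named like a Flash update fetched
        from a host outside the vendor allow-list;
    lure-page-then-exe: an executable download within `window` seconds of
        the same client visiting a page matching the lure path patterns."""
    alerts, last_lure = [], {}
    for ev in parse_log(text):
        parsed = urlparse(ev.url)
        path, host = parsed.path, parsed.hostname or ""
        if LURE_PATH.search(path) and not is_executable(ev):
            last_lure[ev.client] = ev.ts
            continue
        if not is_executable(ev):
            continue
        if FLASH_UPDATE.search(path) and registrable(host) not in VENDOR_DOMAINS:
            alerts.append((ev.client, "flash-update-from-non-vendor", ev.url))
        seen = last_lure.get(ev.client)
        if seen is not None and ev.ts - seen <= window:
            alerts.append((ev.client, "lure-page-then-exe", ev.url))
    return alerts


if __name__ == "__main__":
    for client, rule, url in detect(SAMPLE_LOG):
        print(f"{client} {rule} {url}")
```

The genuine Adobe download in the sample trips neither rule, and the intranet /news/ visit with no follow-up download trips nothing either; the two rules fire together for the lure-then-dropper sequence, which is the pattern worth paging on.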
    18. <ul><li>Baiting: </li></ul><ul><li>These are physical Trojan horses. The attacker leaves malware-infected physical media such as CD-ROMs, carrying plausible but curiosity-provoking labels, around the workplace; when an employee inserts one, the system is infected. </li></ul>
    19. <ul><li>Online social engineering </li></ul><ul><ul><li>Users reuse a single password for all their accounts </li></ul></ul><ul><ul><li>The attacker sends an email inviting the user to sign up for some interesting site or important update, asking for a username and a password; the harvested password then opens the user's other accounts </li></ul></ul>
    20. <ul><li>Reverse social engineering </li></ul><ul><ul><li>Make people come to you instead of you going to them </li></ul></ul><ul><ul><li>The attacker sabotages a network, causing a problem </li></ul></ul><ul><ul><li>Advertises that he is the appropriate person to fix the problem </li></ul></ul><ul><ul><li>When he comes to fix the network problem, he requests information from the employees </li></ul></ul>
    21. <ul><li>Physical protection </li></ul><ul><li>Security policies that separate documents into different levels or compartments; separation of duty; double-loop policies </li></ul><ul><li>Employee training </li></ul><ul><li>Lie detectors </li></ul>
    22. <ul><li>Goodchild, J. (2008, Nov). Social Engineering: 8 Common Tactics. Retrieved Nov 2008, from NetworkWorld: http://www.networkworld.com/news/2008/110608-social-engineering-eight-common.html </li></ul><ul><li>Granger, S. (2001, Dec). Social Engineering Fundamentals, Part I: Hacker Tactics. Retrieved Nov 2008, from SecurityFocus: http://www.securityfocus.com/infocus/1527 </li></ul><ul><li>Granger, S. (2002, Jan). Social Engineering Fundamentals, Part II: Combat Strategies. Retrieved Nov 2008, from SecurityFocus: http://www.securityfocus.com/infocus/1533 </li></ul><ul><li>Gonzalez, J. J., Sarriegi, J. M., and Gurrutxaga, A. (2006). A Framework for Conceptualizing Social Engineering Attacks. CRITIS 2006, LNCS 4347, 79-90. </li></ul><ul><li>Wikipedia. (n.d.). Social engineering (security). Retrieved Nov 2008, from Wikipedia: http://en.wikipedia.org/wiki/Social_engineering_(security) </li></ul>
    23. <ul><li>VP contender Sarah Palin hacked: http://wikileaks.org/wiki/VP_contender_Sarah_Palin_hacked </li></ul><ul><li>Three Blind Phreaks: http://www.wired.com/wired/archive/12.02/phreaks_pr.html </li></ul><ul><li>U.S. vs. Mitnick and DePayne: http://www.cnn.com/SPECIALS/1999/mitnick.background/indictment/page01.html </li></ul><ul><li>New Trojan Bait: CNN Videos: http://blog.trendmicro.com/new-trojan-bait-cnn-videos/ </li></ul>