Hacker Halted 2009 - Owning People through Technology

  • The information security world exists on an incredibly short (20 year) timeframe. Even taking a *REALLY* long view, the entire Infosec industry extends only back as far as the mid-80s, around 20 years.
    Those were the days:
    Software vulnerabilities weren’t significant; most were based on configuration weakness.
    Only a handful of people understood how to exploit technologies.
    Small target surface: few internet-connected computers.
    Focus was on phone phreaking and academia.
    Social engineering reigned supreme:
    Most successful attacks involved social engineering.
    Unsophisticated controls environments.
    Few understood the jargon.
    Policies encouraged trust over security.
  • Two Vital Dates
    October 13, 1994: Mosaic Netscape 0.9 released. The web becomes easy to navigate.
    August 24, 1995: Windows 95 released. Home computer use proliferates massively.
    The Internet experiences exponential growth. Money starts to change hands. Internet-connected computers become a viable target. This created a target-rich environment...
    Phrack 49, November 8, 1996: Aleph1, “Smashing the Stack for Fun and Profit”. The first real sophisticated vulnerabilities start to emerge. A buffer overflow required knowledge of assembly and coding skill; hackers now had to be more technical. Readily available exploit code actually makes breaking in to computers easier. The “golden age” of server hacking begins.
    1996-2003: More of the same. Memory attacks become more sophisticated: polymorphic shell-code designed to evade detective controls, more advanced use of memory spaces (format strings, integer exploits).
    Windows XP Service Pack 2 appears. Microsoft finally hardens their operating systems; the world changes overnight. Security is now baked in to the computer. Server-based vulnerabilities disappear.
    As massive server-based vulnerabilities disappear, client interaction becomes key. The number of issues continues to increase, but the type of issues starts to change radically.
    Since 2005: No major direct-exploitation worm outbreaks. Less than a handful of “remote root” direct exploitation vulnerabilities.
    Major classes of attacks: drive-by download; exploitation through email; exploitation through social networking sites; phishing / pharming / spear-phishing.
    What’s the similarity? If you said “human interaction”, you get a gold star.
  • Watkins, Estabrooks. Estabrooks: “I can hypnotize a man — without his knowledge or consent — into committing treason against the United States”
  • Confirmation – what lawyer would ever use that subject line?
  • Checks on your family; puts trust in you; requests your help
  • Transcript

    • 1.
    • 2. Pwning People through Technology
      Mike Murray
      Hacker Halted USA 2009
      9/24/09
    • 3. Mike Murray
      A decade of experience in penetration testing, vulnerability research and social engineering
      CISO of Foreground Security (ForegroundSecurity.com) - leads penetration tests and security services engagements
      Lead trainer and curriculum developer at Foreground’s training division The Hacker Academy (TheHackerAcademy.com)
      Managing partner of Michael Murray and Associates, where he directs diverse stealth-mode security industry projects.
      Security blogger (Episteme.ca), podcaster, and regular speaker on social engineering, vulnerability management and the human side of security.
      Founder of Information Security Leaders, the leading resource on information security careers (InfoSecLeaders.com)
      Certified Hypnotherapist and Master NLP Practitioner
    • 4. Only two things are infinite: the universe and human stupidity.
      And I'm not sure about the former.
      - Albert Einstein
    • 5. Social Engineering: The practice of obtaining confidential information by manipulating users.
      Source: Wikipedia
    • 6. Human Vulnerability
      Humans are social creatures
      Human nature makes us vulnerable to each other
      Social engineers exploit weaknesses in human nature to obtain information or access
    • 7.
      That Sounds Familiar
    • 8.
      Mesmer
      Erickson
      Elman
      Brown
      Ponzi
      Angel
      Irving
      Abagnale
      Weill
      Houdini
      Jermay
      Con Men
      Magicians
      Hypnotists
    • 9. Why Now?
    • 10. 1985
      1990
      1993
    • 11. Vulnerability Environment:
      August 24, 1995
      November 8, 1996
      October 13, 1994
      1997
      1994
    • 16. Major Vulnerabilities in:
      Major Worms:
      1998
      2000
      2003
    • 30. 2003
      2006
      2009
    • 31. The Vulnerability Cycle
      Human / Organization
      Network
      Service / Server
      Client
      Application
    • 32. Penetration Test Success
      We spend a huge amount of time on the exploit
      Books written on XSS, XSRF and buffer overflows
      Very little research on how to get people to exploit themselves
      Nearly all of our tests rely on that ability
      Successful ethical hacking is successful SE
      Far too little SE is discussed
    • 33. The Critical Faculty
      The hypnotist’s term for the part of the mind that acts as the rational alert system
      Allows the human to act on largely unconscious processes
      Things rise to conscious awareness based on CF activation
      This suggests that all SE success is CF-related
      Avoid activating the critical faculty
      We want the person to execute a task that is inappropriate, yet fail to raise the CF alert to conscious awareness
    • 34. The Military Experiments
      Would Military officers disobey a direct order under hypnosis?
    • 35. Rule #1 Create a context that ensures that the behavior we want is completely appropriate.
    • 36. The Three Skills
      Critical Faculty is bypassed through three fundamental skills:
      Artful Communication and Use of Language
      Awareness of the Target
      Frame Control
      The skills are the same when online
      Language
      You must structure your language to effect control of your target
      Awareness
      You must know how your target will interpret your communication
      Frame Control
      Your ability to control the context of your communication will be the largest component of suppressing the CF
    • 37. © 2008 – Foreground Security, Michael Murray & Associates, LLC. All rights reserved
      Communication
      The art of communication
      Language is the first skill of the social engineer
      Ability to craft words is first step in influence
      Language is not real
      Incomplete representation of reality
      Incompleteness creates opportunity
      Dual Purpose of Language
      Information Transfer
      Influence
    • 38. Precision
      Information Transfer is hindered by the incompleteness of language
      Deletion
      Distortion
      Generalization
      Presupposition
    • 39. Influence
      Influence is about maintaining agreement
      Avoiding CF activation
      This is about the amygdala
      The goal is to change representation without triggering disagreement
      Disagreement is the mind’s defense against inappropriate influence.
      This is not about rhetorical/logical disagreement
      Agreement allows
      The artful inversion of precision
      Use of deletion, distortion and generalization to maintain agreement
      Sometimes referred to as being “artfully vague”
    • 40. The Basics
      This is third grade English class:
      Spelling
      Grammar
      Punctuation
      Most CF-activation is here
      Taught as base of much Sec Awareness Training
    • 41.
    • 42. Awareness
      Words are meaningless without awareness of what is working
      Your awareness of others acts as a compass
      You need to see and hear the effect of your words
      Main components of awareness in face-to-face
      Body language
      Facial expressions
      Language Tone
      How do we do this in technological social engineering?
    • 43. Tone Analysis of Writing
      As native speakers of English, we infer auditory tone from the written word.
      Two main components:
      Word choice
      Punctuation
      Simple example
    • 44. Due to the mystery surrounding social engineering many people are afraid of it, or they feel they will never be able to accomplish a successful social engineering test. However, every time you try to get someone to do something that is in your interest, you are engaging in social engineering. From children trying to get a toy from their parents to adults trying to land a job or score the big promotion, all of it is a form of social engineering.
      Introduction to http://www.social-engineer.org
    • 45. Many people are afraid of social engineering due to its mystery. Perhaps they feel they will never be able to accomplish a successful social engineering test. However, you are engaging in social engineering whenever you try to influence someone to act in your interest.
      All of these are forms of social engineering:
      • children trying to get a toy from their parents
      • trying to land a job
      • score the big promotion
      Paraphrased from http://www.social-engineer.org
    • 48. Many people are afraid of social engineering. They fear they won’t succeed at a social engineering test. But you are engaging in social engineering whenever you try to influence someone to act in your interest. Examples:
      • children trying to get a toy from their parents
      • trying to land a job
      • score the big promotion
      Paraphrased from http://www.social-engineer.org
    • 51. Tone in SE
      Back to the prime rule
      Tone needs to be natural and appropriate.
      Every situation has a tone and a feel for the writing that is unlikely to activate the CF.
    • 52.
    • 53. Actual Email from TD
      Hello Michael Murray, I appreciate your interest in viewing your TD Visa account information using EasyWeb. Thank you for taking the time to write. If you currently have an active EasyWeb profile but can not access your TD Visa, you may have 2 separate customer profiles set up with TD Canada Trust. For immediate assistance with correcting this situation, I encourage you to call EasyLine toll free at 1-866-222-3456. A Banking Specialist can combine your profiles if necessary, provided that the personal information on both profiles match. Representatives are available 24 hours a day, 7 days a week. If you are not registered for EasyLine, kindly press 2 and then 0 to speak with a representative. The combining process usually takes about two days to complete, and once it is finished, you should be able to view your entire personal portfolio via EasyWeb.
    • 54. Frame Control
      Cognitive Frames
      Wikipedia: “the inevitable process of selective influence over the individual's perception of the meanings attributed to words or phrases. Framing defines the packaging of an element of rhetoric in such a way as to encourage certain interpretations and to discourage others”
      The frame is the context in which the content of an interaction occurs
      Physical Frame control
      Transformation
      Extension / Contraction
      Combination
      Amplification / Compression
    • 55. The Elements of Influence
      Cialdini and others have found that creating a frame with certain elements can enhance influence
      Reciprocity
      Authority
      Social Proof
      Confirmation
      Scarcity / Urgency
      Emotional / Amygdala hijack
      Confusion
      Inserting these elements within a frame can strengthen influence
      These are natural human responses
      We use these responses to create a context for influence
    • 56. Confirmation
    • 57. Confirmation
      Confirmation Bias
      That which confirms what we already believe, we tend to believe.
      That which fails to confirm what we already believe, we tend to ignore.
      The brain LITERALLY turns off
      No CF activation
    • 58. During the run-up to the 2004 presidential election, while undergoing an fMRI brain scan, 30 men--half self-described as "strong" Republicans and half as "strong" Democrats--were tasked with assessing statements by both George W. Bush and John Kerry in which the candidates clearly contradicted themselves. Not surprisingly, in their assessments Republican subjects were as critical of Kerry as Democratic subjects were of Bush, yet both let their own candidate off the hook….
      The neuroimaging results, however, revealed that…
      "We did not see any increased activation of the parts of the brain normally engaged during reasoning"
      From: http://resonancetechnologies.com/press/articles/ThePoliticalBrain.pdf
    • 59. Confirmation in SE
      Signal Theory
      Branch of economics relating to the messages passed by inference
      E.g. A CEH is a signal that you have chosen the path of an EH
      We need to give appropriate signals
      Tone
      Language
      Appearance
    • 60. Back to TD
      Hello Michael Murray, I appreciate your interest in viewing your TD Visa account information using EasyWeb. Thank you for taking the time to write. If you currently have an active EasyWeb profile but can not access your TD Visa, you may have 2 separate customer profiles set up with TD Canada Trust. For immediate assistance with correcting this situation, I encourage you to call EasyLine toll free at 1-866-222-3456. A Banking Specialist can combine your profiles if necessary, provided that the personal information on both profiles match. Representatives are available 24 hours a day, 7 days a week. If you are not registered for EasyLine, kindly press 2 and then 0 to speak with a representative. The combining process usually takes about two days to complete, and once it is finished, you should be able to view your entire personal portfolio via EasyWeb.
      Best regards,
      Debra Matsumoto
      Internet Correspondence Representative
      ________________________________________
      TD Canada Trust 1-866-222-3456
      http://www.tdcanadatrust.com
      Email: customer.service@td.com
      TDD (Telephone Device for the Deaf) 1-800-361-1180
      This email is directed to, and intended for the exclusive use of, the addressee indicated above. TD Canada Trust endeavours to provide accurate and up-to-date information relating to its products and services. However, please note that rates, fees and information are subject to change.
    • 61.
    • 62.
    • 63. Reciprocity
    • 64.
      We create relationships through trading value.
      Temporary inequality creates powerful bonds.
    • 65. Reciprocity == Investment
      The act of exchanging value
      I can do something for you
      You can do something for me.
      Both acts strengthen our bond.
      We become more invested in the relationship
      The more invested a person feels, the more likely they are to be influenced by the relationship
      This is the Nigerian scam’s overwhelming power
    • 66.
    • 67. Scarcity
    • 68. Scarcity
      People will take almost any opportunity for their own gain
      Especially if the opportunity seems scarce
      If we have to hurry, the amygdala takes over
      This is a marketing tactic
      Infomercials
      Scams
    • 69. Ron Popeil
      “If you call in the next 15 minutes…”
    • 70.
    • 71.
    • 72. So much more we could discuss… So little time.
      Keep an eye on:
      ForegroundSecurity.com
      Episteme.ca
      Email me: mmurray@episteme.ca