Social Engineering

  1. Agenda
     • What is it?
     • Real life cases
     • Traits Exploited
     • Phishing
     • Methodology
     • Scenarios
     • Tricks of the Trade
     • Physical Pen testing?
     • Defenses
     • Demo!
  2. Watch it!
     • The human link is the weakest in the security chain
     • Perception
     • Authority, Slow Response, Fear & Anxiety
     • Files
     • James Bond!
  3. Engineering the Socials & The Rest
     Manipulation of human trust (and traits) to elicit information. This could be further used to directly or indirectly steal data, identity, money, etc., gain access to systems, or further manipulate others, for financial gain or otherwise.
     A combination of the standard security checks was identified by engineering and ethically manipulating the processes, trust levels and human aspect of day-to-day operations in the company.
     Modes:
     • Human Based
     • Computer Based
  4. Traits Exploited [Generally.. ;P]
     Traits:
     • Helplessness
     • Guilt
     • Anxiety
     • Fear
     • [Authority]
     • Trust
     • Moral Duty
     • Helpfulness
     • Cooperation
     • Delegated Responsibility
     Through:
     • Situations
     • Urgency
     • Impersonation - Partially Known Factors
     • Persuasion
     • Request
     • Orders/Demand
     • ..
     • Technology [Modems, Malware, OSINT, Exploits, Phishing, Spoofing, Websites, other computer based techniques and Help Desk ;) ]
  5. Phishing - Vishing
     2003 saw the proliferation of a phishing scam in which users received e-mails supposedly from eBay claiming that the user's account was about to be suspended unless a link provided was clicked to update a credit card (information that the genuine eBay already had). Because it is relatively simple to make a Web site resemble a legitimate organization's site by mimicking the HTML code, the scam counted on people being tricked into thinking they were being contacted by eBay and subsequently were going to eBay's site to update their account information. By spamming large groups of people, the "phisher" counted on the e-mail being read by a percentage of people who already had listed credit card numbers with eBay legitimately, who might respond.
     Phone Phishing (IVRs)
     A typical system will reject log-ins continually, ensuring the victim enters PINs or passwords multiple times, often disclosing several different passwords.
     (courtesy – Wikipedia)
  6. Barge In!
     • Fake ID
     • Fake Authorization Letter
     • Uniform?
     • Recorder
     • Videos
     • Bag?
     • Suit Up!
  7. Target
     • Asset Identification – Information?
     • No I don't have a Gun
     • Diversion theft - "going straight out" or "urgently required somewhere else".
     • Passive - Tailgating, Eavesdropping, Shoulder surfing
     • Baiting
     • Cold Calling
     • Backdoors, Rootkits, keyloggers
     • Device!
  8. Catch Me if you can
     • Frank Abagnale
     • Victor Lustig
     • Kevin Mitnick
     • Badir Brothers – Again
     • Mike Ridpath
  9. Frank William Abagnale
     Notorious in the 1960s for passing $2.5 million worth of meticulously forged checks across 26 countries over the course of five years, beginning when he was 16 years old.
     He attained eight separate identities as an airline pilot, a doctor, a U.S. Bureau of Prisons agent, and a lawyer. He escaped from police custody twice (once from a taxiing airliner and once from a U.S. federal penitentiary).
  10. Cases
     Lustig had a forger produce fake government stationery for him.
     Invited six scrap metal dealers to a confidential
     There, Lustig introduced himself as the deputy director-general of the Ministry of Posts and Telegraphs.
     Lustig told the group that the upkeep on the Eiffel Tower was so outrageous that the city could not maintain it any longer, and wanted to sell it for scrap. Due to the certain public outcry, he went on, the matter was to be kept secret until all the details were thought out. Lustig said that he had been given the responsibility to select the dealer to carry out the task. The idea was not as implausible in 1925 as it would be today.
     Later, Lustig convinced Al Capone to invest $50,000 in a stock deal. Lustig kept Capone's money in a safe deposit box for two months, then returned it to him, claiming that the deal had fallen through. Impressed with Lustig's integrity, Capone gave him $5,000. It was, of course, all that Lustig was after.
  11. Cases Contd..
     1st Source Information Specialists
     Illinois became the first state to sue an online records broker when Attorney General Lisa Madigan sued 1st Source Information Specialists, Inc., on 20 January, a spokeswoman for Madigan's office said. The Florida-based company operates several Web sites that sell mobile telephone records, according to a copy of the suit. The attorneys general of Florida and Missouri quickly followed Madigan's lead, filing suit on 24 and 30 January, respectively, against 1st Source Information Specialists and, in Missouri's case, one other records broker – First Data Solutions, Inc.
  12. Involves - C*****S****
     • Physical Security [Dumpster Diving, Shoulder surfing, Eavesdropping, stealing in Remote Devices, covert entry/exits, impersonation, dressing, IDs, badges, etc.]
     • Perimeter Security
     • General Intelligence
     • Emails, Phishing, Websites
     • OSINT [social networks, forums, portals, public knowledge]
     • Research
     • Social Engineering ;)
     • .. TRUST
  13. Scenarios - 1: Social Engineering
     "They asked a janitor for a garbage pail in which to place their contents and carried all of this data out of the building in their hands."
     LUCK
     You have won "100000$"!
  14. What I call a chain reaction
     Mr. Smith: Hello?
     Caller: Hello, Mr. Smith. This is Fred Jones in tech support. Due to some disk space constraints, we're going to be moving some users' home directories to another disk at 8:00 this evening. Your account will be part of this move, and will be unavailable temporarily.
     Mr. Smith: Uh, okay. I'll be home by then, anyway.
     Caller: Good. Be sure to log off before you leave. I just need to check a couple of things. What was your username again, smith?
     Mr. Smith: Yes. It's smith. None of my files will be lost in the move, will they?
     Caller: No sir. But I'll check your account just to make sure. What was the password on that account, so I can get in to check your files?
     Mr. Smith: My password is tuesday, in lower case letters.
     Caller: Okay, Mr. Smith, thank you for your help. I'll make sure to check your account and verify all the files are there.
     Mr. Smith: Thank you. Bye.
     [- Taken from Melissa Guenther]
  15. Defenses (Layered Security: Physical, Process, Tech)
     • Least Privileges
     • Password Policy
     • Access Controls
     • Safe Disposal
     • Removable Device Policy
     • Latest Set Up
     • Content Management and filtering
     • Change Management
     • Monitoring
     • Awareness
  16. References
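The Phishing slide above notes that the eBay lure relied on a link that looked like it pointed at eBay. The following checker, added here and not part of the original deck, flags anchors in an HTML message whose visible text names one domain while the href points at another; the e-mail body is a constructed sample, and the `registrable()` reduction to the last two labels is a simplifying assumption (no public-suffix list).

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Constructed sample modelled on the eBay-style lure described on the slide.
SAMPLE_EMAIL = """
<p>Dear eBay member, your account will be suspended unless you update your
credit card within 24 hours.</p>
<a href="http://ebay-secure-update.example/login">https://www.ebay.com/account</a>
<a href="https://www.ebay.com/help">eBay Help</a>
"""

# Matches a domain (optionally with scheme) inside the visible link text.
_URLISH = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Assumption: registrable domain = last two labels (crude, no PSL)."""
    return ".".join(host.lower().split(".")[-2:])


def suspicious_links(html):
    """Return hrefs whose visible text names a different domain than the target."""
    parser = _LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        target = registrable(urlparse(href).hostname or "")
        shown = _URLISH.search(text)
        if shown and registrable(shown.group(1)) != target:
            flagged.append(href)
    return flagged
```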