WARNING
• I use REAL people as examples in this presentation
• I do this not to mock them, or intimidate them, but to impress upon them in the most real way I know of, the importance of sharing information about themselves only on a “need to know basis” in public forums
Social Engineering
• No matter how many security measures you introduce, there is one which proves to be the most challenging…
• How do we secure human beings?
Social Engineering Defined
• The use of psychological tricks in order to get useful information about a system
• Using psychological tricks to build inappropriate trust relationships with insiders
Kevin Mitnick
• World’s most famous Social Engineer
• “The weakest link in the security chain is the human element”
• Half of his exploits involved using social engineering
• See the master in action!
Social Engineering
• Social Engineering goes back to the first lie ever told and will continue into the future.
• Social Engineering is successful because people are generally helpful, especially to those who are:
• Nice
• Knowledgeable
• Insistent
Three Primary Methods of Social Engineering
• Flattery
• Authority Impersonation
• Threatening Behavior
Helpful By Default
• We don’t see a motive to hack our network. “If I see it every day, it can’t be important.”
• Industrial Espionage
• Revenge
• Just for fun
How Does It Happen?
• “An ounce of prevention is worth a pound of cure!”
• The Social Engineer uses simple information found online, or by making a basic phone call into the office
• That stuff really isn’t that easy to get… Don’t be dramatic!
Let’s Set Up a Case Scenario Using a Method Called Pretexting
• Meet Angry Cow
• Computer Science Student at UW-Madison
• Angry Cow just got an eviction notice
Case Continued – Simple Public Information is Found
• Angry Cow lives at the Regent
• The Regent’s website indicates that it is owned by Steve Brown Properties
• Angry Cow wants to “fix” Steve Brown’s record keeping spreadsheet to show that rent has been paid
Next – Finding A Way In…
• Facebook is Angry Cow’s first weapon of choice because it is an unofficial source of information
• Poor controls over data sharing
• Lots of important information there that might not seem important, but could be his first step in…
• Go to Facebook and search: “Steve Brown Apartments” to find an appropriate unknowing accomplice
Let’s See – Danielle Treu
• Born July 24, 1988
• Enjoys playing in the rain, drinking coffee and spending money
• Works at Subway and as a Resident Assistant for Steve Brown Apartments
Let’s See – David Klabanoff
• Born April 21, 1979
• Likes Star Wars and The Muppet Movie
• Is a Concierge for Steve Brown Apartments
Let’s See – Andrew Baldinger – I think I might know this guy!
• Born March 30, 1986
• Likes kayaking, exploring, and getting lost
• Lives at the Regent
• Works as a Technology Support Specialist for Steve Brown Apartments!
Let’s Start with Danielle Treu
• Her Facebook profile is public, but she is intelligent. She keeps her contact information private
• But, her profile does say that she attends UW-Madison…
• I wonder if they have some more public information about her
The Research, Phase II
• I’m so thankful for the UW Whitepages!
• Remember, this is PUBLIC information!
• I got her email address!
Establishing the Trust
• Danielle talks to David, and since David trusts Danielle as an “insider”, this trust transfers to the fake Andrew
• Angry Cow shows up later that day; David is expecting him
• Angry Cow identifies himself as Andrew and asks David for the key to the server room
The Hack
• Angry Cow gets physical access to the server and uses Ophcrack (just like we did in class to get the Admin username)
• Angry Cow logs into the server and alters accounting files to indicate that his rent has been paid
Summary of This Example
• Search for public information about your target, using both official and unofficial sources
• Build a trust ladder: Julie trusts Andrew and David trusts Julie, therefore David will trust Andrew—even if “Andrew” really is Angry Cow!
• Build a credible story
• Based on PRETEXTING
Let’s Watch Another Example
• Silence of the Lambs movie scene
• Notice how they both establish trust through the use of kindness or perceived kindness
How to Keep Social Engineering From Working
• Administrators need to:
• Establish Policies
• Train Employees
• Run Drills
• Office Workers:
• Need to be aware of Social Engineering tactics
• Follow policies
Let’s Watch the AT&T Internal Social Engineering Training Video
• Which Social Engineering techniques can you identify in the video? (Flattery, Authority, Threats)
• How would you CLASSIFY this video (remember Data Classification)?
• What is going on at AT&T?
Pretexting
• Pretexting is the act of creating and using an invented scenario (the pretext) to persuade a targeted victim to release information or perform an action, and is typically done over the telephone.
Pretexting
• It’s more than a simple lie, as it most often involves some prior research or set-up and the use of pieces of known information (e.g. for impersonation: date of birth, Social Security Number, last bill amount) to establish legitimacy in the mind of the target.
Is This Really a Threat to Businesses? PRETEXTING
• So far, this just looks like a technique employed by angry individuals.
• Did you know that Hewlett Packard regularly engaged in Social Engineering?
• They used the method of PRETEXTING in order to get phone records
• Let’s watch the testimony of Patricia Dunn, Director of HP
Pretexting Will Likely Continue
• As most U.S. companies still authenticate a client by asking only for a Social Security Number, date of birth, or mother’s maiden name, the method is effective in many criminal situations and will likely continue to be a security problem in the future.
• Pretexting is the most common form of Social Engineering
Phishing
• Phishing is the use of email as a means to extract personal information from a user
• A variant is called IVR Phone Phishing
Phishing Continued
• Direct you towards bogus (fake) websites
• Purpose is to harvest information
• PayPal example – I don’t even have a PayPal account!
• Use common sense!
• Don’t click on links directly!
• Phishing Filter!
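Added example, not part of the slide deck: a small Python check of the kind a mail filter or a cautious reader applies to the “bogus website” trick above, flagging links whose visible text names one domain while the actual href points somewhere else. The PayPal-style message is constructed for the example.

```python
# Flag e-mail links whose displayed text and real destination disagree.
# Constructed sample and heuristics for illustration only.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed "PayPal" notice: the first link's text looks legitimate,
# but its href lands on an unrelated domain; the second link is honest.
SAMPLE_EMAIL = """
<p>Dear customer, your account is limited.</p>
<p>Please log in at <a href="http://paypal.com.account-verify.example/login">
https://www.paypal.com/myaccount</a> to restore access.</p>
<p>Questions? See <a href="https://www.paypal.com/help">www.paypal.com/help</a>.</p>
"""

# Only link text that itself looks like a URL or host name can "lie" about a domain.
DOMAINISH = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:[/?#]|$)", re.I)

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable_domain(host):
    """Crude last-two-labels heuristic; a production filter uses the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def suspicious_links(html):
    """Return (shown_text, real_href) for links whose text names a different domain."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        if not DOMAINISH.match(text):
            continue  # "click here" style text makes no domain claim
        real = registrable_domain(urlparse(href).hostname or "")
        shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
        if registrable_domain(shown) != real:
            flagged.append((text, href))
    return flagged
```

The first link is reported because the text claims paypal.com while the href resolves to account-verify.example; the second is not, which is the “don’t click on links directly, look at where they really go” advice in code form.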
TROJAN HORSE
• Is a virus or malware, disguised in such a way as to appeal to a person’s curiosity or greed
• Usually arrives in the form of an email with an attachment
• ILOVEYOU virus is an example of a Trojan Horse
• Adware hiding inside downloads is another example
Road Apples
• Road Apples are also known as Baiting
• Uses physical media and relies on the curiosity or greed of the victim
• USB drives or CDs found in the parking lot, with label: 3M Executive Salaries
• Autorun on inserted media
Quid Pro Quo
• Means “something for something”
• A person contacts people one by one, until he/she finds a person with a problem
• When they find a person, they “fix” their problem by introducing malware to their machine
Summary – Today’s Takeaways
• Social Engineering involves manipulating others to get access
• Main techniques are: Flattery, Authority, Threatening
• Main types are: Pretexting, Phishing, Trojan Horses and Quid Pro Quo
Ways to Combat Social Engineering
• Good security policy
• Make sure your employees understand dangers and threats
• Make sure employees understand what Data Classification means and what type of information you publicly give away
Most Important Gem of Wisdom in Defeating Social Engineering
• Never, never give out username, password, account number, SSN, etc. over the same channel used to initiate the request
• For example, if a phone call comes in asking for a SSN, send the SSN via email or regular mail