NENA 2017 Doxing and Social Engineering

PSAPs and their personnel are susceptible to cyber-attack techniques like social engineering and doxing, due mainly to the vast amounts of personal data available on the Internet, in addition to the inherently helpful nature of people. This presentation demonstrates how 9-1-1 professionals may be unknowingly broadcasting information that hackers can use to do damage to people and infrastructure and how PSAPs can mitigate these risks.

  1. Defending Public Safety From Social Engineering & Doxing
  2. Managing Director – 20/20 Technical Advisors, LLC
  3. Jack Kessler • Founder & Managing Director of 20/20 Technical Advisors, LLC • IT and cybersecurity consulting firm • Based in Indianapolis, IN • Started the company in 2010 after working in Fortune 500 & Government contracting • Managing & securing IT infrastructure for 20 years
  4. 20/20 Technical Advisors, LLC • Services: Cybersecurity • Penetration testing • Vulnerability assessment • 24x7 security event monitoring • IT security architecture design consulting • Cybersecurity managed services • IT infrastructure – network, voice, managed services, backup/DR
  5. Hackers • Hackers can be good or bad depending on how they use their skills • At their core, they are troubleshooters • Find ways around or through obstacles to reach their objective • Always looking at how things can be weaponized • Look for ways to exploit human nature
  6. Attack Types • Social Engineering: use of deception to manipulate someone into divulging confidential or personal information for fraudulent purposes • Doxing: term derived from the word "documents"; researching and publishing private identifying data about a person on the Internet; the published information could also be stolen data
  7. Social Engineering • Motives: gather information on people for the purpose of doxing; gain system or physical access to systems or facilities; steal data; disrupt operations; disrupt lives • Preys on human conditions: people's good nature, frustration, fear
  8. Doxing • Hacktivists / vigilantes; cyber/physical attacks • Motives: settle a score – do harm to their target; correct a perceived injustice; support a cause; nuisance / disruption; gather data to breach systems
  9. Attack Types • Social engineering and doxing can be used in conjunction with each other: use doxing techniques to identify a target for social engineering; use social engineering to gather data to dox someone
  10. Social Engineering • AGARI DATA INC. survey, 2016: 200 respondents from a wide range of industries / organizations; 60% know they were or believe they were victims of social engineering attacks; 65% of those attacked said employees' credentials were compromised
  11. Social Engineering • DEFCON 2016 hackers conference survey: cybersecurity firm Nuix surveyed 70 hackers; 84% stated social engineering was part of their strategy; 50% change their attack methodologies • RSA Conference 2017
  12. Social Engineering • Examples of social engineering attacks: pretexting; phishing; link manipulation – in a phishing attack or on a website; IVR / phone phishing; tailgating – physical; baiting attacks – USB drives
  13. Social Engineering • Pretexting: pretending to be someone in order to get information or gain access under a false pretext; can be physical, by phone, or cyber
  14. Social Engineering • Pretexting examples – pretending to be a • Government official • Phone carrier installer • Maintenance person • Helpdesk contractor • New employee
  15. Social Engineering • Pretexting defense: policies / procedures; training employees; physical controls • Badges • Cameras / scanners / mantraps • Sign-in sheets • Contact lists – who to call
  16. Social Engineering • Pretexting and passwords • Use two-factor authentication • IT staff should NEVER ask for passwords • Train users to understand this • Our experience – even in highly trained user environments, 30% give out passwords in assessments
  17. Social Engineering • Phishing attacks: usually email or text attacks; ask the target to look at something • Dropbox link, email, website, YouTube link • Ask for information; threaten service disruption if not taken care of
  18. Social Engineering • Looks like a legitimate email: may use the same template as something you are used to, with a subtle difference • This is where using gmail.com, yahoo.com, or outlook.com email for business email can cause an issue – easier to spoof
  19. Social Engineering • Phishing email example
  20. Social Engineering • Phishing example – these sometimes will have links for you to click
  21. Social Engineering • Phone phishing: IRS calls; fake collection agents; same objectives; use automated dialing; do-not-call lists are ineffective
  22. Social Engineering • Phishing defense: train users; include phishing in 3rd-party security audits; set up an IT mailbox to which staff forward suspect emails / links for review; cloud programs like PhishMe to assess staff
  23. Social Engineering • Phishing defense: patch your systems; threat detection tools; anti-virus / advanced malware detection software; intrusion detection systems; system backups
  24. Social Engineering • Link manipulation: the label on the link is different from where it sends you; commonly used in phishing attacks; anyone can do it easily; a website or email is commonly used to lure someone
  25. Social Engineering
  26. Social Engineering • Link manipulation example: the actual site is malicious; can deliver • Ransomware • Key loggers • Malware
  27. Social Engineering • Link manipulation defense: train users on the attack; show them examples; teach them to scrutinize what they click on and open; yearly 3rd-party security testing to include phishing attacks using link manipulation
  28. Social Engineering • Link manipulation defense: patch your systems; threat detection tools; anti-virus / advanced malware detection software; intrusion detection systems; system backups
  29. Social Engineering • Tailgating: following someone through a secured door; many times the first person doesn't check to make sure the person behind them has the right to be in the building; used to get into the building to do something nefarious • Install a device • Do harm to people or property
  30. Social Engineering • Tailgating takes advantage of people's good nature and of distracted employees • Defense: train employees; cameras; mantrap
  31. Social Engineering • Baiting attacks: usually a media attack – USB thumb drives • 50% of all thumb drives found are plugged in • Never plug a found thumb drive into your computer
  32. Social Engineering • Baiting attacks: a Rubber Ducky is a keyboard, not a thumb drive; USB lockdown software won't work in 99% of cases
  33. Social Engineering • Baiting defense: train users; never pick up a USB drive and plug it in; use the previously mentioned technologies to protect in the event that someone using this attack succeeds in getting someone to plug a device in
  34. Doxing • Do harm to the target: identity theft; harassment; swatting; physical attack; bullying; stalking; pranking
  35. Doxing • Information commonly released: names; job titles / place of work; phone numbers; government ID numbers (SSN, passport, driver's license, etc.); family members' information; bank account numbers
  36. Doxing Examples • Boston Bombing – Sunil Tripathi: doxed on the websites Reddit and 4chan; wrong identification; news services picked it up; had been missing before the bombing; family was looking for him; they were harassed and received death threats; he was later found dead in a river
  37. Doxing Examples • Amanda Todd: committed suicide after being cyberstalked and blackmailed; hacker group Anonymous doxed the wrong man, extremely disrupting his life • His place of work was harassed / he was fired • Had to move across the country • Changed his name
  38. Doxing Examples • Numerous swatting incidents • Celebrities – doxed: Ashton Kutcher – doxed and swatted; Michelle Obama – credit report, SSN, phone number, credit card
  39. Doxing Examples • Ferguson, MO – Anonymous threatened law enforcement • "If you attack the protesters, we will attack every computer and server you have. We will dox and release the personal information on every single member of the Ferguson Police Department, as well as any other jurisdiction that participates in the abuse. We will seize all your databases and e-mail spools and release them to the public. You have been warned."
  40. Doxing • How do they dox? Search engines – usernames, email addresses, any info; cached websites – Google caches websites, so old sites don't go away; ASSUME IF YOU POST IT, YOU CAN'T PULL IT BACK; search variations of usernames • Site one userID – bunnylover
  41. Doxing • Social media – THIS IS THE BIG ONE: Facebook, LinkedIn, Instagram • Contact info, family members, acquaintances • Patterns of behavior – checks in at Starbucks at 8 AM daily • Interests – fan of a sports team, kids' Little League team • Jobs, colleagues, skills • All of this is possible security question answers
  42. Doxing • EXIF data: data attached to media files – photos, videos; GPS data, dates, times, type of camera, phone; social media photo uploads have the location in the post
  43. Doxing • Social media: vet your social media requests; tighten your security controls • Make your family do it too • Restrict personal info • Untag yourself from photos • Settings to approve any tagging • Remove 3rd-party apps when you buy software / hardware
  44. Doxing • EXIF data • 22 hours from social media post to bombs on target
  45. Doxing • EXIF data: do not post photos in real time • Wait until you come back from vacation or back home • You can change or remove the data from your media; multiple programs – EXIF Editor is one
  46. Doxing
  47. Doxing • Blogs, forums, message-board type sites: many times personal info is needed to set up accounts; non-mainstream hobbies open people up to issues; breaches on these types of sites are common and bite users • Slack, Adult Friend Finder, Ashley Madison
  48. Doxing • Tools on the Internet: theHarvester – gathers emails, domains, employee names, open ports on devices, banners; Shodan – scans the Internet constantly, cataloging information on the devices on the Internet; Maltego – mines data from public sources; Cree.py – scripts that work with social media interfaces • Gives you data that might not be available through the browser interfaces on those sites
  49. Doxing • Tools on the Internet: Facebook stalker • Even if locked down, one friend with looser security settings can give up your info • Data on when you post • Places you frequent
  50. Doxing • Geostalker
  51. Doxing • Public records – government records online • Property tax records • Parcel info • Business filings • Government registrations • Petitions signed • Political donations
  52. Doxing • Data brokers – right there with social media: Spokeo, Intelius, Pipl, White Pages, etc. • Can get basic free info • Current address • Family members • Even with free you can piece together a lot of info about someone
  53. Doxing • Data brokers – paid, you get a lot more • Schools • Criminal activity • Retail activity – stores all sell your info • By law they must have an opt-out; most just need email and phone number
  54. Doxing • Data brokers: Intelius asks for a copy of your government-issued ID; services are out there to help reduce this footprint and usually have a monthly fee
  55. Doxing • Summary of steps to reduce risk – secure your accounts • Strong passwords • Change passwords • 2-factor authentication • Use different accounts and passwords on different sites • Close old accounts • Don't save data on websites (CC info, addresses,
  56. Doxing • Summary of steps to reduce risk: turn off location data on your devices, like phones; tighten social media controls; vet your connection requests on social media; beware of free cloud services; shred documents
  57. Crackas With Attitude • Two North Carolina men worked with 3 UK teenagers to hack high-level Federal Government officials: John Brennan – CIA Director at the time; family members; other high-level officials • Used social engineering and doxing • https://www.justice.gov/usao-edva/file/890421/download
  58. Crackas With Attitude • Harassed the targets: posted AT&T wireless bills online; posted passport numbers, SSN, phone, address, names of targets; took over AT&T, Verizon, Comcast, AOL email, Twitter, and Amazon accounts of the targets; at one point called Verizon as the target and as an employee to get them to reset the password to the accounts and give it to them
  59. Crackas With Attitude • Taunted the targets: texted them with threats and sent pictures of their kids • Stole data from the FBI LEEP portal: doxed 80 Miami police officers; doxed government and military employees • 34K lines of data from the system
  60. Questions • Thank you! • Jack Kessler, 20/20 Technical Advisors, LLC, Managing Director, 9640 Commerce Drive, Suite 414, Carmel, IN 46032, PH: 317 249 8100 x1001, Email: jack.kessler@2020technical.com • I can be found in Booth #449
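The link-manipulation slides (24 to 28) describe the tell-tale: the label on a link says one place while the href sends you somewhere else. That check can be automated on the mailbox the deck recommends for forwarded suspect emails. The example below is added here and is not from the presentation or from 20/20 Technical Advisors; it parses an HTML mail body with Python's standard library and reports every anchor whose visible label names a host different from the real destination. The sample message, the hosts and the IP address in it are constructed.

```python
"""Flag link manipulation in HTML email: label shows one host, href goes to another."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# URL or bare hostname inside the visible link text.
URLISH = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


class LinkCollector(HTMLParser):
    """Collects (href, visible label) pairs from <a> tags."""
    def __init__(self):
        super().__init__()
        self.links, self._open = [], None  # _open = [href, label] in progress

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._open = [dict(attrs).get("href") or "", ""]

    def handle_data(self, data):
        if self._open is not None:
            self._open[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._open is not None:
            self.links.append(tuple(self._open))
            self._open = None


def find_mismatched_links(html: str):
    """(label_host, actual_host) for each anchor whose label names a host other
    than the href's host or a subdomain of it; non-URL labels are skipped."""
    parser = LinkCollector()
    parser.feed(html)
    bad = []
    for href, label in parser.links:
        m = URLISH.search(label)
        if not m:
            continue  # e.g. "click here": nothing to compare against
        shown = m.group(1).lower()
        actual = (urlparse(href).hostname or "").lower()
        if actual and shown != actual and not actual.endswith("." + shown):
            bad.append((shown, actual))
    return bad


# Constructed sample (not from the presentation): link 1 is manipulated,
# link 2 matches, link 3 goes to a subdomain of the host it displays.
SAMPLE = """<p>Your account will be suspended. Verify now:</p>
<a href="http://198.51.100.7/login">https://www.examplebank.com/secure</a><br>
<a href="https://www.examplebank.com/help">www.examplebank.com</a><br>
<a href="https://mail.examplebank.com/">examplebank.com</a>"""
```

Running `find_mismatched_links(SAMPLE)` reports only the first link; a label such as "click here" carries no host to compare, so it is left to the user-training controls the slides describe.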
