
Blue team responses to people who "hack like a girl"


Social Engineering Scenarios from SpiceHeads on Spiceworks!



  1. Blue Team responses to people who “hack like a girl”. Kate Brew, @securitybrew, AlienVault, co-founder of C1ph3r_Qu33ns. Charisse Castagnoli, Websense, co-founder of C1ph3r_Qu33ns.
  2. First: what does “hack like a girl” mean? Social engineering (SE) is a huge attack vector and very effective. SE doesn’t require detailed system knowledge or programming skills. Women are traditionally not viewed as a “threat”, so IT is more likely to be sympathetic and nice, which makes women potentially quite effective at SE. Note: “Hack Like A Girl” is not an insult.
  3. What is social engineering? Social engineering is the art of manipulating people so they give up confidential information. Criminals use social engineering tactics because it is usually easier to exploit your natural inclination to trust than it is to discover ways to hack your software. Source: Webroot.
  4. Why does social engineering work? Research has shown that most people respond to specific social cues:
     • Authority: “You must do this because I am an authority over you.” Boss to subordinate, teacher to student, commander to infantry.
     • Obligation: “You should help me because I did this for you.” “Remember when I finished your assignment for you?”
     • Responsibility: people trained or conditioned to assist, e.g. customer service, nursing.
     • Cultural responsibility: keiretsu, cartels, cultural norms.
     Criminals use social engineering tactics because it is usually easier to exploit your natural inclination to trust than it
  5. Gamification of social engineering scenarios. Red team (us): we present a scenario (many of these are real-world scenarios); thanks to the SpiceHeads who contributed the scenarios! Blue team (audience): respond with ways to defeat this scenario. Scoring: 1 point for remediation, 1 point for defense, and an extra point for identifying the social pressure point.
  6. How we are going to play the game: we present an SE scenario; the audience responds with ways to defeat it; the best answer gets a prize; at the end we award MVP awards (two $50 Amazon gift cards).
  7. Spearphishing. “This is Ralph Simmons, your daughter’s school principal. You need to come pick your child up ASAP, as there has been an incident with her and another student. To see a copy of the incident report we put on file, Click Here! Respectfully, Mr. Simmons.” (Fake school principal.)
  8. Jack their software (jacking public information). Contact a finance software vendor and get a list of references from them. Contact people on that list claiming to be part of a support team doing updates on the software via a remote connection. If they grant you that connection, you have their finance system.
  9. But I *really* need that app! “I know I’m not supposed to have it, but if I don’t get that app I’m going to miss a deadline, be reprimanded, get fired. I promise I’ll delete it as soon as this assignment is done.”
  10. Have your kid stick a flash drive in the target. Nobody suspects cute little kids. So you take your kid into a bank or other place with something to steal. While you are conducting business, you have them stick the flash drive into the target.
  11. Impersonating IT. This one works great if you are an evil insider with remote sites where people don’t know you’re not from IT. You badge in, then find a likely target. You go over to them and indicate that your network security monitoring system has flagged their system as having malware. You ask them to leave you logged in and go get a coffee.
  12. FedEx / coffee / water refill dude/dudette. Even without a badge, these delivery folks are allowed in without a second thought. They can bring in a device to break into the corporate wireless network.
  13. Poor Grandma! “Hello Mr./Mrs. Suchandsuch. This is {insert fake name here} calling from XYZ Advanced Care facility. Your mother/father has taken a spill and needs to go to the hospital. We just need to confirm your insurance and billing info so that we can facilitate his/her transport and treatment there.”
  14. Trickery to steal laptops. Look on the internet for an oil and gas company directory and get a person’s name (for example: http://www.kanataenergy.com/team.html). Put on a suit, show up at lunch and mumble to reception like you own the place: “I’m just heading in to my meeting with Randy Hughes...” Steal laptops from open offices, walk out.
  15. This one requires programming, but sooo fun!
  16. Emails claiming to be voicemail. Damn emails that claim to be a voicemail, even though the company has never never never ever gotten their voicemails via email, and someone opened it.
  17. “Helpful” evil co-workers. The human firewall is the most important part of a security equation, because attacks happen anywhere. Even from that nice guy Bob who helped Mary in Accounting speed up her PC.
  18. Scary phishing. “Your transaction for your MasterCard for the total of $3,576.43 has been approved. Please see attachment for your receipt.” Attachment: invoice.pdf.exe
  19. Just mean! We had a semester-long project where we were to secure a machine (Linux) and try to hack another team in the sandbox, and couldn’t physically touch their machine. Group leaders received an email from the “teacher” saying over the semester break servers were going to be switched out and she needed all the teams’ passwords. Unfortunately my group leader fell for it, and it was another team spoofing the instructor’s email.
  20. Password reuse. Create a web site offering something incredible (new social media site, free software, whatever). Require the user to submit a username and password for login. Use that information on larger sites (Facebook, Twitter, Gmail, etc.) and see if they use the same login credentials across all services, as so many people do.
  21. Microsoft tech support phone scam. You all know this one, but check out this response: “I had those guys call me. I have this POS 4G ethernet box I use when I travel, and a VM of Windows 10 running on one of the old junkers we restored and upgraded with spare parts, so I decided to let them on. The VM was part of a test lab, where we were testing lockdown policies and software compatibility. They had a heck of a time; I was cracking up laughing. I eventually just said, ‘Sorry, but I’ve been effing with you, but I’m getting hungry so I’m going to go.’ Then he proceeded to call back: ‘Sorry, but we seemed to get disconnected, if you could go back to the lady page and start over...’”
  22. Thumb drive giveaway! Post a couple of young women in scantily clad dresses at a conference, offering 4GB USB thumb drives (quite a lot back then!). People were jacking those USB thumb drives into their enterprise computers, without knowing that they had a crafted app that was sending every file they opened to the outside; worse, it also permitted remote access, so even the IT administrators’ computers were compromised (the CTO’s laptop was one of them). The strategy of placing the young women outside the enterprise worked because the majority of workers were men and they didn’t even notice the strangeness of strangers offering them thumb drives for no reason.
  23. Demarc closet. “Hi, I’m from the phone or cable company and need access to your demarc closet.” Receptionists usually let them in. What makes it totally believable is for that utility company worker to scowl and act like they would rather be anywhere but your office. And, if the receptionist calls the IT staff, tell them that you are HERE because another customer over THERE has issues with their T-1 line, and they believe there may be cross-talk between one of your T-1 lines and this other customer’s lines. If you know that you now use fiber only, they can still claim that this is a T-1 that was supposed to be decommissioned but they failed to do it properly, and that is why you have had ongoing problems on your phone bill...
  24. Anti-virus: over-trusting. I used to work for a well-known anti-virus company. I did the business technical support for all customers around the globe. To remove viruses we had to remotely log into the computers at the company. The IT people would quite often log you in and then tell you they were going on lunch, or going home, and ask you to shut down when you were finished. Never thought about it at the time, but it was basically a wide open door to the company’s data. It’s not like we were just logged on; we were logged on with the IT person’s credentials and authorised to auto-log on after reboot!!!
  25. Spear-phishing execs. During a pen test at a trading company, the client was tighter than Kim Kardashian’s latex Catwoman outfit. Hammering the routers, DNS, firewalls, and all other tech yields nothing of value. The social engineering group (SEG) digs in. They easily find the name of the CFO. They find her Facebook, LinkedIn, and Twitter pages. They see what her likes and dislikes are, and more importantly, the causes she supports. They dig more and come up with a list containing a substantial number of the employees. They craft a web site. They craft a nice email in the CFO’s name asking them, if they want, to click on this link to donate money to one of her pet causes. They send it to all the employees. Two of them click the link, one a low-level employee and the other one of the people who deals with trades. The link silently installs a keylogger. All data (passwords, accounts, etc.) from the trader is now compromised.
  26. Fake IM from co-worker. Send an IM from an account that looks like a coworker’s saying “This link does not work for me. Could you try it before I call and bother IT?” [malicious link here]
  27. The server room. Bring a Pepsi into the server room. Spill it all over. Or, take a huge magnet in your purse and lean on some of the servers.
  28. Pop-ups complaining of malware. Pop-ups that tell the user their computer is infected and needs to be fixed... simply download this software to fix it. Well, looks like that didn’t quite work.... and it is a much bigger problem than we originally thought.... but if you pay us it will work! So pay us now and it will all be fixed! So many relatives that have fallen for this one... and a few friends. *Le Sigh*
  29. Wire fraud phishing.
      From:
      Date: February 26, 2015 at 11:07:36 AM CST
      To:
      Subject: Cancelled Wire Money Transfer. Dispute Number 932453
      The Wire transfer (ID: J217485011), recently sent from your online bank account, was aborted by the Electronic Payments Association.
      Canceled transfer
      Transfer Case ID: 113548
      Total Amount: 3798.61 USD
      Sender contact: name@domain.com
      Reason for rejection: See attached file
      The email contained several links to the VBA/TrojanDownloader.Agent.IY trojan, not only in the attachment, but linked in the sender’s address.
  30. Obamacare phishing. The best social engineering is one that uses the government and people’s inherent greed and ignorance of the law. This is what makes financial scams so effective. Use snail mail and a fake PO Box. “I’m from the IRS. You didn’t claim your $5,000 Obamacare bonus refund. Since you didn’t use all of your free healthcare money for 2014, you have a choice of rolling it over or having it added to your tax refund. If you don’t reply in two weeks, this claim will expire.” Then generate a fake tax form and have them fill out whatever information you need from them. 90% of people will want a check. Have them submit the form using a faked website. Using Obamacare in the scam is good because people don’t know squat about the law. There was a recent report on the enrollment date being pushed back because people didn’t know about the fine. So ignorance is high on this complicated law.
  31. D’Oh LinkedIn. Go to LinkedIn and connect with someone. Offer them a fake, high-paying job. Require they fill out a form before the on-site interview. Collect all info, including SSN.
  32. Citrix. For a company using Citrix with a web portal at https://www.somecompany.com/Citrix/Metaframe/default.aspx, you register a dynamic DNS domain like com.ntdll.net, add a host www.somecompany to that domain and clone their Citrix web portal. Have your fake site save the credentials and pass them on to the real Citrix portal so they can actually log in. So the phishing site you set up is https://www.somecompany.com.ntdll.net/Citrix/Metaframe/default.aspx. Then craft an email with a link showing the real domain but actually going to your phishing page:
      Hello,
      As many of you have probably noticed there have been some performance issues with using Citrix remotely. We’ve been working hard to resolve the issue and are pleased to say we’ve finally upgraded our Citrix servers. Everything should be running much smoother now. The new Citrix portal just needs you to log in to help migrate your profile over to the new server. Please log in within the next 24 hours so we can get everyone migrated over and running on the new system. For your convenience I’ve included the link below.
      https://www.somecompany.com/Citrix/Metaframe/default.aspx
      Thanks,
      IT Department
      Some Company
      Chances are if they do click your link and see the URL they won’t be too suspicious because at first glance it looks very much like the real link.
  33. Common denominator: “Expect the Unexpected”
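Two of the scenarios above leave technical traces a blue team can catch before a person ever has to decide: the disguised attachment in slide 18 (invoice.pdf.exe, and the "see attached file" lure of slide 29) and the lookalike link in slide 32, where the visible text reads www.somecompany.com but the href lands on www.somecompany.com.ntdll.net. The following Python script is an added defender-side example, not part of the deck and not code from the presenters; it triages a message the way a mail gateway or an analyst's triage script might. The trusted-domain allowlist, the extension lists, the sample message and its attachment bytes are all constructed assumptions; only the Citrix URLs come from the slides.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed allowlist: the registrable domains this company actually owns (assumption).
TRUSTED_DOMAINS = {"somecompany.com"}

# Extensions Windows executes on double-click (partial, constructed list) and the
# document-looking extensions an attacker hides them behind, as in "invoice.pdf.exe".
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs", "hta", "msi", "ps1"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "jpg", "png"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registrable_domain(host):
    """Approximate the registrable domain by the last two labels of a hostname.
    A production check should consult the Public Suffix List (co.uk and friends)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def classify_attachment(filename):
    """Return a reason string if the attachment name looks dangerous, else None."""
    parts = filename.lower().rsplit(".", 2)
    if len(parts) == 3 and parts[2] in EXECUTABLE_EXTS and parts[1] in DOCUMENT_EXTS:
        return "double extension disguising an executable"
    if parts[-1] in EXECUTABLE_EXTS:
        return "executable attachment"
    return None


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href") or "", ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(tuple(self._current))
            self._current = None


def check_link(href, text):
    """Findings for one anchor: lookalike host, text/href mismatch, or untrusted target."""
    host = (urlsplit(href).hostname or "").lower()
    target = registrable_domain(host)
    findings = []
    # A trusted name embedded in a hostname whose registrable domain belongs to someone
    # else (www.somecompany.com.ntdll.net) is exactly the Citrix-scenario lookalike.
    for trusted in TRUSTED_DOMAINS:
        if trusted in host and target != trusted:
            findings.append(f"lookalike host {host} belongs to {target}, not {trusted}")
    # Visible text showing a URL on one domain while the href goes to another.
    shown = URL_RE.search(text)
    if shown:
        shown_target = registrable_domain(urlsplit(shown.group()).hostname or "")
        if shown_target != target:
            findings.append(f"link text shows {shown_target} but href goes to {target}")
    if target not in TRUSTED_DOMAINS and not findings:
        findings.append(f"link to untrusted domain {target}")
    return findings


def triage_message(raw):
    """Run both checks over a raw RFC 822 message and return the list of findings."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        reason = classify_attachment(name)
        if reason:
            findings.append(f"attachment {name}: {reason}")
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            findings.extend(check_link(href, text))
    return findings


# Constructed sample: the Citrix lure from the deck with a disguised attachment added.
PHISH_HTML = """<html><body>
<p>Hello,</p>
<p>The new Citrix portal just needs you to log in to help migrate your profile over
to the new server. For your convenience I've included the link below.</p>
<p><a href="https://www.somecompany.com.ntdll.net/Citrix/Metaframe/default.aspx">https://www.somecompany.com/Citrix/Metaframe/default.aspx</a></p>
<p>Thanks, IT Department</p>
</body></html>"""


def sample_message():
    """Build the constructed phishing message and return it as a raw string."""
    msg = EmailMessage()
    msg["From"] = "IT Department <it@somecompany.com>"
    msg["To"] = "staff@somecompany.com"
    msg["Subject"] = "Citrix upgrade - please log in within 24 hours"
    msg.set_content("Please view this message in an HTML capable client.")
    msg.add_alternative(PHISH_HTML, subtype="html")
    msg.add_attachment(b"MZ\x90\x00 constructed placeholder, not a real binary",
                       maintype="application", subtype="octet-stream",
                       filename="invoice.pdf.exe")
    return msg.as_string()


if __name__ == "__main__":
    for finding in triage_message(sample_message()):
        print(finding)
```

Run stand-alone it reports the disguised attachment, the lookalike host and the text/href mismatch for the sample message. The "last two labels" domain heuristic is deliberately simple so the logic stays visible; anything deployed for real should resolve registrable domains through the Public Suffix List, since a hostname under a multi-label suffix such as co.uk would otherwise be misjudged.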
