Social Engineering Case Study by Wasim Halani

  1. Exploiting the human weakness. Presentation by: Wasim ‘washal’ Halani, Network Intelligence India Pvt. Ltd. (www.niiconsulting.com)
  2. Network Intelligence, incorporated in 2001, is a committed and well-recognized provider of services, solutions and products in the IT Governance, Risk Management, and Compliance space. Our professionals have made a mark for themselves with highly satisfied clients all across the globe, supported by our offices in India and the Middle East. As an ISO 27001-certified company ourselves, we are strongly positioned to understand your needs and deliver the right answers to your security and compliance requirements. We have won accolades at numerous national and international forums and conferences. Our work truly speaks for itself, and our clients are the strongest testimony to the quality of our services!
  3. Why social engineering
     - Information security at every organization is one of the most important aspects!
     - It is people who handle this information
     - Social Engineering is exploiting the weakest link – the employees
  4. “Social Engineering is the act of manipulating people into performing actions or divulging confidential information, rather than by breaking in or using technical hacking techniques; essentially a fancier, more technical way of lying.” [Source: Wikipedia]
  5. [Image-only slide]
  6. [Image-only slide]
  7. Even the experts get hit
     - Wordpress vulnerability on the blogs of their websites
     - Kevin ‘don’t call me a security expert’ Mitnick
     - Dan ‘I smile when I am hacked’ Kaminsky
  8. Techniques
     - Phishing
     - Baiting
     - Identity Theft
     - Dumpster Diving
     - Email Scams
     - Use of Authority
     - Request for Help
     - Indulging Curiosity
     - Exploiting Greed
     = Abuse of Trust
  9. The client
     - IT/ITES Company
     - Two offices
     - About 400 – 500 employees
     - We had previously conducted other security projects for them
     - Guards were familiar with us
     - We also knew a few people from our previous projects
  10. Preparation
     - Only 3 people in the organization aware of the exercise
     - Obtain ‘get-out-of-jail-free’ card!
     - Bought a spy pen-cam
     - Create fake authorization letters
       ◦ Fake letterhead (thank-you Photoshop)
       ◦ Fake signatures
       ◦ Fake content
     - Understand the organization’s process flow
     - Obtain employee list
     - Define ‘targets’
  11. Pretexts
     - Security Auditor
       ◦ Surprise audit on behalf of Government Agency
       ◦ Chinese attacks on Indian institution (same-day newspaper headlines)
     - College Student
       ◦ Research project
     - Customer
       ◦ Call-center
     - Phishing
     - Social Networking
  12. [Image-only slide]
  13. Physical visit
     - Visit the office
     - Convince the guard to let me in for the surprise security audit
       ◦ “It won’t be a surprise if you tell anyone”
     - Once again we interviewed people
       ◦ Some suspicious
       ◦ Reading is not verifying
     - Dumpster diving
  14. Inside the office
     - Gain unauthorized access
     - Stay back late, after almost all employees left
       ◦ Photograph the office
     - ‘Steal’ sensitive documents
       ◦ From open drawers
     - Check personal folders kept on desks
  15. Results of the physical visit
     - Sensitive information on technologies used
     - Network architecture revealed
     - A lot of technical information revealed to the “college student” doing a project, as well as to the journalist
     - Found a bundle of official letterheads in the store-room
     - Gained access to the Server Rooms
  16. Phishing
     - We registered a domain with a single-letter difference
       ◦ Registered email accounts
     - Prepared an ‘Employee Complaint/Feedback Form’
       ◦ Company header, styling etc.
     - Sent out mails on behalf of an HR person
     - Employees are asked to enter their ‘credentials’ to log in to the system
     - The final page has a PDF that is to be downloaded as a ‘unique token number’
  17. [Image-only slide]
  18. Phishing results
     - About 10 users entered their credentials, which we captured
     - No one downloaded the PDF
     - Took about 10-15 mins. for the HR dept. to be alerted
       ◦ They sent out an email denying the fake email
     - One employee had a discussion with HR and responded back to our email address
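A defensive check for the lookalike-domain trick used in the phishing exercise above (slides 16–18): this is an added example, not code from the presentation. It parses the From: header of inbound mail and flags any sender domain within one edit of the company's own domain. The company domain `example.com` and the sample messages are constructed assumptions.

```python
import email
from email.utils import parseaddr

# Assumption: the organisation's real mail domains (constructed for this example).
COMPANY_DOMAINS = {"example.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum single-character inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute ca -> cb
        prev = cur
    return prev[-1]


def lookalike_verdict(domain: str, known=COMPANY_DOMAINS, max_dist: int = 1) -> str:
    """'internal' for a real company domain, 'lookalike of X' when within
    max_dist edits of one (a single-letter-difference domain scores 1), else 'external'."""
    domain = domain.lower().rstrip(".")
    if domain in known:
        return "internal"
    for k in known:
        if edit_distance(domain, k) <= max_dist:
            return f"lookalike of {k}"
    return "external"


def classify_message(raw_message: str):
    """Parse the From: header and return (display name, sender domain, verdict)."""
    msg = email.message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    return name, domain, lookalike_verdict(domain)


# Constructed sample messages (not real mail): an HR-themed lure from a
# one-character-off domain, a genuine internal mail, and an unrelated sender.
PHISH = "From: HR Department <hr@examp1e.com>\nSubject: Employee Complaint/Feedback Form\n\nPlease log in.\n"
LEGIT = "From: HR Department <hr@example.com>\nSubject: Holiday list\n\nSee attached.\n"
OTHER = "From: News <news@vendor-updates.net>\nSubject: Newsletter\n\nHi.\n"

if __name__ == "__main__":
    for raw in (PHISH, LEGIT, OTHER):
        print(classify_message(raw))
```

The display name is returned alongside the verdict so that a mail presenting itself as HR from a lookalike domain can be routed to the HR/security contact who, as slide 18 shows, is the one able to send the denial quickly.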
  19. Social networking
     - Linkedin
       ◦ Fake employee profile
         Searched for people not listed in the network
       ◦ Joined the company ‘network’
       ◦ Sent out invites
     - Facebook
       ◦ Multiple fake profiles
         Added each other as friends
  20. [Image-only slide]
  21. Social networking results
     - Turns out they had a new employee
     - Everyone thought his was the ‘fake’ profile
     - Very difficult to identify the real profile
     - ‘Attractive’ profiles receive friend requests
  22. [Image-only slide]
  23. Confidential…
  24. Contact:
     - wasim.halani@niiconsulting.com
     - http://www.niiconsulting.com
     - @washalsec
