The Social-Engineer Village at DEF CON 24 : Does Cultural Differences Become a Barrier for Social Engineering?
Report
Jan. 14, 2017•0 likes•2,019 views
2 likes
Be the first to like this
Show More
views
Total views
0
On Slideshare
0
From embeds
0
Number of embeds
0
Check these out next
The Social-Engineer Village at DEF CON 24 : Does Cultural Differences Become a Barrier for Social Engineering?
Jan. 14, 2017•0 likes•2,019 views
2 likes
Be the first to like this
Show More
views
Total views
0
On Slideshare
0
From embeds
0
Number of embeds
0
Report
Technology
Talk in The Social-Engineer Village at DEF CON 24 http://www.social-engineer.org/social-engineer-village/ [Overview] As a Japanese security consultant, one of my research questions in social engineering is whether or not cultural difference becomes the barrier for social engineering. It is because the malicious practice of social engineering is different between in Japan and the U.S. I think it is true. Since I have the both experience of being the company in Japan and the U.S., I would like to consider various technique of social engineering from both cultural glasses, such as tailgating, phishing or vishing method. In my talk, I would like to discuss the workability of several social engineering techniques from both Japanese and U.S. culture. It will support the cultural difference can become the barrier or vulnerable weakness.
Recommended
Understanding Intersectionality in a High School English ClassKristinaOng1
BSides Rhode Island 2013 - Bite the Wax Tadpole (with Katrina Rodzon)Mike Murray
OAuth2.0によるWeb APIの保護Naohiro Fujie
capybara で快適なテスト生活をRyunosuke SATO
HLSについて知っていることを話しますMoriyoshi Koizumi
Shaping and Shifting Cultural Perceptions of Disability AbroadCIEE
The Social-Engineer Village at DEF CON 24 : Does Cultural Differences Become a Barrier for Social Engineering?
- Does Cultural Differences Become a Barrier for Social Engineering? TOMOHISA ISHIKAWA scientia.admin@gmail.com www.scientia-security.org
- >> WHO AM I ? Tomo (Tomohisa Ishikawa) • Japanese Security Consultant (7 years experience) • ESL (English as a Second Language) • A Doctoral Program Student • Currently in insurance company in Philadelphia • CISSP, CISA, CISM, CFE, QSA, GPEN, GWAPT, GXPN, GWEB, GSNA, GREM, GCIH Specialized Area • Penetration Test • Incident Response • Vulnerability Management • Security Awareness & Education
- Background Social Engineering is remarkable attack vectors now • HBGary hacked by Anonymous • CloudFlare hacked by UGNazi • Mat Honan (WIRED Journalist) • Naoki Hiroshima (Stealing Twitter Username “@N”) • CIA Director hacked by CWA (Crackas with Attitude) • BEC (Business Email Compromise) Is it popular in Japan ?? • Spear phishing email attack is popular • but…not so active compared with U.S. such as BEC
- My Research Questions: Does Cultural Difference become a barrier for SE? • If culture works as the barrier, “Cultural Defense” will be one of the solutions. • The design of organization, corporate culture, business process will be the effective method against SE.
- Additional Notes: Why is the idea of “cultural defense” so important?
- https://isc.sans.edu/diary/Managing+CVE-0/10933
- Additional Notes: Why is the idea of “cultural defense” so important? • CVE-0 ( No patch Tuesday for Human Being )
- Disclaimer I AM NOT … • A Cultural anthropologist, Sociologist, Psychologist, Philosopher, etc… Any opinions offered are … • my opinion, hypothesis and thought based on a few my examples • NOT those of my employers. Focus on the difference between Japan and U.S I may be biased because… • 28 yrs experience in Japanese Culture (Guru) • 8 months experience in U.S. culture (Beginner or Intermediate) It is NOT conclusion, and I would like to start the discussion • Welcome constructive criticism and opinion
- Disclaimer I DO NOT want to discuss the advantage or disadvantage of each culture • I would like to respect both cultures • Only discuss the defensive workability against SE attack I welcome the question and comment, but • PLEASE PLEASE speak slowly and easily
- 1. What is Culture? Cultural Difference?
- Cultural Difference? The Size
- Cultural Difference? The Size US S-Size JP L-Size
- Cultural Difference? The Punctuality
- Cultural Difference? The Pokemon Go indicator
- FYI : Steve’s POV
- Again, What is Culture? Cultural Difference?
- Wikipedia say…
- What is Culture? A lot of Definition is available The Definition of E.B.Tylor • “that complex whole which includes knowledge, belief, art, morals, law, custom and any other capabilities and habits acquired by man as a member of society”
- What is Culture? A lot of Definition is available The Definition of E.B.Tylor • “that complex whole which includes knowledge, belief, art, morals, law, custom and any other capabilities and habits acquired by man as a member of society”
- What is Cultural Difference? Hofstede's cultural dimensions theory • He had comprehensive analysis for IBM employees, and he proposed six dimensions to characterize the culture • DataSet : http://www.geerthofstede.nl/dimension-data-matrix
- Hofstede's cultural dimensions theory INDEX DETAILS PDI Power Distance Index IDV Individualism vs. collectivism MAS Masculinity vs. femininity UAI Uncertainty avoidance index LTO Long-term orientation IVR Indulgence versus restraint 0 10 20 30 40 50 60 70 80 90 100 PDI IDV MAS UAI LTO IVR Cultural Differences by Hofstede Indicator Japan U.S.A. JPN USA DIFF PDI 54 40 14 IDV 46 91 45 MAS 95 62 33 UAI 92 46 46 LTO 88 26 62 IVR 42 68 26
- Hofstede's cultural dimensions theory From this Data Item Diff Japan U.S.A LTO 62 Long Term Oriented Short Term Oriented UAI 46 Hate uncertainly Accept Risk IDV 45 Collectivism Individualism
- 2. Social Engineering and Cultural Difference
- If you are NOT familiar with SE
- Today we are discussing… OSINT Tailgating Vishing Remittance Scam (Supplementary)
- 2. Social Engineering and Cultural Difference ~2-1 : OSINT~
- OSINT Open Source Intelligence • Collecting necessary information by using public resource for SE Cultural Defense Workability of JP Culture: • Japan prefer anonymity in the Internet • It means that the difficulty of OSINT in JP is high. MIC 2014 Research (MIC : Ministry of Internal Affairs and Communications) • 6 countries (JP, US, UK, FR, SK, SGP) comparison • http://www.soumu.go.jp/johotsusintokei/whitepaper/eng/WP2014/chapter-4.pdf
- OSINT – Cultural Defense MIC 2014 Research • The US tend to use Real Name, but JP prefers to use false name 10.1 12.6 30.2 17.8 20.8 15.5 22 24.3 26.7 19.7 29.8 67 7.8 28.1 18.1 25.3 1.5 16.6 2.5 18.1 1.2 3.9 2.2 3.9 2.7 5.4 2 6 2.3 4.6 58.9 16.5 59.8 50.2 58.4 53.8 74.5 53.1 68.5 57.6 0 10 20 30 40 50 60 70 80 90 100 JP US JP US JP US JP US JP US FBTwitterChatSNSBBSBlog Use of false names versus real names on SNS Use False Name Use Real Name Use Both (multiple acount) Not User
- OSINT – Cultural Defense MIC 2014 Research • 66.3% of JP have antipathy against disclosing real name (US: 35.9%) 15.9 41.7 13.1 23.2 24.6 22.8 24.8 13.7 28.3 22.4 12.7 22.2 13.7 7.3 13.6 0.0 10.0 20.0 30.0 40.0 50.0 60.0 70.0 80.0 90.0 100.0 Total JP U.S. The Antipathy against disclosing real name Strong Moderate Nuetral/Neither Not much No
- OSINT – Cultural Defense MIC 2014 Research • Approximately 60% of JP and US people feel the risk of being identified even though they use false name 20.2 16.5 24.4 39.1 43.7 36.9 29.9 26.5 27.4 10.8 13.3 11.3 0.0 10.0 20.0 30.0 40.0 50.0 60.0 70.0 80.0 90.0 100.0 Total JP US Awareness of The Risk of Being Identified with Anonymous Use High Possiblity Some Possiblity Low Possiblity Almost No Possiblity
- 2. Social Engineering and Cultural Difference ~2-2 : Tailgating~
- Tailgating Tailgating • Breaking physical access control by using pretexting • Ex) Pretending to be a “FedEx guy” or “pest control guy” • Ex) Pretending to be a freshman, WFH employee, employee in different branch Cultural Defense Workability of JP Culture: • Japanese culture is detective environment • Office Layout • Working Style Culture
- Tailgating – Cultural Defense Office Layout • US : Cubicle • JP : Flat Desk
- Tailgating – Cultural Defense Why does it work as a defense? • Easy to identify the stranger or attackers • Know the usual behavior (baseline) of colleagues and other vendors
- Tailgating – Cultural Defense Working Style Culture • Before that, let’s look at the working style difference U.S.A Japan Working Style • WFH is popular • WFH is NOT popular Employment Mobility • High Mobility • Join frequently, leave frequently • Low Mobility • JP company do not like mid-carrier recruiting • Stay one companies +10 years New Graduate Job Hunting • Apply to “Job” • Specialist Oriented • Apply to “Company” • Generalist Oriented • Join into the company on April 1st • 2-4 month Bootcamp Training (Project works) • Company assigned the division (=Job) • Job rotation is popular
- Company Welcoming Ceremony @ April 1st
- Tailgating – Cultural Defense Working Style Culture • Let’s look at the working style difference U.S.A Japan Working Style • WFH is popular • WFH is NOT popular Employment Mobility • High Mobility • Join frequently, leave frequently • Low Mobility • JP company do not like mid-carrier recruiting • Stay one companies +10 years New Graduate Job Hunting • Apply to “Job” • Specialist Oriented • Apply to “Company” • Generalist Oriented • Join into the company on April 1st • 2-4 month Bootcamp Training (Project works) • Company assigned the division (=Job) • Job rotation is popular It creates strong informal connection btw colleagues.
- Tailgating – Cultural Defense Why does it work as a defense? • New guys or stranger = easy to identify • Informal connection will work as the verification method • It may be difficult to create workable pretexting
- 2. Social Engineering and Cultural Difference ~2-3 : Vishing~
- Vishing Vishing • Phishing attack by using Phone Call • Ex) pretending to be a “computer support” guy • Ex) pretending to be people in WFH / another branches Cultural Defense Workability of JP Culture: • Working Style • Decision Making Process
- Vishing – Cultural Defense Working Style • WFH is not popular • Outsourcing is not so popular • The employee have strong informal connection Why does it work as a defense? • Pretexting may be hard • If the phone call is suspicious, it is possible to ask the question by using the informal network of colleague. (validation function)
- Vishing – Cultural Defense Phone Call Handling • When your colleague get the phone call... • In Japan, freshman or administrative staff take the phone within 3 ringing Why does it work as a defense? • Share the contents through the process (flat desk will be helpful) • Freshman or administrative staff can create the baseline
- Vishing – Cultural Defense Decision Making Process • US If boss said Yes, it is done • JP prefer the consensus (many escalation flow to decide) Why does it work as a defense? • Various validation function by the process, especially for financial settlement
- 2. Social Engineering and Cultural Difference ~2-5 : Remittance Scam~
- I give the couple of examples about Japanese (business) cultures & it’s workability.
- I give the couple of examples about Japanese (business) cultures & it’s workability. However, it does not necessarily means Japanese cultures and people are tolerant for social engineering.
- Scams to elderly people are serious problems in Japan and we see a lot of SE techniques.
- Scenarios: Step 1 Victim Attacker (Police Officer A)
- Scenarios: Step 1 Victim Attacker (Police Officer A) • We arrest the scam group.
- Scenarios: Step 1 Victim Attacker (Police Officer A) • We arrest the scam group. • They have the name list for a future attack, and it include your name.
- Scenarios: Step 1 Victim Attacker (Police Officer A) • We arrest the scam group. • They have the name list for a future attack, and it include your name. • They also committed cloning of credit card, and your credit card has the possibility of abusing.
- Scenarios: Step 1 Victim Attacker (Police Officer A) • We arrest the scam group. • They have the name list for a future attack, and it include your name. • They also committed cloning of credit card, and your credit card has the possibility of abusing. • We investigate this case with FSA and FSA staff will contact you. FSA : Financial Service Agency
- Scenarios: Step 2 Victim FSA : Financial Service Agency Attacker (FSA Staff) Attacker (Police Officer A)
- Scenarios: Step 2 Victim FSA : Financial Service Agency Attacker (FSA Staff) • You got the phone call from police officer A Attacker (Police Officer A)
- Scenarios: Step 2 Victim FSA : Financial Service Agency Attacker (FSA Staff) • You got the phone call from police officer A • We investigate the malicious usage of your credit card Attacker (Police Officer A)
- Scenarios: Step 2 Victim FSA : Financial Service Agency Attacker (FSA Staff) • You got the phone call from police officer A • We investigate the malicious usage of your credit card • Please tell me last 4 digits and expired date. We will match up with our database. Attacker (Police Officer A)
- Scenarios: Step 2 Victim FSA : Financial Service Agency Attacker (FSA Staff) • You got the phone call from police officer A • We investigate the malicious usage of your credit card • Please tell me last 4 digits and expired date. We will match up with our database. • Umm…abused Attacker (Police Officer A)
- Scenarios: Step 2 Victim FSA : Financial Service Agency Attacker (FSA Staff) • You got the phone call from police officer A • We investigate the malicious usage of your credit card • Please tell me last 4 digits and expired date. We will match up with our database. • Umm…abused • We will start the process to issue new card and FSA staff go to your home to pick up it. Attacker (Police Officer A)
- Scenarios: Step 3 Victim FSA : Financial Service Agency Attacker (FSA Staff) Attacker (Police Officer A) Attacker (FSA Staff) • Pick Up
- 3. Wrap -Up
- Wrap-Up Does Cultural Difference become a barrier for SE? • I think YES. • But it is the beginning of my first thought, and I think I need further discussion • Also, from attacker’s perspectives, the adjustment of pretexting to specific culture will be effective. The design consideration of culture, business process may help to avoid the social engineering
- Thank You!! If you have any questions, please feel free to contact me Contact Info • Email scientia.admin@gmail.com • JP Blog www.scientia-security.org • EN Blog blog.scientia-security.org (Coming Soon)