Marta Barrio Marcos 
Daniel González Gutiérrez
Summary 
• What is Social Engineering? 
• Techniques 
• Why are we vulnerable? 
• Famous Social Engineers 
• Conclusions
What is SE? 
“Social engineering is using manipulation, 
influence and deception to get a person, a 
trusted insider within an organization, to 
comply with a request, and the request is 
usually to release information or to perform 
some sort of action item that benefits that 
attacker.” 
Kevin Mitnick
What is SE? 
Psychological manipulation 
Goals: 
• Performing actions 
• Divulging confidential information 
• Confidence trick for the purpose of information 
gathering, fraud, or system access
What is SE? 
Life Cycle: 
1. Footprinting 
2. Establishing Trust 
3. Psychological Manipulation 
4. The Exit
Footprinting 
Accumulating information: 
• Target 
• Environment 
Such as: 
• List of employee and phone numbers 
• Organization Chart 
• Location information 
Software tools: 
• Maltego 
• SET 
• Creepy
Footprinting: Maltego
Footprinting: creepy
Establishing Trust 
1. Develop a relationship with the target 
2. Generate trust 
3. Obtain confidential information
Psychological Manipulation 
1. Manipulate the trust 
2. Penetrate the system easily 
3. Next target / exploit the current system
The Exit 
• Clean exit 
• Avoid suspicion 
• Leave no proof of the visit that could: 
• Be traced back to the attacker's real identity 
• Link the attacker to the unauthorized entry into 
the system in the future
Techniques 
• Goal: Get Information 
• Techniques: 
• Shoulder Surfing 
• Impersonation 
• Phishing 
• Reverse Social Engineering 
• Dumpster Diving 
• Trojan Horses 
• Surfing Online Contents
Shoulder Surfing 
• Direct observation technique (looking 
over someone’s shoulder): 
• Passwords 
• Security Codes 
• PINs
Impersonation 
The social engineer plays the role of someone you 
are likely to trust. 
• Roles: 
• IT support 
• Fellow employee 
• Someone in authority 
• They use: 
• Uniforms 
• ID badge 
• Insider information 
• Names and details about employees
Phishing 
• False websites/emails 
• Look like the originals 
• Deceive users 
• Get private information 
• Get benefit
Phishing 
*From the infographic at www.ThreatSim.com
Phishing
Phishing
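The ING Bank email walked through in the speaker notes comes down to a few mechanical checks a defender can run over a message before anyone clicks: which domain the "from" address belongs to, where each link really points, and whether the text shown for a link matches its target. The script below is an added example, not part of the original slides or demos; the message it parses is constructed for the example (it is not the real ING mail shown in the talk), the function names `analyse`, `sender_domain` and `registered_domain` are this example's own, and the two-label domain heuristic is a stated simplification.

```python
import email
import email.utils
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not the real ING mail from the talk): the
# sender domain looks plausible, but the "secure form" link points to another
# domain and its visible text shows a different URL than its real target.
SAMPLE_EMAIL = """From: ING Security <account@ing.be>
To: customer@example.com
Subject: Total security - action required
Content-Type: text/html; charset=utf-8

<html><body>
<p>To improve your security, please confirm your details:</p>
<a href="http://ing-secure-login.example.net/verify">https://www.ing.be/verify</a>
<br>
<a href="https://www.ing.be/help">Help</a>
</body></html>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Last two DNS labels, e.g. www.ing.be -> ing.be.
    Simplifying assumption: wrong for suffixes such as co.uk, where a
    public-suffix list would be needed."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def sender_domain(msg):
    """Registered domain of the address in the From header."""
    addr = email.utils.parseaddr(str(msg["From"] or ""))[1]
    return registered_domain(addr.rsplit("@", 1)[1]) if "@" in addr else ""


def analyse(raw_message):
    """Return the sender domain and one finding per link. A link is flagged
    when its real target domain differs from the sender's, when the URL shown
    as link text differs from the real target, or when it uses plain http."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    sdom = sender_domain(msg)
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    extractor = LinkExtractor()
    extractor.feed(html)

    findings = []
    for href, text in extractor.links:
        target = urlparse(href)
        ldom = registered_domain(target.hostname or "")
        reasons = []
        if ldom != sdom:
            reasons.append(f"link domain {ldom!r} differs from sender domain {sdom!r}")
        if text.lower().startswith(("http://", "https://")):
            shown = registered_domain(urlparse(text).hostname or "")
            if shown != ldom:
                reasons.append(f"visible URL shows {shown!r} but target is {ldom!r}")
        if target.scheme == "http":
            reasons.append("link uses plain http")
        findings.append({"href": href, "suspicious": bool(reasons), "reasons": reasons})
    return {"sender_domain": sdom, "links": findings}


if __name__ == "__main__":
    report = analyse(SAMPLE_EMAIL)
    print("sender domain:", report["sender_domain"])
    for finding in report["links"]:
        print(("SUSPICIOUS " if finding["suspicious"] else "ok         ") + finding["href"])
        for reason in finding["reasons"]:
            print("    -", reason)
```

Run as a script, it flags the first link on all three counts and passes the second. The sender-domain comparison is deliberately only one signal: a forged From header passes it, so in practice this check sits beside SPF/DKIM results and user training rather than replacing them.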
Reverse Social Engineering 
The attacker convinces the target that the target has a 
problem, and that the attacker is the one ready to help 
solve it. 
• Sabotage: the attacker corrupts the system or 
gives it the appearance of being corrupted. 
• Marketing: the only person who can solve the 
problem is the attacker. 
• Support: the attacker gains the trust of the target (access 
to sensitive information).
Dumpster Diving 
Garbage picking 
• Find discarded items that may prove useful.
Trojan Horses 
A program that carries hidden malicious code. 
• Downloads a malicious file onto the system. 
• Opens a backdoor. 
• Gives access to the victim's machine.
Trojan Horses
Surfing Online Contents 
Emails, phone numbers, employees' names…
• Whois 
• Official website 
• Forums 
• Software Tools
Why are we vulnerable? 
• Why are we vulnerable to SE? 
1. We all want to help 
2. Our first instinct is to trust others 
3. We hate to say “no” 
4. We all love to be praised
Why are we vulnerable? 
“The only truly secure system is one that is 
powered off, cast in a block of concrete and sealed 
in a lead-lined room with armed guards – and even 
then I have my doubts.” 
Gene Spafford, expert in computer security.
“You can always convince someone to turn it on.” 
Social Engineering.
Famous Social Engineers 
Kevin Mitnick 
“The World’s Most Wanted Hacker” 
• 15 years old: he could ride any bus (free) 
• 1981: COSMOS, Pacific Bell 
• Arrested in 1981, 1983, 1987, 1995 
• Author of “The Art of Deception”
Famous Social Engineers 
Christopher Hadnagy 
• www.social-engineer.org 
• Worked on BackTrack 
• Author of: 
• Elicitation 
• Pretexting 
• Microexpressions 
• Tools of the Social Engineer
Conclusions 
1. The importance of information 
2. The biggest vulnerability is… US 
Common sense
DEMOS 
• Demo 1: Stealing credentials on 
Facebook 
• Demo 2: Exploit a vulnerability in a 
computer and get total control 
To… CONTROL YOUR SYSTEM
Conference about Social Engineering (by Wh0s)
Editor's Notes

  1. Hello, as Dani said, I am going to talk to you about Social Engineering.
  2. These are the points I will cover during the presentation: first we will look at the concept of “social engineering”, then the most widely used social engineering techniques, then we will explain the reasons that make us so vulnerable to this type of attack, after that two famous social engineers will be presented, and finally the conclusions of the presentation.
  3. This is a quote from Kevin Mitnick in which he defines social engineering. Social engineering uses manipulation, influence and deception to get privileged information about an organization from a person in order to carry out a certain request, which usually consists of disclosing information or performing some kind of action that benefits the attacker.
  4. So what is SE? It is mainly based on the psychological manipulation of other people for profit. The goals of SE are: -Performing actions. For example, if our goal as social engineers is for a machine to be switched on at a certain moment, we will have to find a way to get someone to switch it on for us. -Disclosing confidential information. In a hotel, we would convince the receptionist that we know a certain guest so that they give us the room number. -Performing a trick that plays on the target's trust, with the aim of gathering information, committing fraud or gaining access to the system.
  5. SE can be considered a process, and like every process it has an associated life cycle. The life cycle consists of 4 phases: Footprinting; Establishing trust with the target; Psychological manipulation; The exit.
  6. Footprinting, following the Wikipedia definition, is a technique that consists of gathering information about computer systems and the organizations they belong to. It consists of obtaining all the possible information both about the target, which is usually an organization, and about the environment it is in. Let us look at some examples of the information we can obtain that may be useful for the process: -A list of all the employees and their phone numbers, even their working hours, which will be very useful to us. -The company's organization chart, which tells us which people are considered authorities and which are not, in order to prepare a strategy. -Location information for all of the organization's sites. However, the search for all this information will not be manual, since nowadays there are numerous tools that automate a large part of the process, such as: -Maltego, which collects a large amount of public information about the organization, such as -SET, the Social-Engineer Toolkit, a tool that automates several kinds of attacks, some of whose functionality we will see in the demo. -Creepy, an OSINT geolocation tool; as an OSINT tool it collects the location-related information that is publicly available on the internet and centralizes it for us in an interface drawn on a map. The information comes from several social networks such as Twitter or Instagram.
  7. This screenshot is a brief example of the Maltego application: with just three simple searches on the domain “upm.com”, as you can see, a couple of servers are shown, one of them a mail server, and a series of email addresses are listed. This tool is quite powerful, and once a target is set it will give us a large amount of information.
  8. This time we see a proof of concept with the Creepy tool; for it, a search was run on a Twitter user, and it returned two locations, as can be seen on the map.
  9. The next phase of the process consists of establishing trust with the target, for which three steps are followed: Develop a relationship with the target; Generate trust building on the previously established relationship; Finally, once trust has been gained, it is time to obtain the confidential information.
  10. The third phase is one of the most important: psychological manipulation. First, the trust we gained in the previous phase is manipulated. Thanks to that, we will get into the system easily. Once we achieve this we can move on to the next target or exploit the current system to the fullest.
  11. Finally there is the exit phase, which consists of leaving the system or the organization. Social engineers have to be very careful and have three rules: They must make a clean exit without leaving a trace. Any suspicion of being involved in the entry into the system must be avoided. Finally, no proof of the visit, whether digital or physical, must be left: for that, no trace that allows a trace-back to the real identity may be left. Nothing that links them to possible future unauthorized entries into the system, for example, if a backdoor has been left in order to access the system as many times as desired.
  12. After all these concepts we can draw one conclusion: the main goal is to get information about the target. Now we are going to see how we can get this information. There are several techniques, like: Shoulder Surfing; Impersonation; Phishing; Reverse Social Engineering; Dumpster Diving; Trojan Horses; Surfing Online Contents. Let's see them.
  13. The name explains what it is: if you look over someone's shoulder and the person isn't careful, we can see his or her password and then… access his or her system.
  14. Being another person with another personality. They assume the roles of other people, like actors, to deceive you. As actors, they can use props like uniforms, insider information, ID badges… *Deceive (engañar)
  15. Another technique… phishing; everybody knows what it is, don't they? False emails and websites. The problem is that they look like the originals, or not, but we can tell whether they are original if we look carefully. They try to deceive users to get private information, and with this information get a benefit for themselves. Phishing is one of the most effective attacks, because some people do not even know how to recognize it and believe everything that appears on the Internet.
  16. Here are some facts about phishing last year. There were four more phishing attacks than in the previous year. 95% of espionage attacks involve phishing. 29% of breaches used social engineering; of those breaches, phishing was used as the attack vector in 79%. There is an 80% likelihood of getting at least 1 target to click a phish if you run a campaign twice. And here we can see the benefits that can be obtained with these phishing campaigns: if they send 1 million emails, with only 5,000 clicks they can get a thousand sets of bank data; imagine 10€ per person… they have 10,000€ ready to use… **Tell the story of the SPAM man. I think that if we teach others how to identify this type of attack, we can reduce these numbers. How do you do it? How can we detect this kind of email or false website? *Data taken from the Verizon annual report and from the infographic at www.ThreatSim.com
  17. ROBERT SOLOWAY **Tell the story of the SPAM man. I think that if we teach others how to identify this type of attack, we can reduce these numbers. How do you do it? How can we detect this kind of email or false website? *Data taken from the Verizon annual report and from the infographic at www.ThreatSim.com
  18. We are going to see 2 real examples from ING Bank. First we have an email. The first thing we should look at is the "from" address; in this case we have account@ing.be, so we might think it is genuine because the domain apparently looks right. Now we look at the body of the mail: they talk about improving security; can we trust it? Continue reading: they say "sécurité totale", and we have a link to a form that we should fill in with our data because it is "sécurité totale". If we read the link... it does not look right; it does not say ING anywhere. Let's click on it... OK, now we can fill in the form with all our data: ING ID, credit card, our PASSWORD... This is a fake website, but as you can see it looks like an ING page. Now they can send us a mail with a BIG THANK YOU for our cooperation.
  19. Reverse Social Engineering: the attacker convinces you that he is the only one who can help you. Three techniques: -Sabotage -Marketing -Support
  20. Be careful about what you throw away. It can contain useful information.
  21. It is a program that executes malicious code. Three common actions: Download the file; Open a backdoor; Get access to the victim machine. **3 USB sticks in the car park **Security conference
  22. Where can we get information? THE INTERNET: we have a lot of resources on the web, social networks, applications, mails… Whois: information about servers; Official website; Forums; Software tools. *Insert a Whois screenshot
  23. We have four rules that explain why we are vulnerable: 1. Want to help: if we can help anybody, we will do it. 2. Trust the others: 3. Hate to say “no”: why? Because we like to be kind, and a yes is kinder than a no. 4. We praise (alabanza): everybody likes it when others say thank you.
  24. Observe these quotes. The first one: what do you think? Is it secure? What could a social engineer answer?
  25. -Access to Shimomura's computer. A security expert and a hacker, but he was a good boy. Released in 2002. He founded: http://mitnicksecurity.com/
  26. Another famous social engineer. He founded social-engineer.org, with all the information about social engineering. He worked on BackTrack, a Linux OS focused on security and pentesting. Author of…: it explains other concepts of social engineering like pretexting; microexpressions: the study of facial expressions; it explains some useful tools.
  27. *Add a picture of Uncle Sam xD