2. Agenda
What is it?
Real life cases
Traits Exploited
Phishing
Methodology
Scenarios
Tricks of the Trade
Physical Pen testing?
Defenses
Game
Demo!
3. Watch it!
Human Link is the weakest in the Security Chain
Perception
Authority, Slow Response, Fear & Anxiety
http://www.youtube.com/watch?v=q7V4U2RUaeg&feature=related
Hackers
Mentalist
Rockford Files
James Bond!
4. Engineering the Socials & The Rest
Manipulation of human trust (and traits) to elicit information. This
can then be used to directly or indirectly steal data, identity, money, etc.,
gain access to systems, or manipulate others further, for financial gain or otherwise.
A combination of the standard security checks was identified by
engineering and ethically manipulating the processes, trust levels
and human aspect of day-to-day operations in the company.
Modes:
• Human Based
• Computer Based
5. Traits Exploited [Generally.. ;P]
Traits:
Helplessness
Guilt
Anxiety
Fear [Authority]
Trust
Persuasion
Moral Duty
Request
Helpfulness
Orders/Demand
Cooperation
..
Delegated Responsibility
Exploited through:
Situations
Urgency
Impersonation - Partially Known Factors
Technology [Modems, Malware, OSINT, Exploits, Phishing, Spoofing,
Websites, other computer based techniques and Help Desk ;) ]
6. Phishing - Vishing
2003 saw the proliferation of a phishing scam in which users received e-mails
supposedly from eBay claiming that the user's account was about to be
suspended unless a link provided was clicked to update a credit card
(information that the genuine eBay already had). Because it is relatively
simple to make a Web site resemble a legitimate organization's site by
mimicking the HTML code, the scam counted on people being tricked into
thinking they were being contacted by eBay and subsequently going
to eBay's site to update their account information. By spamming large
groups of people, the "phisher" counted on the e-mail being read by a
percentage of people who already had legitimately listed credit card numbers
with eBay, and who might respond.
Phone Phishing (IVRs)
A typical system will reject log-ins continually, ensuring the victim enters
PINs or passwords multiple times, often disclosing several different
passwords.
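The eBay lure above combines three things a mail filter can look for: a link whose visible text names the brand while its href points somewhere else, a host that merely contains the brand name, and pressure language about suspension and deadlines. The screen below is an added example for this deck, not code from the original talk; the trusted-domain list, the urgency phrases and both sample messages are constructed for it, and the domain extraction is a deliberate two-label approximation rather than a public-suffix lookup.

```python
"""Heuristic phishing screen for an inbound HTML e-mail (added example).

Flags the lures described in the eBay case: brand-named link text whose
href resolves to another domain, lookalike hosts that embed the brand,
and urgency wording.  Everything below is constructed for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the organisation genuinely expects mail from (assumption for the example).
TRUSTED_DOMAINS = {"ebay.com"}

# Pressure phrases of the kind the deck describes (fear of losing the account, deadlines).
URGENCY_PATTERNS = [
    r"account (will be|is about to be|has been) suspended",
    r"within \d+ hours?",
    r"immediately",
    r"verify your (account|credit card|identity)",
]


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Hostname part of a URL, or '' when there is none."""
    return urlparse(url).hostname or ""


def registrable_domain(host):
    """Crude eTLD+1: the last two labels (fine for .com; a real filter would use the PSL)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def screen_email(html_body):
    """Return a list of findings; an empty list means nothing looked suspicious."""
    findings = []
    parser = _LinkExtractor()
    parser.feed(html_body)

    for href, text in parser.links:
        link_dom = registrable_domain(host_of(href))

        # 1. Visible text that looks like a URL but names a different domain than the href.
        text_host = re.search(r"[\w.-]+\.[a-z]{2,}", text.lower())
        if text_host and registrable_domain(text_host.group(0)) != link_dom:
            findings.append(f"link text '{text}' but href goes to {link_dom}")

        # 2. Lookalike: a trusted brand appears inside a host that is not the trusted domain.
        if link_dom not in TRUSTED_DOMAINS:
            for trusted in TRUSTED_DOMAINS:
                brand = trusted.split(".")[0]
                if brand in host_of(href).lower():
                    findings.append(f"lookalike host {host_of(href)} uses brand '{brand}'")

    # 3. Urgency wording in the stripped text.
    plain = re.sub(r"<[^>]+>", " ", html_body)
    for pattern in URGENCY_PATTERNS:
        if re.search(pattern, plain, re.IGNORECASE):
            findings.append(f"urgency language: /{pattern}/")
    return findings


# Constructed sample in the style of the 2003 lure (not a real message).
SAMPLE_PHISH = """<html><body>
<p>Dear eBay user,</p>
<p>Your account will be suspended unless you verify your credit card
within 24 hours. Please visit
<a href="http://signin.ebay.com.account-verify.example/update">http://www.ebay.com/</a>
to update your information.</p>
</body></html>"""

# Constructed benign message for contrast: text and href agree, trusted domain, no pressure.
SAMPLE_LEGIT = """<html><body><p>Your monthly statement is ready at
<a href="https://www.ebay.com/statements">https://www.ebay.com/statements</a>.</p>
</body></html>"""

if __name__ == "__main__":
    for name, body in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, screen_email(body) or "no findings")
```

Run as a script it reports five findings for the constructed lure (the text/href mismatch, the lookalike host, and three urgency phrases) and none for the benign statement notice. In a real gateway these heuristics would feed a score alongside sender authentication and reputation data rather than act as a verdict on their own.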
8. Target
Asset Identification – Information?
No I don’t have a Gun
Diversion theft - "going straight out" or "urgently required somewhere else".
Passive - Tailgating, Eavesdropping, Shoulder surfing
Baiting
Cold Calling
Backdoors, Rootkits, keyloggers
Device!
9. Catch Me if you can
Frank Abagnale
Victor Lustig
Kevin Mitnick
Badir Brothers – Again
Mike Ridpath
10. Frank William Abagnale
Notorious in the 1960s for passing $2.5 million worth of meticulously forged
checks across 26 countries over the course of five years, beginning when he
was 16 years old.
He attained eight separate identities as an airline pilot, a doctor, a U.S.
Bureau of Prisons agent, and a lawyer. He escaped from police custody twice
(once from a taxiing airliner and once from a U.S. federal penitentiary).
11. Cases
Lustig had a forger produce fake government stationery for him
Invited six scrap metal dealers to a confidential
There, Lustig introduced himself as the deputy director-general of the
Ministry of Posts and Telegraphs.
Lustig told the group that the upkeep on the Eiffel Tower was so outrageous
that the city could not maintain it any longer, and wanted to sell it for scrap.
Due to the certain public outcry, he went on, the matter was to be kept
secret until all the details were thought out. Lustig said that he had been
given the responsibility to select the dealer to carry out the task. The idea
was not as implausible in 1925 as it would be today.
Later, Lustig convinced Al Capone to invest $50,000 in a stock deal. Lustig
kept Capone's money in a safe deposit box for two months, then returned it
to him, claiming that the deal had fallen through. Impressed with Lustig's
integrity, Capone gave him $5,000. It was, of course, all that Lustig was after.
12. Cases Contd..
1st Source Information Specialists
Illinois became the first state to sue an online records broker when Attorney
General Lisa Madigan sued 1st Source Information Specialists, Inc., on 20
January, a spokeswoman for Madigan's office said. The Florida-based
company operates several Web sites that sell mobile telephone records,
according to a copy of the suit. The attorneys general of Florida
and Missouri quickly followed Madigan's lead, filing suit on 24 and 30
January, respectively, against 1st Source Information Specialists and, in
Missouri's case, one other records broker – First Data Solutions, Inc.
14. Involves - C*****S****
Physical Security [Dumpster Diving, Shoulder surfing, Eavesdropping,
stealing in Remote Devices, covert entry/exits] [impersonation, dressing, IDs,
badges, etc.]
Perimeter Security
General Intelligence
Emails, Phishing, Websites,
OSINT[social networks, forums, portals, public knowledge]
Research
Social Engineering ;)
..
TRUST
15. Scenarios - 1
Social Engineering
“They asked a janitor for a garbage pail in which to place their contents and
carried all of this data out of the building in their hands.”
LUCK
You have won “100000$”!
16. What I call a chain reaction
Mr. Smith: Hello?
Caller: Hello, Mr. Smith. This is Fred Jones in tech support. Due to some disk
space constraints, we’re going to be moving some users’ home directories to
another disk at 8:00 this evening. Your account will be part of this move, and will
be unavailable temporarily.
Mr. Smith: Uh, okay. I’ll be home by then, anyway.
Caller: Good. Be sure to log off before you leave. I just need to check a couple of
things. What was your username again, smith?
Mr. Smith: Yes. It’s smith. None of my files will be lost in the move, will they?
Caller: No sir. But I’ll check your account just to make sure. What was the
password on that account, so I can get in to check your files?
Mr. Smith: My password is tuesday, in lower case letters.
Caller: Okay, Mr. Smith, thank you for your help. I’ll make sure to check your
account and verify all the files are there.
Mr. Smith: Thank you. Bye.
[- Taken from Melissa Guenther]
18. Defenses
Least Privilege
Layered Security
Password Policy
Access Controls
Safe Disposal
Physical
Removable Device Policy
Process
Latest Set Up
Content Management and Filtering
Tech
Change Management
Monitoring
Awareness