Dr. Shawn P. Murray was invited to the National Security Institute in April 2012 to present current topics related to social engineering and the threats these tactics pose to organizations and their sensitive information. This presentation analyzes the principles of social engineering tactics as they relate to technology and security practices. Dr. Murray is a well-known Cyber Security professional and has presented at various conferences on Cyber Security and Information Assurance topics.
2. Agenda
• Social Engineering Defined
• Who Are Social Engineers?
• Famous Social Engineers
• Computing Age
  – Phishing
  – Spear Phishing
  – Whaling
  – Hacking & Exploits
• Countermeasures
  – Training, Training, Training!
• Resources for security professionals
  – Publications
  – Websites
  – Technical (Tools)
3. What is Social Engineering?
According to the www.Social-Engineer.org site:
• “Social Engineering is defined as the process of deceiving people into giving away access or confidential information.”
• Wikipedia defines it as: "the act of manipulating people into performing actions or divulging confidential information. While similar to a confidence trick or simple fraud, the term typically applies to trickery or deception for the purpose of information gathering, fraud, or computer system access; in most cases the attacker never comes face-to-face with the victim."
• “Although it has been given a bad name by the plethora of "free pizza", "free coffee", and "how to pick up chicks" sites, aspects of social engineering actually touch on many parts of daily life.”
• “Many consider social engineering to be the greatest risk to security.”
Source: http://www.social-engineer.org/framework/Social_Engineering_Defined
4. Who are Social Engineers?
By Trade:
• Detectives
• Special Agents
• Lawyers
• Sales professionals
• Recruiters
• Doctors
• Psychologists
• Any profession that uses human subjects to elicit information or to modify behavior
By Relationships:
• Children
• Parents & Grandparents
• Spouses
• Friends
Bad Guys:
• Scam artists or Cons
• Cyber criminals
  – Hackers
  – State actors
• Foreign governments
• Disgruntled Employees
  – Insider Threat
• Identity Thieves
  – Social Programs
  – Medical ID Theft
  – Banking & Insurance
  – Impersonation
5. Prominent Social Engineers
At age 12, Kevin Mitnick used social engineering to bypass the punchcard system used in the Los Angeles bus system. After a friendly bus driver told him where he could buy his own ticket punch, he could ride any bus in the greater LA area using unused transfer slips he found in the trash.
Social engineering became his primary method of obtaining information, including user names, passwords and modem phone numbers.
Mitnick gained unauthorized access to his first computer network in 1979, at 16, when a friend gave him the phone number for the Ark, the computer system Digital Equipment Corporation (DEC) used for developing their RSTS/E operating system software, which he stole. He was charged with and convicted of the crime in 1988.
He hacked into Pacific Bell voice mail computers. After a warrant was issued for his arrest, Mitnick fled, becoming a fugitive for 2 ½ years.
According to the U.S. Department of Justice, Mitnick gained unauthorized access to dozens of computer networks while he was a fugitive. He cloned cellular phones to hide his location and, among other things, copied valuable proprietary software from some of the country's largest cellular telephone and computer companies.
6. Prominent Social Engineers
• Frank William Abagnale, Jr. is an American security consultant known for his history as a former confidence trickster, check forger, impostor, and escape artist. He became notorious in the 1960s for passing $2.5 million worth of meticulously forged checks across 26 countries over the course of five years, beginning when he was 16 years old.
• In the process, he became one of the most famous impostors ever, claiming to have assumed no fewer than eight separate identities as an airline pilot, a doctor, a U.S. Bureau of Prisons agent, and a lawyer. He escaped from police custody twice (once from a taxiing airliner and once from a U.S. federal penitentiary), before he was 21 years old.
• He served fewer than five years in prison before starting to work for the federal government. He is a consultant and lecturer at the academy and field offices for the FBI. He also runs Abagnale & Associates, a financial fraud consultancy company.
Source: http://en.wikipedia.org/wiki/Frank_William_Abagnale
7. Top Security Risks according to SANS
• Priority One: Client-side software that remains unpatched.
• Priority Two: Internet-facing web sites that are vulnerable.
• Operating systems continue to have fewer remotely-exploitable vulnerabilities that lead to massive Internet worms.
• Rising numbers of zero-day vulnerabilities.
8. Phishing
Planning. Phishers decide which business to target and determine how to get email addresses for the customers of that business. They often use the same mass-mailing and address collection techniques as spammers.
Setup. Once they know which business to spoof and who their victims are, phishers create methods for delivering the message and collecting the data. Most often, this involves e-mail addresses and a Web page.
Attack. This is the step people are most familiar with: the phisher sends a phony message that appears to be from a reputable source.
Collection. Phishers record the information victims enter into Web pages or popup windows.
Identity Theft and Fraud. The phishers use the information they've gathered to make illegal purchases or otherwise commit fraud. As many as a fourth of the victims never fully recover [Source: Information Week].
If the phisher wants to coordinate another attack, he evaluates the successes and failures of the completed scam and begins the cycle again.
Source: by Tracy V. Wilson (www.howstuffworks.com)
9. Spear Phishing
Spear phishing is an e-mail spoofing fraud attempt that targets a specific organization, seeking unauthorized access to confidential data. Spear phishing attempts are not typically initiated by "random hackers" but are more likely to be conducted by perpetrators out for financial gain, trade secrets or military information.
As with the e-mail messages used in regular phishing expeditions, spear phishing messages appear to come from a trusted source. Phishing messages usually appear to come from a large and well-known company or Web site with a broad membership base, such as eBay or PayPal. In the case of spear phishing, however, the apparent source of the e-mail is likely to be an individual within the recipient's own company, and generally someone in a position of authority.
Visiting West Point teacher and National Security Agency expert Aaron Ferguson calls it the "colonel effect." To illustrate his point, Ferguson sent out a message to 500 cadets asking them to click a link to verify grades. Ferguson's message appeared to come from a Colonel Robert Melville of West Point. Over 80% of recipients clicked the link in the message. In response, they received a notification that they'd been duped and a warning that their behavior could have resulted in downloads of spyware, Trojan horses and/or other malware.
Source: SearchSecurity.com (http://searchsecurity.techtarget.com)
10. Whaling
Whaling is a form of spear phishing that occurs when a scammer targets an organization and sends personalized emails to a specific executive officer or senior manager. The emails refer to fake but critical business matters, such as legal subpoenas or customer complaints.
Emails may appear to have been sent from a trustworthy source such as an employer or staff member within the organization. Email addresses may be similar (but not identical) to an address you are familiar with.
The scammer’s aim is to convince you that the email requires urgent action by following a link to a fake website or opening a malware-infected attachment. When you visit the fake, but convincing, website, it will ask you to do one or more of the following:
• enter confidential company information and passwords
• provide financial details or enter them when making a payment for a fake software download.
If financial details are provided, the scammer will use them to commit fraud. Alternatively, if you open an email attachment, it will download malware onto your computer. Malware can record your key strokes, passwords and other company information, allowing the scammer to access it when you go online.
Source: http://www.scamwatch.gov.au/content/index.phtml/itemId/829460
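As an added, defensive illustration (not from the slides or any of their sources), the following check triages incoming mail for the spear-phishing and whaling signs described in the two sections above: a sender domain that is a near-match to the organization's own, an executive's display name arriving from an outside domain (the "colonel effect"), and urgency or legal-pressure wording in the subject. The organization domain, executive names and sample messages are constructed for the example.

```python
import re
from email.utils import parseaddr

# Constructed values for this example: the organization's own domain and the
# executives an impersonator would most plausibly pose as.
TRUSTED_DOMAIN = "example-corp.com"
EXECUTIVES = {"jane doe", "john smith"}
PRESSURE_WORDS = re.compile(r"\b(urgent|immediately|subpoena|complaint|overdue)\b", re.I)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a lookalike domain usually differs by only 1-2 characters."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def whaling_indicators(from_header: str, subject: str) -> list:
    """Return the warning signs found in one message's From header and Subject line."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    findings = []
    # Lookalike domain: close to, but not exactly, the trusted one (e.g. '0' for 'o').
    if domain != TRUSTED_DOMAIN and 0 < edit_distance(domain, TRUSTED_DOMAIN) <= 2:
        findings.append("lookalike sender domain: %s" % domain)
    # Authority impersonation: an executive's name on mail that did not come from inside.
    if name.strip().lower() in EXECUTIVES and domain != TRUSTED_DOMAIN:
        findings.append("executive name '%s' from external domain %s" % (name, domain))
    # Urgency or legal pressure in the subject, as the whaling slide describes.
    if PRESSURE_WORDS.search(subject):
        findings.append("urgency or legal-pressure wording in subject")
    return findings


# Constructed sample messages (From header, Subject) to run the check against.
SAMPLE_MESSAGES = [
    ('"Jane Doe" <jane.doe@example-c0rp.com>', "URGENT: legal subpoena - respond today"),
    ('"Jane Doe" <jane.doe@example-corp.com>', "Q3 planning notes"),
    ('"John Smith" <ceo.johnsmith@webmail.example>', "Need a wire transfer approved"),
    ("Vendor Billing <billing@vendor.example>", "Invoice attached"),
]


def triage(messages=SAMPLE_MESSAGES) -> dict:
    """Map each From header to its findings; an empty list means nothing was flagged."""
    return {frm: whaling_indicators(frm, subj) for frm, subj in messages}
```

A real mail gateway would feed this from the parsed message headers rather than a literal list, and would treat the findings as a score for review rather than an automatic block.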
12. File Sharing & Cloud Storage
Hackers use popular sites where anonymous accounts can be created and used to store or distribute hack exploits.
13. Tools - Back Track
• The Back Track distribution originated from the Linux counterparts WHAX and Max Moser's Auditor Security Collection - "The Swiss Army Knife for security assessments".
• Both were focused on Linux-based penetration tests. While WHAX was packed with more features, Auditor was based on structure and stability. Auditor featured well-laid-out menus for its collection of over 300 tools for troubleshooting, network and systems-fortifying.
• Its user-friendliness resulted in enhanced usability for penetration testing, which led to the formulation of the Back Track security testing distribution. The Auditor Security Collection was a Live CD based on Knoppix.
Source: http://www.remote-exploit.org/articles/backtrack/index.html
15. Training, Training, Training!
• Education
  – Degrees are available in computer forensics and Information Assurance
  – The Federal Government has resources within its agencies
  – Department of Defense
    • DISA
    • JKO, AKO
  – NSA
    • Coordinate through your government sponsors
    • Excellent pentest training
  – READ! Collaborate! Network!
  – Join Local Chapters of Security Organizations
17. Publications
• Social Engineering: The Art of Human Hacking by Chris Hadnagy
• The Art of Deception: Controlling the Human Element of Security by Kevin Mitnick
• What Every BODY is Saying: An Ex-FBI Agent's Guide to Speed-Reading People by Joe Navarro
• Social Engineering: Hacking The Human Mind, an article in Forbes Magazine by Eric Savitz, Forbes Staff (March 29, 2012)
18. Websites recommending technical tools
Social-Engineering-Toolkit
http://www.youtube.com/watch?v=9f2ANmI2-RI
Social-Engineering Toolkit (SET)
http://www.offensive-security.com/metasploit-unleashed/SET
The Metasploit Project is an open-source computer security project which provides information about security vulnerabilities and aids in penetration testing and IDS signature development.
http://www.metasploit.com/
SANS Institute
http://www.sans.org/top-cyber-security-risks/
Social-Engineer.org
http://www.social-engineer.org/