The Art of Deceiving Humans a.k.a. Social
Engineering
Suraj Khetani
Regional Associate Security Consultant
Gulf Business Machines
#uname -a
• Security Consultant – 3.5 years experience
• Certifications: OSCP, OSWP, CCNP Route/Switch, CCNA-S, CCNA
• 3rd Place at Social Engineering CTF at Nullcon 2017
• Discovered 12 0-days in Oracle E-Business Suite
• Article: “How I used google dorks to find 0 days”
Hobbies
• Learner/Researcher
• Current research interests: Deserialization vulnerabilities, IoT stuff,
electronic security
• Former Hip-hop Dance instructor
• Fitness Enthusiast and cricket lover; Played for UAE under-14
Topics
• Social engineering and its different types
• Open Source Intelligence Gathering (OSINT) and how it
can be used in Social engineering
• Live demo - OSINT
• Case Study - Phishing assessment
• Live demo - Creating a phishing page
• Live demo - Creating a malicious Microsoft office
document
• Defenses
What is Social
Engineering
“Social engineering, in the context of information security,
refers to psychological manipulation of people into
performing actions or divulging confidential information. A
type of confidence trick for the purpose of information
gathering, fraud, or system access” – Source Wikipedia
Requirements for Social
Engineering
• Information about the person or organization being
targeted, used to build what is called a pretext.
• OSINT
• Pretext
What is OSINT
• Open Source Intelligence (OSINT) – data that can be
collected from publicly available sources.
• Media: newspapers, magazines, radio, television, and
computer-based information.
• Web-based communities and user-generated content:
social-networking sites, video sharing sites, wikis, blogs, and
folksonomies.
• Public data: government reports, official data such as budgets,
demographics, hearings, legislative debates, press conferences,
speeches, marine and aeronautical safety warnings, environmental
impact statements and contract awards.
Pretext
• An invented or fabricated scenario that uses the
gathered information to target users in the various forms of
social engineering attack.
Different types
• Phishing
• Baiting - uses physical media and relies on the curiosity or
greed of the victim. In this attack, attackers leave
malware-infected floppy disks, CD-ROMs, or USB flash drives in
locations people will find them (bathrooms, elevators,
sidewalks, parking lots, etc.)
• Vishing - It is described as the act of using the telephone in an
attempt to scam the user into surrendering private information
that will be used for identity theft.
• Tailgating - An attacker, seeking entry to a restricted area
secured by unattended, electronic access control, e.g. by RFID
card,
OSINT tools
• Google Hacking Database (GHDB) – used to find exploitable
targets and potentially sensitive data using the Google search
engine
• PassiveRecon – Firefox add-on to automate Google hacking
and perform DNS recon
• Dnsdumpster – enumerating/mapping subdomains and
gathering IPs
• FOCA – metadata analyzer
• Datasploit – uses various search engine APIs to gather
information.
• Shodan - Search engine for Internet-connected devices.
Live Demo - OSINT
Case Study – Phishing
Assessment
Requirements
• Pretext
• Users' email addresses
• Portal to be phished
• Phishing domain and hosting website
• Email Signatures
• Font and color of email
• Non-assertive, non-compelling email with no grammatical
mistakes
Phishing page
Phishing mail
Creating a phishing page
which logs user
credentials – Live Demo
Creating a malicious
office document to
compromise an end user
– Live Demo
Defenses
• Run security awareness campaigns on a regular basis
• Always check the source if you find anything fishy about
the phone call or email. The weakest point of a social
engineer is that the source does not exist
• Always update software and apply missing patches
• Always hover over links to check for the exact URL
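The last defense, checking where a link really goes rather than what it displays, can also be automated in a mail gateway or a phishing-report triage tool. The following Python script is an added example and is not from this deck: it parses the anchors in an HTML mail body, flags links whose visible text shows one host while the href points at another, and flags targets that fall outside a set of trusted domains. The sample mail body and the trusted domain `example.com` are constructed for the demonstration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


# Visible anchor text that itself reads as a URL or hostname (with optional scheme and path).
_URL_LIKE = re.compile(r"(https?://)?[\w-]+(\.[\w-]+)+(/\S*)?", re.I)


def looks_like_url(text: str) -> bool:
    """True when what the user sees is a URL, so it can be compared with the real target."""
    return _URL_LIKE.fullmatch(text.strip()) is not None


def host_of(url: str) -> str:
    """Lower-cased hostname; scheme-less text such as 'portal.example.com/x' is accepted."""
    url = url.strip()
    if "://" not in url:
        url = "//" + url
    return (urlparse(url).hostname or "").lower()


def in_trusted_domain(host: str, trusted: set) -> bool:
    """Exact match or subdomain of a trusted domain; 'example.com.evil.net' does not qualify."""
    return any(host == d or host.endswith("." + d) for d in trusted)


def find_deceptive_links(html: str, trusted: set) -> list:
    """Return the links a hover check would catch: shown host != real host, or untrusted target."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = host_of(href)
        reasons = []
        if looks_like_url(text):
            shown = host_of(text)
            if shown and shown != target:
                reasons.append(f"text shows {shown} but link goes to {target}")
        if target and not in_trusted_domain(target, trusted):
            reasons.append(f"target {target} is outside the trusted domains")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


# Constructed sample mail body: one deceptive link, two legitimate ones.
SAMPLE_EMAIL = """
<p>Dear user, your mailbox is almost full.</p>
<p>Please sign in at
<a href="http://portal.example.com.login-verify.net/auth">https://portal.example.com/login</a>
to keep your account active.</p>
<p>Questions? Visit <a href="https://helpdesk.example.com/faq">the helpdesk</a>
or <a href="https://example.com/unsubscribe">example.com/unsubscribe</a>.</p>
"""

if __name__ == "__main__":
    for finding in find_deceptive_links(SAMPLE_EMAIL, {"example.com"}):
        print(finding["href"])
        for reason in finding["reasons"]:
            print("  -", reason)
```

The subdomain test deliberately requires a leading dot, so a registered lookalike such as `example.com.login-verify.net` is not treated as part of `example.com`; lookalikes that differ by a character still have to be caught by the trusted-domain allow-list rather than by the text comparison.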

Editor's notes

  1. E.g. metadata collected from uploaded documents reveals information like users, third-party software, hardware,
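The FOCA bullet on the OSINT tools slide and this note both describe the same leak: a document an organization publishes carries author names, editing history and software versions that feed a pretext. As an added example that is not from the deck or from FOCA, the Python below reads the docProps parts of a .docx (the OOXML zip container), reports which core and extended properties would help a social engineer, and writes a scrubbed copy with those fields removed, the check a defender would run before documents go on a public site. The sample document is constructed in memory; the property names follow the OOXML core-properties and extended-properties schemas.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# XML namespaces of the OOXML docProps parts (core.xml and app.xml).
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}

# Properties reported per part; SENSITIVE are the ones naming people, software or the organization.
FIELDS = {
    "docProps/core.xml": ["dc:title", "dc:creator", "cp:lastModifiedBy", "cp:revision", "dcterms:created"],
    "docProps/app.xml": ["ep:Application", "ep:AppVersion", "ep:Company", "ep:Template"],
}
SENSITIVE = {"creator", "lastModifiedBy", "Application", "AppVersion", "Company", "Template"}


def extract_docx_metadata(data: bytes) -> dict:
    """Return the properties found in the docProps parts, keyed by local element name."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        for part, fields in FIELDS.items():
            if part not in names:
                continue
            root = ET.fromstring(zf.read(part))
            for field in fields:
                el = root.find(field, NS)
                if el is not None and el.text:
                    found[field.split(":", 1)[1]] = el.text.strip()
    return found


def leaked_fields(meta: dict) -> list:
    """The subset of extracted properties that would be useful for building a pretext."""
    return sorted(k for k in meta if k in SENSITIVE)


def scrub_docx(data: bytes) -> bytes:
    """Copy the document, dropping the sensitive elements from core.xml and app.xml."""
    for prefix, uri in NS.items():
        ET.register_namespace(prefix, uri)  # keep the original prefixes on re-serialization
    out_buf = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, \
            zipfile.ZipFile(out_buf, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            payload = src.read(item.filename)
            if item.filename in FIELDS:
                root = ET.fromstring(payload)
                for field in FIELDS[item.filename]:
                    if field.split(":", 1)[1] in SENSITIVE:
                        for el in root.findall(field, NS):
                            root.remove(el)
                payload = ET.tostring(root, encoding="UTF-8", xml_declaration=True)
            dst.writestr(item, payload)
    return out_buf.getvalue()


# Constructed sample docProps parts: the values are invented for this demonstration.
CORE_XML = b"""<cp:coreProperties
  xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
  xmlns:dc="http://purl.org/dc/elements/1.1/"
  xmlns:dcterms="http://purl.org/dc/terms/"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <dc:title>Q3 Budget (constructed sample)</dc:title>
  <dc:creator>j.doe</dc:creator>
  <cp:lastModifiedBy>a.smith</cp:lastModifiedBy>
  <cp:revision>7</cp:revision>
  <dcterms:created xsi:type="dcterms:W3CDTF">2017-03-01T09:00:00Z</dcterms:created>
</cp:coreProperties>"""

APP_XML = b"""<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/extended-properties">
  <Application>Microsoft Office Word</Application>
  <AppVersion>16.0000</AppVersion>
  <Company>Example Corp (constructed sample)</Company>
  <Template>Normal.dotm</Template>
</Properties>"""


def build_sample_docx() -> bytes:
    """Minimal OOXML zip with just the parts this audit looks at."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("docProps/core.xml", CORE_XML)
        zf.writestr("docProps/app.xml", APP_XML)
        zf.writestr("word/document.xml", "<document/>")
    return buf.getvalue()


if __name__ == "__main__":
    doc = build_sample_docx()
    before = extract_docx_metadata(doc)
    print("before:", before, "leaks:", leaked_fields(before))
    after = extract_docx_metadata(scrub_docx(doc))
    print("after: ", after, "leaks:", leaked_fields(after))
```

The same audit applies to the other OOXML formats (.xlsx, .pptx), which share the docProps layout; PDF and image metadata need their own readers, but the decision rule is the same: anything that names a person, a product version or an internal template is pretext material.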