460 likes | 605 Views
CSCD 303 Essential Computer Security Spring 2013. Lecture 5 - Social Engineering2 General Social Engineering Techniques, Scams, Tools Reading: Chapter 13. Overview. Social Engineering Revisited How is Social Engineering Accomplished Different methods of Social Engineering
E N D
CSCD 303Essential Computer SecuritySpring2013 Lecture 5 - Social Engineering2 General Social Engineering Techniques, Scams, Tools Reading: Chapter 13
Overview • Social Engineering Revisited • How is Social Engineering Accomplished • Different methods of Social Engineering • Prevention of Social Engineering • Scams • Different ones • How to guard against them
Kevin Mitnick Famous Social Engineer Hacker • Went to prison for hacking • Became ethical hacker "People are generally helpful, especially to someone who is nice, knowledgeable or insistent."
Kevin Mitnick - Art of Deception Kevin's Book http://www.amazon.com/The-Art-Deception-Controlling-Security/dp/076454280X • "People inherently want to be helpful and therefore are easily duped" • "They assume a level of trust in order to avoid conflict" • "It's all about gaining access to information that people think is innocuous when it isn't" • Social engineering cannot be blocked by technology alone
Target And Attack • The basic goals of social engineering are the same as hacking in general: • To gain unauthorized access to systems or information in order to commit • Fraud, network intrusion, industrial espionage, identity theft, or simply to disrupt the system or network. • Typical targets include telephone companies and answering services, big-name corporations and financial institutions, military / government agencies, and hospitals
An Example • One morning a few years back, a group of strangers walked into a large shipping firm and walked out with access to the firm’s entire corporate network. • How did they do it? • By obtaining small amounts of access, bit by bit, from a number of different employees • First, they researched the company for two days before even attempting to set foot on premises
And so on… • Series of Steps • They learned key employees’ names by calling HR • Next, they pretended to lose their key to the front door, and a man let them in • Then they "lost" their identity badges when entering third floor secured area, smiled, and a friendly employee opened the door for them.
And so on… • Strangers knew CFO was out of town, so were able to enter his office and obtain financial data off his unlocked computer • They dug through corporate trash, finding all kinds of useful documents • They asked a janitor for a garbage pail in which to place their contents and carried all of this data out of building in their hands. • Strangers had studied CFO's voice, so they were able to phone, pretending to be CFO, in a rush, desperately in need of his network password • From there, they used regular technical hacking tools to gain super-user access into system
Social Engineering Techniques Social engineers are known to use non-technical tactics to gather information • Dumpster Diving • Baiting • Pretexting • Diversion Theft 10
Social Engineering Techniques Dumpster Diving What are they looking for? Anything that might be valuable to cyber criminals, could be used for blackmail or sale • Research secrets • Project schedules • Collaborator lists • Financial, legal, and licensing information • Personal employee and system information 11
Dumpster Diving http://www.social-engineer.org/framework/How_To_Gather_Information:_Dumpster_Diving • Many original dumpster divers were individuals who were into phone phreaking • These individuals were primarily interested in accessing information about telephone companies such as AT&T and learning structure and operation of their phone systems • Many people simply throw away billing or banking statements that often reveals confidential information such as account and social security identification numbers
Dumpster Diving • Preventing Dumpster Diving • Best way to prevent anyone from seeing your 'private trash' is to shred it. • Paper shredders are inexpensive devices, help eliminate or destroy those important documents that have found their way into trashcan • Corporate policy, if not already in effect, be put in place to state the guidelines for proper handling and disposing of sensitive documents http://social-engineer.org/wiki/archives/DumpsterDiving/CrimeandClues_dumpster_diving.htm
Baiting • Real world Trojan horse • Uses physical media • Relies on greed/curiosity of victim • Attacker leaves a malware infected cd or usb drive in a location sure to be found • Attacker puts a legitimate or curious lable to gain interest • Ex: "Company Earnings 2009" left at company elevator • Curious employee/Good samaritan • User inserts media and unknowingly installs malware
Social EngineeringExample Two • Monday morning, 6am • Electric rooster is telling you it's time to start a new work week. • On the way to work you're thinking of all you need to accomplished this week. • Then, on top of that there's recent merger between your company and a competitor • One of your associates told you, “you better be on your toes because rumors of layoff's are floating around”
Social Engineering • You arrive at office and stop by restroom to make sure you look your best • You straighten your tie, and turn to head to your cube when you notice, sitting on back of sink, is a CD-ROM • Someone must have left this behind by accident • You pick it up and notice there is a label on it • Label reads "2005 Financials & Layoff's" You get a sinking feeling in your stomach and hurry to your desk. It looks like your associate has good reasons for concern, and you're about to find out for yourself
And so • The Game Is In Play: People Are The Easiest TargetYou insert CD-ROM • You find several files on the CD, including a spreadsheet which you quickly open Spreadsheet contains a list of employee names, start dates, salaries, and a note field that says "Release" or "Retain". • You quickly search for your name but cannot find it. In fact, many of the names don't seem familiar. Why would they, this is pretty large company, you don't know everyoneSince your name is not on the list you feel a bit of relief • It's time to turn this over to your boss. Your boss thanks you and you head back to your desk.
Bingo - Gotcha • Spreadsheet you opened was not only thing executing on your computer • Moment you open that file you caused a script to execute which installed a few files on your computer • Those files were designed to call home and make a connection to a servers on Internet • Once connection was made software on server responded by pushing (or downloading) several software tools to your computer • Tools designed to give hacker complete control of your computer • Now they have a platform, inside your company's network, where they can continue to hack the network. And, they can do it from inside without even being there
Pretexting • The act of creating and using an invented situation in order to convince a target to release information or grant access to sensitive materials • This type of attack is usually implemented over the phone and can be used to obtain • Customer information, phone records, banking records and is also used by private investigators
Pretexting continued • Hacker will disguise their identity in order to ask a series of questions intended to get information he/she is wanting from their target • By asking these questions victim will unknowingly provide attacker with information hacker needs to carry out their attack
Pretexting via Phone • A Hacker will call someone up and imitate a person of authority and slowly retrieve information from them • Help Desks are incredible vulnerable to this type of attack
Help Desks are Gold Mines • Main purpose is to help Putting them at a disadvantage against an attacker • People employed at a help desk usually are being paid next to nothing • Giving them little incentive to do anything but answer questions and move onto next phone call • So how do you protect yourself?
Protecting Against These Attacks • Attacks can take two different approaches • Physical and Psychological • Physical aspect Workplace, over the phone, dumpster diving, and on-line. • Psychological aspect Persuasion, impersonation, ingratiation, conformity, and good ol’ fashion friendliness
How To Defend Against the Physical • Check and Verify all personnel entering the establishment. • More important files should be locked up • Shred all important papers before disposing • Erase all magnetic media (hard drives, disks) • All machines on the network should be well protected by passwords • Lock and store dumpsters in secure areas.
Security Policies and Training!!! • Corporations make mistake of only protecting themselves from physical aspect leaving them almost helpless to psychological attacks hackers commonly use • Advantage Alleviates responsibility of worker to make judgment call on the hacker’s request • Policy should address aspects of access control and password changes and protection. • Locks, ID’s, and shredders are important, should be required for all employees
Security Policies and Training!!! • Training – Not Just Once !!! • All employees should attend an annual refresher course include Social Engineering • Also send email reminders • How to spot an attacker, • Methods in preventing them from falling victim
What to do for Average Person • DO NOT DISCLOSE ANY PERSONAL INFORMATION UNLESS PERSON AND/OR SITE IS TRUSTED • Don’t fall prey to all the get rich quick schemes. • Update your security software regularly. • Have a strong password and change it regularly • Try not to have same one for all your passwords. • Shred your important papers before throwing them out
Social Engineering Clips Animation: http://www.youtube.com/watch?v=Y6tbUNjL0No Live Action: http://www.youtube.com/watch?v=8TJ4XOvY7II&feature=related
Lottery Sweepstakes Scams • These may come through mail notification, or you could possibly receive an e-mail advising that you’ve won a lottery sweepstakes • If you don’t participate in any type of lottery • You need to question why you would receive any type of notification • This type of scam will try a variety of ways to get your money They tend to charge an application or processing fee. • The following is a recent example ….
Lottery Sweepstakes Scams This looks official; however, it asks the receiver to send them $5, along with a claim form to obtain their winnings
Lottery Sweepstakes Scams • Another example of a sweepstakes scam advising you’ve won $215,000 and they’ve sent a portion of your winnings to help pay taxes. • Check amount was for $4875 and they want you to wire $3795 back to them.
Online Auction Scams • The following are some of the more common online auction scams to be aware of: • Overpayment Fraud targets the seller • A seller advertises a high-value item—like a car or a computer—on Internet • A scammer contacts the seller to purchase the item, then sends the seller a counterfeit check or money order for an amount greater than the price of the item • The purchaser asks seller to deposit payment, deduct the actual sale price, and then return the difference to the purchaser
Online Auction Scams Wire transfer schemes start with fraudulent and misleading ads for the sale of high-value items posted on well-known online auction sites. When buyers take the bait, they are directed to wire money to the crooks using a money transfer company. Once the money changes hands, the buyer never hears from them again. Second-chance schemes Involve scammers who offer losing bidders of legitimate auctions the opportunity to buy the item(s) they wanted at reduced prices They usually require that victims send payment through money transfer companies, but then don’t follow through on delivery ** Source-FBI and IC3 online data- http://www.fbi.gov/page2/june09/auctionfraud_063009.html
Nigerian Scams • Typed in Nigerian Scams Alive and Well 1,850,00 hits on google • Current Website with example http://www.hyphenet.com/blog/2011/10/08/the-famous-nigerian-scam-still-making-scammers-rich/
Some of the top Craigslist frauds/scams: • Craigslist Car Scams • Craigslist Apartment Rental Scams • Craigslist Ticket Scams • Craigslist Job scams • Craigslist Escrow Service Scams References: http://www.fraudguides.com/craigslist-car-scams.asp http://www.fraudguides.com/craigslist-apartment-rental-scams.asp http://www.fraudguides.com/craigslist-ticket-scams.asp http://www.fraudguides.com/craigslist-escrow-service-scams.asp http://wegolook.com
Craigslist Car Scams • Buying and selling cars on Craigslist can be a huge money-saver for both buyer as well as seller • Due to this, Auto category in Craigslist's For Sale section is very active, especially in urban areas. • Fraudulent postings are just common nowadays on craigslist • Stolen checks, counterfeit checks and bounced checks are costing people their money, cars or both http://bringatrailer.com/wp-content/uploads/2008/11/1967_Glas_GT_1700_Craigslist_1.jpg http://wegolook.com
Craigslist Apartment Rental Scams • Apartment Rental scams on Craigslist are targeted at those people looking for a deal and a new home. • Typically, the scam/fraud starts when a fraudster pretending to be owner of the property ,posts a great deal on an apartment and a person responds • They ask you to make a deposit and collect some personal information to be sent via email and then disappear http://wegolook.com
Craigslist Ticket Scams • Craigslist is a great place to sell tickets to sought-after concerts,sports events,shows, concerts, festivals, fairs or even airline tickets • You need to be very careful when purchasing tickets through Craigslist as these tickets could be stolen or counterfeit or they could be priced far beyond the exact value • The tickets may even have been used at a previous, similar event http://www.p2pnet.net/images/oltik.jpg http://wegolook.com
WeGoLook™ Services for Craigslist Buyer WeGoLook™ helps you buy with confidence. • WeGoLook™ will send a WeGoLooker™ to look at the item for you. • Your WeGoLooker™ will confirm existence and location of the item. • Take a few digital pictures and gathers some basic information about the item (brand, model number, serial number, manufacturer, VIN number, etc.) • With our Preferred WeGoLook™ report, Your WeGoLooker™ can even ask the seller to demonstrate that the item is in basic working order • With Custom WeGoLook™ report, we can guarantee that the item you purchase is delivered to the shipper. http://wegolook.com
Where To Go For Help If you are a victim of an online scam, you can file a formal complaint with Internet Crime Complaint Center (IC3). Their contact information is as follows:http://www.ic3.gov/complaint/default.aspx
Check out Hoax-Slayer • Check out this nice website of all the hoaxes on the Internet • Fun hoaxes • Virus Hoaxes • Giveaway Hoaxes • Charity Hoaxes • Bogus Warnings • Email Petitions • Chain Letters and many others ... http://www.hoax-slayer.com/
Summary • Social Engineering can be as or more devastating than a technical cyber attack • No good way to “patch” humans • Best defenses • Training, • Good security policies for handling information • Ongoing incentives for employees to stay vigilent • Scams are everywhere on the Internet • No good way to get rich quick • Be suspicious and do your homework when buying over the Internet • Try not to give personal information unless absolutely necessary
The End Next Time: Go into Device Security