Social Engineering
The Weakest Link
Presented by:
John Ohno
Christopher Toste
What is social engineering?
Within the context of security, it is the practice of gathering information used to compromise computer systems by social means rather than technical ones.
"Companies spend millions of dollars on firewalls and secure access devices, and it's money wasted because none of these measures address the weakest link in the security chain: the people who use, administer and operate computer systems."
- Kevin Mitnick
Anatomy of an attack
So what makes up a good social engineering attack anyway?
Deception
This is the cornerstone of social engineering.
There is always some form of information gathering through unusual channels.
Psychological manipulation
Exploiting the human condition is another building block of an attack.
Knowing how humans work and react is an important skill for an attacker.
Types of attacks
Just like a technical attack, social engineering has its own set of techniques.
Quid pro quo
In English "Something for something".
Quid Pro Quo
This is the method of gaining information by giving some other form of "gift" in return.
This also covers the attacker offering help to someone while in actuality using the interaction to gain control and information.
Tailgating
Not what you see on I-95 during rush hour.
Tailgating
This is the act of following someone into a building you do not have access to.
The attacker relies on the target's common courtesy of holding the door open to get inside.
Phishing
Give a man a fish and you feed him for a day.
Teach a man to phish and he becomes rich overnight.
Phishing
Normally this is used to deliver malware or obtain credit card information, but it can be used for many other things.
Phishing
Using this method one may be able to obtain phone numbers, addresses, and many other forms of identifying information.
That information can then be used to perform other types of attacks.
Pretext
Kind of like how this slide is pretext for the next slide.
Pretext
This is the process of presenting a situation (the pretext) to the target.
It typically uses information gathered earlier to set the scene, and uses that information to gain the target's trust.
Why these methods work
It all has to do with human psychology.
Why these methods work
Humans have a network of trust.
If you don't believe this, here is a question:
Do you trust that the information in this presentation is correct even though you may know nothing of the subject?
Why?
Because it is human nature to trust and want to help others.
This is why, if you take advantage of it, social engineering becomes very easy.
Why?
If someone is willing to help you complete a task, you are more likely to help them back.
Humans are biased toward others who help them, even though those others may be doing it to help themselves.
Laziness
Face it, we are lazy.
Laziness
Most humans are very lazy when it comes to difficult tasks.
They would like to get help from others, but this also means having to put trust in others.
Putting your trust in someone to make your life easier is not a good way to protect yourself from a scam.
Laziness
Laziness also causes humans to take shortcuts:
Using the same password and email for every site you visit.
Writing your passwords down and leaving them under your mouse pad.
The list goes on...
Good nature
Appealing to one's good nature goes a long way toward this.
Good nature
Appealing to one's good nature can produce amazing results in social engineering.
If you show the victim that they will be doing something good by helping you, it becomes that much easier for them to trust you.
Good nature
We all know this example:
Your estranged second cousin died and left you 500,000 dollars. All you have to do is respond to this email with your bank account information.
Example: DEFCON 2012
Not to be confused with DEFense Readiness CONdition
DEFCON 2012
Social engineering "capture the flag" contest.
The goal was to gather 20 points of data on an unknown target.
Shane MacDougall, who was in the competition, had to gather information on WalMart.
DEFCON 2012
He pretended to be Gary Darnell, a newly hired manager of government logistics.
After 20 minutes on the phone with them he walked out victorious, having collected all 20 flags.
He was able to collect all sorts of data from shift schedules to where the managers typically go out to lunch.
Example: BBC Password Survey
A shocking look at how people view security.
BBC Password Survey
BBC put out an article in 2004 about password security.
It showed that 34% of the people who responded would gladly give their password away.
The shocking part is that 78% of the remainder would give up their password if questioned further.
BBC Password Survey
Some of the other findings include:
- Writing down passwords
- Using the same password for every site
- Would trade password for a bar of chocolate
- Most wanted to not use the password in the first place
Example: Customer Service
Yes the power is on.
Customer Service
Mat Honan of wired.com had his Twitter account hacked.
The primary cause of this hack was a combination of rather loose security policies at Apple and Amazon.
Customer Service
Within an hour he had his entire digital life hacked.
All of his devices were wiped and his passwords reset.
Why? Because the hackers wanted his Twitter account.
Customer Service
How did this happen? The hackers called up Amazon claiming to be him.
They were able to get the last 4 digits of his credit card from customer service.
With those 4 digits they were able to get into his Apple account.
Customer Service
From there they took control of all of his devices and his Twitter account.
After wiping all of his hard drives and changing all of his passwords, they finally accomplished what they wanted.
Customer Service
After a lengthy process he was finally able to regain control of most of his accounts.
If it were not for the holes in Amazon's customer service, and the lesser holes at Apple, they would not have succeeded.
Conclusions
Social engineering is a powerful method of attack on any system.
People are too trusting of untrusted sources.
If people followed safer practices, they would not encounter these problems.
Q&A
Questions, comments, concerns?
FIN
By azuresky808