social engineering

The Weakest Link


Presented by:

John Ohno

Christopher Toste

What is social engineering?




Within the context of security it is the means of gathering information used to crack  computer systems using social methods.
Companies spend millions of dollars on firewalls and secure access devices, and it's money wasted because none of these  measures address the weakest link in the security chain: the people who use, administer and operate computer systems

-Kevin Mitnick

Anatomy of an attack




So what makes up a good social engineering attack anyway?

Deception



This is the cornerstone of social engineering.

There is always some from of information gathering through odd channels.

Psychological manipulation



Using the human condition is another building block of an attack.

Knowing how humans work and react is an important quality of a hacker.

Types of attacks




Just like a standard hack there are types of techniques.

Quid pro quo




In English "Something for something".

QUid Pro Quo



This is the method of gaining information by giving some other from of 'gift'.

This is also within the realm of the hacker giving help to someone but in actuality using the interaction to gain control and information.

Tailgating




Not what you see on I-95 during rush hour.

TAILGATING



This is the act of following someone into a building you do not have access to.

The attacker uses their common courtesy of holding the door open to enter.

Phishing



Give a man a fish and you feed him for a day.

Teach a man to phish and he becomes rich overnight.

Phishing



Normally this is used to send malware or get credit card info however it can be used for many other things.

Phishing


Using this method one might be able to obtain phone numbers, addresses, and many other forms of identification.

It can then be used to perform other types of attacks.

Pretext




Kind of like how this slide is pretext for the next slide.

pretext


This is the process of presenting a situation to the target.

It typically uses other information to set up and uses the information to gain the target's trust.


Why these methods work




It all has to do with human psychology.

Why these methods work



Humans have a network of trust.

If you don't believe this here is a question:

Do you trust our information in this presentation is correct even though you may know nothing of the subject?

Why?



Because it is human nature to trust and want to help others.

This is why if you take advantage of it social engineering becomes very easy.

WHy?


If someone is willing to help you complete a task you are more likely to help them back.

Humans are bias toward others who help them even though they may be doing it to help themselves.

LAZINESS




Face it, we are lazy.

LAZINESS


Most humans are very lazy when it comes to difficult tasks.

They would like to get help from others but this also comes with having to put trust into others.

Putting your trust into someone to make your life easy is not a good way to protect yourself from a scam.

Laziness


Laziness also causes humans to take short cuts.

Using the same password and email for every site you visit.

Writing your passwords down and leaving them under your mouse pad.

The list goes on...

Good nature




Appealing to ones good nature goes a long way toward this.

Good nature


Appealing to ones good nature can produce amazing results in social engineering.

If you try to show the victim that they will be doing something good if they help you it makes it that much easier for them to trust you.

Good nature


We all know this example:

Your estranged second cousin died and left you 500,000 dollars. All you have to do is respond to this email with your bank account information.


Example: DEFCON 2012




Not to be confused with DEFense Readiness CONdition 

DEFCON 2012


Social engineering "capture the flag" contest.

The goal was to gather 20 points of data on an unknown target.

Shane MacDougall, who was in the competition, had to gather information on WalMart.

DEFCON 2012


He pretended to be Gary Darnell, a newly hired manager of government logistics.

After 20 minutes on the phone with them he walked out victorious. Collecting all 20 flags.

He was able to collect all sorts of data from shift schedules to where the managers typically go out to lunch.

Example: BBC password SURVEY




A shocking look at how people view security.

BBC Password SURVEY


BBC put out an article in 2004 about password security.

It showed that 34% of the people who responded would gladly give their password away.

The shocking part is that 78% of the remainder would give their password if questioned.

BBC Password SurVEY


Some of the other things that were found out include:

  • Writing down passwords
  • Using the same password for every site
  • Would trade password for a bar of chocolate
  • Most wanted to not use the password  in the first place

Example: Customer Service




Yes the power is on.

Customer Service


Mat Honan of wired.com had his twitter account hacked.

This hack's primary cause was between some rather loose security policies at Apple and Amazon.

Customer Service


Within an hour he had his entire digital life hacked.

All of his devices were wiped and his passwords reset.

Why? Because the hackers wanted his twitter account.

Customer Service


How did this happen? The hackers called up Amazon claiming to be him.

They were able to get the last 4 digits of his card from customer service.

With these 4 digits they were able to get into his Apple account.

Customer Service


From there they grabbed control of all of his devices and his twitter account.

After wiping all the hard drives and changing all of his passwords they finally accomplished what they wanted.

Customer SERVICE


After a lengthy processes he finally was able to gain control of most of his accounts again.

If it were not for the holes in the customer service at Amazon and the lesser holes at Apple they would have not succeeded.

Conclusions


Social engineering is a powerful method of attack on any system.

People are too trusting of untrusted sources.

If people practiced safer protocols they would not encounter these problems. 

Q&A




Questions, comments, concerns?

FIN

Made with Slides.com