Social Engineering 2.0

Social Engineering 2.0 - Dr. Shawn P. Murray, CISSP, CRISC, FITSP-A - NSI IMPACT 2012

Description

Dr. Shawn P. Murray was invited to the National Security Institute in April 2012 to present on current social engineering tactics and the threats they pose to organizations and their sensitive information. This presentation analyzes the principles of social engineering as they relate to technology and security practices. Dr. Murray is a well-known cyber security professional and has presented at various conferences on cyber security and information assurance topics.

Transcript of Social Engineering 2.0

Page 1: Social Engineering 2.0

Social Engineering 2.0 - Dr. Shawn P. Murray, CISSP, CRISC, FITSP-A

NSI IMPACT 2012

Page 2: Social Engineering 2.0

Agenda

• Social Engineering Defined

• Who Are Social Engineers?

• Famous Social Engineers

• Computing Age

– Phishing

– Spear Phishing

– Whaling

– Hacking & Exploits

• Countermeasures

– Training, Training, Training!

• Resources for security professionals

– Publications

– Websites

– Technical (Tools)

Page 3: Social Engineering 2.0

What is Social Engineering?

• According to the www.Social-Engineer.org site: “Social Engineering is defined as the process of deceiving people into giving away access or confidential information.”

• Wikipedia defines it as "the act of manipulating people into performing actions or divulging confidential information. While similar to a confidence trick or simple fraud, the term typically applies to trickery or deception for the purpose of information gathering, fraud, or computer system access; in most cases the attacker never comes face-to-face with the victim."

• “Although it has been given a bad name by the plethora of "free pizza", "free coffee", and "how to pick up chicks" sites, aspects of social engineering actually touch on many parts of daily life.”

• “Many consider social engineering to be the greatest risk to security.”

Source: http://www.social-engineer.org/framework/Social_Engineering_Defined

Page 4: Social Engineering 2.0

Who Are Social Engineers?

By Trade:

• Detectives

• Special Agents

• Lawyers

• Sales professionals

• Recruiters

• Doctors

• Psychologists

• Any profession that uses human subjects to elicit information or to modify behavior

By Relationship:

• Children

• Parents & Grandparents

• Spouses

• Friends

Bad Guys:

• Scam artists or Cons

• Cyber criminals

• Hackers

• State actors

• Foreign governments

• Disgruntled Employees

• Insider Threat

• Identity Thieves

– Social Programs

– Medical ID Theft

– Banking & Insurance

– Impersonation

Page 5: Social Engineering 2.0

Prominent Social Engineers

• At age 12, Kevin Mitnick used social engineering to bypass the punch-card system used by the Los Angeles bus system. After a friendly bus driver told him where he could buy his own ticket punch, he could ride any bus in the greater LA area using unused transfer slips he found in the trash.

• Social engineering became his primary method of obtaining information, including user names, passwords and modem phone numbers.

• Mitnick gained unauthorized access to his first computer network in 1979, at 16, when a friend gave him the phone number for the Ark, the computer system Digital Equipment Corporation (DEC) used for developing its RSTS/E operating system. He copied DEC's software and was charged with and convicted of the crime in 1988.

• He later broke into Pacific Bell voice mail computers. After a warrant was issued for his arrest, Mitnick fled, becoming a fugitive for 2½ years.

• According to the U.S. Department of Justice, Mitnick gained unauthorized access to dozens of computer networks while he was a fugitive. He cloned cellular phones to hide his location and, among other things, copied valuable proprietary software from some of the country's largest cellular telephone and computer companies.

Page 6: Social Engineering 2.0

Prominent Social Engineers

• Frank William Abagnale, Jr. is an American security consultant known for his history as a former confidence trickster, check forger, impostor, and escape artist. He became notorious in the 1960s for passing $2.5 million worth of meticulously forged checks across 26 countries over the course of five years, beginning when he was 16 years old.

• In the process, he became one of the most famous impostors ever, claiming to have assumed no fewer than eight separate identities, including an airline pilot, a doctor, a U.S. Bureau of Prisons agent, and a lawyer. He escaped from police custody twice (once from a taxiing airliner and once from a U.S. federal penitentiary) before he was 21 years old.

• He served fewer than five years in prison before starting to work for the federal government. He is a consultant and lecturer at the FBI Academy and FBI field offices. He also runs Abagnale & Associates, a financial fraud consultancy.

Source: http://en.wikipedia.org/wiki/Frank_William_Abagnale

Page 7: Social Engineering 2.0

Top Security Risks According to SANS

• Priority One: Client-side software that remains unpatched.

• Priority Two: Internet-facing web sites that are vulnerable.

• Operating systems continue to have fewer remotely exploitable vulnerabilities that lead to massive Internet worms.

• Rising numbers of zero-day vulnerabilities.

Page 8: Social Engineering 2.0

Phishing

The phishing cycle:

• Planning. Phishers decide which business to target and determine how to get e-mail addresses for the customers of that business. They often use the same mass-mailing and address-collection techniques as spammers.

• Setup. Once they know which business to spoof and who their victims are, phishers create methods for delivering the message and collecting the data. Most often, this involves e-mail addresses and a Web page.

• Attack. This is the step people are most familiar with: the phisher sends a phony message that appears to be from a reputable source.

• Collection. Phishers record the information victims enter into Web pages or pop-up windows.

• Identity Theft and Fraud. The phishers use the information they've gathered to make illegal purchases or otherwise commit fraud. As many as a fourth of the victims never fully recover [Source: Information Week].

• If the phisher wants to coordinate another attack, he evaluates the successes and failures of the completed scam and begins the cycle again.

Source: Tracy V. Wilson (www.howstuffworks.com)

Page 9: Social Engineering 2.0

Spear Phishing

Spear phishing is an e-mail spoofing fraud attempt that targets a specific organization, seeking unauthorized access to confidential data. Spear phishing attempts are not typically initiated by "random hackers" but are more likely to be conducted by perpetrators out for financial gain, trade secrets or military information.

As with the e-mail messages used in regular phishing expeditions, spear phishing messages appear to come from a trusted source. Phishing messages usually appear to come from a large and well-known company or Web site with a broad membership base, such as eBay or PayPal. In the case of spear phishing, however, the apparent source of the e-mail is likely to be an individual within the recipient's own company, and generally someone in a position of authority.

Visiting West Point teacher and National Security Agency expert Aaron Ferguson calls this the "colonel effect." To illustrate his point, Ferguson sent a message to 500 cadets asking them to click a link to verify grades. Ferguson's message appeared to come from a Colonel Robert Melville of West Point. Over 80% of recipients clicked the link in the message. In response, they received a notification that they'd been duped and a warning that their behavior could have resulted in downloads of spyware, Trojan horses and/or other malware.

Source: SearchSecurity.com (http://searchsecurity.techtarget.com)

Page 10: Social Engineering 2.0

Whaling

Whaling is a form of spear phishing in which a scammer targets an organization and sends personalized emails to a specific executive officer or senior manager. The emails refer to fake but critical business matters, such as legal subpoenas or customer complaints, and may appear to have been sent from a trustworthy source such as an employer or staff member within the organization. Email addresses may be similar (but not identical) to an address you are familiar with.

The scammer's aim is to convince you that the email requires urgent action: following a link to a fake website or opening a malware-infected attachment. When you visit the fake but convincing website, it will ask you to do one or more of the following:

• enter confidential company information and passwords

• provide financial details, or enter them when making a payment for a fake software download

If financial details are provided, the scammer will use them to commit fraud. Alternatively, if you open an email attachment, it will download malware onto your computer. Malware can record your keystrokes, passwords and other company information, allowing the scammer to access it when you go online.

Source: http://www.scamwatch.gov.au/content/index.phtml/itemId/829460
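The spear phishing and whaling slides above both turn on the same header-level tells: a sender who appears to be someone in authority inside the organization, and an address that is similar but not identical to a real one. The Python script below is an added example written for this page, not code from the presentation or from any of the tools it lists, that checks those tells on two constructed sample messages. The domain example.com, the one-entry executive directory, the homoglyph table and both messages are assumptions made up for the example.

```python
"""Header checks for spear-phishing and whaling indicators.

Added example, not code from the original presentation. Assumes the defended
organization owns example.com and keeps a small directory of executives; the
two sample messages below are constructed for the example, not captured mail.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from typing import List

ORG_DOMAIN = "example.com"                                  # assumption: our domain
EXECUTIVES = {"robert melville": "rmelville@example.com"}   # constructed directory

# Substitutions attackers use to make a domain read like the real one.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))
PRESSURE_WORDS = re.compile(r"\b(urgent|immediately|subpoena|verify|overdue)\b", re.I)


def normalize(domain: str) -> str:
    """Fold common homoglyph substitutions so exarnple.com reads as example.com."""
    d = domain.lower()
    for fake, real in CONFUSABLES:
        d = d.replace(fake, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches dropped, added or swapped letters."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str) -> bool:
    """True when the domain is not ours but could be mistaken for it."""
    domain = domain.lower()
    if domain == ORG_DOMAIN:
        return False
    return normalize(domain) == normalize(ORG_DOMAIN) or edit_distance(domain, ORG_DOMAIN) <= 2


def analyze(raw: str) -> List[str]:
    """Return the list of indicators found in one RFC 822 message."""
    msg = message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()

    if is_lookalike(sender_domain):
        findings.append(f"lookalike sender domain: {sender_domain}")

    # The "colonel effect": display name of a known executive, but the
    # address is not the one in the directory.
    known = EXECUTIVES.get(name.strip().lower())
    if known and addr.lower() != known:
        findings.append(f"display name '{name}' does not match directory address {known}")

    # Replies silently redirected to a third party.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.rpartition("@")[2].lower() != sender_domain:
        findings.append(f"Reply-To points outside the sender domain: {reply_to}")

    # Urgency or legal pressure in subject or body.
    text = msg.get("Subject", "") + " " + msg.get_payload()
    if PRESSURE_WORDS.search(text):
        findings.append("urgency or legal-pressure language")
    return findings


# Constructed sample: impersonates an executive from a digit-for-letter lookalike domain.
SUSPECT = """\
From: "Robert Melville" <r.melville@examp1e.com>
Reply-To: <grades-verify@mail-relay.invalid>
To: cadet@example.com
Subject: URGENT: verify your grades

Click the link below to verify your grades before midnight.
"""

# Constructed sample: the same executive, genuine address, routine content.
LEGIT = """\
From: "Robert Melville" <rmelville@example.com>
To: cadet@example.com
Subject: Lunch Thursday?

Are you free at noon on Thursday?
"""

if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT), ("legit", LEGIT)):
        print(label, analyze(raw) or ["no indicators"])
```

Treat the output as a triage signal, not a verdict: a legitimate partner domain within two edits of yours trips the lookalike rule, and an authorized exercise like Ferguson's grade-verification test is flagged exactly as a real attack would be, which is the point of the check.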

Page 12: Social Engineering 2.0

File Sharing & Cloud Storage

Attackers use popular sites where anonymous accounts can be created to store or distribute exploit code.

Page 13: Social Engineering 2.0

Tools - BackTrack

• The BackTrack distribution originated from two Linux predecessors, WHAX and Max Moser's Auditor Security Collection, "The Swiss Army Knife for security assessments".

• Both were focused on Linux-based penetration testing. WHAX was packed with more features, while Auditor emphasized structure and stability, with well-laid-out menus for its collection of over 300 tools for troubleshooting, networking and system hardening.

• Combining the two produced the BackTrack security testing distribution. The Auditor Security Collection was a Live CD based on Knoppix.

Source: http://www.remote-exploit.org/articles/backtrack/index.html

Page 15: Social Engineering 2.0

Training, Training, Training!

• Education

– Degrees are available in computer forensics and Information Assurance

– Federal agencies have training resources of their own

– Department of Defense

• DISA

• JKO, AKO

– NSA

• Coordinate through your government sponsors

• Excellent pentest training

– READ! Collaborate! Network!

– Join Local Chapters of Security Organizations

Page 16: Social Engineering 2.0

Training, Training, Training!

• Certifications

– Certified Ethical Hacker (CEH)

– Certified EC-Council Instructor (CEI)

– Computer Hacking Forensic Investigator (CHFI)

– EC-Council Certified Security Analyst (ECSA)

– EC-Council Certified Incident Handler (ECIH)

– Certified Network Defense Architect (CNDA)

– Licensed Penetration Tester (LPT)

– EC-Council Certified VOIP Professional (ECVP)

– EC-Council Network Security Administrator (ENSA)

– EC-Council Certified Computer Investigator (ECCI)

Page 17: Social Engineering 2.0

Publications

• Social Engineering: The Art of Human Hacking by Chris Hadnagy

• The Art of Deception: Controlling the Human Element of Security by Kevin Mitnick

• What Every BODY is Saying: An Ex-FBI Agent's Guide to Speed-Reading People by Joe Navarro

• Social Engineering: Hacking The Human Mind an article in Forbes Magazine by Eric Savitz, Forbes Staff (March 29, 2012)

Page 18: Social Engineering 2.0

Websites Recommending Technical Tools

Social-Engineer Toolkit (SET) demonstration video: http://www.youtube.com/watch?v=9f2ANmI2-RI

Social-Engineer Toolkit (SET): http://www.offensive-security.com/metasploit-unleashed/SET

The Metasploit Project is an open-source computer security project which provides information about security vulnerabilities and aids in penetration testing and IDS signature development. http://www.metasploit.com/

SANS Institute: http://www.sans.org/top-cyber-security-risks/

Social-Engineer.org: http://www.social-engineer.org/

Page 19: Social Engineering 2.0

Questions?