Social Engineering (nii.ac.jp)
Digital Natives
(Diagram: a "cool handle" tied to an iPad, iPhone and Mac; an Apple account; an email account; Amazon, used "to buy stuff".)
1: Backup email unknown
2: Google [email protected]
3: Backup: m…[email protected]
4: Forgot PW? Support asks for: billing address, last 4 digits of CC
5: Whois: address = billing address
6: Add new CC: email, CC (fake), billing address
7: Forgot PW? You need: email, CC info, billing address. Last 4 digits of other CCs are visible → last 4 digits of CC
8: Devices: iPhone, iPad, Mac
9: Post nonsense to Twitter
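The chain on the slide is a dependency problem: every recovery path accepts a few facts as proof of identity, and every account taken over reveals more facts. The Python below is an added example (not part of the original slides) that models the nine steps as a fixed-point computation over attacker knowledge and then shows how the chain breaks when one provider stops exposing the last four card digits. The step names, fact names, and the assumption that the same billing address is on file at every provider are ours.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Step:
    """One account-recovery path or attacker move: what it needs, what it yields."""
    name: str
    requires: frozenset   # facts the attacker must already hold
    grants: frozenset     # facts the attacker holds after the step succeeds


def takeover_closure(start_facts, steps):
    """Fixed point: keep taking any step whose requirements are satisfied.
    Returns (steps taken, in order; all facts finally held)."""
    known = set(start_facts)
    taken = []
    progress = True
    while progress:
        progress = False
        for s in steps:
            if s.name not in taken and s.requires <= known:
                taken.append(s.name)
                known |= s.grants
                progress = True
    return taken, known


def harden(steps, name, drop):
    """Same chain, but step `name` no longer reveals the facts in `drop`."""
    return [Step(s.name, s.requires, s.grants - frozenset(drop)) if s.name == name else s
            for s in steps]


# Constructed model of the slide's chain. Fact names and the assumption that the
# same billing address is on file at every provider are ours, not the slide's.
PUBLIC = frozenset({"google_email", "apple_email", "amazon_email", "domain"})

CHAIN = [
    Step("whois:lookup",        frozenset({"domain"}),
                                frozenset({"billing_address"})),                 # step 5
    Step("amazon:add-card",     frozenset({"amazon_email", "billing_address"}),
                                frozenset({"amazon_card_on_file"})),             # step 6, fake card
    Step("amazon:reset",        frozenset({"amazon_email", "billing_address", "amazon_card_on_file"}),
                                frozenset({"amazon_account", "cc_last4"})),      # step 7
    Step("apple:support-reset", frozenset({"apple_email", "billing_address", "cc_last4"}),
                                frozenset({"apple_mailbox", "devices"})),        # steps 4, 8
    Step("google:backup-email", frozenset({"apple_mailbox"}),
                                frozenset({"google_mailbox"})),                  # steps 1-3
    Step("twitter:reset",       frozenset({"google_mailbox"}),
                                frozenset({"twitter"})),                         # step 9
]

# Hardened variant: the Amazon reset no longer exposes the last four digits of other cards.
HARDENED = harden(CHAIN, "amazon:reset", {"cc_last4"})

if __name__ == "__main__":
    for label, chain in (("as on the slide", CHAIN), ("Amazon hardened", HARDENED)):
        taken, facts = takeover_closure(PUBLIC, chain)
        print(f"{label}: {' -> '.join(taken)}")
        print(f"  attacker ends up holding: {sorted(facts)}")
```

The point of the closure is that no single provider on the chain does anything obviously wrong: each one verifies facts that are "private" from its own point of view, and the attacker only has to find the provider that treats as public what the next one treats as secret.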
Knowledge Worker
• "It demands that we impose the responsibility for their productivity on the individual knowledge workers themselves. Knowledge workers have to manage themselves. They have to have autonomy.
• Continuous innovation has to be part of the work, the task and the responsibility of knowledge workers.
• Knowledge worker productivity requires that the knowledge worker is both seen and treated as an 'asset' rather than a 'cost'. It requires that knowledge workers want to work for the organization in preference to all other opportunities."
Source: http://www.knowledgeworkerperformance.com/Peter-Drucker-Knowledge-Worker-Productivity.aspx
Experts
• "But in all my experience, I have never been in any accident … of any sort worth speaking about. I have but one vessel in distress in all my years at sea. I never saw a wreck and never have been wrecked nor was I ever in any predicament that threatened to end in disaster of any sort."
E.J. Smith, 1907, Captain, RMS Titanic
Source: New York Times, April 16, 1912
Experts
• Reliable data is often not available – Example: botnets
How to steal a botnet, Richard Kemmerer, https://www.youtube.com/watch?v=2GdqoQJa6r4
Richard A. Kemmerer. 2009. How to steal a botnet and what can happen when you do. In Proceedings of the 11th International Conference on Information and Communications Security (ICICS'09), Sihan Qing, Chris J. Mitchell, and Guilin Wang (Eds.). Springer-Verlag, Berlin, Heidelberg, 1-1. DOI: 10.1007/978-3-642-11145-7_1, http://dx.doi.org/10.1007/978-3-642-11145-7_1
• Alternate sources: – Models, prediction – Estimates, experience, guesses
It is not bad to use these methods if one is aware of the drawbacks.
Prediction
• People overestimate their knowledge – "Unknown unknowns" (D. Rumsfeld)
• People are bad at evaluating the quality of their knowledge – Example: anchoring
• People are bad at judging how good their judgment is – Example: 2% confidence studies
– Effective error rate: 15 - 30%
Social Engineering
• Anatomy of an attack. http://blogs.rsa.com/anatomy-of-an-attack/
• Google hack attack was ultra sophisticated, new details show. http://www.wired.com/threatlevel/2010/01/operation-aurora/
• Microsoft hacked: joins Apple, Facebook, Twitter – InformationWeek. http://www.informationweek.com/security/attacks/microsoft-hacked-joins-apple-facebook-tw/240149323
• N. Perlroth. Chinese hackers infiltrate New York Times computers. The New York Times, Jan. 2013.
Types of S.E. Attacks
• Physical approaches – Dumpster diving, stealing, …
• Social approaches – Relationships, inside knowledge
• Reverse social engineering – Victim contacts attacker
• Technical approaches – Freely available information, guessing and targeted attacks
• Socio-technical approaches – USB sticks, …
https://www.youtube.com/watch?v=vBPG_OBgTWg
(0:39)
Perception
https://www.youtube.com/watch?v=IGQmdoK_ZfY
A well-known video…
Human Factors
On Pseudologia phantastica [with regard to] the example of the character Felix Krull from Thomas Mann's novel of the same name, and cognitively induced biases in stereotypical judgment
Emotions and Feelings
• Authority
• Strong Emotion
• Overloading
• Reciprocation
• Deceptive Relationships
• Reverse Social Engineering
AppInspect: Large-scale Evaluation of Social Networking Apps
• Social networks act as proxies between user and third-party providers
• Personal information is transferred to providers
• App providers themselves rely on third-parties (analytics, advertising products)
• Custom hosting infrastructures
• Approval of apps with authentication dialog
Enumeration
• Exhaustive search in June 2012 with character trigrams
• 434,687 unique applications in two weeks
• Main obstacle: Facebook account rate limits
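Why trigrams? A directory search that truncates every result list to a fixed number of hits can only be exhausted by issuing queries fine-grained enough that no query's true result set exceeds the cap. The simulation below is an added example (not the AppInspect code): it builds a constructed population of names, a substring search that caps its results, and compares how much of the population 1-gram, 2-gram and 3-gram query sweeps recover. The alphabet, name length and cap are our assumptions chosen to keep the run short.

```python
import itertools
import random

ALPHABET = "abcdefghij"   # constructed: a small alphabet keeps the simulation fast
NAME_LEN = 6
CAP = 10                  # the search endpoint truncates every result list to CAP hits


def make_corpus(size, rng):
    """Constructed population of app names (stands in for the real directory)."""
    names = set()
    while len(names) < size:
        names.add("".join(rng.choice(ALPHABET) for _ in range(NAME_LEN)))
    return sorted(names)


def make_search(corpus, cap=CAP):
    """Substring search that, like a rate-limited directory endpoint,
    never returns more than `cap` hits for one query."""
    def search(query):
        return [n for n in corpus if query in n][:cap]
    return search


def enumerate_by_ngrams(search, n, alphabet=ALPHABET):
    """Query every n-character string over the alphabet and union the truncated
    result lists. Returns (set of names found, number of queries issued)."""
    found = set()
    queries = 0
    for chars in itertools.product(alphabet, repeat=n):
        found.update(search("".join(chars)))
        queries += 1
    return found, queries


def coverage_table(corpus, max_n=3):
    """Coverage (found / total) and query cost for 1-grams .. max_n-grams."""
    search = make_search(corpus)
    rows = []
    for n in range(1, max_n + 1):
        found, queries = enumerate_by_ngrams(search, n)
        rows.append({"n": n, "queries": queries, "found": len(found),
                     "coverage": len(found) / len(corpus)})
    return rows


CORPUS = make_corpus(400, random.Random(2012))

if __name__ == "__main__":
    for row in coverage_table(CORPUS):
        print(row)
```

The trade-off is the one the slide names: going from bigrams to trigrams multiplies the number of queries by the alphabet size, and against a real platform that cost is paid in rate-limited accounts rather than CPU time.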
Most Popular Apps
• 10,624 most popular apps, 94.07% of the samples' cumulative application usage
• Language: English (64.72%), 69 different languages
Permissions per Provider
• 4,747 applications belonged to 1,646 distinct providers
• 60.24% of all providers requested the personal email address
Suspicious Apps
• 40 providers requested more than 10 permissions
• 139 web tracking / advertising providers used
• Manually verified requested permissions vs. app functionality
• Legitimate uses
– Dating and job hunting applications
– XBOX application (not available anymore)
• Malpractices
– Horoscopo Diario, 2.5 million monthly users: would only require the birthdate, requested 25 different permissions
– Wisdom of the Buddha etc.
Vulnerability
• 55% Apache httpd, nginx (15.63%), Microsoft IIS (9.4%)
• 2 hosts: source code disclosure vulnerability (CVE-2010-2263)
• 8 hosts: ProFTPD buffer overflow (CVE-2006-5815, CVE-2010-4221)
• Host with 1.2 million monthly users and sensitive information
Information Leaks
• 51 applications leaked unique user identifiers (via the HTTP Referer header sent to third parties)
• 14 of these 51 applications also leaked API authorization tokens
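The leak mechanism is mundane: the app page carries the user id or token in its URL, the page embeds a tracker or ad script from another host, and the browser sends the whole page URL as the Referer header of that request. The Python below is an added example (not the AppInspect tooling) showing both sides: a detector that scans a third party's access log for Referer values carrying sensitive parameters, and the hardening step of moving those parameters behind the URL fragment, which browsers never include in Referer. The parameter names, host names and log lines are constructed for the example.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query parameters whose presence in a Referer header we treat as a leak.
# (Constructed list for this example; adapt it to the app's real parameter names.)
SENSITIVE = {"access_token", "oauth_token", "signed_request", "uid", "user_id"}

# Combined Log Format as written by Apache httpd / nginx: the 7th field is the Referer.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def sensitive_params(url):
    """Names of sensitive query parameters carried by `url`. The fragment is
    deliberately ignored: browsers never put it into Referer."""
    names = {k for k, _ in parse_qsl(urlsplit(url).query, keep_blank_values=True)}
    return sorted(n for n in names if n.lower() in SENSITIVE)


def find_referer_leaks(lines):
    """Scan a third party's (tracker / ad host) access log. Every hit whose Referer
    carries a sensitive parameter is an identifier or token the app page handed over."""
    leaks = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["referer"] == "-":
            continue
        params = sensitive_params(m["referer"])
        if params:
            leaks.append({"client": m["client"],
                          "leaking_page": urlsplit(m["referer"]).netloc,
                          "params": params})
    return leaks


def move_sensitive_to_fragment(url):
    """Hardening: keep sensitive values out of the query string (and so out of Referer)
    by moving them behind '#', where the page's own script can still read them."""
    parts = urlsplit(url)
    keep, hide = [], []
    for k, v in parse_qsl(parts.query, keep_blank_values=True):
        (hide if k.lower() in SENSITIVE else keep).append((k, v))
    fragment = urlencode(hide) if hide else parts.fragment
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(keep), fragment))


# Constructed sample: three lines from the access log of a hypothetical tracking host.
SAMPLE_LOG = [
    '198.51.100.7 - - [12/Nov/2012:10:01:03 +0100] "GET /pixel.gif HTTP/1.1" 200 43 '
    '"https://apps.example-app.test/canvas/?uid=100004321&access_token=AAAC3xyz&page=home" "Mozilla/5.0"',
    '198.51.100.8 - - [12/Nov/2012:10:01:04 +0100] "GET /pixel.gif HTTP/1.1" 200 43 '
    '"https://apps.example-app.test/canvas/?page=home&lang=en" "Mozilla/5.0"',
    '198.51.100.9 - - [12/Nov/2012:10:01:05 +0100] "GET /ads.js HTTP/1.1" 200 1200 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for leak in find_referer_leaks(SAMPLE_LOG):
        print(leak)
    print(move_sensitive_to_fragment(
        "https://apps.example-app.test/canvas/?uid=100004321&access_token=AAAC3xyz&page=home"))
```

Two caveats a practitioner should keep in mind. Moving the token into the fragment only keeps it out of Referer; a third-party script running in the page can still read `location.hash`, so the tracker that the app chose to embed remains a trusted party. And a `Referrer-Policy` header (or `rel="noreferrer"` on links) is the browser-side complement, but it protects nothing on browsers that ignore it, so the durable fix is to never put the secret in the URL at all.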
Facebook Summary
• Reported our findings to Facebook in November 2012
– Facebook responded within one week
– Skype meetings with Facebook
– Facebook acknowledged the problems and contacted developers
– Fixed in May 2013
• Security and privacy implications
– Since January 2010: unproxied access to the email address
– 60% of application developers request the email address
– Social phishing, context-aware spam
– Users trackable with real name
• Hosting
– Number of hosts possibly vulnerable
– FTP/SSH brute force
– Amazon EC2 community images
Techniques
• Shoulder surfing
• Phishing
– Spear phishing
• Google (e.g. intitle:"Live View / - AXIS 210")
• Waterholing
• Baiting
– USB stick
• Social networking sites – Freddi Staur – Robin Sage
• IM
• Spying, pretending justified interest
• Telephone, face-to-face
Is it the users’ fault?
http://www.emarsys.net/u/reg.php?par=sliBLsUjox_194008_111_2_t_119422470_23396
Hagai Hartman
emarsys eMarketing Systems AG
Maerzstrasse 1/5 OG 1/5
Wien, 1150, AT
Why do Nigerian Scammers Say They are from Nigeria? https://research.microsoft.com/pubs/167719/WhyFromNigeria.pdf
Are phishers really stupid?
Lessons learned
• Secure passwords do not solve all problems – Alternate attack vectors
– Phishing, social engineering, etc.
• Backup passwords and recovery options are dangerous
– Security questions
– Backup email accounts
– Support calls
• How can you identify a person?
– Credit card?
– Social security number?
– Fingerprint?
– Login / password?
Cloud Services in Mobile Networks (Cloud Dienste in mobilen Netzwerken)
Christian Platzer
Further reading
• Fraud and Abuse: A Survey of Life on the Internet Today. Ellen Cram Kowalczyk, Principal Security Program Manager Lead, Microsoft. http://channel9.msdn.com/Events/Blue-Hat-Security-Briefings/BlueHat-Security-Briefings-Fall-2012-Sessions/BH1201
• Social Authentication. Alex Rice, Product Security, Facebook. http://channel9.msdn.com/Events/Blue-Hat-Security-Briefings/BlueHat-Security-Briefings-Fall-2012-Sessions/BH1202
Psychological Background
• Authority
• Strong Emotion
• Overloading
• Reciprocation
• Deceptive Relationships
• Integrity and Consistency
• Social Proof
Empirical Research
• Dropbox: Martin Mulazzani, Sebastian Schrittwieser, Manuel Leithner, Markus Huber, and Edgar R. Weippl. Dark clouds on the horizon: Using cloud storage as attack vector and online slack space. USENIX Security, Aug. 2011.
• WhatsApp: Sebastian Schrittwieser, Peter Fruehwirt, Peter Kieseberg, Manuel Leithner, Martin Mulazzani, Markus Huber, and Edgar R. Weippl. Guess who is texting you? Evaluating the security of smartphone messaging applications. In Network and Distributed System Security Symposium (NDSS 2012), Feb. 2012.
• Facebook: Markus Huber, Sebastian Schrittwieser, Martin Mulazzani, and Edgar Weippl. AppInspect: Large-scale evaluation of social networking apps. In ACM Conference on Online Social Networks (COSN 2013), 2013.
• Amazon: Amir Herzberg, Haya Shulman, Johanna Ullrich, and Edgar R. Weippl. Cloudoscopy: Services discovery and topology mapping. In Proceedings of the ACM Cloud Computing Security Workshop (CCSW) at ACM CCS 2013, 2013.
Attack scenario
(Diagram: the attack seed phishes a friend; the phished friend's account sends spam to all of their friends; some of the spammed friends are phished in turn and spam their own friends, and so on: 1st iteration, 2nd iteration, 3rd iteration, ...)
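The diagram is a breadth-first cascade: every account phished in iteration n spams its friends in iteration n+1, and the spam is more effective than ordinary spam because it arrives from a known sender (the "context-aware spam" of the Facebook summary). The Python below is an added example (not from the slides) that runs the cascade over a small constructed friend graph with an explicit set of accounts that fall for a message from a friend, and reports per iteration how many accounts were spammed and how many were newly phished. The graph, the susceptible set and the stopping rule are our assumptions.

```python
import random


def simulate_cascade(friends, seed, susceptible, max_iterations=10):
    """Iterate the slide's scenario. `friends` maps account -> friends,
    `seed` is the account the attacker controls first, `susceptible` is the set
    of accounts that act on a phishing message that comes from a friend.
    Returns (per-iteration stats, set of all phished accounts)."""
    phished = {seed}
    frontier = [seed]              # accounts phished in the previous iteration
    history = []
    for _ in range(max_iterations):
        if not frontier:           # nobody new was phished: the cascade has died out
            break
        spammed = set()
        for account in frontier:   # each phished account spams its not-yet-phished friends
            spammed.update(f for f in friends.get(account, ()) if f not in phished)
        newly_phished = {target for target in spammed if target in susceptible}
        phished |= newly_phished
        history.append({"spammed": len(spammed), "phished": len(newly_phished)})
        frontier = sorted(newly_phished)
    return history, phished


def random_susceptible(friends, click_rate, rng):
    """Draw a susceptible set where each account falls for a friend's message
    with probability `click_rate` (constructed parameter for experiments)."""
    return {account for account in sorted(friends) if rng.random() < click_rate}


# Constructed friend graph (undirected: every edge is listed in both directions).
FRIENDS = {
    "seed": ["a", "b", "c"],
    "a": ["seed", "d", "e"],
    "b": ["seed", "e", "f"],
    "c": ["seed"],
    "d": ["a", "g"],
    "e": ["a", "b"],
    "f": ["b", "h"],
    "g": ["d"],
    "h": ["f"],
}

# Constructed: the accounts that will act on a phishing message from a friend.
SUSCEPTIBLE = {"a", "b", "d", "h"}

if __name__ == "__main__":
    history, phished = simulate_cascade(FRIENDS, "seed", SUSCEPTIBLE)
    for i, stats in enumerate(history, start=1):
        print(f"iteration {i}: spammed {stats['spammed']}, phished {stats['phished']}")
    print("phished accounts:", sorted(phished))
    history, phished = simulate_cascade(FRIENDS, "seed",
                                        random_susceptible(FRIENDS, 0.5, random.Random(1)))
    print("random run:", history)
```

Note that account "h" is susceptible but never reached, because its only friend "f" did not fall for the message: the cascade is bounded by the graph as much as by the click rate, which is why the reach of one compromised seed depends on where in the social graph it sits.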