CSCD 303 Essential Computer Security, Spring 2013

Lecture 5 - Social Engineering 2: General Social Engineering Techniques, Scams, Tools
Reading: Chapter 13

Overview

• Social Engineering Revisited
– How is Social Engineering Accomplished
– Different methods of Social Engineering
– Prevention of Social Engineering

• Scams
– Different ones
– How to guard against them

Kevin Mitnick, Famous Social Engineer Hacker
• Went to prison for hacking
• Became ethical hacker

"People are generally helpful, especially to someone who is nice, knowledgeable or insistent."

Kevin Mitnick - Art of Deception

Kevin's Book http://www.amazon.com/The-Art-Deception-Controlling-Security/dp/076454280X

• "People inherently want to be helpful and therefore are easily duped"

• "They assume a level of trust in order to avoid conflict"

• "It's all about gaining access to information that people think is innocuous when it isn't"

• Social engineering cannot be blocked by technology alone

Social Engineering Example

Target And Attack
• The basic goals of social engineering are the same as hacking in general:
– To gain unauthorized access to systems or information in order to commit fraud, network intrusion, industrial espionage, identity theft, or simply to disrupt the system or network.

• Typical targets include telephone companies and answering services, big-name corporations and financial institutions, military / government agencies, and hospitals

An Example

• One morning a few years back, a group of strangers walked into a large shipping firm and walked out with access to the firm’s entire corporate network.

• How did they do it?
– By obtaining small amounts of access, bit by bit, from a number of different employees

• First, they researched the company for two days before even attempting to set foot on premises

And so on…

• Series of Steps
1. They learned key employees’ names by calling HR
2. Next, they pretended to lose their key to the front door, and a man let them in
3. Then they "lost" their identity badges when entering third floor secured area, smiled, and a friendly employee opened the door for them.
4. Strangers knew CFO was out of town, so were able to enter his office and obtain financial data off his unlocked computer
5. They dug through corporate trash, finding all kinds of useful documents
6. They asked a janitor for a garbage pail in which to place their contents and carried all of this data out of building in their hands.
7. Strangers had studied CFO's voice, so they were able to phone, pretending to be CFO, in a rush, desperately in need of his network password

From there, they used regular technical hacking tools to gain super-user access into system

Social engineers are known to use non-technical tactics to gather information

• Dumpster Diving
• Baiting
• Pretexting
• Diversion Theft

Social Engineering Techniques

Dumpster Diving
What are they looking for? Anything that might be valuable to cyber criminals, could be used for blackmail or sale

• Research secrets
• Project schedules
• Collaborator lists
• Financial, legal, and licensing information
• Personal employee and system information

Social Engineering Techniques

Dumpster Diving

http://www.social-engineer.org/framework/How_To_Gather_Information:_Dumpster_Diving

Many original dumpster divers were individuals who were into phone phreaking

– These individuals were primarily interested in accessing information about telephone companies such as AT&T and learning structure and operation of their phone systems

Many people simply throw away billing or banking statements that often reveal confidential information such as account and social security numbers

Dumpster Diving

Preventing Dumpster Diving
Best way to prevent anyone from seeing your 'private trash' is to shred it.
– Paper shredders are inexpensive devices that help eliminate or destroy those important documents that have found their way into the trashcan

Corporate policy, if not already in effect, should be put in place to state the guidelines for proper handling and disposing of sensitive documents

http://social-engineer.org/wiki/archives/DumpsterDiving/CrimeandClues_dumpster_diving.htm

Baiting

• Real world Trojan horse
• Uses physical media
• Relies on greed/curiosity of victim
• Attacker leaves a malware-infected CD or USB drive in a location sure to be found
• Attacker puts a legitimate or curious label on it to gain interest
• Ex: "Company Earnings 2009" left at company elevator. Curious employee/Good Samaritan user inserts media and unknowingly installs malware

Baiting Example

Social Engineering Example Two
• Monday morning, 6am
– Electric rooster is telling you it's time to start a new work week.
– On the way to work you're thinking of all you need to accomplish this week.

• Then, on top of that, there's the recent merger between your company and a competitor

• One of your associates told you, “you better be on your toes because rumors of layoffs are floating around”

Social Engineering

• You arrive at office and stop by restroom to make sure you look your best
• You straighten your tie, and turn to head to your cube when you notice, sitting on back of sink, is a CD-ROM
• Someone must have left this behind by accident
• You pick it up and notice there is a label on it
• Label reads "2005 Financials & Layoff's"

You get a sinking feeling in your stomach and hurry to your desk. It looks like your associate has good reasons for concern, and you're about to find out for yourself

And so The Game Is In Play: People Are The Easiest Target

You insert CD-ROM. You find several files on the CD, including a spreadsheet which you quickly open. Spreadsheet contains a list of employee names, start dates, salaries, and a note field that says "Release" or "Retain". You quickly search for your name but cannot find it. In fact, many of the names don't seem familiar. Why would they, this is pretty large company, you don't know everyone.

Since your name is not on the list you feel a bit of relief. It's time to turn this over to your boss. Your boss thanks you and you head back to your desk.

Bingo - Gotcha

• Spreadsheet you opened was not only thing executing on your computer

• Moment you open that file you caused a script to execute which installed a few files on your computer

• Those files were designed to call home and make a connection to a server on the Internet

– Once connection was made software on server responded by pushing (or downloading) several software tools to your computer

• Tools designed to give hacker complete control of your computer

• Now they have a platform, inside your company's network, where they can continue to hack the network.  And, they can do it from inside without even being there
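The "call home" step in this story is the part a defender can actually see in logs: a workstation that opens connections to an outside address minutes after removable media is mounted. The script below is an added example (not from the lecture) that correlates the two event types over a few constructed log lines. The log format, host names, addresses and the list of internal network ranges are all assumptions made up for this example.

```python
"""Correlate removable-media mounts with outbound connections (added example)."""
from datetime import datetime, timedelta
import ipaddress

# Assumption: the corporate network uses RFC 1918 space; anything outside
# these ranges is treated as an external ("Internet") destination.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample events in an invented format:
#   <ISO timestamp> <host> <event kind> key=value ...
SAMPLE_LOG = """\
2013-04-15T08:02:11 ws-finance-07 MEDIA_MOUNT device=E: label=2005_Financials_Layoffs
2013-04-15T08:02:40 ws-finance-07 PROCESS_START image=EXCEL.EXE file=E:\\layoffs.xls
2013-04-15T08:02:52 ws-finance-07 NET_CONNECT dst=10.0.4.20 port=445
2013-04-15T08:03:05 ws-finance-07 NET_CONNECT dst=198.51.100.23 port=443
2013-04-15T08:09:30 ws-finance-07 NET_CONNECT dst=198.51.100.23 port=443
2013-04-15T09:15:00 ws-hr-02 NET_CONNECT dst=203.0.113.9 port=443
2013-04-15T11:40:00 ws-finance-07 NET_CONNECT dst=192.0.2.77 port=80
"""


def parse_events(text):
    """Turn log lines into dicts: parsed timestamp, host, kind, plus key=value fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, host, kind, *fields = line.split()
        event = {"time": datetime.fromisoformat(stamp), "host": host, "kind": kind}
        event.update(f.split("=", 1) for f in fields)
        events.append(event)
    return events


def is_external(addr):
    """True when the address is outside every internal range."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETS)


def mount_to_connect_alerts(text, window_minutes=10):
    """Flag external connections a host makes within the window after a media mount."""
    window = timedelta(minutes=window_minutes)
    events = sorted(parse_events(text), key=lambda e: e["time"])
    last_mount = {}   # host -> (mount time, device)
    alerts = []
    for ev in events:
        if ev["kind"] == "MEDIA_MOUNT":
            last_mount[ev["host"]] = (ev["time"], ev.get("device", "?"))
        elif ev["kind"] == "NET_CONNECT" and ev["host"] in last_mount:
            mounted_at, device = last_mount[ev["host"]]
            since = ev["time"] - mounted_at
            # Internal traffic (file shares, printers) is expected; only outside
            # destinations shortly after the mount are suspicious.
            if timedelta(0) <= since <= window and is_external(ev["dst"]):
                alerts.append({
                    "host": ev["host"], "device": device, "dst": ev["dst"],
                    "port": int(ev["port"]),
                    "seconds_after_mount": int(since.total_seconds()),
                })
    return alerts


if __name__ == "__main__":
    for alert in mount_to_connect_alerts(SAMPLE_LOG):
        print(alert)
```

Ten minutes is a deliberately short window. A production rule would also exclude known update and proxy servers, and would weight the repeated connection to the same address (the 08:09:30 line) more heavily, since periodic contact with one outside host is the pattern a remote-control tool leaves.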

Pretexting

The act of creating and using an invented situation in order to convince a target to release information or grant access to sensitive materials

This type of attack is usually implemented over the phone and can be used to obtain

– Customer information, phone records, banking records and is also used by private investigators

Pretexting continued

Hacker will disguise their identity in order to ask a series of questions intended to get information he/she is wanting from their target

By asking these questions victim will unknowingly provide attacker with information hacker needs to carry out their attack

Pretexting via Phone

A Hacker will call someone up and imitate a person of authority and slowly retrieve information from them

Help Desks are incredibly vulnerable to this type of attack

Help Desks are Gold Mines

Main purpose is to help, putting them at a disadvantage against an attacker

People employed at a help desk usually are being paid next to nothing

Giving them little incentive to do anything but answer questions and move onto next phone call

So how do you protect yourself?

Protecting Against These Attacks
Attacks can take two different approaches
– Physical and Psychological

Physical aspect: Workplace, over the phone, dumpster diving, and on-line.

Psychological aspect: Persuasion, impersonation, ingratiation, conformity, and good ol’ fashioned friendliness

How To Defend Against the Physical
– Check and Verify all personnel entering the establishment.
– More important files should be locked up
– Shred all important papers before disposing
– Erase all magnetic media (hard drives, disks)
– All machines on the network should be well protected by passwords
– Lock and store dumpsters in secure areas.

Security Policies and Training!!!
Corporations make mistake of only protecting themselves from physical aspect, leaving them almost helpless to psychological attacks hackers commonly use

– Advantage: Alleviates responsibility of worker to make judgment call on the hacker’s request
– Policy should address aspects of access control and password changes and protection.

Locks, ID’s, and shredders are important, should be required for all employees

Security Policies and Training!!!
Training – Not Just Once !!!
All employees should attend an annual refresher course including Social Engineering

Also send email reminders
– How to spot an attacker,
– Methods in preventing them from falling victim

What to do for Average Person

DO NOT DISCLOSE ANY PERSONAL INFORMATION UNLESS PERSON AND/OR SITE IS TRUSTED

Don’t fall prey to all the get rich quick schemes. Update your security software regularly. Have a strong password and change it regularly

– Try not to have same one for all your passwords.

Shred your important papers before throwing them out

Social Engineering Clips

Animation: http://www.youtube.com/watch?v=Y6tbUNjL0No

Live Action: http://www.youtube.com/watch?v=8TJ4XOvY7II&feature=related

Online Scams

These may come through mail notification, or you could possibly receive an e-mail advising that you’ve won a lottery sweepstakes

If you don’t participate in any type of lottery
– You need to question why you would receive any type of notification

This type of scam will try a variety of ways to get your money. They tend to charge an application or processing fee.

The following is a recent example ….

Lottery Sweepstakes Scams


This looks official; however, it asks the receiver to send them $5, along with a claim form to obtain their winnings

• Another example of a sweepstakes scam advising you’ve won $215,000 and they’ve sent a portion of your winnings to help pay taxes.

•Check amount was for $4875 and they want you to wire $3795 back to them.


Online Auction Scams

The following are some of the more common online auction scams to be aware of:

Overpayment Fraud targets the seller
– A seller advertises a high-value item—like a car or a computer—on Internet
– A scammer contacts the seller to purchase the item, then sends the seller a counterfeit check or money order for an amount greater than the price of the item
– The purchaser asks seller to deposit payment, deduct the actual sale price, and then return the difference to the purchaser

Online Auction Scams

Wire transfer schemes start with fraudulent and misleading ads for the sale of high-value items posted on well-known online auction sites. When buyers take the bait, they are directed to wire money to the crooks using a money transfer company. Once the money changes hands, the buyer never hears from them again.

Second-chance schemes involve scammers who offer losing bidders of legitimate auctions the opportunity to buy the item(s) they wanted at reduced prices. They usually require that victims send payment through money transfer companies, but then don’t follow through on delivery.

Source: FBI and IC3 online data, http://www.fbi.gov/page2/june09/auctionfraud_063009.html
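The lottery scam and the auction scams above share a small set of textual tells: an unsolicited win, an upfront fee, a request to wire money, a payment larger than the price with the difference to be returned, and a "second chance" offer to a losing bidder. The scorer below is an added example (not from the lecture or from the FBI source) that applies those tells as regular expressions to four constructed messages. The indicator names and patterns are my own; the messages reuse only the $4875/$3795 figures from the slide and are otherwise invented.

```python
"""Score messages for lottery and auction scam indicators (added example)."""
import re

# Each indicator is one of the tells described in the lecture, expressed as a
# case-insensitive pattern. Names and patterns are assumptions for this example.
INDICATORS = {
    "unsolicited_win": r"\b(you (have|'ve) (been selected|won)|winner|winnings|sweepstakes|lottery)\b",
    "upfront_fee": r"\b(processing|application|handling|release) fee\b",
    "wire_request": r"\b(wire (the|us|me|back)|wire transfer|money transfer)\b",
    "overpayment": (r"\b(deduct|minus|keep) (the|your)?\s*(sale price|asking price|cost)\b"
                    r"|\b(return|send back|refund) the (difference|balance|excess)\b"),
    "second_chance": r"\bsecond[- ]chance\b|\bdid(n't| not) win the auction\b",
    "urgency": r"\b(immediately|within 24 hours|urgent|act now)\b",
}
_COMPILED = {name: re.compile(pat, re.IGNORECASE) for name, pat in INDICATORS.items()}

# Constructed sample messages: three scams of the kinds described, one benign reply.
SAMPLE_MESSAGES = {
    "lottery": ("Congratulations! You have won the International Email Sweepstakes. "
                "To release your winnings, return the enclosed claim form with a "
                "$5 processing fee within 24 hours."),
    "overpayment": ("I will buy the car for my client overseas. He will mail you a "
                    "cashier's check for $4875. Deposit it, deduct the sale price, "
                    "and wire the difference of $3795 back to me."),
    "second_chance": ("You didn't win the auction, but the high bidder backed out. "
                      "Second-chance offer: pay $900 through a money transfer service "
                      "today and the laptop ships tomorrow."),
    "benign": ("Hi, is the bicycle still available? I could pick it up Saturday "
               "afternoon and pay cash in person."),
}


def score_message(text):
    """Return (score, list of indicator names that matched) for one message."""
    hits = [name for name, rx in _COMPILED.items() if rx.search(text)]
    return len(hits), hits


def flag_scams(messages, threshold=2):
    """Return {message id: matched indicators} for messages scoring at or above threshold.

    Two independent tells are required so that a single word such as
    'winner' in an ordinary message does not trigger a flag on its own.
    """
    flagged = {}
    for msg_id, text in messages.items():
        score, hits = score_message(text)
        if score >= threshold:
            flagged[msg_id] = hits
    return flagged


if __name__ == "__main__":
    for msg_id, hits in flag_scams(SAMPLE_MESSAGES).items():
        print(f"{msg_id}: {', '.join(hits)}")
```

Keyword scoring of this kind is a triage aid, not a verdict: a real mail filter would combine it with sender reputation and the user's own history (did they ever enter a lottery, did they list an item for sale), which is exactly the "why would I receive this?" question the slide tells the reader to ask.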

Nigerian Scams

Typed in "Nigerian Scams Alive and Well": 1,850,00 hits on Google

Current Website with example

http://www.hyphenet.com/blog/2011/10/08/the-famous-nigerian-scam-still-making-scammers-rich/

http://wegolook.com

Some of the top Craigslist frauds/scams:
• Craigslist Car Scams
• Craigslist Apartment Rental Scams
• Craigslist Ticket Scams
• Craigslist Job scams
• Craigslist Escrow Service Scams

References:
http://www.fraudguides.com/craigslist-car-scams.asp
http://www.fraudguides.com/craigslist-apartment-rental-scams.asp
http://www.fraudguides.com/craigslist-ticket-scams.asp
http://www.fraudguides.com/craigslist-escrow-service-scams.asp

Craigslist Car Scams

• Buying and selling cars on Craigslist can be a huge money-saver for both buyer as well as seller
• Due to this, Auto category in Craigslist's For Sale section is very active, especially in urban areas.
• Fraudulent postings are quite common nowadays on Craigslist
• Stolen checks, counterfeit checks and bounced checks are costing people their money, cars or both

http://bringatrailer.com/wp-content/uploads/2008/11/1967_Glas_GT_1700_Craigslist_1.jpg

Craigslist Apartment Rental Scams

• Apartment Rental scams on Craigslist are targeted at those people looking for a deal and a new home.
• Typically, the scam/fraud starts when a fraudster pretending to be owner of the property posts a great deal on an apartment and a person responds
• They ask you to make a deposit and collect some personal information to be sent via email, and then disappear

Craigslist Ticket Scams

• Craigslist is a great place to sell tickets to sought-after concerts, sports events, shows, festivals, fairs or even airline tickets
• You need to be very careful when purchasing tickets through Craigslist as these tickets could be stolen or counterfeit, or they could be priced far beyond the exact value
• The tickets may even have been used at a previous, similar event

http://www.p2pnet.net/images/oltik.jpg

Solutions to Internet Scams

http://wegolook.com

WeGoLook™ Services for Craigslist Buyer

• WeGoLook™ will send a WeGoLooker™ to look at the item for you.
• Your WeGoLooker™ will confirm existence and location of the item.
• Take a few digital pictures and gather some basic information about the item (brand, model number, serial number, manufacturer, VIN number, etc.)
• With our Preferred WeGoLook™ report, your WeGoLooker™ can even ask the seller to demonstrate that the item is in basic working order
• With Custom WeGoLook™ report, we can guarantee that the item you purchase is delivered to the shipper.

WeGoLook™ helps you buy with confidence.

Where To Go For Help

If you are a victim of an online scam, you can file a formal complaint with Internet Crime Complaint Center (IC3). Their contact information is as follows:

http://www.ic3.gov/complaint/default.aspx

Check out Hoax-Slayer

Check out this nice website of all the hoaxes on the Internet

• Fun hoaxes
• Virus Hoaxes
• Giveaway Hoaxes
• Charity Hoaxes
• Bogus Warnings
• Email Petitions
• Chain Letters and many others ...

http://www.hoax-slayer.com/

Summary
Social Engineering can be as or more devastating than a technical cyber attack
No good way to “patch” humans
Best defenses
– Training,
– Good security policies for handling information
– Ongoing incentives for employees to stay vigilant

Scams are everywhere on the Internet
– No good way to get rich quick
– Be suspicious and do your homework when buying over the Internet
– Try not to give personal information unless absolutely necessary

The End

Next Time: Go into Device Security