ITSS 2015 Social Engineering (SE) Brad Reed, IT Security Analyst OIT – Information Security Office Securing the University – ITSS 2015


Page 1

Social Engineering (SE)
Brad Reed, IT Security Analyst
OIT – Information Security Office

Securing the University – ITSS 2015

Page 2

Social Engineering

• “Social Engineering is defined as any act that influences a person to take an action that may or may not be in their best interest.” – Chris Hadnagy

• Experian was breached when a man impersonated a private investigator and talked his way into access at one of Experian’s subsidiaries.
• eBay employees were manipulated into giving their credentials to attackers, which ended up compromising 145 million user accounts.
- www.social-engineer.org

Page 3

SE Stats

• www.social-engineer.org has compiled statistics from many engagements over the years, such as:
• 90% of the people they ask will provide not just the spelling of their names but their email addresses without confirming an identity
• 67% of the people they surveyed will give out social security numbers, birthdates or employee numbers

Page 4

Man vs Machine: Which one to Hack?

Page 5

Hacking the Machine

• Scan the network for open ports
• Install malware on a victim machine
• Enumerate the target network
• Locate and copy the password file (it holds password hashes, not recoverable by decryption, which is why the next step is needed)
• Run automated cracking tools against the copied hash file
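As an added example (not code from the slides), the last step of this path, automated cracking of a copied password file, written in Python against a constructed shadow-style file. The `$sha256$<salt>$<hex>` format, the user names, the salts and the wordlist are all invented for the demo; real password stores use deliberately slow hashes (bcrypt, scrypt, Argon2, sha512crypt), which is a large part of why this path takes so much longer than the phone call on the following slides.

```python
"""Dictionary attack against a copied password-hash file (added example).

Not code from the original slides. The file format ($sha256$<salt>$<hex>),
the user names, the salts and the wordlist are all constructed for this demo.
"""
import hashlib
import hmac

# Constructed wordlist: the short "try these first" list a cracking tool starts with.
WORDLIST = ["123456", "password", "letmein", "Welcome1", "Summer2015", "bobcats"]


def hash_password(password, salt):
    """Salted SHA-256, chosen only because it is fast to demo. Real password
    stores should use a slow KDF (bcrypt, scrypt, Argon2, sha512crypt)."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


def make_entry(user, password, salt):
    """One line of the constructed shadow-style file."""
    return f"{user}:$sha256${salt}${hash_password(password, salt)}"


def parse_entry(line):
    """Split 'user:$sha256$salt$hex' into (user, salt, hex digest)."""
    user, field = line.split(":", 1)
    _, algo, salt, digest = field.split("$")
    if algo != "sha256":
        raise ValueError(f"unsupported hash type: {algo}")
    return user, salt, digest


def crack_file(lines, wordlist=WORDLIST):
    """Try every wordlist entry against every hash.

    Returns ({user: recovered_password}, number_of_hashes_computed). Users
    whose password is not in the wordlist simply do not appear in the dict:
    an offline attack only recovers what the wordlist (or its rules) can reach.
    """
    cracked = {}
    attempts = 0
    for line in lines:
        user, salt, digest = parse_entry(line)
        for guess in wordlist:
            attempts += 1
            if hmac.compare_digest(hash_password(guess, salt), digest):
                cracked[user] = guess
                break
    return cracked, attempts


# Constructed sample file: one weak password, one the wordlist will not reach.
SAMPLE_FILE = [
    make_entry("jdoe", "Summer2015", "a1b2"),
    make_entry("admin", "q7!Tz#9vLp2$", "c3d4"),
]

if __name__ == "__main__":
    found, tries = crack_file(SAMPLE_FILE)
    print(f"{tries} hashes computed, {len(found)} of {len(SAMPLE_FILE)} accounts cracked: {found}")
```

With the sample file, `jdoe` falls to the fifth guess and `admin` survives all six; swap the fast SHA-256 for a slow KDF and the same six guesses cost thousands of times more work per account, which is the defender's lever on this step.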

Page 6

Time Table

Page 7

Hacking the Human

Make a phone call

AND / OR…

Page 8

A simple conversation

Page 9

Indirect SE Attack
Securing the University – Social Engineering

Page 10

Adam Savage

Page 11

Forgot to turn off this…. (location tagging on the phone camera)

Which led to this…. (a posted photo whose metadata gave away where it was taken)

Page 12

Not just geo-coords…

Page 13

No Tech Hacking

• What you don’t say can be more valuable to an SE attacker
• Clothes, logos, stickers, badges
• Social networking pages
• Google yourself
• Shoulder surfing
• Dumpster diving

Page 14

Johnny Long, No Tech Hacking

Page 15

Direct Attacks
Securing the University – Social Engineering

Page 16

Types of SE Attacks

Page 17

Ground Rules for the HumanOS

• We speak at roughly 150 words per minute
• We think at 500-600 words per minute
• Some researchers report that a decision shows up in subconscious brain activity up to 7 seconds before we are aware of making it
• Understanding how humans work and think can be the quickest way to create our "buffer overflow"

Page 18

Color Test

• Let’s establish a simple baseline for this discussion. Try to say the COLOR of each word, not what the word spells. Do it as fast as possible, without stopping to think. It is not a rigorous test, but it illustrates how easy it is to inject a thought. If you succeed, do it faster and faster.

Page 19

Color Test

Page 20

Color Test

• Why is this so hard? It is the way the human mind is wired (the Stroop effect): reading is automatic, so the brain registers the word before it acts on the color, and the thought in our minds is the WORD, not the color. The exercise shows that it is possible to have “code” execute in the human brain that is the opposite of what the person is actually seeing.

Page 21

Fuzzing the HumanOS

• The Law of Expectations states that a person will usually comply with an expectation: decisions are usually made based on what the person feels the requester expects them to do. This is one way we start sending our malicious “data” to the brain’s program: presupposition.

Page 22

Simple Conversation….

Page 23

Fuzzing the HumanOS

• The goal is to bypass the human “firewall” (the conscious mind) and gain access directly to the root of the system (the subconscious). The quickest way to inject your own code is through embedded commands.

Page 24

Rules of Embedded Commands

• Be cautious of the following:
  • Usually they are short – 3 to 4 words
  • Slight emphasis on specific words
  • Hidden in normal sentences
  • Facial and body language can support the commands

Page 25

Ways to Prevent an SE Attack
Securing the University – Social Engineering

Page 26

Phishing

• Ways to recognize phishing messages:
  • Deceptive Web links (the visible text names one site, the link actually goes to another)
  • @ sign in the middle of an address (the browser treats everything before the @ as a user name and connects to the host after it)
  • Variations of legitimate addresses
  • Presence of vendor logos that look legitimate (logos are simply copied and prove nothing)
  • Fake sender’s address
  • Urgent request
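As an added example, not part of the slides, a small Python checker that applies the indicators above that a program can actually test to a constructed message: the @ trick, look-alike and bolted-on domains, link text that disagrees with its target, a sender name that does not match the sending address, and urgency wording. `TRUSTED_DOMAINS`, `URGENT_WORDS`, the sample message and the crude "last two labels" domain rule are all assumptions made for the demo.

```python
"""Check a message for the phishing indicators on the slide (added example).

Not code from the original slides. TRUSTED_DOMAINS, URGENT_WORDS, the
sample message and the crude "last two labels" domain rule are assumptions
made for this demo; a real deployment would use its own allowlist and a
public-suffix list.
"""
import re
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"ohio.edu", "paypal.com"}          # constructed allowlist
URGENT_WORDS = ("immediately", "within 24 hours", "suspended", "urgent")

HREF_RE = re.compile(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_RE = re.compile(r'https?://[^\s<>"\')]+', re.I)
FROM_RE = re.compile(r'^From:\s*(.*?)<?([\w.+-]+@([\w.-]+))>?', re.I | re.M)


def registrable(host):
    """Last two labels of a host name (crude eTLD+1; an assumption of this demo)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character look-alikes (paypa1.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_variation(domain):
    """Not trusted, but built on a trusted name or one edit away from it."""
    if domain in TRUSTED_DOMAINS:
        return False
    return any(t.split(".")[0] in domain or edit_distance(domain, t) <= 1
               for t in TRUSTED_DOMAINS)


def check_url(url):
    """Apply the '@ sign' and 'variation of a legitimate address' checks to one URL."""
    findings = []
    p = urlparse(url)
    if p.username is not None:
        # http://paypal.com@evil.example/ : the browser goes to evil.example;
        # everything before the @ is just a user name.
        findings.append(f"@ in address: {url}")
    host = p.hostname or ""
    dom = registrable(host)
    if dom not in TRUSTED_DOMAINS and (is_variation(dom) or any(t in host for t in TRUSTED_DOMAINS)):
        findings.append(f"variation of a legitimate address: {host}")
    return findings


def check_message(msg):
    """Return a list of human-readable findings for a raw message."""
    findings = []
    m = FROM_RE.search(msg)
    if m:
        display = (m.group(1) or "").strip()
        addr, addr_dom = m.group(2), registrable(m.group(3))
        if addr_dom not in TRUSTED_DOMAINS and any(t.split(".")[0] in display.lower() for t in TRUSTED_DOMAINS):
            findings.append(f"fake sender: name '{display}' but address {addr}")
    for href, text in HREF_RE.findall(msg):
        shown = URL_RE.search(text)
        if shown and registrable(urlparse(shown.group()).hostname or "") != registrable(urlparse(href).hostname or ""):
            findings.append(f"deceptive link: text shows {shown.group()} but points to {href}")
        findings += check_url(href)
    for url in URL_RE.findall(HREF_RE.sub("", msg)):   # bare URLs outside anchors
        findings += check_url(url)
    hits = [w for w in URGENT_WORDS if w in msg.lower()]
    if hits:
        findings.append("urgent request: " + ", ".join(hits))
    return findings


# Constructed sample: every indicator on the slide that a program can test.
SAMPLE_MESSAGE = """\
From: PayPal Security <security@paypa1-alerts.example>
Subject: Action required

Your account will be suspended within 24 hours unless you verify it
immediately: <a href="http://paypal.com@203.0.113.9/verify">https://www.paypal.com/verify</a>
Or use our mirror: https://paypal.com.account-verify.example/login
"""

if __name__ == "__main__":
    for finding in check_message(SAMPLE_MESSAGE):
        print("-", finding)
```

The checker deliberately does nothing about logos: a logo is an image anyone can copy, so there is no test to write for it, only the reminder that it proves nothing. The edit-distance check is what catches `paypa1.com`; the substring check is what catches `paypal.com.account-verify.example`, where the real owner is whoever registered the last two labels.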

Page 27

Go Undercover

• Gandalf had it right when he said, “Keep it secret, keep it safe.”
• Avoid working on private stuff in public places
• Play it smart, don’t advertise anything about your job or position you don’t think is safe to share
• Avoid sensitive conversations in public places or favorite lunch spots.

Page 28

Shoulder Surfing

• The best defense is to remain aware when traveling.
• Don’t put yourself in situations that invite shoulder surfers
• Position your back to the wall when using your machine
• Never leave your machine unattended.
• Minimize or remove extraneous markings and information from your mobile computing devices
• Close your machine down if you think you are a target

Page 29

Don’t make an SE job easier…

• Don’t post anything you wouldn’t post on a bulletin board.
• Make sure no easily accessed information on a social networking site connects to a password or security question.
• Be careful what information is in photos or wall posts:
  • Clothes with town names
  • Stating that you are leaving town

Page 30

Other Ways to Protect Yourself

• Think before you speak
• Recognize scare tactics
  • Used to put you “off-balance” in the conversation
  • Create a sense of urgency or elicit an emotional response
• Prizes and special offers
  • Too good to be true… it usually is.
• Spoofed caller ID – easy to do these days
  • When in doubt, offer to call them back on a verified number

Page 31

Discretion is the better part of valor

• “Every unknown voice on the phone is a potential Social Engineer until I feel otherwise. I’m not paranoid, just careful.” - Jack Wiles
• ASK QUESTIONS!!!!

Page 32

• Brad Reed – IT Security Analyst
• [email protected]
• 740-593-9886

Thank You for your time!