ITSS 2015
Social Engineering (SE)
Brad Reed, IT Security Analyst
OIT – Information Security Office
Securing the University – ITSS 2015
Social Engineering
• “Social Engineering is defined as any act that influences a person to take an action that may or may not be in their best interest.” – Chris Hadnagy
• Experian was breached when a man impersonated a private investigator and talked his way into access at one of Experian’s subsidiaries.
• eBay employees were manipulated into giving their credentials to attackers, which ended up compromising 145 million user accounts. – www.social-engineer.org
SE Stats
• www.social-engineer.org has compiled statistics from many engagements over the years, such as:
  • 90% of the people they ask will provide not just the spelling of their names but their email addresses without confirming an identity
  • 67% of the people they surveyed will give out social security numbers, birthdates or employee numbers
Man vs Machine
Which one to Hack?
Hacking the Machine
Scan Network for open ports
Install Malware on a victim machine
Enumerate the target network
Locate and copy the encrypted password file
Run automated cracking tools against the encrypted file
Time Table
Hacking the Human
Make a phone call
AND / OR…
A simple conversation
Indirect SE Attack
Securing the University – Social Engineering
Adam Savage
Forgot to turn off this….
Which led to this….
Not just geo-coords…
No Tech Hacking
• What you don’t say can be more valuable to an SE attacker
• Clothes, logos, stickers, badges
• Social networking pages
• Google yourself
• Shoulder surfing
• Dumpster diving
Johnny Long, No Tech Hacking
Direct Attacks
Securing the University – Social Engineering
Types of SE Attacks
Ground Rules for the HumanOS
• It has been proven that we speak 150 words per minute
• We think at 500-600 words per minute
• Some scientists even believe we make decisions up to 7 seconds in our subconscious before we make them in the real world
• Understanding how humans work and think can be the quickest way to create our buffer overflow.
Color Test
• Let’s establish a simplistic baseline for this discussion. Try to read the COLOR of the word, not what the word spells. Do it as fast as possible, not stopping to think. It is not terrible, but it will illustrate how easy it is to inject a thought… if you succeed, do it faster and faster if you can.
Color Test
Color Test
• Why is this so hard? It is the way the human mind is wired. Our brain sees the color but it reacts to the word being spelled first. Therefore the thought in our minds is the WORD not the color. This exercise shows it is possible to have “code” execute in the human brain that might be the opposite of what the person is thinking or seeing.
Fuzzing the HumanOS
• The Law of Expectations – The law of expectations basically states that a person will usually comply with an expectation. Decisions are usually made based on what that person feels the requestor expects them to do. This is one way we can start sending our malicious “data” to the brain program… Presupposition.
Simple Conversation….
Fuzzing the HumanOS
• The goal is to bypass the human “firewall” (the conscious mind) and gain access directly to the root of the system (the subconscious). The quickest way to inject your own code is through embedded commands.
Rules of Embedded Commands
• Be cautious of the following:
  • Usually they are short – 3 to 4 words
  • Slight emphasis on specific words
  • Hidden in normal sentences
  • Facial and body language can support the commands
Ways to Prevent an SE Attack
Securing the University – Social Engineering
Phishing
• Ways to recognize phishing messages
  • Deceptive Web links
  • @ sign in middle of address
  • Variations of legitimate addresses
  • Presence of vendor logos that look legitimate
  • Fake sender’s address
  • Urgent request
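A small defensive check for two of the link indicators listed above (an “@” in the middle of an address and look-alike variations of a legitimate address), added here as an illustration; it is not part of the ITSS 2015 slides. The list of legitimate domains is a constructed assumption.

```python
from typing import List, Optional
from urllib.parse import urlsplit
import difflib

# Constructed list of domains the organisation legitimately uses (assumption).
LEGIT_DOMAINS = ("ohio.edu", "paypal.com", "ebay.com")

def _split(url: str):
    # urlsplit only recognises the authority part when a scheme is present
    return urlsplit(url if "://" in url else "http://" + url)

def effective_host(url: str) -> str:
    """Host the browser will actually connect to: anything before an '@'
    in the authority is treated as a username, not as the destination."""
    return (_split(url).hostname or "").lower()

def registrable(host: str) -> str:
    """Crude last-two-labels approximation of the registrable domain."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host

def lookalike_of(host: str) -> Optional[str]:
    """Return the legitimate domain this host imitates, or None."""
    base = registrable(host)
    if base in LEGIT_DOMAINS:
        return None                      # genuinely one of ours
    for legit in LEGIT_DOMAINS:
        brand = legit.split(".")[0]
        # brand name reused inside a subdomain or a different registrable domain
        if brand in host:
            return legit
        # near-miss spelling such as a substituted character (paypa1 vs paypal)
        if difflib.SequenceMatcher(None, base, legit).ratio() >= 0.85:
            return legit
    return None

def check_link(url: str) -> List[str]:
    """List the deceptive-link indicators found in one URL (empty if clean)."""
    findings = []
    parts = _split(url)
    if "@" in parts.netloc:
        shown = parts.netloc.split("@", 1)[0]
        findings.append(f"'@' in address: goes to {parts.hostname}, not {shown}")
    target = lookalike_of(effective_host(url))
    if target:
        findings.append(f"host {effective_host(url)} resembles {target}")
    return findings
```

The brand-name test is deliberately loose, so treat a hit as a reason to look closer rather than a verdict.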
Go Undercover
• Gandalf had it right when he said, “Keep it secret, keep it safe.”
• Avoid working on private stuff in public places
• Play it smart, don’t advertise anything about your job or position you don’t think is safe to share
• Avoid sensitive conversations in public places or favorite lunch spots.
Shoulder Surfing
• The best defense is to remain aware when traveling.
• Don’t put yourself in situations that invite shoulder surfers
• Position your back to the wall when using your machine
• Never leave your machine unattended.
• Minimize or remove extraneous markings and information from your mobile computing devices
• Close your machine down if you think you are a target
Don’t make an SE job easier…
• Don’t post anything you wouldn’t post on a bulletin board.
• Make sure no easily-accessed information on a social networking site connects to a password or security question.
• Be careful what information is in photos or wall posts
  • Clothes with town names
  • Stating that you are leaving town
Other Ways to Protect Yourself
• Think before you speak
• Recognize scare tactics
  • Used to put you “off-balance” in the conversation
  • Create a sense of urgency or elicit an emotional response
• Prizes and special offers
  • Too good to be true… it usually is.
• Spoofed caller ID – Easy to do these days
  • When in doubt, offer to call them back on a verified number
Discretion is the better part of valor
• “Every unknown voice on the phone is a potential Social Engineer until I feel otherwise. I’m not paranoid, just careful.” – Jack Wiles
• ASK QUESTIONS!!!!
• Brad Reed – IT Security Analyst
• [email protected]
• 740-593-9886
Thank You for your time!