Social Engineering 101 or The Art of How You Got Owned by That Random Stranger. Steven Hatfield aka @drb0n3z, Security Systems Senior Advisor, Dell. 4/25/2015 (@NTXISSA)

  2. About Me: 8-year Army veteran; currently studying for a Bachelor of Science in Cybersecurity at UMUC; 4-year Security Goon at DEF CON; 3-year Social Engineer Village volunteer at DEF CON; 1-year security staff at DerbyCon. NTX ISSA Cyber Security Conference, April 24-25, 2015
  3. LEGAL DISCLAIMER
  4. Social Engineering 101 (agenda): Definitions; History; Social Engineering Framework; SET (Social Engineering Toolkit); Categories; Examples; Protection; Resources; Questions
  5. Definition: "Social Engineering (SE) is a blend of science, psychology and art. While it is amazing and complex, it is also very simple. We define it as, 'Any act that influences a person to take an action that may or may not be in their best interest.' We have defined it in very broad and general terms because we feel that social engineering is not always negative, but encompasses how we communicate with our parents, therapists, children, spouses and others." (http://www.social-engineer.org/)
  6. Definition: "Social engineering is the art of manipulating people so they give up confidential information. The types of information these criminals are seeking can vary, but when individuals are targeted the criminals are usually trying to trick you into giving them your passwords or bank information, or access your computer to secretly install malicious software that will give them access to your passwords and bank information as well as giving them control over your computer." (http://www.webroot.com/us/en/home/resources/tips/online-shopping-banking/secure-what-is-social-engineering)
  8. History: The term "sociale ingenieurs" was introduced in an essay by the Dutch industrialist J.C. Van Marken in 1894. The idea was that modern employers needed the assistance of specialists ("social engineers") in handling the human problems of the plant, just as they needed technical expertise (ordinary engineers) to deal with the problems of dead matter (materials, machines, processes).
  9. Social Engineering Framework: Social Engineering Defined; Categories of Social Engineers (Hackers, Penetration Testers, Spies or Espionage, Identity Thieves, Disgruntled Employees, Information Brokers, Scam Artists, Executive Recruiters, Sales People, Governments, Everyday People); Why Attackers Might Use Social Engineering; Typical Goals; The Attack Cycle; Common Attacks (Customer Service, Delivery Person, Phone, Tech Support); Real World Examples (Con Men, Crime Victims, Phishing, Politicians)
  10. SET (Social Engineer Toolkit): "The Social-Engineer Toolkit (SET) was created and written by the founder of TrustedSec. It is an open-source Python-driven tool aimed at penetration testing around Social-Engineering. SET has been presented at large-scale conferences including Blackhat, DerbyCon, Defcon, and ShmooCon. With over two million downloads, SET is the standard for social-engineering penetration tests and supported heavily within the security community. The Social-Engineer Toolkit has over 2 million downloads and is aimed at leveraging advanced technological attacks in a social-engineering type environment. TrustedSec believes that social-engineering is one of the hardest attacks to protect against and now one of the most prevalent. The toolkit has been featured in a number of books including the number one best seller in security books for 12 months since its release, Metasploit: The Penetration Tester's Guide, written by TrustedSec's founder as well as Devon Kearns, Jim O'Gorman, and Mati Aharoni."
  13. Examples - Common: Customer Service; Delivery Person; Phone; Tech Support; Con Men; Crime Victims; Phishing; Politicians
  14. Examples - Real World: The Overconfident CEO. In one case study, Hadnagy outlines how he was hired as an SE auditor to gain access to the servers of a printing company which had some proprietary processes and vendors that competitors were after. In a phone meeting with Hadnagy's business partner, the CEO informed him that "hacking him would be next to impossible" because he "guarded his secrets with his life." "He was the guy who was never going to fall for this," said Hadnagy. "He was thinking someone would probably call and ask for his password and he was ready for an approach like that." (http://www.csoonline.com/article/2126983/social-engineering/social-engineering--3-examples-of-human-hacking.html)
  15. Examples - Real World: The theme-park scandal. The target in this next case study was a theme park client that was concerned about potential compromise of its ticketing system. The computers used to check in patrons also contained links to servers, client information and financial records. The client was concerned that if a check-in computer was compromised, a serious data breach might occur. Hadnagy started his test by calling the park, posing as a software salesperson. He was offering a new type of PDF-reading software, which he wanted the park to try through a trial offer. He asked what version they were currently using, got the information easily, and was ready for step two. (http://www.csoonline.com/article/2126983/social-engineering/social-engineering--3-examples-of-human-hacking.html)
  16. Examples - Real World: The hacker is hacked. Hadnagy gives a third example showing how social engineering was used for defensive purposes. He profiles 'John,' a penetration tester hired to conduct a standard network pen test for a client. He ran a scan using Metasploit, which revealed an open VNC (virtual network computing) server, a server that allows control of other machines on the network. He was documenting the find with the VNC session open when, suddenly, in the background, a mouse began to move across the screen. John knew it was a red flag because at the time of day this was happening, no user would be connected to the network for a legitimate reason. He suspected an intruder was on the network. (http://www.csoonline.com/article/2126983/social-engineering/social-engineering--3-examples-of-human-hacking.html)
  17. Examples - Real World: Price-Matching Scam
  18. Examples - Real World: Evil Maid attacks
  19. Examples - Real World: Stuxnet. Stuxnet, delivered via USB sticks left around the Iranian site in a classic "social engineering" attack, used unpatched Windows vulnerabilities to get inside the SCADA at Iran's Natanz enrichment plant. It then injected code to make a PLC speed up and slow down centrifuge motors, wrecking more than 400 machines. Siemens made both the SCADA (WinCC) and the PLC (S7-300) attacked by Stuxnet. (http://www.newscientist.com/article/dn20298-stuxnet-analysis-finds-more-holes-in-critical-software.html)
  20. Examples - Real World: Sing-o-gram (Michelle from the SE crew): "Next, Chris and I packed our dark glasses and super-spy cameras and headed to the client's locations. Four buildings, three days, two states, no sleep. This particular client faces some big challenges when it comes to physical plant security, not the least of which is sharing buildings with other companies and retailers open to the general public. Despite having a great physical security team and RFID badging, we were able to gain access to most of their secured locations pretexting as inspectors and, yes, a singing telegram (I'll let you guess who got to do that one). We didn't really need to do a lot of sneaky stuff; we took advantage of high traffic times and locations, acted like we belonged there, and exploited people's general helpfulness. Using these principles, we accessed areas such as their corporate mailroom, NOC, and executive offices and roamed freely without ever being stopped." (http://www.social-engineer.org/newsletter/social-engineer-newsletter-vol-05-issue-57/)
  21. Examples - Real World: News Reporter (Bob): "I've gotten myself into a building by claiming to be interviewing them for a blog and then spending all day taking pictures and plugging flash drives in to print stuff."
  22. Protection: Obviously, never give out confidential information. Safeguard even inconsequential information about yourself. Lie to security questions, and remember your lies. View every password reset email with skepticism. Watch your accounts and account activity. Diversify passwords, critical services, and security questions.
  23. Resources: http://www.social-engineer.org/ ; https://www.social-engineer.com/ ; https://www.trustedsec.com/social-engineer-toolkit/ ; http://www.amazon.com/Christopher-Hadnagy/ ; http://www.social-engineer.org/category/podcast/ ; DEFCON 23 CTF; http://www.derbycon.com/ ; http://defcon.org/ ; http://www.amazon.com/Joe-Navarro/
  25. Thank you: The Collin College Engineering Department; Collin College Student Chapter of the North Texas ISSA; North Texas ISSA (Information Systems Security Association)