Social Engineering 101 or The Art of How You Got Owned by That Random Stranger
1. @NTXISSA Social Engineering 101 or The Art of How You Got Owned by That Random Stranger. Steven Hatfield, aka @drb0n3z, Security Systems Senior Advisor, Dell. 4/25/2015
2. About Me
   - 8 year Army veteran
   - Currently studying for a Bachelor of Science in Cybersecurity at UMUC
   - 4 year Security Goon at DEF CON
   - 3 year Social Engineer Village volunteer at DEF CON
   - 1 year Security staff at DerbyCon
   NTX ISSA Cyber Security Conference, April 24-25, 2015
3. Legal Disclaimer
4. Social Engineering 101 (agenda): Definitions; History; Social Engineering Framework; SET (Social-Engineer Toolkit); Categories; Examples; Protection; Resources; Questions
5. Definition. Social Engineering (SE) is a blend of science, psychology and art. While it is amazing and complex, it is also very simple. We define it as "any act that influences a person to take an action that may or may not be in their best interest." We have defined it in very broad and general terms because we feel that social engineering is not always negative, but encompasses how we communicate with our parents, therapists, children, spouses and others.
http://www.social-engineer.org/
6. Definition. Social engineering is the art of manipulating people so they give up confidential information. The types of information these criminals are seeking can vary, but when individuals are targeted the criminals are usually trying to trick you into giving them your passwords or bank information, or into giving them access to your computer so they can secretly install malicious software that will give them access to your passwords and bank information as well as control over your computer.
http://www.webroot.com/us/en/home/resources/tips/online-shopping-banking/secure-what-is-social-engineering
8. History. The term "sociale ingenieurs" was introduced in an essay by the Dutch industrialist J.C. Van Marken in 1894. The idea was that modern employers needed the assistance of specialists, "social engineers", in handling the human problems of the plant, just as they needed technical expertise (ordinary engineers) to deal with the problems of dead matter (materials, machines, processes).
9. Social Engineering Framework
   - Social Engineering Defined
   - Categories of Social Engineers: Hackers; Penetration Testers; Spies or Espionage; Identity Thieves; Disgruntled Employees; Information Brokers; Scam Artists; Executive Recruiters; Sales People; Governments; Everyday People
   - Why Attackers Might Use Social Engineering
   - Typical Goals
   - The Attack Cycle
   - Common Attacks: Customer Service; Delivery Person; Phone; Tech Support
   - Real World Examples: Con Men; Crime Victims; Phishing; Politicians
10. SET: Social-Engineer Toolkit. The Social-Engineer Toolkit (SET) was created and written by the founder of TrustedSec. It is an open-source Python-driven tool aimed at penetration testing around social engineering. SET has been presented at large-scale conferences including Black Hat, DerbyCon, DEF CON, and ShmooCon. With over two million downloads, SET is the standard for social-engineering penetration tests and is supported heavily within the security community. It is aimed at leveraging advanced technological attacks in a social-engineering type environment. TrustedSec believes that social engineering is one of the hardest attacks to protect against and now one of the most prevalent. The toolkit has been featured in a number of books, including the number one best seller in security books for 12 months since its release, Metasploit: The Penetration Tester's Guide, written by TrustedSec's founder as well as Devon Kearns, Jim O'Gorman, and Mati Aharoni.
13. Examples - Common: Customer Service; Delivery Person; Phone; Tech Support; Con Men; Crime Victims; Phishing; Politicians
14. Examples - Real World: The Overconfident CEO. In one case study, Hadnagy outlines how he was hired as an SE auditor to gain access to the servers of a printing company which had some proprietary processes and vendors that competitors were after. In a phone meeting with Hadnagy's business partner, the CEO informed him that "hacking him would be next to impossible" because he "guarded his secrets with his life." "He was the guy who was never going to fall for this," said Hadnagy. "He was thinking someone would probably call and ask for his password and he was ready for an approach like that."
http://www.csoonline.com/article/2126983/social-engineering/social-engineering--3-examples-of-human-hacking.html
15. Examples - Real World: The theme-park scandal. The target in this next case study was a theme park client that was concerned about potential compromise of its ticketing system. The computers used to check in patrons also contained links to servers, client information and financial records. The client was concerned that if a check-in computer was compromised, a serious data breach might occur. Hadnagy started his test by calling the park, posing as a software salesperson. He was offering a new type of PDF-reading software, which he wanted the park to try through a trial offer. He asked what version they were currently using, got the information easily, and was ready for step two.
http://www.csoonline.com/article/2126983/social-engineering/social-engineering--3-examples-of-human-hacking.html
16. Examples - Real World: The hacker is hacked. Hadnagy gives a third example showing how social engineering was used for defensive purposes. He profiles 'John,' a penetration tester hired to conduct a standard network pen test for a client. He ran a scan using Metasploit, which revealed an open VNC (virtual network computing) server, a server that allows control of other machines on the network. He was documenting the find with the VNC session open when, suddenly, in the background, a mouse began to move across the screen. John knew it was a red flag because at the time of day this was happening, no user would be connected to the network for a legitimate reason. He suspected an intruder was on the network.
http://www.csoonline.com/article/2126983/social-engineering/social-engineering--3-examples-of-human-hacking.html
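The red flag John noticed, a remote-control session live at an hour when no legitimate user should be connected, is easy to turn into a routine detection rather than a lucky observation. The following Python is an added example written for this page, not code from the talk or the CSO article; it assumes a constructed VNC server log format (timestamp, source address, event text), a business-hours window of 08:00-18:00 on weekdays, and a hypothetical admin subnet 10.0.3.0/24 from which VNC logins are expected. It flags accepted connections that fall outside that window or come from an unexpected source.

```python
from datetime import datetime, time

# Constructed sample log lines (not real data): "<date> <time> <source> <event>".
# 2015-04-20 is a Monday and 2015-04-25 a Saturday.
SAMPLE_LOG = """\
2015-04-20 09:12:41 10.0.3.17 VNC connection accepted
2015-04-20 13:45:02 10.0.3.22 VNC connection accepted
2015-04-20 23:58:19 10.0.9.240 VNC connection accepted
2015-04-21 02:14:07 203.0.113.45 VNC connection accepted
2015-04-21 08:59:30 10.0.3.17 VNC connection closed
2015-04-25 11:30:00 10.0.3.17 VNC connection accepted
"""

# Assumed policy: remote-control sessions are expected only on weekdays,
# 08:00-18:00 local time, and only from the (hypothetical) admin subnet.
BUSINESS_START = time(8, 0)
BUSINESS_END = time(18, 0)
EXPECTED_SOURCE_PREFIXES = ("10.0.3.",)


def parse_line(line: str):
    """Split one log line into (timestamp, source address, event text)."""
    date_s, time_s, src, event = line.split(" ", 3)
    ts = datetime.strptime(f"{date_s} {time_s}", "%Y-%m-%d %H:%M:%S")
    return ts, src, event


def is_off_hours(ts: datetime) -> bool:
    """True on weekends or outside the business-hours window."""
    if ts.weekday() >= 5:  # Saturday=5, Sunday=6
        return True
    return not (BUSINESS_START <= ts.time() < BUSINESS_END)


def flag_sessions(log_text: str):
    """Return (timestamp, source, reasons) for each accepted VNC session
    that violates the time-of-day or source-address expectation."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, event = parse_line(line)
        if "accepted" not in event:  # only new sessions matter here
            continue
        reasons = []
        if is_off_hours(ts):
            reasons.append("off-hours")
        if not src.startswith(EXPECTED_SOURCE_PREFIXES):
            reasons.append("unexpected source")
        if reasons:
            findings.append((ts.isoformat(sep=" "), src, reasons))
    return findings


if __name__ == "__main__":
    for when, src, reasons in flag_sessions(SAMPLE_LOG):
        print(f"{when}  {src:<15} {', '.join(reasons)}")
```

Run against the constructed log it reports three sessions: the late-night and early-morning logins (both off-hours and from outside the admin subnet) and the Saturday login from an otherwise trusted address. In practice the same check belongs in a SIEM rule over the real VNC or RDP service log, with the window and subnet taken from the organisation's own access policy.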
17. Examples - Real World: Price-Matching Scam
18. Examples - Real World: Evil Maid attacks
19. Examples - Real World: Stuxnet. Stuxnet, delivered via USB sticks left around the Iranian site in a classic "social engineering" attack, used unpatched Windows vulnerabilities to get inside the SCADA at Iran's Natanz enrichment plant. It then injected code to make a PLC speed up and slow down centrifuge motors, wrecking more than 400 machines. Siemens made both the SCADA (WinCC) and the PLC (S7-300) attacked by Stuxnet.
http://www.newscientist.com/article/dn20298-stuxnet-analysis-finds-more-holes-in-critical-software.html
20. Examples - Real World: Sing-o-gram (Michelle from the SE crew). "Next, Chris and I packed our dark glasses and super-spy cameras and headed to the client's locations. Four buildings, three days, two states, no sleep. This particular client faces some big challenges when it comes to physical plant security, not the least of which is sharing buildings with other companies and retailers open to the general public. Despite having a great physical security team and RFID badging, we were able to gain access to most of their secured locations pretexting as inspectors and, yes, a singing telegram (I'll let you guess who got to do that one). We didn't really need to do a lot of sneaky stuff; we took advantage of high traffic times and locations, acted like we belonged there, and exploited people's general helpfulness. Using these principles, we accessed areas such as their corporate mailroom, NOC, and executive offices and roamed freely without ever being stopped."
http://www.social-engineer.org/newsletter/social-engineer-newsletter-vol-05-issue-57/
21. Examples - Real World: News Reporter (Bob). "I've gotten myself into a building by claiming to be interviewing them for a blog and then spending all day taking pictures and plugging flash drives in to print stuff."
22. Protection
   - Obviously, never give out confidential information.
   - Safeguard even inconsequential information about yourself.
   - Lie to security questions, and remember your lies.
   - View every password reset email with skepticism.
   - Watch your accounts and account activity.
   - Diversify passwords, critical services, and security questions.
25. Thank you: The Collin College Engineering Department; Collin College Student Chapter of the North Texas ISSA; North Texas ISSA (Information Systems Security Association).