Andrij Kuzyszyn

CS615A: Systems Administration

What is Social Engineering?

Case Study 1

Case Study 2

How can you help mitigate the chance of infiltration?

The practice of manipulating people into divulging information they wouldn’t normally share.

Weapons included in a social engineer’s arsenal include such diverse elements as:
◦ Pretexting
  Uses an invented scenario.
  Uses characters and information gathered during research to create a more plausible lie.

◦ Phishing
  Uses a look-alike website or e-mail to try to trick a user into sending sensitive information to a compromised server.

Kevin Mitnick
◦ Former cyber-criminal, current author.
◦ Just recently regained the ability to legally touch a computer.
◦ Grandfather of social engineering.

Badir Brothers
◦ Three blind brothers
◦ Set up an extensive computer fraud scheme in Israel
◦ Used voice impersonation and Braille-display computers.

Who is Robin Sage?

25-year-old “Cyber Threat Analyst”

Currently working at the Naval Network Warfare Command in Norfolk, VA.

Graduated from MIT.

10 Years of experience in the Information Security field.

Has an account with Facebook, LinkedIn, and Twitter (among other sites).

Thomas Ryan – Security researcher and “White Hat” from NY.

Picture was taken from a “pornography-related” website in order to attract more attention.

Many of her “friends” on social networking sites offered her dinner.

She was connected with:
◦ Many senior military officers.
◦ Chairman of the Joint Chiefs of Staff.
◦ Senior intel officer in the Marine Corps.
◦ Chief of staff from a U.S. Congressman.
◦ Executives from the National Reconnaissance Office.

She was connected to senior executives from the following companies:
◦ Lockheed Martin
◦ Google
◦ Northrop Grumman
◦ Some offered her consulting work.

The following government entities offered her an interview based on her profile:
◦ FBI
◦ CIA
◦ NSA
◦ Department of the Navy

Only a handful of people realized she was fake, yet no central warning was issued.

One soldier uploaded a photo of himself on patrol in Afghanistan which contained geo-location data.

A contractor with the NRO misconfigured his profile so that it revealed the answers to the security questions on his personal e-mail account.
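The patrol photo mentioned above leaked location because the camera wrote GPS coordinates into the JPEG's Exif metadata and nothing checked for it before upload. The following is an added example, not part of the original slides: a small pure-Python check that walks a JPEG's marker segments, looks for the Exif GPS sub-IFD pointer (tag 0x8825), and a sanitizer that drops the Exif segment entirely. The sample JPEG is constructed inline (it contains no image data, only the metadata segment), so the example runs offline; the segment and tag layout follow the JPEG/TIFF/Exif specifications.

```python
import struct

SOI, EOI, SOS, APP1 = 0xD8, 0xD9, 0xDA, 0xE1
EXIF_HEADER = b"Exif\x00\x00"
GPS_IFD_POINTER_TAG = 0x8825  # Exif tag whose presence means a GPS sub-IFD exists


def _segments(data: bytes):
    """Yield (marker, payload, start, end) for each marker segment before the
    start-of-scan marker; the entropy-coded image data after SOS is not parsed."""
    if data[:2] != bytes([0xFF, SOI]):
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("marker expected at offset %d" % pos)
        marker = data[pos + 1]
        if marker in (EOI, SOS):
            return
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]  # includes its own 2 bytes
        end = pos + 2 + length
        yield marker, data[pos + 4:end], pos, end
        pos = end


def has_gps_metadata(jpeg: bytes) -> bool:
    """True if the JPEG carries an Exif block whose IFD0 points at a GPS sub-IFD."""
    for marker, payload, _, _ in _segments(jpeg):
        if marker != APP1 or not payload.startswith(EXIF_HEADER):
            continue
        tiff = payload[len(EXIF_HEADER):]
        byte_order = {b"II": "<", b"MM": ">"}.get(tiff[:2])
        if byte_order is None:
            raise ValueError("bad TIFF byte-order mark")
        magic, ifd0 = struct.unpack(byte_order + "HI", tiff[2:8])
        if magic != 42:
            raise ValueError("bad TIFF magic")
        (count,) = struct.unpack(byte_order + "H", tiff[ifd0:ifd0 + 2])
        for i in range(count):  # each IFD entry is 12 bytes, tag first
            entry = ifd0 + 2 + 12 * i
            (tag,) = struct.unpack(byte_order + "H", tiff[entry:entry + 2])
            if tag == GPS_IFD_POINTER_TAG:
                return True
    return False


def strip_exif(jpeg: bytes) -> bytes:
    """Return a copy with every APP1/Exif segment removed; other segments and the
    image data are copied unchanged. Removing the whole block is the simplest
    safe policy, since GPS data can also hide in maker notes and thumbnails."""
    out = bytearray(jpeg[:2])
    last_end = 2
    for marker, payload, start, end in _segments(jpeg):
        last_end = end
        if marker == APP1 and payload.startswith(EXIF_HEADER):
            continue
        out += jpeg[start:end]
    out += jpeg[last_end:]  # SOS, entropy-coded data and EOI, unchanged
    return bytes(out)


def build_sample_jpeg(with_gps: bool) -> bytes:
    """Constructed minimal JPEG for the example: SOI, one APP1/Exif segment, EOI."""
    if with_gps:
        gps_ifd_offset = 8 + 2 + 12 + 4  # IFD0 starts at 8 and holds one entry
        ifd0 = (struct.pack("<H", 1)
                + struct.pack("<HHII", GPS_IFD_POINTER_TAG, 4, 1, gps_ifd_offset)
                + struct.pack("<I", 0))
        # GPS IFD with a single GPSVersionID entry (tag 0, BYTE, 4 values inline)
        gps_ifd = (struct.pack("<H", 1) + struct.pack("<HHI", 0x0000, 1, 4)
                   + bytes([2, 3, 0, 0]) + struct.pack("<I", 0))
        ifds = ifd0 + gps_ifd
    else:
        # Only a Model tag (0x0110, ASCII, 4 bytes stored inline), no GPS pointer
        ifds = (struct.pack("<H", 1) + struct.pack("<HHI", 0x0110, 2, 4)
                + b"cam\x00" + struct.pack("<I", 0))
    tiff = b"II" + struct.pack("<HI", 42, 8) + ifds
    payload = EXIF_HEADER + tiff
    app1 = bytes([0xFF, APP1]) + struct.pack(">H", len(payload) + 2) + payload
    return bytes([0xFF, SOI]) + app1 + bytes([0xFF, EOI])


if __name__ == "__main__":
    tagged = build_sample_jpeg(with_gps=True)
    print("geotagged sample has GPS metadata:", has_gps_metadata(tagged))
    print("after strip_exif:", has_gps_metadata(strip_exif(tagged)))
```

In an upload pipeline the check belongs on the server side as well as in any client tool, because a user who does not know the data is there cannot be expected to remove it; rejecting or sanitizing on upload is the control the incident above lacked.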

No centralized place to warn about such scams.

Shows a gaping lack of sense when it comes to social networking.

Anonymous vs. HBGary

Technology security company. Sells security solutions to both the US Government and other non-government entities.

Some key players:
◦ Penny Leavy – Owner of HBGary
◦ Aaron Barr – Former CEO of HBGary, administrator of HBGary’s e-mail, braggart.
◦ Ted Vera – COO of HBGary, likes to use bad passwords.
◦ Greg Hoglund – Owner of Rootkit.com
◦ Jussi Jaakonaho – “Chief Security Specialist” at Nokia

SQL injection attack on the custom-written CMS application that runs hbgaryfederal.com.

Injection released user database from CMS.

Passwords were hashed using unsalted MD5 = trivial to brute-force with rainbow tables.

Cracked both Aaron Barr and Ted Vera’s passwords.

Ted Vera’s password was also used as his password for HBGary’s research servers.

Used a privilege escalation vulnerability (for which a patch had been available for months) to gain root access.

Deleted all research and backup data.

Aaron happened to use the same password for the company’s Google Apps account.

Learned the following after dredging through e-mail:
◦ The root password to the machine running rootkit.org was either “88j4bb3rw0cky88” or “88Scr3am3er88”
◦ Jussi Jaakonaho has root access.

Used a pretexted e-mail sent from Greg’s e-mail account to get Jussi to:
◦ Reveal the real root password: “w0cky”
◦ Give the hackers Greg’s account name.
◦ Give the public IP.
◦ Reset Greg’s password.
◦ OFFERED TO DROP THE FIREWALL!!!!

Scared yet?

You can’t…

Training Programs.
◦ Train employees on the dangers of social engineering.
◦ Train during the on-boarding process.
◦ Retrain as often as possible.
◦ Make training relevant to employees’ personal lives as well.

DLP Applications.

Mock Social Engineering Attacks.
◦ See if training is working.

Separation of Duties
◦ Does your CEO really need to be the administrator of your e-mail?
◦ How many systems should one Sys Admin really control?

Password Auditing
◦ Ensure that no one is using the same password for multiple applications (they always will).
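Two points from this deck fit one worked example: the unsalted MD5 table in the HBGary CMS (identical passwords produce identical digests, so one precomputed table reverses every user at once, and the table itself reveals who shares a password), and the password-auditing recommendation above. This is an added example written for these notes, not code from the presentation; all usernames, passwords and application names are constructed. It shows a salted, iterated hash (PBKDF2-HMAC-SHA256 from Python's standard library) beside the legacy scheme, an audit that finds shared digests in an unsalted table, and a password-change hook that rejects a candidate password if it verifies against the same user's record in any other internal application, which is the only moment a properly hashed store can detect reuse.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample data for this example: usernames and passwords are made up.
# "ted" and "aaron" share a password, and "ted" also reuses his CMS password on
# the research server (the pattern the talk describes).
DEMO_PASSWORDS = {
    "ted": "Autumn2011!",
    "aaron": "Autumn2011!",
    "penny": "c0rrect-horse-battery",
}
DEMO_ITERATIONS = 20_000  # kept low so the example runs quickly; use far more in production


def md5_unsalted(password: str) -> str:
    """The legacy scheme: no salt, so every user with the same password gets the
    same digest, and one precomputed table reverses the whole dump at once."""
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2_record(password: str, salt=None, iterations: int = 600_000) -> dict:
    """Salted, iterated hash. A fresh random salt per user means identical
    passwords yield different records, so precomputed tables are useless."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def pbkdf2_verify(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])


def shared_hash_groups(unsalted_table: dict) -> list:
    """Audit an unsalted table: users with identical digests have identical
    passwords, which the table leaks to anyone who can read it."""
    by_digest = defaultdict(list)
    for user, digest in unsalted_table.items():
        by_digest[digest].append(user)
    return sorted(sorted(users) for users in by_digest.values() if len(users) > 1)


def password_reused_elsewhere(user: str, candidate: str, other_stores: dict) -> list:
    """Password-change hook: before accepting a new password for `user`, verify
    it against that user's record in every other internal application. Only the
    candidate plaintext is needed, and the application has it at change time."""
    hits = []
    for app, table in other_stores.items():
        record = table.get(user)
        if record is not None and pbkdf2_verify(candidate, record):
            hits.append(app)
    return sorted(hits)


# Constructed stores: the CMS still uses unsalted MD5; the other two use PBKDF2.
CMS_USERS = {u: md5_unsalted(p) for u, p in DEMO_PASSWORDS.items()}
RESEARCH_SERVER = {"ted": pbkdf2_record(DEMO_PASSWORDS["ted"], iterations=DEMO_ITERATIONS)}
MAIL = {
    "ted": pbkdf2_record("mail-only-password", iterations=DEMO_ITERATIONS),
    "aaron": pbkdf2_record(DEMO_PASSWORDS["aaron"], iterations=DEMO_ITERATIONS),
}
OTHER_STORES = {"research": RESEARCH_SERVER, "mail": MAIL}


if __name__ == "__main__":
    print("users sharing a password in the unsalted CMS table:",
          shared_hash_groups(CMS_USERS))
    r1 = pbkdf2_record("same", iterations=1000)
    r2 = pbkdf2_record("same", iterations=1000)
    print("salted records for the same password differ:", r1["hash"] != r2["hash"])
    print("ted reusing his CMS password would be rejected by:",
          password_reused_elsewhere("ted", DEMO_PASSWORDS["ted"], OTHER_STORES))
```

The reuse hook only works at the moment a password is set, because a correctly salted store cannot be compared offline; that is also why the deck's parenthetical "(they always will)" matters: the check has to be automated at change time rather than left to a periodic audit.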

CONSTANT VIGILANCE!!!!!

Further Reading:
◦ The Art of Deception, Kevin Mitnick
◦ The Art of Intrusion, Kevin Mitnick
◦ The Social Engineering Framework, www.social-engineer.org
◦ Getting In Bed With Robin Sage, Thomas Ryan
◦ Anonymous speaks: the inside story of the HBGary hack, Ars Technica article by Peter Bright

Tools:
◦ Maltego – Organize and classify data.
◦ The Social Engineering Toolkit
◦ WYD (Who’s Your Daddy Password Profiler)