Social Engineering
A Wolf in Sheep’s Clothing
Roberto Salgado
- Programmer / Security Researcher / Pentester
- Co-founder of Websec
- Websec = Information Security Solutions
- Pen-testing, training, monitoring, etc…
Contact Info
- @LightOS
- http://www.websec.ca
Overview
- What is Social Engineering?
  - Definition
  - Brief History
  - Trending Topic
  - The Evolution of S.E.
  - Different Forms of S.E.
- How is Social Engineering Performed?
  - Performing OSINT (Open-source Intelligence)
  - Selecting a Delivery Method for Payload
  - Creating a Command & Control Center
  - Making Payload FUD (Fully UnDetectable)
  - Live Demo
- How to Defend Against Social Engineering?
Social Engineering: What is it?
Definition
- S.E. is an attack vector which involves tricking the human element into breaking security procedures.
- Generally requires very little to NO technological or security knowledge. The very strongest security can be overcome by a clever social engineer.
- Comes in many shapes, forms & colors.
- ALL of us have been victims of it at some point throughout our lives. Affects both end-users and businesses.
Brief History of S.E.
- Doesn’t have a defined starting moment.
- Has probably been around since the beginning of humanity.
- Countless examples of S.E. throughout history.
Brief History of S.E. – Examples
- Adam & Eve – 4000-6000 BC
- The Trojan Horse – 1188 BC
- George Parker – Early 1900s
- Charles Ponzi – 1920s
- Victor Lustig (“The man who sold the Eiffel Tower”) – 1925
- Frank Abagnale (Catch Me If You Can) – 1960s
- Kevin Mitnick – Around 1980-1995
- Thomas Katona (treasurer of Alcona County, Michigan) – 2007
- Bernie Madoff – 2008
- RSA SecurID Breach – 2011
- AP Twitter Hacked – 2013
- Target (HVAC contractor) – 2013
Brief History of S.E. – Personal Examples
- Myself (Gypsies) – 2003?
- Close Friend – 2013
- My Roommate – 2015
- ?
#SocialEngineering is Trending…
The Evolution of S.E.
- S.E. is no longer confined to the physical realm.
- Technology has made some fraud more difficult to commit, but it has created all sorts of new opportunities for adaptable fraudsters.
- Nigerian phishing scams still work, though not as well as before.
- Attackers have gotten more clever with their techniques.
The Evolution of S.E.
- Receiving an EXE file via e-mail is a thing of the past.
- Ever suspect that an Office document (Word, PowerPoint, Excel) could hack you?
- Heard of HTA? Supported by Windows since 1999.
- Like EXE, but currently undetectable by AV and can run PowerShell.
- Unicode magic!
Unicode Magic!
- Left-To-Right Override: U+202D
- Right-To-Left Override: U+202E
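As an added example (not from the original talk), here is a Python check a defender can run over attachment or download names to flag bidi override characters and show how the displayed extension diverges from the real one; the control-character set and the sample filename are constructed for the demo.

```python
# Added example (not from the original talk): spot Unicode bidi override characters
# such as U+202E (RLO) and U+202D (LRO) that make a filename's displayed extension
# differ from the one the operating system actually uses.
import os

# Bidi override/embedding/isolate controls worth flagging; the exact set is a policy choice.
BIDI_CONTROLS = {"\u202d": "LRO", "\u202e": "RLO", "\u202a": "LRE", "\u202b": "RLE",
                 "\u202c": "PDF", "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI",
                 "\u2069": "PDI"}

def find_bidi_controls(name):
    """Return (index, control name) for every bidi control character in name."""
    return [(i, BIDI_CONTROLS[c]) for i, c in enumerate(name) if c in BIDI_CONTROLS]

def real_extension(name):
    """Extension the OS uses: after the last dot of the raw string, controls ignored."""
    cleaned = "".join(c for c in name if c not in BIDI_CONTROLS)
    return os.path.splitext(cleaned)[1].lower()

def displayed_name(name):
    """Approximate what a user sees: text after an RLO, up to the next PDF (U+202C)
    or the end of the string, is drawn right-to-left, i.e. reversed."""
    out, i = [], 0
    while i < len(name):
        c = name[i]
        if c == "\u202e":
            end = name.find("\u202c", i + 1)
            end = len(name) if end == -1 else end
            segment = "".join(ch for ch in name[i + 1:end] if ch not in BIDI_CONTROLS)
            out.append(segment[::-1])
            i = end + 1
        else:
            if c not in BIDI_CONTROLS:  # other controls are invisible; just drop them
                out.append(c)
            i += 1
    return "".join(out)

def assess(name):
    """Any bidi control in a filename is worth a flag; a shown/real extension
    mismatch is the classic disguised-executable tell."""
    controls = find_bidi_controls(name)
    shown = displayed_name(name)
    real_ext = real_extension(name)
    return {"controls": controls, "displayed": shown, "real_ext": real_ext,
            "mismatch": bool(controls) and os.path.splitext(shown)[1].lower() != real_ext}

if __name__ == "__main__":
    # constructed sample: shown as "invoiceexe.pdf", but the OS treats it as .exe
    print(assess("invoice\u202efdp.exe"))
```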
Live Demo!
Different Forms of S.E.
- Baiting
- Phishing
- Pretexting
- Tailgating
- Quid Pro Quo
- Shoulder Surfing
- Dumpster Diving
Baiting
- Refers to leaving “bait” for the target to pick up, relying on the curiosity or greed of the person being targeted.
- The Trojan Horse is one of the greatest mythological examples of baiting.
- A modern-day example is dropping USB sticks labelled “Executive Salary Summary Q1 2016”.
- Free music/movies in exchange for downloading a “game” or providing personal info on a form.
- Send the secretary a bouquet of USB flowers, pretending to be from a romantic lover/admirer.
- Curiosity will inevitably lead to the USB flower being plugged in.
- This scenario makes the target less suspicious of an attack.
- According to research, 76% of people plug an unknown USB into their office computer.
- USBs exist that can FRY your computer just by being plugged in.
Phishing
- Involves fake emails, websites and ads designed to impersonate real systems in order to trick the user.
- One of the more prevalent forms of Social Engineering seen today.
- Fake Anti-Virus infection warnings (scareware), PayPal phishing sites, offers for free music, etc…
- Fake SMS message from “Rogers”
  - The sender number 7000 can be spoofed
  - Website http://rogers-clients.com/login/
Pretexting
- An invented scenario used to trick the victim into performing actions that would normally be unlikely (the human equivalent of phishing).
- Impersonate a trustworthy figure: fake IT support needing to do maintenance, a false investigator performing a company audit, co-workers, police, tax authorities, etc...
Quid Pro Quo
- Means “something for something”.
- A malicious actor calls several IT companies claiming to be from IT service.
- Eventually the attacker will encounter a company that actually requires the service offered.
Shoulder Surfing
- Looking over someone's shoulder to obtain personal access information.
- Someone's ATM/smartphone PIN, computer passwords.
- Can be done from a distance too, with cameras.
Dumpster Diving
- Involves going through a person’s or company’s garbage to obtain confidential information.
- Can find bank statements, credit card numbers, contracts, corporate policies, etc.
Social Engineering: How is it done?
Open-Source Intelligence
- Intel gathered from publicly available sources.
- Many platforms available: Google, Facebook, LinkedIn, etc…
- Software available to help: Maltego, theHarvester, creepy, etc…
Delivery Method for Payload
- Several forms: in person, phone, email, website, USB drops.
- E.g.: pretend to work for their ISP and claim you’ve detected malware installed on their computer.
- Consider what we know about the target.
- Which method would seem the least suspicious?
- Identify your strengths and weaknesses. Practice.
Picking a Domain
- Character omission, repetition, swapping, replacement, insertion
- Missing dot
- Singularize or pluralize
- Bit flipping
- Homoglyphs
- Wrong TLD
- URLCrazy tool
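As an added defensive example (not from the talk, and not URLCrazy), a Python check that tests whether a domain seen in a message imitates a trusted domain by the tricks listed above: homoglyphs, one-character edits, a missing dot or extra words, a wrong TLD, or the trusted name used as a subdomain. The TRUSTED list and the homoglyph table are constructed assumptions for the demo.

```python
# Added example (not from the original talk): flag candidate domains that imitate
# a trusted one via homoglyphs, one-character edits, extra tokens or a wrong TLD.
# TRUSTED and the homoglyph table are constructed for this demo.
TRUSTED = ["rogers.com", "paypal.com", "websec.ca"]
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s",
              "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c"}

def fold(label):
    """Map common look-alike characters (digits, Cyrillic) to the Latin letters they imitate."""
    label = label.lower()
    for glyph, plain in HOMOGLYPHS.items():
        label = label.replace(glyph, plain)
    return label

def dl_distance(a, b):
    """Damerau-Levenshtein distance: insertion, deletion, replacement or adjacent swap cost 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def lookalike_of(domain, trusted=TRUSTED):
    """Return (trusted_domain, reason) when domain imitates a trusted one, else None.
    Simplification: assumes single-label TLDs (no co.uk handling)."""
    domain = domain.lower().rstrip(".")
    if domain in trusted:
        return None
    labels = domain.split(".")
    name, tld = labels[-2], labels[-1]
    folded = fold(name)
    for t in trusted:
        tname, ttld = t.split(".")
        ftname = fold(tname)
        if ftname in labels[:-2]:
            return t, "trusted name used as a subdomain"
        if folded == ftname:
            return t, "wrong TLD" if tld != ttld else "homoglyph substitution"
        if dl_distance(folded, ftname) <= 1:
            return t, "one-character edit (omission, repetition, swap, insertion)"
        if ftname in folded:
            return t, "trusted name embedded with extra characters"
    return None
```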
Command & Control Center
- Server to host: load an AWS instance
  - Amazon = affordable + trusted IP address
- Different open-source and commercial tools available:
  - Metasploit Framework
  - PowerShell Empire Framework
  - Wide variety of RATs
MSF C&C
- Free (community edition) & reliable.
- Constantly being improved and added to; has a community contributing.
- Multiplatform.
- Resource scripts (neat feature to automate).
- Developed and maintained by Rapid7.
Making Payload FUD
- There are many publicly available crypters, packers and code obfuscators.
- Crypters & RATs are shared in online communities, e.g. indetectables.net
- Mini-challenges to obtain crypters so they remain FUD for longer.
- A few attack vectors still aren’t well detected (macros, HTA files, PowerShell).
Making Payload FUD: LIVE DEMO
Social Engineering: How to defend against it?
Am I a target?
- Most definitely!
Heard of Ransomware?
Tips For Staying Safe!
First we have to ask ourselves, why are these techniques so effective?
Carelessness or lack of awareness? Maybe a bit of both…
Tips For Staying Safe!
From Kevin Mitnick’s book “The Art of Deception”:
- People inherently want to be helpful and therefore are easily duped.
- They assume a level of trust to avoid conflict.
- It’s all about gaining access to information that people think is innocuous when it isn’t.
- Hear a nice voice over the phone and we want to be helpful.
Tips For Staying Safe!
- Training & Awareness
- Reminders (Posters)
- Security Hygiene in the Office
- Have Policies In Place
- Testing, Testing & More Testing!
- Follow Best Security Practices
- AV?
Tips For Staying Safe!
- Don’t trust the URL a link appears to show; it can be spoofed. The same goes for file extensions.
<a href="https://www.google.com/" onmousedown="this.href='http://websec.ca'">https://www.google.com/</a>
Don’t Re-use Passwords
- If an attacker obtains your credentials, they may be able to access multiple systems.
- I wrote a tool called “credmap” to test for credential re-use.
- Available at: https://github.com/lightos/credmap
Continuity
- Remember it takes patience, time and continuity.
- But keep on fighting off those pesky attackers and you’ll eventually get there!