We provide the cyber intelligence that keeps blue chip companies from turning red
"Beyond Network and Apps: Pen Testing Wetware"
Terry Gudaitis, PhD
October 2008, MSU
© 2007 Cyveillance, Inc. www.cyveillance.com
Agenda
• Defining the “Wetware” or Social Engineering side of pen testing
• How SE fits into a pen testing methodology
• Objectives of SE
• Collection Methodologies
– Physical
– Electronic
– Internet
• Case Studies/Examples
• Questions and Answers
Social Engineering
Definition:
Human or social/psychological based methodologies used to persuade, coerce, or manipulate others into revealing sensitive, private, or confidential information.
The methodologies may include direct or remote assessment, observations, interpersonal communication, lures, schemes, or traps to elicit information.
In Historical Terms = A Con Game
Human Vulnerabilities and Exploiting Cognitive Biases:
• SE will target the human weaknesses:
– Ignorance or naiveté
– Illness, vulnerability or psychological susceptibility (e.g., guilt, depression)
– Fear, uncertainty or doubt
– A desire to be liked, desired or respected
– A desire to be helpful, feel successful, or accomplish a goal
• The Objectives for the SE may be to Garner:
– Cash or equivalents
– Account access, passwords, logins
– Identity information
– Proprietary or business knowledge
– Physical goods (e.g., badges, ID’s, codes)
• Victims (Targets) are either the corporation, the individual or both
Most “Popular” or Successful Motivations include:
• Get the Job Done
• Fear of Not Doing Their Job
• Wanting to be Helpful
• Severe Empathy and Willingness to Break the Rules
• Ease and Laziness (sometimes this is just due to lack of policies)
The SE:
• Confident
• Knowledgeable
• “Correct Personality” for the role
Basic Methodology
1. Targeting
– Who, Why, Where, What type of Information
– How to conduct the collection of information and intelligence
2. Data Collection
– Background data
– Understand the target; Know your target
– Understand the Vulnerabilities
3. Scenario Development
– Construct the plan to elicit the information
– Assess the plan; Analyze the plan
4. Implementation
– Collecting the targeted information
– Collection of targeted information…and beyond?
– Documentation of collection (times, dates, persons, means)
5. Review
– What was collected?
– How can it be exploited?
– Lessons Learned
Targeting:
• Who or What is the Target
• What types of information would be useful? Best?
• How will the SE be able to acquire the most useful information?
• Is it possible or necessary to collect information at the physical location, or is that 1) not possible or 2) too risky?
• What information can be collected electronically or via the Internet?
• Develop the targeting plan
• Start information collection
• Apply the information/intelligence that has been gathered
Data Collection of SE Information via the Internet:
• Target’s website
• Related websites
• Partners, Vendors, Associates
• Name search databases
• Blogs
• Social Engineering Sites
– This is the initial starting point of research
– This is where the background and back-data will be gathered
– This will assist in the other types of data collection (physical and/or electronic)
Internet Intelligence: Organizational Target and Human Target
• World Wide Web
• Blogs (Web logs)
• IRC/Chat
• Public email groups
• P2P
• Discussion forums
• Usenet
• Images, Vlogs
• Unsolicited Commercial Bulk Email (SPAM)
• People Finders
Data Collection of SE Information via Physical Means:
• Dumpster Diving
• Shoulder Surfing
• Direct Observation
– What types of badges?
– Where are the physical entry points?
– What does the building/environment look like?
– What is the corporate culture?
• Interaction and Discussion with Employees and other workers
• Observation of personnel movements
– Where people come and go from and to
– Where do people park?
– How do they commute?
– Is everyone onsite…or do people telecommute?
Physical Means
• Recon of the physical target
– How to dress
– When to show up
– What type of demographic
– Understanding of the perimeter
• Observational Intelligence
– Just sit there
– Interact without Entrance
– Deliveries and Soliciting
• Gaining Physical Entry
– Coat-tailing
– Walking Right In
– Assessing Barriers (e.g., security guards, X-ray machines, ID checks)
• Collecting Onsite Documents and Items
– Where is the low hanging fruit?
– Exiting with “the goods!”
Data Collection of SE Information via Electronic Means:
• Using listening devices, trojans
• Telephone communications
– Personnel
– Help Desks
– Call Centers
• Email communications
• Virtual Games (e.g., Second Life)
• Posting of surveys, websites (phishing-like activities)
• Any information collected from thumb drives, CD’s, etc…
Electronic Means
• Recon
• Remote Assessment
• Softest Target
• May include foreign language usage
• May need obfuscation tactics
• Analysis of Replies and Correspondence
• Duration of pre-elicitation communications
• Plan to cease communications
Developing the Targeting Scenario:
• Applying the background research, information, and intelligence gathering!
• Develop the scenario and point of contact with the target(s) in order to elicit the needed information (e.g., passwords, login data)
– Who are you going to contact?
– What is your “story?” …and what is the backdrop?
– How are you going to contact them?
– When are you going to contact them?
– How many players do you need to make the scenario seem real?
– What psychological vulnerability are you going to focus on? …and why?
High Profile Case – VP Candidate
“The hacker guessed that Alaska's governor had met her husband in high school, and knew Palin's date of birth and home Zip code. Using those details, the hacker tricked Yahoo Inc.'s service into assigning a new password, "popcorn," for Palin's e-mail account, according to a chronology of the crime published on the Web site where the hacking was first revealed.”
http://wikileaks.org/wiki/Sarah_Palin%27s_E-mail_Hacked
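The case above failed because the reset flow accepted facts that the deck's Internet collection phase can turn up for almost anyone. The following Python is an added example, not code from these slides or from Cyveillance: it contrasts that knowledge-based reset with a reset that mails a random, single-use, expiring token to an already-verified address and checks it in constant time. The account, the security answers, the address `jdoe@example.invalid` and the 15-minute TTL are all constructed for the demo.

```python
"""Added example, not code from the slides or from Cyveillance: contrasts a
knowledge-based password reset (the design that failed in the case above) with
a reset that sends a random, single-use, expiring token to a verified channel.
Every account, answer and address is constructed for the demo; a real system
would also hash passwords and rate-limit reset requests."""
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class Account:
    username: str
    recovery_email: str   # assumed to have been verified when the account was created
    kba_answers: dict     # security question -> answer; these are researchable facts
    password: str = "initial-password"


# --- Weak design: knowledge-based authentication (KBA) ----------------------
def kba_reset(account: Account, supplied: dict, new_password: str) -> bool:
    """Reset when every stored question is answered correctly.  The check is
    only as secret as the answers, and birth dates, zip codes and school
    history are exactly what Internet background collection turns up."""
    for question, expected in account.kba_answers.items():
        if supplied.get(question, "").strip().lower() != expected.lower():
            return False
    account.password = new_password
    return True


# --- Stronger design: out-of-band, single-use, expiring token ----------------
@dataclass
class ResetToken:
    value: str
    expires_at: float
    used: bool = False


class TokenResetService:
    TOKEN_TTL_SECONDS = 15 * 60   # assumption: 15-minute validity window

    def __init__(self, clock=time.time):
        self._clock = clock       # injectable so expiry can be demonstrated
        self._pending = {}        # username -> ResetToken
        self.outbox = []          # (recipient, token) stand-in for sending e-mail

    def request_reset(self, account: Account) -> None:
        """Issue a fresh random token and deliver it only to the address on file;
        the requester learns nothing beyond 'a message was sent'."""
        token = ResetToken(secrets.token_urlsafe(32),
                           self._clock() + self.TOKEN_TTL_SECONDS)
        self._pending[account.username] = token
        self.outbox.append((account.recovery_email, token.value))

    def complete_reset(self, account: Account, presented: str, new_password: str) -> bool:
        pending = self._pending.get(account.username)
        if pending is None or pending.used or self._clock() > pending.expires_at:
            return False
        # constant-time comparison: a wrong token leaks no timing information
        if not hmac.compare_digest(pending.value, presented):
            return False
        pending.used = True       # single use, even inside the TTL
        account.password = new_password
        return True


def demo() -> dict:
    """Run both designs against someone who has researched the public facts."""
    public_facts = {"birth date": "1964-02-11",        # constructed sample values
                    "home zip": "99654",
                    "where you met your spouse": "high school"}
    victim = Account("jdoe", "jdoe@example.invalid", dict(public_facts))
    results = {}

    # KBA: researched answers are accepted as proof of identity
    results["kba_attacker_succeeds"] = kba_reset(victim, public_facts, "attacker-chosen")

    # Token flow: researched facts are useless; only the mailbox owner has the token
    now = [1_000_000.0]
    svc = TokenResetService(clock=lambda: now[0])
    svc.request_reset(victim)
    results["token_guess_fails"] = not svc.complete_reset(
        victim, secrets.token_urlsafe(32), "attacker-chosen")
    _, token = svc.outbox[-1]
    results["token_owner_succeeds"] = svc.complete_reset(victim, token, "owner-chosen")
    results["token_replay_fails"] = not svc.complete_reset(victim, token, "again")

    # A token that is not used within the TTL also stops working
    svc.request_reset(victim)
    _, late_token = svc.outbox[-1]
    now[0] += TokenResetService.TOKEN_TTL_SECONDS + 1
    results["token_expired_fails"] = not svc.complete_reset(victim, late_token, "late")
    return results


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

The point for a defender is that `kba_reset` cannot be hardened by choosing "better" questions, because the answers are facts about a person rather than secrets; the token flow moves the secret into a channel the requester must already control, and the `used` flag and TTL limit what a leaked token is worth.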
Case Studies:
EX #1: Elicitation of Customer Data from Insurance Files
EX #2: Gaining Access to Medical Systems and Patient Data
EX #3: Gaining Physical Entry and Access to Internal Databases
EX #1: Elicitation of Customer Data from Insurance Files
1. Targeting: Company – Access to Customer Policy Information
2. Data Collection - Internet Only - Background data, P2P. WWW
3. Scenario Development
– Impersonation of a legitimate customer’s family member
– Policy holder in jeopardy (medically unable to communicate)
– 3 Person scenario – play on severe empathy
4. Implementation – Phone call to Customer Service Desk
5. Review
– Collected Policy # and coverage
– Collected SS#
– Follow-up contact could possibly get online account access credentials
EX #2: Gaining Access to Medical Systems and Patient Data
1. Targeting – Help Desk of Major Hospital
2. Data Collection
– Internet Collection (e.g., Doc’s resumes, nurses at conferences)
– Onsite Observation
3. Scenario Development
– Impersonate a Doctor to gain access to medical database
– 2 person scenario
4. Implementation – Email and then phone call to Help Desk
5. Review
– Password and UserID (in fact, re-set password)
– Access to Dr.’s email account, address book, etc…
– Access to medical database
EX #3: Gaining Physical Entry and Access to Internal Databases
1. Targeting – Executives of a large Financial Services organization
2. Data Collection
– Internet background data
– Onsite Observation; Onsite Data Collection at HQ
– Email/Postings to company’s forum
3. Scenario Development
– Create role of an executive assistant for each executive
– 1 person played all 4 exec assistants
4. Implementation – Gained Physical Access and Created Spear/Whale Phish to attempt to get password credentials
5. Review
– Access gained to floor/office space of execs
– 2 of 4 credentials were elicited (the execs used the same choice of password for the phish as they did for their corporate accounts)
Summary:
1. Most everyone can be “psyched” into giving away information
2. 5 Phases of conducting successful SEing
• Targeting
• Data Collection
• Scenario Development
• Implementation
• Review
3. Planning, planning, planning!
4. Thorough Understanding of the emotional and psychological impact
5. Acting, acting, acting!
Contact: Terry Gudaitis, PhD, Cyber Intelligence Director, [email protected], 703-351-2437
Questions?