
Social Engineering : To Err is Human



null Pune Chapter - September 2012 Meet


Page 1: Social Engineering : To Err is Human

Page 2

What is it?

Real life cases

Traits Exploited

Phishing

Methodology

Scenarios

Tricks of the Trade

Physical Pen testing?

Defenses

Game

Demo!

Agenda

Page 4

Manipulation of human trust (and traits) to elicit information. The information can then be used, directly or indirectly, to steal data, identities or money, gain access to systems, or manipulate others further, for financial gain or otherwise.

Weak points in the standard security checks were identified by engineering and ethically manipulating the processes, trust levels and the human side of day-to-day operations in the company.

Modes:

• Human Based

• Computer Based

Engineering the Socials & The Rest

Page 5

Through:

• Situations
• Urgency
• Impersonation - Partially Known Factors
• Persuasion
• Request
• Orders/Demand
• ..
• Technology [Modems, Malware, OSINT, Exploits, Phishing, Spoofing, Websites, other computer-based techniques and Help Desk ;)]

Traits exploited:

• Helplessness
• Guilt
• Anxiety
• Fear [Authority]
• Trust
• Moral Duty
• Helpfulness
• Cooperation
• Delegated Responsibility

Traits Exploited [Generally.. ;P]

Page 6

2003 saw the proliferation of a phishing scam in which users received e-mails supposedly from eBay claiming that the user's account was about to be suspended unless a link provided was clicked to update a credit card (information that the genuine eBay already had). Because it is relatively simple to make a Web site resemble a legitimate organization's site by mimicking the HTML code, the scam counted on people being tricked into thinking they were being contacted by eBay and subsequently going to eBay's site to update their account information. By spamming large groups of people, the "phisher" counted on the e-mail being read by a percentage of people who already had listed credit card numbers with eBay legitimately, and who might respond.

Phone Phishing (IVRs)

A typical system will reject log-ins continually, ensuring the victim enters PINs or passwords multiple times, often disclosing several different passwords.

Phishing - Vishing

Page 7

Fake ID

Fake Authorization Letter

Uniform?

Recorder

Videos

Bag?

Suit Up!

Barge In!

Page 8

Asset Identification – Information?

No I don’t have a Gun

Diversion theft - "going straight out" or "urgently required somewhere else".

Passive - Tailgating, Eavesdropping, Shoulder surfing

Baiting

Cold Calling

Backdoors, Rootkits, keyloggers

Device!

Target

Page 9

Frank Abagnale

Victor Lustig

Kevin Mitnick

Badir Brothers – Again

Mike Ridpath

Catch Me if you can

Page 10

Notorious in the 1960s for passing $2.5 million worth of meticulously forged checks across 26 countries over the course of five years, beginning when he was 16 years old.

He attained eight separate identities as an airline pilot, a doctor, a U.S. Bureau of Prisons agent, and a lawyer. He escaped from police custody twice (once from a taxiing airliner and once from a U.S. federal penitentiary).

Frank William Abagnale

Page 11

Lustig had a forger produce fake government stationery for him

Invited six scrap metal dealers to a confidential

There, Lustig introduced himself as the deputy director-general of the Ministry of Posts and Telegraphs.

Lustig told the group that the upkeep on the Eiffel Tower was so outrageous that the city could not maintain it any longer, and wanted to sell it for scrap. Due to the certain public outcry, he went on, the matter was to be kept secret until all the details were thought out. Lustig said that he had been given the responsibility to select the dealer to carry out the task. The idea was not as implausible in 1925 as it would be today.

Later, Lustig convinced Al Capone to invest $50,000 in a stock deal. Lustig kept Capone's money in a safe deposit box for two months, then returned it to him, claiming that the deal had fallen through. Impressed with Lustig's integrity, Capone gave him $5,000. It was, of course, all that Lustig was after.

Cases

Page 12

1st Source Information Specialists

Illinois became the first state to sue an online records broker when Attorney General Lisa Madigan sued 1st Source Information Specialists, Inc., on 20 January, a spokeswoman for Madigan's office said. The Florida-based company operates several Web sites that sell mobile telephone records, according to a copy of the suit. The attorneys general of Florida and Missouri quickly followed Madigan's lead, filing suit on 24 and 30 January, respectively, against 1st Source Information Specialists and, in Missouri's case, one other records broker – First Data Solutions, Inc.

Cases Contd..

Page 14

Physical Security [Dumpster Diving, Shoulder surfing, Eavesdropping, stealing in Remote Devices, covert entry/exits, impersonation, dressing, IDs, badges, etc.]

Perimeter Security

General Intelligence

Emails, Phishing, Websites,

OSINT[social networks, forums, portals, public knowledge]

Research

Social Engineering ;)

..

TRUST

Involves - C*****S****

Page 15

“They asked a janitor for a garbage pail in which to place their contents and carried all of this data out of the building in their hands.”

You have won “100000$”!

Scenarios - 1: Social Engineering

LUCK

Page 16

Mr. Smith: Hello?

Caller: Hello, Mr. Smith. This is Fred Jones in tech support. Due to some disk space constraints, we’re going to be moving some users’ home directories to another disk at 8:00 this evening. Your account will be part of this move, and will be unavailable temporarily.

Mr. Smith: Uh, okay. I’ll be home by then, anyway.

Caller: Good. Be sure to log off before you leave. I just need to check a couple of things. What was your username again, smith?

Mr. Smith: Yes. It’s smith. None of my files will be lost in the move, will they?

Caller: No sir. But I’ll check your account just to make sure. What was the password on that account, so I can get in to check your files?

Mr. Smith: My password is tuesday, in lower case letters.

Caller: Okay, Mr. Smith, thank you for your help. I’ll make sure to check your account and verify all the files are there.

Mr. Smith: Thank you. Bye.

[- Taken from Melissa Guenther]

What I call a chain reaction

Page 18

Layered Security

Defenses

Physical

Process

Tech

Least Privileges

Password Policy

Access Controls

Safe Disposal

Removable Device Policy

Latest Set Up

Content Management and filtering

Change Management

Monitoring

Awareness

Page 21

http://www.symantec.com/connect/articles/social-engineering-fundamentals-part-i-hacker-tactics

https://www.trustedsec.com/

http://en.wikipedia.org/wiki/Social_engineering_(security)

http://www.social-engineer.org/se-resources/

References