Cosc 4765 Social Engineering. What is it? ● In the field of computer security, social engineering is the practice of conning people into revealing sensitive.


1 Cosc 4765 Social Engineering

2 What is it?
● In the field of computer security, social engineering is the practice of conning people into revealing sensitive data on a computer system.
● The manipulation of an individual to obtain a goal.
  – Often on the Internet, but also by phone, fax, and in person. It's the art of the con.
  – Example:
    ● SE: Hi, this is Tech Support. We have a problem with your account; would you give me your password so I can fix your account?
    ● User: Of course, my password is blah

3 What is it? (2)
● It is an article of faith amongst experts in the field that "users are the weak link."
  – It should be noted that in an infosecurity survey, 90% of office workers gave away their password in exchange for a cheap pen.
    ● http://www.theregister.co.uk/2003/04/18/office_workers_give_away_passwords/
  – 2008 Webuser survey: 21% gave up their passwords for a chocolate bar (2004 survey: it was 71%).
    ● http://www.webuser.co.uk/news/top-stories/372143/passwords-given-up-for-chocolate

4 Social Engineering and the Internet
● Use of e-mail with attachments that have malicious payloads
  – for instance, using the victim's machine to send massive quantities of spam.
● Even now that automatic execution of attachments is disabled:
  – Many users will blindly click on any attachment they receive and allow the attack to work.

5 Social Engineering and the Internet (2)
● E-mail: Phishing
  – Messages that request password or credit card information in order to "set up their account" or "reactivate settings" or some other benign-sounding operation.
  – Spear phishing: a message directed at a specific group or even an individual.
● Spyware (a subcategory of the Trojan horse):
  – Malicious software in which the user runs executable code that promises to do something but does other tasks in the background. This typically happens by offering a downloadable program which does a task, or via the Internet by secretly inserting code intended to exploit holes in the user's system security.
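As an added example (not part of the slides), a small mail triage function that applies the two warning signs from slides 4 and 5 to constructed sample messages: lure wording that asks for a password or card number to "set up" or "reactivate" an account, and attachments that execute when clicked. The lure patterns, the suffix list, and the sample addresses (on the reserved .invalid domain) are my assumptions.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage

# Lure language from slide 5: credential requests dressed up as
# "set up your account" / "reactivate settings" housekeeping (assumed patterns).
LURE_PATTERNS = [
    r"\b(password|passcode|credit card|card number)\b",
    r"\b(set ?up|reactivate|verify|confirm)\b.{0,40}?\b(account|settings)\b",
]
# Attachment suffixes that run when double-clicked (slide 4's "blindly click" case).
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".bat", ".cmd", ".vbs", ".js", ".pif")


def triage(raw_message: str) -> dict:
    """Score one RFC 5322 message: each lure phrase or executable attachment is a finding."""
    msg = message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = f"{msg.get('Subject', '')}\n{body.get_content() if body else ''}".lower()
    findings = [f"lure phrase matched /{p}/" for p in LURE_PATTERNS if re.search(p, text)]
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        # endswith() also catches double extensions such as "statement.pdf.exe"
        if name.endswith(EXECUTABLE_SUFFIXES):
            findings.append(f"executable attachment: {name}")
    return {"score": len(findings), "findings": findings}


def build_sample(subject: str, body: str, attachment_name: str = "") -> str:
    """Constructed sample message (not captured mail); addresses use the reserved .invalid TLD."""
    m = EmailMessage()
    m["From"] = "techsupport@example.invalid"
    m["To"] = "user@example.invalid"
    m["Subject"] = subject
    m.set_content(body)
    if attachment_name:
        m.add_attachment(b"MZ\x90\x00", maintype="application",
                         subtype="octet-stream", filename=attachment_name)
    return m.as_string()


PHISH = build_sample("Reactivate your account",
                     "We have a problem with your account.\n"
                     "Reply with your password so we can reactivate your settings.",
                     "statement.pdf.exe")
BENIGN = build_sample("Lunch on Friday", "Shall we meet at noon? I will bring the slides.")

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("benign", BENIGN)):
        print(label, triage(raw))
```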

6 By Phone
● Help desks are particularly prone to this type of attack.
  – Hackers are able to pretend they are calling from inside the corporation by playing tricks on the PBX or the company operator, so caller-ID is not always the best defense. Here’s a classic PBX trick, care of the Computer Security Institute: “’Hi, I’m your AT&T rep, I’m stuck on a pole. I need you to punch a bunch of buttons for me.’”

7 Dumpster Diving
● A huge amount of information can be collected through company dumpsters.
  – The LAN Times listed the following items as potential security leaks in our trash: “company phone books, organizational charts, memos, company policy manuals, calendars of meetings, events and vacations, system manuals, printouts of sensitive data or login names and passwords, printouts of source code, disks and tapes, company letterhead and memo forms, and out-dated hardware”.

8 By Phone (2)
● The facilitator of a live Computer Security Institute demonstration neatly illustrated the vulnerability of help desks when he “dialed up a phone company, got transferred around, and reached the help desk. ‘Who’s the supervisor on duty tonight?’ ‘Oh, it’s Betty.’ ‘Let me talk to Betty.’ [He’s transferred.] ‘Hi Betty, having a bad day?’ ‘No, why?...Your systems are down.’ She said, ‘my systems aren’t down, we’re running fine.’ He said, ‘you better sign off.’ She signed off. He said, ‘now sign on again.’ She signed on again. He said, ‘we didn’t even show a blip, we show no change.’ He said, ‘sign off again.’ She did. ‘Betty, I’m going to have to sign on as you here to figure out what’s happening with your ID. Let me have your user ID and password.’ So this senior supervisor at the Help Desk tells him her user ID and password.” Brilliant.

9 Kevin Mitnick
● We cannot talk about social engineering without mentioning Mitnick, one of the more famous hackers, who was arrested 5 times for hacking.
  – He has published several books about these events and social engineering.
    ● The Art of Deception: Controlling the Human Element of Security (ISBN 0471237124), published October 2002
      – The first chapter, omitted by the publisher, is online; it is a commentary on the Takedown book and its author John Markoff.
    ● The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders, and Deceivers (ISBN 0764569597), published February 2005
  – Books published by other authors:
    ● Takedown: The Pursuit and Capture of Kevin Mitnick, America's Most Wanted Computer Outlaw-By the Man Who Did It (ISBN 0786889136), by John Markoff and Tsutomu Shimomura
    ● A counterpoint view of the events surrounding Mitnick was written by journalist Jonathan Littman in The Fugitive Game: Online with Kevin Mitnick (ISBN 0316528587).
    ● Other media inspired by Mitnick's story include the movie, also named Takedown, sometimes mistitled as Hackers 2: Takedown.

10 Protection?
● Firewalls – IDS – VPNs – all useless against social engineering.
● “There's a popular saying that a secure computer is one that's turned off. Clever, but false: The attacker simply talks someone into going into the office and turning that computer on” - Mitnick

11 Example
● From the movie “Hackers”
  – Just call the security desk to get access.
    ● You know anything about computers?
    ● Gee …
    ● My BLT drive on my computer just went AWOL …
  ● http://www.youtube.com/watch?v=2efhrCxI4J0

12 Real Life Example
● Stanley Rifkin – largest bank heist in history
  ● He was a consultant hired to implement a backup system for the bank, but instead was able to steal 8 million dollars. The bank staff did the work with a money transfer. All he did was make several phone calls and pick up the money from a Swiss bank.
● What did the bank do wrong?
  – Passwords written down
  – Poorly trained staff?
  – Other?

13 Preventing Social Engineering
● A good security policy.
  – How to deal with the issues we have looked at so far.
  – Violations should be posted and enforced.
● Physical attacks
  – Enforce security that is already in place. If badges are required, then enforce it.
    ● For example: no tailgating at the door.
  – Require shredding, erasing of old hard drives, disks, etc.
● Training, training, and even retraining.

14 Common intrusion tactics and strategies for prevention:

Area of Risk | Hacker Tactic | Combat Strategy
Phone (Help Desk) | Impersonation and persuasion | Train employees/help desk to never give out passwords or other confidential info by phone
Building entrance | Unauthorized physical access | Tight badge security, employee training, and security officers present
Office | Shoulder surfing | Don’t type in passwords with anyone else present (or if you must, do it quickly!)
Phone (Help Desk) | Impersonation on help desk calls | All employees should be assigned a PIN specific to help desk support
Office | Wandering through halls looking for open offices | Require all guests to be escorted
Mail room | Insertion of forged memos | Lock & monitor mail room
Machine room/Phone closet | Attempting to gain access, remove equipment, and/or attach a protocol analyzer to grab confidential data | Keep phone closets, server rooms, etc. locked at all times and keep updated inventory on equipment
Phone & PBX | Stealing phone toll access | Control overseas & long-distance calls, trace calls, refuse transfers
Dumpsters | Dumpster diving | Keep all trash in secured, monitored areas, shred important data, erase magnetic media
Intranet-Internet | Creation & insertion of mock software on intranet or internet to snarf passwords | Continual awareness of system and network changes, training on password use
Office | Stealing sensitive documents | Mark documents as confidential & require those documents to be locked
General-Psychological | Impersonation & persuasion | Keep employees on their toes through continued awareness and training programs

15 Reality Check
● The idea is to minimize the threat and make it harder for the hacker, or even prevent the attack before it starts.
● Yet not create militant staff and an oppressive environment for employees.

16 Q & A

