Social Engineering CS 334 - Computer Security - PowerPoint PPT Presentation

SLIDE 1

Social Engineering

CS 334 - Computer Security

Thanks to: The late Dr. Yosef Sherif, unknown colleague at UW-Madison, Mathew Sullivan at Iowa State, Tanya L. Crenshaw at U. Portland, various other colleagues and contributors
SLIDE 2

Social Engineering: Definition

  • Social Engineering: “the practice of obtaining confidential information by manipulation of legitimate users.” (from Wikipedia)
  • Attackers “trick” employees into revealing sensitive information, usually to gain access to a computer system: user-ID, password, IP address, etc.

SLIDE 3

Social Engineering: Definition

  • A Social Engineer is basically a flavor of “Con-Man” (“Con-Person”?)
  • Historically, Con-Men have been highly successful at convincing victims to give them valuable items (money, jewelry, etc.).
  • Social Engineers employ similar methods, aided by modern technology, to obtain valuable data from system users.

SLIDE 4

Social Engineering: Definition

  • Con-Men and social engineers see their attacks as an art form or a social trade.
    – They pride themselves on their ability to manipulate a person's natural tendency to trust others
    – They are highly skilled and use very effective psychological methods
    – Some work for personal edification; others work for profit

SLIDE 5

Social Engineering

  • The end user is usually the weakest link of a system
    – People are often lazy, ignorant of security, or simply gullible
  • Social engineering is a journey into social psychology!
    – Yes I know, that probably doesn't sound very fun
    – Well guess what… it is, so deal with it!

SLIDE 6

But First: Some Examples

SLIDE 7

Case Scenario: Meet Angry Cow

  • Angry Cow is a Computer Science student at UW-Madison
  • Angry Cow just got an eviction notice!

SLIDE 8

Simple Public Information is Found

  • Angry Cow lives at the Regent
  • The Regent's website indicates that it is owned by Steve Brown Properties
  • Angry Cow wants to “fix” Steve Brown's record-keeping spreadsheet to show that rent has been paid

SLIDE 9

Finding A Way In...

  • Facebook is Angry Cow's first weapon of choice because it is an unofficial source of information
    – Poor controls over data sharing
    – Lots of information there that might not seem important, but could be his first step in…
  • Go to Facebook and search: “Steve Brown Apartments” to find an appropriate unknowing accomplice

SLIDE 10

SLIDE 11

Let's See -- Danielle Treu

  • Born July 24, 1988
  • Enjoys playing in the rain, drinking coffee, and spending money
  • Works at Subway and as a Resident Assistant for Steve Brown Apartments

SLIDE 12

Let's See -- David Klabanoff

  • Born April 21, 1979
  • Likes Star Wars and The Muppet Movie
  • Is a Concierge for Steve Brown Apartments

SLIDE 13

Let's See -- Andrew Baldinger (who made these slides?)

  • Born March 30, 1986
  • Likes kayaking, exploring, and getting lost
  • Lives at the Regent
  • Works as a Technology Support Specialist for Steve Brown Apartments

SLIDE 14

Let's Start with Danielle Treu

  • Her Facebook profile is public, but she is intelligent: she keeps her contact information private
  • But her profile does say that she attends UW-Madison...
  • I wonder if they have some more public information about her

SLIDE 15

More Research

  • UW Whitepages is PUBLIC information
  • That conveniently provides her email address

SLIDE 16

Primary Contact

SLIDE 17

Establishing the Trust

  • Danielle talks to David, and since David trusts Danielle as an “insider”, this trust transfers to the fake Andrew
  • Angry Cow shows up later that day. David is expecting him.
  • Angry Cow identifies himself as Andrew and asks David for the key to the server room

SLIDE 18

The Hack

  • Angry Cow gets physical access to the server and uses a standard password-cracking tool to recover the admin username and password
  • Angry Cow logs into the server and alters the accounting files to indicate that his rent has been paid

SLIDE 19

Summary of This Example

  • Search for public information about your target, using both official and unofficial sources
  • Build a trust ladder: Danielle trusts Andrew and David trusts Danielle, therefore David will trust Andrew -- even if “Andrew” is really Angry Cow!
  • Build a credible story
  • Based on pretexting

SLIDE 20

Pretexting

  • Pretexting is the act of creating and using an invented scenario (the pretext) to persuade a targeted victim to release information or perform an action, and is typically done over the telephone.
  • It's more than a simple lie, as it most often involves some prior research or set-up and the use of pieces of known information (e.g. for impersonation: date of birth, Social Security Number, last bill amount) to establish legitimacy in the mind of the target.

SLIDE 21

Is This Really a Threat to Businesses?

  • So far, this just looks like a technique employed by angry individuals
  • Did you know that Hewlett-Packard engaged in social engineering? In 2006, investigators hired by HP's board used pretexting to obtain the phone records of board members and journalists
  • Watch the testimony of Patricia Dunn, former Chairwoman of HP's board: http://pra-blog.blogspot.com/2006/10/patricia-dunns-incredible-

SLIDE 22

Pretexting Will Likely Continue

  • As most U.S. companies still authenticate a customer by asking only for a Social Security Number, date of birth, or mother's maiden name, the method is effective in many criminal situations and will likely continue to be a security problem in the future.
  • Pretexting is the most common form of social engineering.

SLIDE 23

Example: Hacking Paris Hilton's Phone

  • In 2005, Paris Hilton's phone was hacked. The contents of her T-Mobile Sidekick were posted to illmog.org, including the phone numbers of Eminem, Vin Diesel, Lindsay Lohan, and Anna Kournikova.

SLIDE 24

The Steps...

  • The attackers learn of a programming glitch on the T-Mobile website: the tool that let users reset their account password contained a vulnerability.
  • They figure out how to reset the password of any user whose phone was a Sidekick.

SLIDE 25

The Steps...

  • To get Paris Hilton's phone number, the attackers get a caller-ID spoofer and call a T-Mobile sales store in California
  • The conversation goes something like this:
    – Attacker: “This is [whoever] from T-Mobile Headquarters in Washington. We heard you've been having problems with your customer account tools?”
    – Employee: “No, we haven't had any problems really. Just a couple of slow downs.”
    – Attacker: “Yes, that is what is described here in this report. We're going to have to look into this for a quick second.”

SLIDE 26

The Steps...

  • The T-Mobile rep gave out the URL of the internal T-Mobile site used to manage customer accounts.
  • Also gave the username and password used by employees to log in.
  • With Hilton's phone number, they could use the glitch to reset her password.
  • This caused a text message to be sent to her phone.
  • The attackers then called her, using their caller-ID spoofer.

SLIDE 27

The Steps...

  • Attacker: “There are some network difficulties. Have you been getting any SMS about a password reset? What were the contents of the message?”
  • At this point, she has no idea that her password has really been changed and her account hacked
  • Since videos and data on the Sidekick are stored on T-Mobile's central servers, they could download all of Hilton's info to their own phones.
  • The hackers were teenagers.
    – Who appreciated that Hilton had nude photos saved on her Sidekick...

SLIDE 28

Also, gratuitous Matrix sidestory

  • Hackers also called Laurence Fishburne, demanding that he “GIVE US THE SHIP!”

SLIDE 29

Now, Back to the “Theory”

SLIDE 30

Social Psychology: Persuasion

  • A number of variables influence the persuasion process:
    – The Communicator (Who?)
    – The Message (What?)
    – The Audience (Whom?)
    – The Channel (How?)
  • For now, let's focus on “The Communicator”

SLIDE 31

Social Psychology: Persuasion

  • The Communicator (Who?):
    – Credibility
    – Expertise
    – Trustworthiness
    – Attractiveness

SLIDE 32

Social Psychology: Persuasion

  • Credibility: “The Milgram Experiment”

(image: white lab coat)

SLIDE 33

Social Psychology: Persuasion

  • Credibility: “The Milgram Experiment”
    – The “assistant” will give electric shocks of increasing voltage to the “test subject”, whom they can hear through a covered window but cannot see
    – The “test subject” is actually an actor and is not really getting shocked

SLIDE 34

Social Psychology: Persuasion

  • Credibility: “The Milgram Experiment”
    – After a few shocks, the “test subject” actor begins yelling in pain, banging on the wall, begging for the shocks to stop
    – “Assistants” would ask the man in the white coat what to do; upon being told to continue, 65% of “assistants” went on to administer 450-volt shocks from the switch labeled “dangerous”
      · By the time the 450-volt switch is reached, the actor has already been dead silent for many minutes

SLIDE 35

Social Psychology: Persuasion

  • So what's the moral of the story?
    – Most people will obey the man in the white coat
    – In social engineering, creating the aura of an authority figure allows the adversary to persuade easily, because she has established credibility!

SLIDE 36

Social Psychology: Persuasion

  • The Communicator (Who?):
    – Credibility
    – Expertise
    – Trustworthiness
    – Attractiveness

Source: http://en.wikipedia.org/wiki/Social_psychology_(psychology)

SLIDE 37

Social Psychology: Persuasion

In general, will social engineering attacks be more successful if the adversary, instead of looking like this…

SLIDE 38

Social Psychology: Persuasion

…looks like this?

The answer is YES! (and that's true regardless of sex)


SLIDE 40

Social Psychology: Persuasion

Would my social engineering attack have been more successful if this… …looked like this instead?

Side note: women are more likely to trust women, and men are more likely to trust men.

Source: "Gender pairing bias in trustworthiness", Journal of Socio-Economics, Volume 38, Issue 5, October 2009, Pages 779-789

SLIDE 41

Social Psychology: Illusory Superiority

  • I bet you are thinking, “That wouldn't happen to me, I know better!”
    – Oh really? Don't be so sure! Social Engineers have a nearly 50% success rate with minimal effort
    – It's easy for you to say you wouldn't be fooled, because you are currently suffering from bias!
      · This bias is called illusory superiority
      · It causes people to overestimate their positive qualities and abilities and to underestimate their negative qualities, relative to others

SLIDE 42

So… people are dumb

  • Amazing statistics, for your enjoyment:
    – In a 2003 information security survey, 90% of office workers gave researchers what they claimed was their password in answer to a survey question, in exchange for a cheap pen
    – In another study, 70% of people claimed they would reveal their computer password in exchange for a bar of chocolate
    – 34% of respondents volunteered their password when asked, without even needing to be bribed

* Researchers made no attempt to validate the passwords

Source: http://news.bbc.co.uk/1/hi/technology/3639679.stm

SLIDE 43

Popular Methods of Attack

  • Dumpster Diving
  • Shoulder Surfing
  • Malicious E-mail Attachments
  • Deception and Manipulation
  • “Phishing”
  • “Pharming”
  • Reverse Social Engineering
  • PBX Disguise

SLIDE 44

Dumpster Diving

  • Searching through a company's trash bins for sensitive/internal documents
    – Memos
    – Company Directories
    – Account Statements

SLIDE 45

Shoulder Surfing

  • Observing an employee using his/her computer:
    – Witness userID and/or password entry
    – Observe system resources
    – Obtain customer information

SLIDE 46

Malicious Email Attachments

  • E-mail messages carefully written to entice readers to download malicious files.
    – Usually sent as “spam” to multiple employees listed in a company directory or email list, but can target a specific employee
    – Messages appear to be harmless, sometimes using common names to pose as a coworker or friend: John, Richard, Judy, Cindy, etc.

SLIDE 47

Malicious Email Attachments

    – Content can be downloaded directly at the user's request (opening an attachment), or fetched automatically when the mail client renders embedded/remote images in the message.
    – Malicious files may include keystroke loggers, password stealers, viruses, worms, and/or trojan horses.
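The following is an added example, not part of the original slides: a small triage script for one e-mail message that covers both delivery paths described above (an attachment the user opens, and content the client fetches automatically when it renders the message) and the classic phishing tell of a link whose visible text names a different host than its href. It uses only the Python standard library; the sample message, its addresses and its hostnames are constructed for the example, and the extension list is an assumption, not an exhaustive one.

```python
"""Triage one e-mail for: executable or mislabelled attachments, remote images
fetched on render, and links whose visible text disagrees with their href.
Standard library only; the sample message is constructed with made-up names."""
import email
import re
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser

# Extensions Windows will execute or that carry macros (assumed, not exhaustive).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse",
                   ".vbs", ".vbe", ".wsf", ".hta", ".ps1", ".lnk", ".docm", ".xlsm"}
PE_MAGIC = b"MZ"  # first two bytes of every Windows PE executable


def _host(url):
    """Return the lowercase host part of a URL or bare hostname, or None."""
    m = re.match(r"^(?:https?://)?([^/:?#\s]+)", url.strip())
    return m.group(1).lower() if m else None


class _HtmlScanner(HTMLParser):
    """Collect remote images (fetched on render) and anchors whose visible text
    looks like a hostname that differs from the href's host."""

    def __init__(self):
        super().__init__()
        self.remote_images = []
        self.link_mismatches = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img" and (a.get("src") or "").lower().startswith(("http://", "https://")):
            self.remote_images.append(a["src"])
        elif tag == "a" and a.get("href"):
            self._href, self._text = a["href"], []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = "".join(self._text).strip()
            # Only compare when the visible text itself looks like a hostname/URL.
            if re.match(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}", text, re.I):
                if _host(text) != _host(self._href):
                    self.link_mismatches.append((text, self._href))
            self._href = None


def triage(raw_bytes):
    """Return a list of human-readable findings for one RFC 5322 message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        ctype = part.get_content_type()
        if name:  # an attachment (or inline file)
            ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
            payload = part.get_payload(decode=True) or b""
            if ext in EXECUTABLE_EXTS:
                findings.append(f"executable attachment: {name}")
            if payload.startswith(PE_MAGIC):  # trust bytes, not the declared type
                findings.append(f"attachment {name} is a PE executable but declared {ctype}")
        elif ctype == "text/html":
            scanner = _HtmlScanner()
            scanner.feed(part.get_content())
            findings += [f"remote image fetched on render: {u}" for u in scanner.remote_images]
            findings += [f"link text {t!r} actually points to {h}" for t, h in scanner.link_mismatches]
    return findings


def build_sample():
    """Constructed message: HTML body with a 1x1 tracking image and a deceptive
    link, plus 'invoice.pdf.exe' declared as application/pdf but starting with MZ."""
    msg = EmailMessage()
    msg["From"] = "Judy <judy@mail.example>"
    msg["To"] = "jim@corp.example"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached invoice.")
    msg.add_alternative(
        '<p>Please visit <a href="http://bank.example.evil.test/login">'
        'www.bank.example</a> to confirm.</p>'
        '<img src="http://track.evil.test/pixel.gif?id=jim" width="1" height="1">',
        subtype="html")
    msg.add_attachment(PE_MAGIC + b"\x90\x00" + b"\x00" * 60,
                       maintype="application", subtype="pdf",
                       filename="invoice.pdf.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    for line in triage(build_sample()):
        print(line)
```

Running the script on the constructed message yields four findings: the double-extension attachment, the MZ header hiding behind a PDF content type, the remote tracking image, and the link whose text says one bank while its href goes to another host. A mail gateway would act on the first two (quarantine) and on the others by rewriting or blocking the remote fetch.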

SLIDE 48

Related: “Roadside Apples”

  • Also known as “Baiting”
  • Uses physical media and relies on the curiosity or greed of the victim
  • USB drives or CDs found in the parking lot, with label: 3M Executive Salaries
  • Autorun on inserted media ran the payload as soon as the drive was plugged in. Windows 7 and later (and patched XP/Vista since 2011) no longer honor AutoRun from USB mass storage, only from optical media, so today's “lost USB stick” relies on the finder opening a file, or on the device presenting itself as a keyboard.

SLIDE 49

Deception and Manipulation

  • Impersonation: pretending to be a customer, Tech Support Specialist, manager, etc.
  • Ingratiation: motivating the victim to comply in order to improve or protect their reputation with management.
  • Conformity: motivating the victim to comply because it is a standard practice.
  • Peer Pressure: motivating the victim through flattery, flirtation, intimidation and/or guilt.

SLIDE 50

Example:

  • “Hi Jim, this is Steve from tech support. I'm showing your boss, Rick, has a virus on his desktop computer. I understand Rick is on a business trip and I can't seem to get a hold of him at the hotel. You wouldn't happen to have his user ID handy, would you? I'd like to clean his computer before he gets back. I'm sure he'd appreciate your help.”

SLIDE 51

Phishing

  • Do I really have to explain this?

SLIDE 52

Pharming

  • An in-depth phishing scheme involving
    – compromising a DNS server or resolver that the victims use (or the hosts file on their own machines)
    – changing the DNS records of a popular website so that its name resolves to the attacker's phishing site
  • Users trust the phishing website because they typed the address themselves and the address bar shows it correctly (http://www.citibank.com).
  • Caveat: over HTTPS the attacker cannot present a valid certificate for the real name, so the browser warns; pharming therefore relies on plain HTTP or on users clicking through certificate warnings.
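Added example, not from the slides: two cheap checks that catch the record changes pharming depends on. The first audits a hosts file for entries that pin a sensitive site to an address (the local equivalent of poisoning the resolver); the second compares the A records several resolvers return for the same name and flags any resolver whose answers share nothing with the majority. All hostnames, addresses and records below are constructed for the example; the protected-name list and resolver names are assumptions.

```python
"""hosts_overrides(): find hosts-file lines that pin protected names locally.
resolver_outliers(): find a resolver whose A records share no address with the
majority of other resolvers (a poisoning indicator). Data is constructed."""
import ipaddress
from collections import Counter

# Names that should never be pinned in a hosts file (assumed list for the example).
PROTECTED = {"www.citibank.com", "citibank.com", "login.bank.example"}

# Constructed hosts file with one injected line.
SAMPLE_HOSTS = """\
# constructed hosts file
127.0.0.1      localhost
::1            localhost ip6-localhost
10.0.0.5       intranet.corp.example
198.51.100.7   www.citibank.com citibank.com   # injected by attacker
"""


def hosts_overrides(hosts_text, protected=PROTECTED):
    """Return [(name, ip)] for protected names the hosts file resolves locally.
    Tolerates comments, blank lines, IPv6 and several names per line."""
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line; a real audit would report it too
        for name in fields[1:]:
            key = name.lower().rstrip(".")
            if key in protected:
                hits.append((key, str(ip)))
    return hits


# Constructed A-record answers for one name from four resolvers.
# The local resolver has been poisoned; the other three agree.
SAMPLE_ANSWERS = {
    "local-resolver": {"198.51.100.7"},
    "isp-resolver":   {"192.0.2.10", "192.0.2.11"},
    "8.8.8.8":        {"192.0.2.10", "192.0.2.11"},
    "1.1.1.1":        {"192.0.2.11", "192.0.2.10"},
}


def resolver_outliers(answers):
    """Return resolvers whose answer set shares no address with the addresses a
    majority of resolvers returned. CDN-fronted names legitimately differ a
    little between resolvers, so zero overlap, not inequality, is the flag."""
    votes = Counter(addr for addrs in answers.values() for addr in addrs)
    majority = {addr for addr, n in votes.items() if n > len(answers) / 2}
    if not majority:
        return []  # no consensus at all; nothing to compare against
    return sorted(name for name, addrs in answers.items() if not (set(addrs) & majority))


if __name__ == "__main__":
    print(hosts_overrides(SAMPLE_HOSTS))      # the two injected citibank names
    print(resolver_outliers(SAMPLE_ANSWERS))  # ['local-resolver']
```

In practice the answer sets would come from querying each resolver (for example with the `dig @resolver name A` command) and the hosts-file audit would run as part of endpoint integrity monitoring; neither check replaces certificate validation, which is what actually stops the user from handing credentials to the wrong host.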

SLIDE 53

Reverse Social Engineering

  • A method used to get the user to seek out the social engineer for help!
  • Three-step process:
    – Sabotage: attacker causes an application on the victim's computer to fail
    – Advertising: attacker advertises his/her phone number for the victim to call for help
    – Assisting: the attacker asks for personal or sensitive information while pretending to assist the user

SLIDE 54

Related: Quid Pro Quo

  • Means “something for something”
  • A person contacts people one by one until he/she finds a person with a problem
  • When they find a person, they “fix” their problem by introducing malware to their machine

SLIDE 55

PBX Disguise

  • PBX (Private Branch eXchange): an attacker manipulates the company's internal phone system so that its caller-ID presents the attacker as someone of authority
  • The PBX system can be cracked/hacked to generate a false caller-ID for the attacker
  • Usually done by convincing someone of authority to “blind transfer” the attacker's call to the victim, so the call appears to come from an internal extension

SLIDE 56

PBX Disguise Example

  • Attacker: “Hello? Who is this? Tech Support? Oh, I'm sorry. I'm trying to reach Terry Simpson at extension 24667. Can you transfer me please? I'm in a hurry.”
  • <Tech Support blind transfers the call.>
  • Attacker: “Hi Terry, this is Jim from Tech Support. You can verify my identity from the caller-ID. Yes, I need to reset your password...”

SLIDE 57

Attack Template

  • Any combination of methods is strategically employed by the social engineer for each situation
  • Attacks usually follow four steps:
    – Preparation
    – Confidence Build
    – Exploitation
    – Retrieval

SLIDE 58

Attack Template

  • Preparation: attacker researches information that will build credibility with the victim
  • Confidence Build: attacker uses the research to gain the victim's confidence
  • Exploitation: attacker motivates the victim to divulge sensitive information
  • Retrieval: attacker uses the sensitive information for profit or to prepare for a higher-level attack

SLIDE 59

Example

  • Preparation: Attacker dumpster dives for an old copy of the company directory from a trash bin behind the company's main headquarters; collects names and phone numbers to impersonate and target.
  • Confidence Build: Attacker uses deception to pose as a department manager, mentioning names of other coworkers in the field (from the directory) to buy credibility

SLIDE 60

Example (cont.)

  • Exploitation: Attacker manipulates a victim business manager from another location into unwittingly revealing the physical location of a data center holding a customer information database.
  • Retrieval: Attacker uses this information to target employees at the data center, who further reveal information used to gain access to the database; customer information is later used to commit credit fraud for personal profit.

SLIDE 61

Who is this?

Source: http://ils.unc.edu/~neubanks/inls187/home/fugitive.html

SLIDE 62

Kevin Mitnick

  • In 1981, at the age of 17, Mitnick and his gang of hackers decided to physically break into COSMOS, a database used for controlling the phone system's basic record-keeping functions
  • In broad daylight on a Saturday, the group talked their way past security and into the room where the database system was located
  • From that room, the gang lifted combination lock codes for nine Pacific Bell offices and the COSMOS system's operating manuals

Source: http://www.takedown.com/bio/mitnick.html

SLIDE 63

Kevin Mitnick

  • To ensure continued access, they placed fake names and phone numbers into a company rolodex, which would have allowed them to call in and further social engineer, if needed
    – Take-home point: hackers always leave a way back in
  • A manager soon realized the names were fraudulent and contacted police; Mitnick was later tied to the theft by a conspirator's former girlfriend
    – Take-home point: don't tell your girlfriend about your crime attempts, especially when they constitute a felony :)

Source: http://www.takedown.com/bio/mitnick.html

SLIDE 64

Kevin Mitnick

  • Reportedly hacked into a National Security Agency system through Hughes Aircraft's network in 1985
  • Arrested in 1995; investigators found over 20,000 credit card numbers on his computers. In 1999 he pleaded guilty to wire fraud and computer fraud, including intrusions into systems at Motorola and Sun Microsystems.
  • Sentenced to roughly 5 years in prison, 8 months of which he spent in solitary confinement, followed by three years of supervised release during which he was barred from using computers without permission.

SLIDE 65

Ways to Combat Social Engineering

  • Good security policy
  • Make sure your employees understand the dangers and threats
  • Make sure employees understand what Data Classification means and what type of information you publicly give away

SLIDE 66

Most Important Gem of Wisdom

  • Never, never give out a username, password, account number, SSN, etc., over the same channel used to initiate the request!
  • Verify the requester through an independent channel you control: for example, if a phone call comes in asking for an SSN, hang up and call the requester back on the number listed in the company directory, or route the request through the documented process, rather than answering on the inbound call. (Never send an SSN or password by email; email is not a confidential channel.)

SLIDE 67

Questions?