The iCloud Hack CMSC 334 Prof Szajda 1 Social Engineering Many - - PowerPoint PPT Presentation

The iCloud Hack

CMSC 334 Prof Szajda

1

2

Social Engineering

Many of the slide here deal with Social Engineering.

Thanks for those slides go to: The late Dr. Yosef Sherif, unknown colleague at UW-Madison, Mathew Sullivan at Iowa State, Tanya L. Crenshaw at U. Portland, various other colleagues and contributors

iCloud Hack info

Thanks to Nik Cubrilovic https://www.nikcub.com/posts/ notes-on-the-celebrity-data-theft/

3

The iCloud Hack: What happened?

• Personal and private nude photos of celebs started

appearing on online image boards and forums

– First pics posted a week before the scam became public

• Not public because images were being ransomed (only censored

images distributed, and then only to entice folks to buy)

• Once uncensored images published, scam blew up

– Over 400 individual images and vids

• Over a dozen celebs, at least 100 individuals had data

compromised

4

Apparently...

• This scam only scratches the surface

– There are private communities and trading networks where data that is stolen remains private – Horizontally Organized

• People carrying out specific tasks
• Loosely organized
• Communication via private email and IM

5

The Goal

• Steal private media from phones that utilize cloud

backup services integrated into iPhones, Android, and Windows phones

• Accessing backup requires

– User ID and Password OR – Authentication token

6

Scammer Network Roles

• Users who troll social networks looking for targets

and collecting information

– Utilize public record services and buy credit reports – Setup fake profiles – Friending target or friends of target – Extract info that helps answer secret questions

7

Scammer Network Roles

• Folks who use the gathered data to determine

password of other authentication token. Methods:

• (Most with online tutorials!)

– RATS (Remote Access Tools)

• Target tricked into installing via private message OR
• Target receives email link or attachment that installs RAT OR
• Friend of target installs RAT on phone or computer via physical

access

– Phishing: Target receives password reset or other tricks that cause target to enter password into a hacker- controlled site – Password reminder: after gaining control of email, have “reminder link” sent to access cloud storage – Password reset: answering birth and security question challenges (often easily broken with public info)

8

Scammer Network Roles

• Folks who use the authentication info to “rip” cloud-

based backup services using pirates software specifically engineered to dump entire cloud backup set

– Including messages and deleted photos

9

Scammer Network Roles

• Collectors: Organize stolen data info folders

– Via Dropbox and Google Drive

• Create preview images for each set of data, then

email potential clients (i.e., their contacts)

• Email addresses for collectors or for those willing to

trade or sell are typically available by referral, often by someone offering a hacking or ripping service

10

Disturbing...

• Frequent source of new leads are folks who know

someone they want to hack (e.g., friends of celebs) and who have stumbled onto a scammer network via search terms or forums

• Contributor offers up Facebook profile along with

enough info to figure out authentication tokens (possibly even offering to install RAT via physical access)

• In return, contributor gets access to photos and

harvested data

11

FindMyPhone API Brute Force

• An attack on the protocol that allows someone to

find a lost iPhone, for example.

• Given the success rate with the “social engineering”

methods mentioned earlier, either this was not necessary, or possibly the hackers were not aware

• f it.

12

iCloud a Popular Target

• because Picture Roll backups are enabled by

default and iPhone is a popular platform

• Windows Phone backups are available on all

devices, but not enabled by default

13

Apple accounts particularly vulnerable

• Because of recovery process

– Broken into steps that fail at each point! – iCloud doesn’t reveal if an email is a valid iCloud address as part of recovery process

• BUT they do indicate whether email is valid if one attempts to
• pen a new account with the same email (thus allowing brute

force)

– Second step is date of birth

• And step succeeds or fails solely on the basis of date of birth, so it

can be guessed

– Last step is the two security questions

• Which can often be guessed based on harvested information

14

Apple accounts particularly vulnerable

• Solutions?
• Apple should disable interface that indicates

whether email is available for iCloud account

• Recovery process should be one big step

– Where all data is validated at once (so no way to know which step failed) – And user not given specific error message – Should also have rate limits and strict lockout on the recovery process on per-account basis

• Ability to post to POST email address to link and getting validity

response with little rate limiting is a serious bug

15

OPSEC level of average scammer

• Was not impressive
• 98% of email addresses provided in forums as part
• f advertising or promotions are with the popular

providers (gmail, outlook, yahoo)

– None of these are TOR friendly

• Users spoke of using VPNs when breaking into

accounts, and suggesting which VPNs are best, fastest, and “most anonymous”.

• It was incredibly easy to publicly identify those

responsible

16

Tracking one distributor

• Posted a screenshot as part of an ad to sell 60

photos and vids for a single celeb, but didn’t black

• ut his machine name or the machine names of the
• ther computers on his local network

– A user on one of reddit did a Google search and tracked down the company where the distributor worked. – Tracking each of the macine names lead to reddit account that posted a screen shot of the exact same explorer interface

• Dude apparently liked to take screen shots of his own machine

– Worse, the pics belonged to gymnast McKayla Maroney, who was a minor when the pics were taken

• Thus the screen shot is an admission of possession of child

pornography

17

So, How to Stay Secure

• Pick a better password
• Set security answers to be long random strings
• Enable two-factor authentication
• Ring-fence email

– Two different email addresses, one for public consumption, another for private accounts

• If you are a celeb, get a second phone that uses an

alias

18

Appleʼs Official Statement

19

Social Engineering

20

Social Engineering: Definition

• Social Engineering: “the practice of obtaining

confidential information by manipulation of legitimate users.” (from Wikipedia.com)

• Attackers “trick” employees into revealing sensitive

information, usually to gain access to a computer system: user-ID, password, IP address, etc.

21

Social Engineering: Definition

• A Social Engineer is basically a flavor of “Con-

Man” (“Con-Person?)

• Historically, Con-Men have been highly successful

at convincing victims to give them valuable items (money, jewelry, etc).

• Social Engineers employ similar methods aided by

modern technology to obtain valuable data from system users.

22

Social Engineering: Definition

• Con-Men and social engineers see their attacks as

an art form or a social trade.

– The pride themselves on their ability to manipulate a person’s natural tendency to trust others – They are highly skilled and use very effective psychological methods – Some work for personal edification; other work for profit

23

Social Engineering

¨ The end user is usually the weakest link of a system

¤ People are often lazy, ignorant to security, or simply

gullible

¨ Social engineering is a journey into social

psychology!

¤ Yes I know, that probably doesn’t sound very fun ¤ Well guess what… it is, so deal with it!

25

But First: Some Examples

Case Scenario: Meet Angry Cow

• Angry Cow is a Computer Science student at UW-

Madison

• Angry Cow just got an eviction notice!

26

Simple Public Information is Found

• Angry Cow lives at the

Regent

• The Regent’s website

indicates that it is owned by Steve Brown Properties

• Angry Cow wants to “fix”

Steve Brown’s record keeping spreadsheet to show that rent has been paid

27

Finding A Way In...

• Facebook is Angry Cow’s first weapon of

choice because it is an unofficial source of information

• Poor controls over data sharing
• Lots of important information there that

might not seem important, but could be his first step in…

• Go to Facebook and search: “Steve Brown

Apartments” to find an appropriate unknowing accomplice

28

29

Letʼs See -- Danielle Treu

• Born July 24, 1988
• Enjoys playing in the rain, drinking coffee, and

spending money

• Works at Subway and as a Resident Assistant for

Steve Brown Apartments

30

Letʼs See -- David Klabanoff

• Born April 21, 1979
• Likes Star Wars and The Muppet Movie
• Is a Concierge for Steve Brown Apartments

31

Letʼs See -- Andrew Baldinger (who made these slides?)

• Born March 30, 1986
• Likes kayaking,

exploring, and getting lost

• Lives at the Regent
• Works as a

Technology Support Specialist for Steve Brown Apartments

32

Letʼs Start with Danielle Treu

• Her Facebook profile is pubic, but she is intelligent.

She keeps her contact information private

• But her profile does say that she attends UW-

Madison...

• I wonder if they have some more public information

about her

33

More Research

• UW Whitepages is PUBLIC information
• That conveniently provides her email address

34

Primary Contact

35

Establishing the Trust

• Danielle talks to David, and since David trusts

Danielle as an “insider”, this trust transfers to the fake Andrew

• Angry Cow shows up later that day. David is

expecting him.

• Angry Cow identifies himself as Andrew and asks

David for key to server room

36

The Hack

• Angry Cow gets physical access to server, uses a

standard password cracking program to get Admin username, password

• Angry Cow logs into server and alters accounting

files to indicate that his rent has been paid

37

Summary of This Example

• Search for public information about your target,

using both official and unofficial sources

• Build a trust ladder, Danielle trusts Andrew and

David trusts Danielle, therefor David will trust Andrew -- even if “Andrew” is really Angry Cow!

• Built a credible story
• Based on pretexting

38

Pretexting

• Pretexting is the act of creating and using an

invented scenario (the pretext) to persuade a targeted victim to release information or perform an action and is typically done over the telephone.

• It’s more than a simple lie as it most often involves

some prior research or set up and the use of pieces

• f known information (e.g. for impersonation: date
• f birth, Social Security Number, last bill amount) to

establish legitimacy in the mind of the target.

39

Is This Really a Threat to Businesses?

• So far, this just looks like a

technique employed by angry individuals

• Did you know that Hewlett Packard

regularly engaged in Social Engineering?

• They used the method of pretexting

in order to get phone records

• Watch the testimony of Patricia

Dunn, former Director of HP: http:// pra-blog.blogspot.com/2006/10/ patricia-dunns-incredible-

40

Pretexting Will Likely Continue

• As most U.S. companies still authenticate a client by

asking only for a Social Security Number, date of birth, or mother's maiden name, the method is effective in many criminal situations and will likely continue to be a security problem in the future.

• Pretexting is the most common form of social

engineering.

• Pretexting is the most common

41

Example: Hacking Paris Hiltonʼs Phone

• In 2005, Paris Hilton’s

phone was hacked. The contents of her T-Mobile Sidekick were posted to illmog.org, including the phone numbers of Eminem, Vin Diesel, Lindsay Lohan, and Anna Kournikova.

42

The Steps...

• The attackers learn of a programming glitch on the

T-Mobile website. They found that a tool on the website contained a vulnerability in a tool on the site that allowed users to reset their account password.

• They figure out how to reset the password of any

user whose phone was a Sidekick.

43

The Steps...

• To get Paris Hilton’s phone number, the attackers

get a caller-ID spoofer and call a T-Mobile sales store in California

• The conversation goes something like this:

– Attacker: “This is [whoever] from T-Mobile Headquarters in Washington. We heard you’ve been having problems with your customer account tools?” – Employee: “No, we haven’t had any problems really. Just a couple of slow downs.” – Attacker: “Yes, that is what is described here in this

• report. We’re going to have to look into this for a quick

second.”

44

The Steps...

• The T-Mobile rep gave out the URL of the internal

T-Mobile site used to manage customer accounts.

• Also gave the username and password used by

employees to login.

• With Hilton’s phone number, they could use the

glitch to reset her password.

• This caused a text message to be sent to her

phone.

• The attackers then called her, using their caller-ID

spoofer.

45

The Steps...

• Attacker: “There are some network difficulties.

Have you been getting any SMS about a password reset? What were the contents of the message?

• At this point, she has no idea that her password

has really been changed and her account hacked

• Since videos and data on the Sidekick are stored
• n T-Mobile’s central servers, they could download

all of Hilton’s info to their own phones.

• The hackers were teenagers.

– Who appreciated that Hilton had nude photos saved on her Sidekick...

46

Also, gratuitous Matrix sidestory

• Hackers also called Laurence Fishburne,

demanding that he “GIVE US THE SHIP!”

47

48

Now, Back to the “Theory”

Social Psychology: Persuasion

¨ A number of variables influence the persuasion

process:

¤ The Communicator (Who?) ¤ The Message (What?) ¤ The Audience (Whom?) ¤ The Channel (How?)

¨ For now, let’s focus on “The Communicator”

Social Psychology: Persuasion

¨ The Communicator (Who?):

¤ Credibility ¤ Expertise ¤ Trustworthiness ¤ Attractiveness

Social Psychology: Persuasion

¨ Credibility: “The Milgram Experiment”

white lab coat

Social Psychology: Persuasion

¨ Credibility: “The Milgram Experiment”

¤ The “assistant” will give electric shocks in increasing

voltages to the “test subject” they can hear via a covered window, but can not see

¤ The “test subject” is actually an actor and is not really

getting shocked

Social Psychology: Persuasion

¨ Credibility: “The Milgram Experiment”

¤ After a few shocks, “test subject” actor begins yelling in

pain, banging on wall, begging for the shocks to stop

¤ “assistant” members would ask the man in the white coat

what to do, upon being told to continue, 65% of “assistants” would go on to administer 450-volt shocks from the switch labeled “dangerous”

n By the time the 450-volt switch is reached, the actor has

already been dead silent for many minutes

Social Psychology: Persuasion

¨ So what’s the moral of the story?

¤ Most people will obey the man in the white coat ¤ In social engineering, creating the aura of an authority

figure allows the adversary to persuade easily, because she has established credibility!

Social Psychology: Persuasion

¨ The Communicator (Who?):

¤ Credibility ¤ Expertise ¤ Trustworthiness ¤ Attractiveness

Source: http://en.wikipedia.org/wiki/Social_psychology_(psychology)

Social Psychology: Persuasion

In general, will social engineering attacks be more successful if the adversary, instead of looking like this…

Social Psychology: Persuasion

…looks like this?

The answer is YES! (and that’s true regardless of sex)

Social Psychology: Persuasion

…looks like this?

The answer is YES! (and that’s true regardless of sex)

Social Psychology: Persuasion

Would my social engineering attack have been more successful if this… …looked like this instead? Side note: women are more likely to trust women, and men are more likely to trust men

Source: "Gender pairing bias in trustworthiness" from Journal of Socio-Economics, Volume 38, Issue 5, October 2009, Pages 779-789

Social Psychology: Illusory Superiority

¨ I bet you are thinking, “That wouldn’t happen to me, I

know better!”

¤ Oh really? Don’t be so sure! Social Engineers have a

nearly 50% success rate with minimal effort

¤ It’s easy for you to say you wouldn’t be fooled, because

you are currently suffering from bias!

n This bias is called illusory superiority n Causes people to overestimate their positive qualities and

abilities and to underestimate their negative qualities, relative to others

So… people are dumb

¨ Amazing statistics, for your enjoyment:

¤ In a 2003 information security survey, 90% of office

workers gave researchers what they claimed was their password in answer to a survey question in exchange for a cheap pen

¤ In another study, 70% of people claimed they would

reveal their computer password in exchange for a bar

• f chocolate

¤ 34% of respondents volunteered their password when

asked without even needing to be bribed

* Researchers made no attempt to validate the passwords Source: http://news.bbc.co.uk/1/hi/technology/3639679.stm

Popular Methods of Attack

• Dumpster Diving
• Shoulder Surfing
• Malicious E-mail Attachments
• Deception and Manipulation
• “Phishing”
• “Pharming”
• Reverse Social Engineering
• PBX Disguise

62

Dumpster Diving

• Searching through a

company’s trash bins for sensitive/internal documents

– Memos – Company Directories – Account Statements

63

Shoulder Surfing

• Observing an employee

using his/her computer:

– Witness userID and/or password entry – Observe system resources – Obtain customer information

64

Malicious Email Attachments

• E-mail messages carefully written to entice readers

to download malicious files.

– Usually sent as “spam” to multiple employees listed in a company directory or email list, but can target a specific employee – Messages appear to be harmless, sometimes using common names to pose as a coworker or friend: John, Richard, Judy, Cindy, etc.

65

Malicious Email Attachments

– Attachments can be downloaded directly by user’s request or automatically through embedded images. – Malicious files may include keystroke loggers, password stealers, viruses, worms, and/or trojan horses.

66

Related: “Roadside Apples”

• Also known as “Baiting”
• Uses physical media and relies on the curiosity or

greed of the victim

• USB drives or CDs found in the parking lot, with

label: 3M Executive Salaries

• Autorun on inserted media

67

Deception and Manipulation

• Impersonation: Pretending to be a customer, Tech

Support Specialist, manager, etc.

• Ingratiation: motivating the victim to comply in order

to improve or protect their reputation with management.

• Conformity: motivation the victim to comply

because it is a standard practice.

• Peer Pressure: motivating the victim through

flattery, flirtation, intimidation and/or guilt.

68

Example:

• “Hi Jim, this is Steve from tech support. I’m

showing your boss, Rick, has a virus on his desktop

• computer. I understand Rick is on a business trip

and I can’t seem to get a hold of him at the hotel. You wouldn’t happen to have his user ID handy, would you? I’d like to clean his computer before he gets back. I’m sure he’d appreciate your help.”

69

Phishing

• Do I really have to explain this?

70

Pharming

• An in-depth phishing scheme involving

– cracking into a local DNS server – changing the IP routing information of a popular website to a phishing website

• Users trust the phishing website because the

internet address has been requested directly and shows correctly (http://www.citibank.com).

71

Reverse Social Engineering

• A method used to get the user to seek the social

engineer for help!

• Three step process:

– Sabotage:

• Attacker causes an application on the victim’s computer to fail

– Advertising:

• Attacker advertises his/her phone number for the victim to call for

help

– Assisting:

• The attacker asks for personal or sensitive information while

pretending to assist the user

72

Related: Quid Pro Quo

• Means “something for something”
• A person contacts people one by one until he/she

finds a person with a problem

• When they find a person, they “fix” their problem by

introducing malware to their machine

73

PBX Disguise

• PBX (Public Business eXchange) an attacker

manipulates the company’s internal caller-ID system to impersonate someone of authority

• PBX system can be cracked/hacked to generate a

false caller-ID for the attacker

• Usually done by convincing someone of authority to

“blind transfer” the attacker’s call to the victim

74

PBX Disguise Example

• Attacker: “Hello? Who is this? Tech Support? Oh,

I’m sorry. I’m trying to reach Terry Simpson at extension 24667. Can you transfer me please? I’m in a hurry.”

• <Tech Support blind transfers the call.>
• Attacker: “Hi Terry, this is Jim from Tech Support.

You can verify my identity from the caller-ID. Yes, I need to reset your password...”

75

Attack Template

• Any combination of methods are strategically

employed by the social engineer for each situation

• Attacks usually follow four steps:

– Preparation – Confidence Build – Exploitation – Retrieval

76

Attack Template

• Preparation: attacker researches information that

will build credibility with the victim

• Confidence Build: attackers uses research to gain

the victim’s confidence.

• Exploitation: attacker motivates the victim to divulge

sensitive information.

• Retrieval: attacker uses sensitive information for

profit or to prepare for a higher level attack

77

Example

• Preparation: Attacker dumpster dives for an old

copy of the company directory from a trash bin behind the company’s main headquarters; collects names and phone numbers to impersonate and target.

• Confidence Build: Attacker uses deception to pose

as a department manager, mentioning names of

• ther coworkers in the field (from the directory) to

buy credibility

78

Example (cont.)

• Exploitation: Attacker manipulates a victim business

manager from another location to unwittingly reveal the physical location of a data center holding a customer information database.

• Retrieval: attacker uses this information to target

employees at the data center, who further reveal information used to gain access to the database; customer information is later used to commit credit fraud for personal profit.

79

Who is this?

Source: http://ils.unc.edu/~neubanks/inls187/home/fugitive.html

Kevin Mitnick

¨ In 1981, at the age of 17, Mitnick and his gang of

hackers decided to physically break into COSMOS, a database used for controlling the phone system’s basic recordkeeping functions

¨ In broad daylight on a Saturday, the group talked their

way past security and into the room where the database system was located

¨ From that room, the gang lifted combination lock codes

for nine Pacific Bell offices and the COSMOS system’s

• perating manuals

Source :http://www.takedown.com/bio/mitnick.html

Kevin Mitnick

¨ To ensure continued access, they placed fake names and

phone numbers into a company rolodex, which would have allowed them to call in and further social engineer, if needed

¤ Take-home point: hackers always leave a way back in

¨ A manager soon realized the names were fraudulent and

contacted police; Mitnick was later tied to the theft by a conspirator’s former girlfriend

¤ Take-home point: don’t tell your girlfriend about your crime

attempts, especially when they constitute a felony J

Source :http://www.takedown.com/bio/mitnick.html

Kevin Mitnick

• Hacked into the National Security Agency system

using Hughes Aircraft’s network in 1985

• Convicted in 1995 of theft and fraud on over 20,000

credit cards, and for hacking into systems at Motorola & Sun Microsystems.

• Sentenced to 5 years in prison, 8 months of which

he was held in solitary confinement; lifetime probation from using computers.

83

Ways to Combat Social Engineering

• Good security policy
• Make sure your employees understand dangers

and threats

• Make sure employees understand what Data

Classification means and what type of information you publicly give away

84

Most Important Gem of Wisdom

• Never, ever give out username, password, account

number, SSN, etc., over the same channel used to initiate the request!

• For example, if a phone call come in asking for a

SSN, send the SSN via email or regular mail

85

86

Questions?