Social-Engineering & Low-Tech Attacks
CSH6 Chapter 19 “Social Engineering & Low-Tech Attacks”
Karthik Raman, Susan Baumes, Kevin Beets & Carl Ness
Copyright © 2014 M. E. Kabay. All rights reserved.


Topics
  CSH6 Chapter 19
    Background & History
    Social Engineering Methods
    Psychology and Social Psychology of Social Engineering
    Dangers & Impact
    Detection
    Response
    Defense & Mitigation
  CSH6 Chapter 20: Spam, Phishing & Trojans
    E-mail Basics
    Spam (not SPAM™)
    Fighting Spam
    Phishing
    Trojan Code

Background & History (1): Trojan Horse
  Trojan War, Greek mythology, c. 1200-1300 BCE
    Iliad & Odyssey of Homer; Virgil’s Aeneid
  Greeks sailed to island of Tenedos, pretended to abandon war
  Left giant hollow horse with soldiers inside
  Sinon convinced Trojans it was an offering to Athena
  Laocoön & Cassandra warned of danger
  Greeks opened gates from inside, slaughtered Trojans, won war

Background & History (2)
  Definition: social engineering is obtaining information or resources using coercion or deceit
  Manipulates trust or gullibility of people
  Often pieces together information
    In random order
    From multiple victims / enablers
  Purposes vary but results are often loss of
    Intellectual property
    Money
    Business advantage
    Credibility ...

Some Notorious Social Engineers
  Frank Abagnale, Jr.
    See Catch Me If You Can movie
    Impersonated pilot, attorney, teacher, doctor ...
    Passed phony checks
    Became expert for FBI
  Kevin Mitnick
    Many exploits
    See earlier lecture on History of Computer Crime

Social Engineering Methods
  Impersonation
  Seduction
  Low-Tech Attacks
  Network and Voice Methods
  Reverse Social Engineering

Impersonation
  Criminals wear uniforms, badges, use the right terms
  Adopt confident air of entitlement
  Pretend to be HelpDesk employees
    Employees conditioned to cooperate
    Technical knowledge reduces questions
    Some HelpDesks violate standards by habitually asking for passwords (BAD)
  HelpDesk employees can be victims
    Criminals pretend to be employees
    Often assume identity of high-ranking executives
    Sometimes bully HelpDesk staff into violating standard operating procedures

Seduction
  Long-term strategy
  May study victim to learn background, habits, likes, dislikes, weaknesses
  Form bond with victim
    Apparent friendship
    Exploit good will to ask for favors
    May use sexual relationship as lever to develop trust
  Foot-in-the-door technique especially useful
    Ask for tiny deviation from standards
    Gradually increase demands

Low-Tech Attacks
  Exploit physical weaknesses in defenses
  Often support social engineering
  Examples
    Dumpster® Diving
    Theft
    Leveraging Social Settings
    Exploiting Curiosity or Naïveté
    Bribery
    Data Mining & Data Grinding
    Piggybacking / Tailgating
    Phishing & Pharming
    Spim, Spit, & Vishing
    Trojan Code and Viruses

Dumpster® Diving
  Dumpster® is a registered trademark of Dempster Brothers for mobile trash receptacles
  In the US, discarded materials put out for collection are generally not protected by law unless they are still on private property (other jurisdictions differ)
  Many organizations sloppily throw away confidential info
    Papers
    Magnetic media
  Criminals derive value from
    Internal organization charts
    Memoranda
    Vacation schedules
  Use info for industrial espionage and impersonation

Theft
  Outright theft of confidential information
    Paper
    CD-ROMs
    USB flash drives and disk drives
    Backups
    Entire laptop computers
    Purses, wallets, briefcases
    Trash bags
  Information used directly or for impersonation

Leveraging Social Situations
  Employees relaxing or traveling may let down their guard
  Social engineers may deliberately eavesdrop
    Company parties
    Clubs, trains, coffee shops
  Classic errors
    Talking about confidential matters
      In public amongst themselves
      To friendly strangers
      Loudly on mobile phones
    Letting strangers view computer screens
    Leaving portable computers unlocked

Exploiting Curiosity or Naïveté
  Criminals (and researchers) have left media lying around
    CD-ROMs
    USB flash drives
    iPod music players
    Music CDs
  Victims routinely insert media into company computers
  Unknowingly load malicious software; e.g.,
    Keyloggers – capture keystrokes and send them to criminals
    Backdoors – allow criminals to seize control of compromised computer behind firewall

Bribery
  Exchange of value in return for violation of policy
  Dangerous for social engineer
    Obviously wrong
    Honest employees (or one with second thoughts) will report attempt to management
    May lead to police involvement, arrest
  Success depends in part on employee attitude
    Disgruntled, unhappy employees are better targets
    Contractors
    Those about to quit or be fired anyway
    Criminal may probe for attitudes using negative comments

Data Mining & Data Grinding
  Search engines
    Reveal confidential information
    Mine information about organizations
    Use caches or WayBack Machine for pages that have been removed
    Web history for older versions
    Search-engine APIs provide special tools
    See references to “Google hacking”: using advanced search operators (e.g., site:, filetype:) with any search engine to find exposed files and pages
  Data grinding
    Extracting metadata from published docs
    Unprotected DOC & HTML files may contain valuable info (e.g., author, e-mail address, last editor, internal file paths, ...)

WayBack Machine (Internet Archive)
  http://archive.org/web/web.php

Network and Voice Methods
  Piggybacking / Tailgating
  Phishing & Pharming
  Spim, Spit, & Vishing
  Trojan Code and Viruses

Piggybacking / Tailgating
  Follow authorized employee into secured location
  Uses social expectations of victim
    What is polite in normal society may be insecure and unwise for security
  Preparations
    Dress like any other employee
    Have excuse ready (“Forgot my card ...”)
  Defenses
    Explicitly forbid piggybacking & explain why
    Teach employees using role-playing

Phishing & Pharming
  Phishing
    Sending e-mail to trick user into providing personal information
    Try to copy official correspondence
    Paste logos
    Often bad grammar, spelling mistakes
  Pharming
    Fake Websites imitate real sites (banks, stores)
    Victim is redirected there by tampering with name resolution (DNS or the local hosts file) rather than by a link in a message
    Collect login, financial information
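A worked example of the link checks a mail gateway or analyst applies to a suspected phishing message: the visible text names one domain while the href goes to another, the href host merely embeds a trusted name as a subdomain label, or the host is a look-alike spelling (digit/letter swaps, Cyrillic homoglyphs, one-character typos) of a trusted name. This is an added example, not code from the CSH6 chapter; the trusted-domain list, the confusable table and the sample message are constructed for the demonstration.

```python
"""Link triage for a suspected phishing message. Added example, not from
the CSH6 slides; TRUSTED, CONFUSABLES and SAMPLE_HTML are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: registrable domains the organisation's mail should legitimately link to.
TRUSTED = {"example-bank.com", "example-store.com"}

# Substitutions commonly used in look-alike domains (ASCII tricks and Cyrillic homoglyphs).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("|", "l"),
               ("\u0430", "a"), ("\u0435", "e"), ("\u043e", "o"), ("\u0440", "p"),
               ("\u0441", "c")]

HOST_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}")


def registrable(host):
    """Crude eTLD+1 (last two labels); enough for the .com/.net names used here."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def normalize(host):
    """Fold confusable characters so 'examp1e-bank.com' compares as 'example-bank.com'."""
    h = host.lower()
    for lookalike, real in CONFUSABLES:
        h = h.replace(lookalike, real)
    return h


def levenshtein(a, b):
    """Edit distance, used to catch one-character typosquats the fold does not cover."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the message."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def triage_link(href, text):
    """Return the reasons a link looks like phishing; an empty list means none found."""
    host = (urlparse(href).hostname or "").lower()
    if not host:
        return ["href has no host"]
    reg = registrable(host)
    if reg in TRUSTED:
        return []
    reasons = []
    shown = HOST_RE.search(text.lower())          # does the visible text name a domain?
    if shown and registrable(shown.group(0)) != reg:
        reasons.append(f"text shows {shown.group(0)} but href goes to {host}")
    for trusted in TRUSTED:
        if host.startswith(trusted + ".") or ("." + trusted + ".") in host:
            reasons.append(f"{trusted} is only a subdomain label of {host}")
        elif levenshtein(normalize(reg), trusted) <= 1:
            reasons.append(f"{reg} is a look-alike of {trusted}")
    return reasons


def triage_message(html):
    """Run triage_link over every link in a message; return only the flagged ones."""
    parser = LinkExtractor()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        reasons = triage_link(href, text)
        if reasons:
            flagged.append((href, reasons))
    return flagged


# Constructed sample message: one legitimate link and two phishing tricks.
SAMPLE_HTML = """
<p>Dear customer, please verify your account.</p>
<a href="https://www.example-bank.com/login">Online banking</a>
<a href="http://examp1e-bank.com/verify">example-bank.com</a>
<a href="https://example-bank.com.account-check.net/x">https://example-bank.com/secure</a>
"""

if __name__ == "__main__":
    for href, reasons in triage_message(SAMPLE_HTML):
        print(href, "->", "; ".join(reasons))
```

The confusable fold and the edit-distance threshold are deliberately loose: this is a triage signal that sends a message to a human or a sandbox, not a verdict, and a real deployment would use a public-suffix list instead of the two-label approximation in `registrable`.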

Spim, Spit, & Vishing
  Spim
    Instant messaging carrying spam
    Try to trick victim by sending link to fake Website via IM
    Bypasses normal Web/e-mail content controls
  Spit
    Spam over Internet telephony
    Limited controls over such spam
  Vishing
    Voice phishing: phishing conducted by telephone, often combined with e-mail (e.g., a message that asks the victim to call a number)
    Trick victim into answering questions about personal information

Trojan Code and Viruses
  Discussed above in slide “Exploiting Curiosity or Naïveté”
  Attackers insert malware on victim’s computer
    Malware silently installed
    Collects or transmits confidential information
    Provides backdoor code to allow unauthorized access

Reverse Social Engineering
  Aka knight-in-shining-armor attack
  Social engineer creates a problem
    E.g., a denial-of-service attack
    Rename or move of critical file
  Arranges to seem to be only person who can solve problem
  Fixes the problem (easy if attacker caused it)
  Gathers information during solution
    “I need to log on as you.”
    Victim may even forget that security policy has been violated
  Gains trust for future exploitation

Psychology & Social Psychology of Social Engineering
  Psychology of Victim
  Social Psychology
  Social Engineer Profile

Psychology of Victim
  Cognitive biases aid criminals
  Choice-supportive bias
    Go with the flow
    Use what works most of the time
  Confirmation bias
    Remember what fits
    See person in janitor outfit as janitor – regardless of rules
  Exposure effect
    What is familiar is comfortable
    Gain trust by referring to familiar topics
  Anchoring
    Focus on one trait at a time
    Soothing, friendly demeanor covers intrusive questions

Social Psychology
  Schema is picture of reality
    Defines normal ways of making judgements and decisions
  Many cognitive errors
    Fundamental attribution error: assuming that behavior indicates stable, internal attributes
      Therefore a pleasant, friendly social engineer cannot possibly be a criminal
    Salience: people notice outliers
      So social engineers try to blend in
    Conformity, compliance & obedience
      Social engineers exert (false) authority
  There’s an entire lecture on social psychology and security in IS342 with a chapter in CSH6.

Social Engineer Profile
  Not as in movies (slide images: especially bad stereotypes); may be
    Outgoing
    Confident
    Well educated
    Blend into environment (clothing, style, speech)
    Good actor
    Quick reactions to changing circumstances
  Dark side
    Exploits relationships
    Little or no empathy for victims (instrumental)
    Increasingly, they are involved in criminal gangs

Dangers & Impact
  Consequences
  Success Rate
  Small Businesses vs Large Organizations

Consequences
  Loss of control over internal documents
    Advantage to competitors – loss of market share
    Stock manipulation – SEC investigations
    Bankrupt company
    Possible criminal proceedings against officers
  Loss of control over customer personally identifiable information (PII)
    Legal ramifications including $$$ liability
    Embarrassment
    Human consequences of identity theft
  Difficulty tracking down how crime was committed
  Destroys trust among employees

Success Rate
  Poor statistical base
    Difficult to detect
    Difficult to find documentation
  Anecdotal evidence from security experts
    Social engineering works
    Consensus that methods are often used ... and highly successful
  Organizations must prepare to defend themselves against these methods (see below)

Small vs Large Organizations
  Small Organizations
    Less prepared & more vulnerable
    People know each other
    More likely to suspect and challenge strangers
    Better communication – may report suspicions quickly to people they know
    Smaller workforce to train
  Large Organizations
    More fragmented: many strangers anyway
    Concern about embarrassment if stranger is an executive from afar
    Bystander effect: let someone else deal with it
    Poorer communications: may never have met security officers

Detection
  People
  Audit Controls
  Technology for Detection

People (1)
  Train employees to remember details of phone calls they receive when caller asks questions
    Gender?
    Caller ID?
    Noise in background?
    Accent?
    What questions?
    What answers?
  Beware questions about names of managers
  No employee should ask for (let alone give) a password

People (2)
  Social engineers may use intimidation
  Ensure that employees know they will not be punished for enforcing security policies
    No legitimate manager would threaten them for NOT violating security rules
  Explicitly provide script for responding to threats – instant sign of potential fraud
    “Yes, I’ll be glad to help you – please hold the line.”
    Employee immediately notifies appropriate contact in security team
  Provide employees with notification procedure
    Whom should they call?
    What information is most helpful (see previous slide)?

Audit Controls
  Real-time audits of log files may detect social-engineering attack in progress
    But no guarantees
    Human manipulation may use no technical exploits until later in crime
    Actual exploit may be very fast
  Post hoc audits may be useful in reconstructing crime
    Trace how criminal used information winkled out of employees
  (Slide images: a log beside a log file; a winkle, Littorina spp. Groan.)
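A worked example of the audit correlation the slide describes, usable both in near-real time and post hoc: a help-desk password reset (especially one granted without identity verification), followed within a short window by a login from an address the account has never used, followed by a sensitive change such as a mail-forwarding rule. This is an added example, not code from the CSH6 chapter; the log format, field names, baseline addresses, sensitive-action list and 30-minute window are constructed assumptions, and the log lines are invented.

```python
"""Audit-log correlation for the trail a social engineer leaves behind.
Added example, not from the CSH6 slides; the log format, KNOWN_SRC
baseline, SENSITIVE list and RESET_WINDOW are constructed assumptions."""
from datetime import datetime, timedelta

# Assumption: baseline of addresses each account has logged in from before.
KNOWN_SRC = {"jdoe": {"198.51.100.20"}, "asmith": {"198.51.100.21"}}
RESET_WINDOW = timedelta(minutes=30)
SENSITIVE = {"add_mail_forward", "disable_mfa", "change_recovery_email"}

# Constructed sample log: ISO timestamp, then space-separated key=value fields.
SAMPLE_LOG = """\
2014-03-03T09:12:05 sys=helpdesk ticket=4471 action=password_reset user=jdoe verified=no
2014-03-03T09:14:30 sys=auth action=login user=jdoe result=success ip=203.0.113.7
2014-03-03T09:15:02 sys=auth action=add_mail_forward user=jdoe ip=203.0.113.7 to=ext@example.net
2014-03-03T10:02:11 sys=helpdesk ticket=4472 action=password_reset user=asmith verified=yes
2014-03-03T10:05:40 sys=auth action=login user=asmith result=success ip=198.51.100.21
2014-03-03T13:30:00 sys=auth action=login user=jdoe result=success ip=198.51.100.20
"""


def parse_line(line):
    """One log line -> dict of fields plus a parsed 'ts' datetime."""
    stamp, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = datetime.fromisoformat(stamp)
    return event


def audit(log_text, known_src=KNOWN_SRC, window=RESET_WINDOW):
    """Correlate events per user; return alerts as (ts, user, severity, reason)."""
    alerts = []
    open_resets = {}                                   # user -> (reset time, verified?)
    seen = {u: set(ips) for u, ips in known_src.items()}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        user, action = ev.get("user"), ev.get("action")
        if ev.get("sys") == "helpdesk" and action == "password_reset":
            verified = ev.get("verified") == "yes"
            open_resets[user] = (ev["ts"], verified)
            if not verified:
                alerts.append((ev["ts"], user, "medium",
                               f"ticket {ev.get('ticket')}: password reset without identity verification"))
            continue
        reset = open_resets.get(user)
        in_window = reset is not None and ev["ts"] - reset[0] <= window
        ip = ev.get("ip")
        if action == "login" and ev.get("result") == "success":
            new_ip = ip not in seen.setdefault(user, set())
            if in_window and new_ip:
                # Unverified reset plus an unfamiliar address is the classic impersonation trail.
                severity = "high" if not reset[1] else "medium"
                alerts.append((ev["ts"], user, severity,
                               f"first login after reset came from unfamiliar address {ip}"))
            else:
                seen[user].add(ip)     # only learn addresses that did not trigger an alert
        elif action in SENSITIVE and in_window:
            alerts.append((ev["ts"], user, "high",
                           f"{action} within {window} of a help-desk password reset"))
    return alerts


if __name__ == "__main__":
    for ts, user, severity, reason in audit(SAMPLE_LOG):
        print(ts.isoformat(), user, severity.upper(), reason)
```

The same function serves both uses on the slide: fed a live stream it raises the alert while the attacker is still inside the window; fed an exported log after the fact it reconstructs which reset, which login and which change made up the incident. The baseline is not updated from a login that triggered an alert, so an attacker's address does not become "known" merely by being used once.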

Technology for Detection
  Content-blocking technology
    E-mail
    Web pages
    Make such monitoring part of documented & signed security policies
  Social Engineering Defense Architecture (SEDA)
    Voice-recognition technology
    Provides better logging of phone calls

Response
  Integrate social-engineering attacks into computer security incident response team processes
  Collect forensic evidence
    In real time if possible
    At minimum ASAP
  Interview human victims
    Right away
    Humanely – do not give impression of looking for scapegoats
  Keep meticulous records

Defense & Mitigation
  Training & Awareness
  Technology for Prevention
  Physical Security & Encryption

Awareness, Training, Education (ATE)
  Raise awareness of problems
    Why employees should care
  Explain social engineering techniques to employees
    Real case studies
    Demonstrations
  Encourage and support challenges
    Asking reasons for questions
    Asking for employee identification
    Checking for authorization for unusual requests
  Provide role-playing exercises to reduce reluctance
  Provide emergency response contact info

Technology for Prevention
  Effective antimalware tools
    Block viruses, Trojans
    Block dangerous Web sites
    Block dangerous phishing spam
    Block popups, ActiveX controls
    Restrict types of cookies
  Use digital certificates to authenticate internal e-mail
  Control over software installation
  Cleanse documents of hidden metadata
  Check Web for unauthorized posting of confidential documents or information
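A worked example covering both the "data grinding" attack in the Data Mining & Data Grinding slide and the "cleanse documents of hidden metadata" countermeasure above: an Office document is a ZIP package whose docProps/core.xml and docProps/app.xml parts carry the author, last editor, revision count, company name and template path, and the same code that harvests those fields can empty them before publication. This is an added example, not code from the CSH6 chapter; the document is constructed in memory so it runs offline, the part and property names are the standard OOXML ones, and every value in it is invented.

```python
"""Data grinding and its countermeasure on an OOXML (.docx) package.
Added example, not from the CSH6 slides; the sample document and its
metadata values are constructed for the demonstration."""
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)        # keep prefixes stable when re-serialising

# What a social engineer harvests: who wrote it, who touched it last, where it lives.
PARTS = {
    "docProps/core.xml": ["dc:creator", "cp:lastModifiedBy", "dcterms:modified", "cp:revision"],
    "docProps/app.xml": ["ep:Company", "ep:Template"],
}

CORE_XML = '''<?xml version="1.0" encoding="UTF-8"?>
<cp:coreProperties xmlns:cp="%(cp)s" xmlns:dc="%(dc)s" xmlns:dcterms="%(dcterms)s">
  <dc:creator>Jane Doe (jdoe@corp.example)</dc:creator>
  <cp:lastModifiedBy>Finance Admin</cp:lastModifiedBy>
  <dcterms:modified>2014-03-03T09:12:05Z</dcterms:modified>
  <cp:revision>17</cp:revision>
</cp:coreProperties>''' % NS

# The template path leaks an internal file-server name: exactly the kind of detail
# an impersonator drops into a call to sound like an insider.
APP_XML = ('<?xml version="1.0" encoding="UTF-8"?>'
           '<Properties xmlns="%(ep)s"><Company>Corp Example Inc.</Company>'
           '<Template>\\\\fileserver\\templates\\finance.dotm</Template></Properties>') % NS


def build_sample_docx():
    """Constructed sample: the smallest ZIP that still carries the OOXML metadata parts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("docProps/core.xml", CORE_XML)
        z.writestr("docProps/app.xml", APP_XML)
        z.writestr("word/document.xml",
                   '<?xml version="1.0"?><w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
                   '<w:body><w:p><w:r><w:t>Q1 forecast</w:t></w:r></w:p></w:body></w:document>')
    return buf.getvalue()


def grind(docx_bytes):
    """Return every harvestable field that is present and non-empty, as {field: value}."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for part, fields in PARTS.items():
            if part not in z.namelist():
                continue
            root = ET.fromstring(z.read(part))
            for field in fields:
                el = root.find(field, NS)
                if el is not None and (el.text or "").strip():
                    found[field] = el.text.strip()
    return found


def scrub(docx_bytes, keep=()):
    """Copy the package, emptying the harvestable fields (except those named in `keep`)."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zin, \
         zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zout:
        for item in zin.infolist():
            data = zin.read(item.filename)
            if item.filename in PARTS:
                root = ET.fromstring(data)
                for field in PARTS[item.filename]:
                    el = root.find(field, NS)
                    if el is not None and field not in keep:
                        el.text = ""
                data = ET.tostring(root, encoding="UTF-8", xml_declaration=True)
            zout.writestr(item, data)     # every other part is copied byte for byte
    return out.getvalue()


if __name__ == "__main__":
    original = build_sample_docx()
    print("harvested:", grind(original))
    print("after scrub:", grind(scrub(original)))
```

Running `grind` over a published document is the attacker's view; running `scrub` and then `grind` again is the pre-publication check that the cleansing actually worked. Real documents also carry custom properties, comments and tracked changes outside these two parts, so a production scrubber should be run and then verified with an independent tool rather than trusted on its own.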

Physical Security, Encryption, & DLP
  Prevent theft of confidential information
    Lock filing cabinets after hours
    Shred discarded documents & disks
    Protect Dumpsters® against divers
  Use data encryption
    Computers – whole-disk encryption
    Peripherals such as USB drives
    Virtual private networks (VPNs) for remote access
  Data-loss prevention (DLP)
    Detect and block confidential data leaving via e-mail, Web uploads, or removable media
    Prevent unauthorized devices from connecting to organization’s networks


Now go and study