Because We Are Just Humans

EHB Keynote - April 2014 - Xavier Mertens

TrueSec

$ whoami

• Xavier Mertens (@xme)

!

• Consultant @ day

!

• Blogger, Hacker @ night

!

• BruCON co-organizer���2

TrueSec

The InfoSec World…

���3

TrueSec

$ cat disclaimer.txt

“The opinions expressed in this presentation are those of the speaker and do not necessarily reflect those of past, present employers, partners or customers.”

���4

TrueSec

Agenda

���5

• Introduction

• Historical examples

• Why and how?

• In our digital world

• Conclusion

TrueSec

“Social What?”

���6

“Social engineering (SE) is the use of techniques to manipulate people into performing actions or divulging confidential information, rather than by

breaking in or using technical hacking techniques”

!

OR !

“A fancier way of lying”

TrueSec

Attackers Are Lazy!

���7

Why make it complicated?

TrueSec

First in the analog life

���8

Vendors: “It’s the last one, hurry up!” !

Headhunters: “I’m Alice from Marketing, May I speak to Bob, please?”

!

Kids: “May I go to this party?” !

… Women of course! (Maybe the wickests! ;-)

TrueSec

Sand in the gears

���9

TrueSec

Really?

���10

TrueSec

$ man 3 human• People aren’t stupid (…well, only some :-])

• But they are…

• Kind

• Naive

• Trustful

• Voluntary

• Scared

���11

TrueSec

People VS. Computers

���12

TrueSec

Agenda

���13

• Introduction

• Historical examples

• Why and how?

• In our digital world

• Conclusion

TrueSec

The Trojan Horse

���14

TrueSec

Victor Lustig

���15

TrueSec

Bernie Madoff

���16

TrueSec

Christophe Rocancourt

���17

TrueSec

Agenda

���18

• Introduction

• Historical examples

• Why and how?

• In our digital world

• Conclusion

TrueSec

Why?

���19

… Because it works!

TrueSec

How?

���20

… Sometimes being a good guy, sometimes being evil!

TrueSec

It’s Cheap!

���21

TrueSec

A nice target

• People know useful information (passwords, procedures, paths, phone numbers)

• People have access to

• Files

• Papers

• Badges

���22

TrueSec

A “Swiss Army Knife”

• People can interact with systems or people

• Download a file

• Disconnect a system

• Introduce to someone else

• Send a mail or fax

• Get personal info

���23

TrueSec

Attacks

• Physical

• Tailgating

• Shoulder surfing

• Trashing

���24

• Technical

• Phishing

• XSS

• Human DoS

TrueSec

Our toolbox• Mail → Easy, anonymous and free

• Phone → Quick and direct access to the target

• Fax → Don’t under estimate the power of a fax in 2014!

• Snail mail → A stamp or nothing…

���25

TrueSec

Psychology

• Fear

• Credulity

• Desire

• Solidarity

���26

TrueSec

The Process

• The target

• The objective

• The plan

���27

TrueSec

The Target• People

• Age, sex, social status, studies, …

• Company

• Open hours

• Jargon

• Procedures

• “Names”

���28

TrueSec

The Objective

• Which info are we looking for?

• Which questions to ask?

• Cross-check

���29

TrueSec

The Plan

• Write down a scenario

• Work below the radar

• Reminders, lexique, …

• Path

• “B” Plan!

���30

TrueSec

Train Yourself

• Challenge your friends!

• It’s a game!

���31

TrueSec

Agenda

���32

• Introduction

• Historical examples

• Why and how?

• In our digital world

• Conclusion

TrueSec

A fact…

���33

“We located the problem: It is located between the keyboard and the chair”

TrueSec

Pwn3d!

���34

This is a mass-pwnage device!

TrueSec

The new OSI-model

���35

Layer 1 - 6

Layer 7

Layer 8 (“user” or “political”)

Over used

Getting better defended

Can’t be patched! ;-)

(Source: @jaysonstreet)

TrueSec

You’ve been “Doxed”

���36

TrueSec

Your Footprint

• In our modern life, we are 24x7 online

• We like to share

• We like to contribute

• Want an example?

���37

TrueSec

At Home?

���38

TrueSec

Maltego

���39

TrueSec

B. Van Rillaer

���40

TrueSec

B. Van Rillaer

���41

• bert.van.rillaer(at)ehb(dot)be

• vanrillaer(at)gmail(dot)com

• +32 2 559 15 xx

• +32 486 33 xx xx

• Study @ KUL 1999-2003 (License in Computer Science)

• Clarinet player?

TrueSec

B. Van Rillaer

���42

• Twitter: @bvanrillaer

• 72 followers, last tweet 22/03

• Tweet most between 11:00 - 17:00

• Tablet Acer A200

• Mobile Samsung Galaxy S3 (GT-I9300)

• Active on G+, sell/buy on Kapaza

TrueSec

B. Van Rillaer

���43

TrueSec

Classic IT requests

• Could you give me the password?

• Could you power on/off this device

• Could you “<put your idea here>”

���44

TrueSec

Interested?

���45

TrueSec

Interested?

���46

• SET (https://www.trustedsec.com/downloads/social-engineer-toolkit/)

• Maltego (https://www.paterva.com/)

• Your own toolbox!

TrueSec

Conclusions

���47

TrueSec

Conclusions

���48

TrueSec

Conclusions

���49

“You don’t know what you can get away with until you try.”

!

- Colin Powell

TrueSec

Thank you! More info?

@xme

xavier@truesec.be

http://blog.rootshell.be

https://www.truesec.be

���50