Introduction to social engineering performed for EHB students @ Erasmus Hogeschool Brussels
Because We Are Just Humans
EHB Keynote - April 2014 - Xavier Mertens
TrueSec
$ whoami
• Xavier Mertens (@xme)
• Consultant @ day
• Blogger, Hacker @ night
• BruCON co-organizer
The InfoSec World…
$ cat disclaimer.txt
“The opinions expressed in this presentation are those of the speaker and do not necessarily reflect those of past, present employers, partners or customers.”
Agenda
• Introduction
• Historical examples
• Why and how?
• In our digital world
• Conclusion
“Social What?”
“Social engineering (SE) is the use of techniques to manipulate people into performing actions or divulging confidential information, rather than by breaking in or using technical hacking techniques”
OR
“A fancier way of lying”
Attackers Are Lazy!
Why make it complicated?
First in the analog life
Vendors: “It’s the last one, hurry up!”
Headhunters: “I’m Alice from Marketing, may I speak to Bob, please?”
Kids: “May I go to this party?”
… Women of course! (Maybe the wickedest! ;-)
Sand in the gears
Really?
$ man 3 human
• People aren’t stupid (…well, only some :-])
• But they are…
• Kind
• Naive
• Trustful
• Voluntary
• Scared
People VS. Computers
Agenda
• Introduction
• Historical examples
• Why and how?
• In our digital world
• Conclusion
The Trojan Horse
Victor Lustig
Bernie Madoff
Christophe Rocancourt
Agenda
• Introduction
• Historical examples
• Why and how?
• In our digital world
• Conclusion
Why?
… Because it works!
How?
… Sometimes being a good guy, sometimes being evil!
It’s Cheap!
A nice target
• People know useful information (passwords, procedures, paths, phone numbers)
• People have access to
• Files
• Papers
• Badges
A “Swiss Army Knife”
• People can interact with systems or people
• Download a file
• Disconnect a system
• Introduce you to someone else
• Send a mail or fax
• Get personal info
Attacks
• Physical
• Tailgating
• Shoulder surfing
• Trashing
• Technical
• Phishing
• XSS
• Human DoS
Our toolbox
• Mail → Easy, anonymous and free
• Phone → Quick and direct access to the target
• Fax → Don’t underestimate the power of a fax in 2014!
• Snail mail → A stamp or nothing…
Psychology
• Fear
• Credulity
• Desire
• Solidarity
The Process
• The target
• The objective
• The plan
The Target
• People
• Age, sex, social status, studies, …
• Company
• Open hours
• Jargon
• Procedures
• “Names”
The Objective
• What info are we looking for?
• Which questions to ask?
• Cross-check
The Plan
• Write down a scenario
• Work below the radar
• Reminders, lexicon, …
• Path
• Plan “B”!
Train Yourself
• Challenge your friends!
• It’s a game!
Agenda
• Introduction
• Historical examples
• Why and how?
• In our digital world
• Conclusion
A fact…
“We located the problem: It is located between the keyboard and the chair”
Pwn3d!
This is a mass-pwnage device!
The new OSI-model
Layer 1 - 6 → Over used
Layer 7 → Getting better defended
Layer 8 (“user” or “political”) → Can’t be patched! ;-)
(Source: @jaysonstreet)
You’ve been “Doxed”
Your Footprint
• In our modern life, we are 24x7 online
• We like to share
• We like to contribute
• Want an example?
At Home?
Maltego
B. Van Rillaer
• bert.van.rillaer(at)ehb(dot)be
• vanrillaer(at)gmail(dot)com
• +32 2 559 15 xx
• +32 486 33 xx xx
• Study @ KUL 1999-2003 (License in Computer Science)
• Clarinet player?
• Twitter: @bvanrillaer
• 72 followers, last tweet 22/03
• Tweet most between 11:00 - 17:00
• Tablet Acer A200
• Mobile Samsung Galaxy S3 (GT-I9300)
• Active on G+, sell/buy on Kapaza
Classic IT requests
• Could you give me the password?
• Could you power on/off this device?
• Could you “<put your idea here>”
Interested?
• SET (https://www.trustedsec.com/downloads/social-engineer-toolkit/)
• Maltego (https://www.paterva.com/)
• Your own toolbox!
Conclusions
“You don’t know what you can get away with until you try.”
- Colin Powell
Thank you! More info?
@xme
http://blog.rootshell.be
https://www.truesec.be