
Page 1: Social Engineering and Phishing (Fish are not the only things that need to be concerned.)

August 24, 2011

Page 2: Introduction

© 2011 SeNet International Corp. August 2011

During the course of this presentation, I will illustrate methods that attackers and others with malicious intent have used to compromise Personally Identifiable Information (PII) and other sensitive data. I will also examine several case studies that show how PII was compromised and how the breach could have been prevented. Finally, I will offer several defense and protection mechanisms.

I am SeNet’s Chief Technology Officer (CTO). Previously, I worked for the security consulting practices of both KPMG and Deloitte and Touche. I have led and performed numerous vulnerability assessments and penetration tests in support of financial audits, FISMA audits, and other compliance-related efforts.

I can be reached at 703-206-9383 or [email protected].

Page 3: About SeNet

• High-End Consulting Services Focus
 – Government Certification and Accreditation Support
 – Network Integration
 – Security Compliance Verification and Validation
 – Security Program Development with Business Case Justifications
 – Complex Security Designs and Optimized Deployments

• Proven Solution Delivery Methodology
 – Contract Execution Framework for Consistency and Quality
 – Technical, Management, and Quality Assurance Components

• Exceptional Qualifications
 – Executive Team: Security Industry Reputation and Active Project Leadership
 – Expertise with Leading Security Product Vendors, Technologies, and Best Practices
 – Advanced Degrees, Proper Clearances, Standards Organization Memberships, and IT Certifications

• Corporate Resources
 – Located in Fairfax, Virginia
 – Fully Equipped Security Lab
 – Over 40 Full-time Security Professionals

SeNet International is a small business founded in 1998 to deliver network and information security consulting services to government and commercial clients.

Page 4: The PII Challenge

Definition

Personally Identifiable Information (PII) is information that can be used to uniquely identify, contact, or locate a single person or can be used with other sources to uniquely identify a single individual.

Challenges of PII

• Pervasive: found on traditional and new, non-traditional end points

• Highly sensitive and highly coveted

• Difficult to do away with

Page 5: PII Examples

Examples of PII Include:

• Full name (if not common)

• National identification number

• IP address (in some cases)

• Vehicle registration/plate number

• Driver's license number

• Face, fingerprints, or handwriting

• Credit card numbers

• Digital identity

• Birthday

• Birthplace

• Genetic information

Page 6: PII Leakage Paths

PII can "leak out" intentionally and unintentionally in many ways, such as:

• E-mail attachments

• Printouts and faxes

• Lost tapes, zip drives, and other storage media

• Lost or stolen laptops

• Social networking

• Instant messaging programs

• File sharing programs

• Insecure Web sites

• Active attacks by bad actors
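Most of the leakage paths above (mail attachments, instant messaging, file sharing) pass through a point where the content can be inspected before it leaves, and the PII examples on the previous slide are exactly what such a check looks for. The scanner below is an added example written for this page; it is not SeNet's code and not from the presentation. It shows the part naive regex filters get wrong: a card number is only reported if it passes the Luhn checksum, and a US Social Security number only if its structure is valid, which keeps ticket numbers and placeholder values out of the alerts. The patterns, the masking format and the sample lines are constructed assumptions.

```python
"""Added example (not from the SeNet slides): a minimal data-leakage
scanner that flags lines carrying PII before they leave the network.

It validates candidates rather than matching bare digit runs: card
numbers must pass the Luhn check, and US SSNs must respect the SSA's
structural rules (no 000/666/9xx area, no 00 group, no 0000 serial).
The sample lines below are constructed for this example.
"""
import re

# 13-19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def luhn_ok(digits):
    """Luhn (mod-10) checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def ssn_ok(area, group, serial):
    """Structural validity of a US SSN; it does not prove the number was issued."""
    a = int(area)
    return a not in (0, 666) and a < 900 and int(group) != 0 and int(serial) != 0


def find_pii(line):
    """Return [(kind, masked_value)] for every validated PII item on one line."""
    findings = []
    for m in CARD_RE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            # Keep BIN and last four so an analyst can triage without the full PAN.
            findings.append(("card", digits[:6] + "*" * (len(digits) - 10) + digits[-4:]))
    for m in SSN_RE.finditer(line):
        if ssn_ok(*m.groups()):
            findings.append(("ssn", "***-**-" + m.group(3)))
    return findings


def scan(lines):
    """Return [(line_no, findings)] for lines that should be blocked or reviewed."""
    hits = []
    for n, line in enumerate(lines, 1):
        f = find_pii(line)
        if f:
            hits.append((n, f))
    return hits


# Constructed sample: an outbound e-mail body using test-only numbers.
SAMPLE_LINES = [
    "Hi, attaching the Q3 salary sheet.",
    "J. Doe, SSN 123-45-6789, salary 82,000",
    "Card on file: 4111 1111 1111 1111 exp 09/13",
    "Ticket 4111-1111-1111-1112 is not a card (bad checksum)",
    "Invalid SSN 000-12-3456 should not match",
]

if __name__ == "__main__":
    for line_no, findings in scan(SAMPLE_LINES):
        print(f"line {line_no}: {findings}")
```

Only lines 2 and 3 of the sample are reported; line 4 fails Luhn and line 5 has an impossible area number. Masking in the alert matters as much as detection: an alert channel that carries the full card number is itself a leakage path.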

Page 7: Data Leakage Paths

Page 8: PII Attack Vectors

• Phishing (no, it’s not a typo)

• Social Engineering

• Cross-site Scripting (XSS)

• SQL Injection

• Malware

• Many others

Page 9: Phishing Attacks and Social Engineering

While there are several different attack vectors that could be used to gain unauthorized access to PII, two of the most common are old-fashioned social engineering and phishing attacks.

Page 10: What is Social Engineering?

Social engineering is the process of deceiving people into giving away access or confidential information.

Wikipedia defines it as “the act of manipulating people into performing actions or divulging confidential information. While similar to a confidence trick or simple fraud, the term typically applies to trickery or deception for the purpose of information gathering, fraud, or computer system access; in most cases the attacker never comes face-to-face with the victim.”

Many consider social engineering to be the greatest risk to security.

Page 11: Categories of Social Engineers

• Hackers

• Spies or Espionage

• Identity Thieves

• Disgruntled Employees

• Scam Artists

• Sales

• Governments

Page 12: Why Social Engineering?

"Because there is no patch for human stupidity"

"People are the largest vulnerability in any network"

Path of Least Resistance

A hacker can spend hours, weeks, or months trying to brute force his or her way to a password... when a phone call with the right pretext and the right questions can obtain the same password, or more, in a few minutes.

Page 13: What is Pretexting?

• Pretexting is the act of creating an invented scenario to persuade a targeted victim to release information or perform some action. It is more than just telling a lie; in some cases, it means creating a whole new identity and then using that identity to obtain information. Pretexting can also be used to impersonate people in jobs and roles the attacker has never actually performed.

• Pretexting is also not a “one size fits all” solution. A social engineer will have to develop many different pretexts over his or her career. All of them will have one thing in common: research. Good information gathering techniques can make or break a good pretext. Being able to mimic the perfect technical support representative is useless if your target does not use outside support.

• One of the most important aspects of social engineering is trust.

Page 14: Common SE Attack Vectors

In the world of social engineering, there are numerous attack vectors. Some involve a lot of technology; others contain none at all.

• Customer Service

• Tech Support

• Marketing

• Phone

• Delivery Person

Page 15: Phishing vs. Spear Phishing

Phishing – Bulk e-mails that typically contain a link to a counterfeit Web site designed to look like an authentic login page. The counterfeit page captures whatever personal data the victim enters for cyber criminals, who use it to commit financial fraud.

Spear Phishing – Targets are identified in advance and the e-mails that attempt to trick them into handing over personal data can be highly specific. They might claim to come from a friend or colleague, or seek to exploit the target’s known interests.
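The link to the counterfeit site is the one part of a phishing mail that can be checked mechanically, whether the mail is bulk or spear-phished. The following is an added example written for this page, not code from the SeNet presentation: it pulls every anchor out of an HTML body and flags the usual tells, namely an IP address instead of a hostname, a punycode label that may hide a homoglyph, a trusted brand embedded as a subdomain of some other domain, a domain one or two characters away from a trusted one, and visible link text whose host differs from the real href. `TRUSTED_DOMAINS`, the crude two-label domain rule and the sample message are constructed assumptions; a production filter would use the public suffix list and the organization's own brand list.

```python
"""Added example (not from the SeNet slides): inspect the links in an
HTML e-mail body for the classic phishing tell-tales.

Assumptions (not from the original page): the trusted-domain list and
the sample message below are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse
import ipaddress

# Hypothetical list of domains this organisation expects to see in mail.
TRUSTED_DOMAINS = {"examplebank.com", "example.com"}


class _LinkCollector(HTMLParser):
    """Collect (href, visible anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude eTLD+1: last two labels (enough for .com/.net style hosts)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def _edit_distance(a, b):
    """Levenshtein distance, used to spot typo-squatted lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyse_link(href, text):
    """Return a list of findings for one anchor; an empty list means nothing odd."""
    findings = []
    host = urlparse(href).hostname or ""
    if not host:
        return findings
    # 1. Raw IP address instead of a hostname.
    try:
        ipaddress.ip_address(host)
        findings.append("ip-literal host")
    except ValueError:
        pass
    # 2. Punycode label: possible homoglyph / IDN spoof.
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode label")
    dom = registrable_domain(host)
    if dom not in TRUSTED_DOMAINS:
        # 3. Trusted brand appears inside a host that is not actually under it.
        for trusted in TRUSTED_DOMAINS:
            if trusted in host and host != trusted and not host.endswith("." + trusted):
                findings.append(f"trusted name '{trusted}' embedded in untrusted host")
                break
        # 4. Lookalike of a trusted domain (one or two edits away).
        for trusted in TRUSTED_DOMAINS:
            if 0 < _edit_distance(dom, trusted) <= 2:
                findings.append(f"lookalike of '{trusted}'")
    # 5. Visible text shows a URL whose host differs from the real href.
    shown = urlparse(text if "://" in text else "http://" + text)
    if shown.hostname and "." in text and registrable_domain(shown.hostname) != dom:
        findings.append("anchor text host differs from href host")
    return findings


def analyse_email(html_body):
    """Return [(href, anchor_text, findings)] for every link in the body."""
    parser = _LinkCollector()
    parser.feed(html_body)
    return [(href, text, analyse_link(href, text)) for href, text in parser.links]


# Constructed sample message (not a real phishing e-mail).
SAMPLE = """
<p>Dear customer, please verify your account:</p>
<a href="http://examplebank.com.login-check.net/verify">https://examplebank.com/login</a>
<a href="http://192.0.2.10/update">Update details</a>
<a href="https://exannplebank.com/secure">Secure portal</a>
<a href="https://examplebank.com/help">Help centre</a>
"""

if __name__ == "__main__":
    for href, text, findings in analyse_email(SAMPLE):
        print("SUSPICIOUS" if findings else "ok        ", href, findings)
```

On the sample, the first three links are flagged (embedded brand plus mismatched anchor text, IP literal, and a two-edit lookalike) and only the genuine `examplebank.com` link passes. The check is deliberately about the destination, not the sender: spear-phishing mail that really does come from a compromised colleague's account still has to send the victim somewhere.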

Page 16: Social Engineering Tools

• SET – Social Engineering Toolkit

(http://www.social-engineer.org/framework/Computer_Based_Social_Engineering_Tools:_Social_Engineer_Toolkit_(SET))

• BeEF – Browser Exploitation Framework

(http://www.bindshell.net/tools/beef.html)

• Metasploit – http://www.metasploit.com/

Page 17: Demo

Demo Time

Page 18: APT and PII

APT is not about smashing and grabbing; rather, it is about methodically reaching your objectives, establishing a beachhead within the organization, and exploiting as much of the organization as possible for as long as possible without being detected.

Page 19: APT and PII (cont'd)

APT is:

• Advanced – Spans everything from mundane attack attempts to sophisticated, custom-crafted exploits.

• Persistent – Focused on an objective, so this is not just a "drive-by" or "smash-and-grab." The threat will not go away or move out of legal reach. "Persistent" means trying to maximize exploitation of information over a period of time, sometimes a long period of time.

• Threat – Targeting your organization for a specific reason. Behind it are human operators applying skill and creativity; it is not merely a bot or worm, although those tools may be employed.

Page 20: Case Study 1: Operation Aurora

• Began in mid-2009 and continued through December 2009. Involved several other companies in addition to Google.

• Google stated that some of its intellectual property had been stolen.

• Attackers were interested in accessing the Gmail accounts of Chinese dissidents.

• Attackers exploited a zero-day vulnerability in Internet Explorer, which Microsoft patched only after the intrusions were disclosed.

Page 21: Case Study 1 (cont'd)

• Additional vulnerabilities were found in Perforce, the source code revision control system Google used to manage its source code.

• Once a victim's system was compromised, the malware opened a back-door connection to command-and-control servers that masqueraded as an SSL connection.

• The victim's machine then began exploring the protected corporate intranet of which it was a part, searching for other vulnerable systems as well as sources of intellectual property, specifically the contents of source code repositories.
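A back door that "masquerades as SSL" by using TCP/443 is only convincing to a firewall that stops at the port number. A genuine TLS session opens with a Handshake record (content type 0x16, version 0x03 0x00 to 0x03, non-zero length) whose first handshake message is a ClientHello (type 0x01); anything else sent first on that port is worth a second look. The triage function below is an added example written for this page, not code from the presentation or from any Aurora analysis, and the flow records it runs over are constructed.

```python
"""Added example (not from the SeNet slides): flag connections to
TCP/443 whose first client bytes are not a TLS ClientHello.

The flow records below are constructed: a genuine TLS 1.0 ClientHello
prefix, a plaintext HTTP request on 443, an opaque binary blob on 443,
and ordinary HTTP on port 80.
"""

TLS_HANDSHAKE = 0x16   # record-layer content type for handshake messages
CLIENT_HELLO = 0x01    # handshake message type


def looks_like_client_hello(payload):
    """Check the TLS record header and the handshake type of the first bytes."""
    if len(payload) < 6:
        return False
    content_type, major, minor = payload[0], payload[1], payload[2]
    record_len = int.from_bytes(payload[3:5], "big")
    return (content_type == TLS_HANDSHAKE
            and major == 0x03 and minor <= 0x03
            and record_len > 0
            and payload[5] == CLIENT_HELLO)


def triage(flows):
    """flows: iterable of (src, dst, dport, first_client_bytes).

    Returns (src, dst) for flows to TCP/443 that do not open with a
    ClientHello, i.e. something is using the port without speaking TLS.
    """
    suspicious = []
    for src, dst, dport, first_bytes in flows:
        if dport == 443 and not looks_like_client_hello(first_bytes):
            suspicious.append((src, dst))
    return suspicious


# Constructed flows (addresses are documentation ranges, not real hosts).
FLOWS = [
    ("10.1.1.20", "203.0.113.5", 443, bytes.fromhex("160301005b01000057030149")),
    ("10.1.1.21", "203.0.113.9", 443, b"GET /index.html HTTP/1.1\r\n"),
    ("10.1.1.22", "198.51.100.7", 443, bytes.fromhex("ff00aa55cafebabe0102030405")),
    ("10.1.1.23", "198.51.100.8", 80, b"GET / HTTP/1.1\r\n"),
]

if __name__ == "__main__":
    for src, dst in triage(FLOWS):
        print(f"non-TLS traffic to 443: {src} -> {dst}")
```

This is triage, not a verdict: very old clients sending an SSLv2-compatible hello (first byte with the high bit set) will also be flagged, and a back door that implements real TLS passes the check entirely, so pair it with inspection of the server certificate and the reputation of the destination.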

Page 22: Case Study 2

This case study explores an example where data (including PII) in an Oracle database is compromised.

Initially, a scan is conducted to identify Oracle databases.

Page 23: Case Study 2 (cont'd)

Weak passwords are not just a Microsoft problem. The tool shown on this slide checks whether any of Oracle's well-known default account passwords are still in use.

Page 24: Case Study 2 (cont'd)

With valid credentials obtained, a tool such as DB-Examiner can be used to obtain a graphical view of the database structure.

Page 25: Case Study 2 (cont'd)

Of course, data is the crown jewel that most attackers are after. In this example, using the compromised account and the knowledge of the schema gained in the previous step, a query is executed to view personal data including name, Social Security number, and salary.

Page 26: Methods to Protect PII

• Encryption

• Multi-factor Authentication

• Strong Access Controls

• Security Awareness Training

• End-point Security

• Data Leakage Prevention

Page 27: Social Engineering Protections

• Education/training

• Be aware of the information you are releasing.

• Determine which of your assets are most valuable to criminals.

• Keep your software up to date.

• When asked for information, consider whether the person asking is actually entitled to it, and confirm who they are through a channel you control rather than the one they opened.

• Report suspicious activity.

• Be skeptical.

• Never respond using contact details or links contained in the e-mail itself, particularly links to Web sites; reach the organization through an address or number you already know to be genuine.

Page 28: Conclusions

As can be seen throughout this presentation, there are many different attack vectors that can be used to gain access to your PII or other sensitive information. Often, attackers choose the easiest target, which is why social engineering and phishing are being used more frequently.

While no method can guarantee 100% protection against these types of attacks, by understanding how these attacks work, you can better defend yourself against them.

Page 29: Questions

Questions?