social-engineering for engineers the whats, whys, wheres and hows of social-engineering 1
TRANSCRIPT
2
Agenda On-going technology development
Social-engineering
What's the story with the frauds?
How to prevent and defend against them?
And what to do if we fail to do the above?
What else should be done?
3
On-going technology development
For the last 20 years (or so), we've been witnessing an amazing technological development.
The challenge is not to be the first or the best...
... but not to be the last.
It's not easy however.
4
On-going technology development
Who's having the problems then?
Content and service providers
Software and hardware vendors
Legislators and law enforcement
Internet users
5
On-going technology development
For millions of years, mankind lived just like the animals. Then something happened which unleashed the power of our imagination. We learned to talk and we learned to listen...
Nope, that's not Pink Floyd. It's Stephen Hawking.
But Internet-based communication is much more than text and sound.
6
On-going technology development
Pictures
Video
Instant messaging and VoIP
Memes
And more to come sooner or later
7
On-going technology development
Still there are things that haven't changed e.g. non-verbal communication.
For ages our behaviour's been based on the same rules.
So what?
Well, IT systems and applications are prone to errors just like the humans who develop and operate them.
8
Social-engineeringThe practice of making laws or using other methods to influence public opinion and solve social problems or improve social conditions.
source: Merriam-Webster Dictionary
In the context of information security, refers to psychological manipulation of people into performing actions or divulging confidential information.
source: http://en.wikipedia.org/
10
Social-engineeringRobert Cialdini's six rules of influence:
Reciprocity Commitment and Consistency Social Proof Authority Liking Scarcity
11
ReciprocityNigerian scams - an African king (or Asian general, or South-American dictator) asks for your help in recovering his huge money assets locked in the country of his origin. You'll be rewarded but first, you have to help. Some encouragement follows.
Favours - someone pretending to be an IT help-desk specialist, calls you and offers help in sorting out your PC's problem (apparently caused by himself). For this, you'll give him - for example - your password.
12
Commitment and Consistency
"Free" IQ tests - its results shall be shown once you send a premium-rate text message (does it affect the overall score BTW? ;)
Limited content - to view a full article or video you need to pay money or follow a dodgy link.
Mobile apps - if you clicked "download", "install", will you click "no, I don't want you to access my contacts, texts, data connection and location"?
13
LikingPhishing - fake e-mails and websites look really like the genuine ones (well, not in Poland, how's it in Georgia? ;)
Funny or hot content - you can't view the funny content unless you install a "missing plugin". Which is we-all-exactly-know-what.
Share - content liked or shared by our "friends" (whom we like or at least know) is perceived as legitimate.
14
Authority
Donations - on-line payment and money exchange services, together with Bitcoin, make for a good base for money-laundering and other frauds.
Voice phishing - some people reveal their personal or financial information when called "by THE bank", just because they're told it's "THE bank" calling.
15
Scarcity"Last minute" offers - some people will pay for goods or services difficult to obtain or time-limited.
YOU are the 999. person on this website - and if you follow the link you'll win an iPad... Or will you?
Slashdot effect - people desperately wanting to be (all) the first to see the news will DDoS the website. Like ACTA-case in Poland. Err, soft of.
16
Some numbers...Service Price
Credit card data 2 - 90 USD
Actual cards 190 USD
Skimming device 200 - 1000 USD
Fake ATMS 35 000 USD
e-Bank credentials 80 - 700 USD
Money transfers 10 - 40%
Fake e-commerce sites price per project
Spam 10 USD per 1M e-mails
discounts guarantees trial periods returns
Data leaks
2013 Adobe 2,9 mln
2011 Sony PSN 77 mln
2009 Heartland Payment Systems 130 mln
2008 Hannaford Brothers 4,6 mln
2007 TJX Companies 45 mln
2005 CardSystems Solutions 40 mln
17
How do they happen?In a number of ways: sometimes a simple phone call is enough malware leading to an APT attack network snooping IP / MAC / e-mail / Called-ID spoofing credit cards skimming dumpster diving (no, really!)But it's not all about the technology.
18
How to prevent and detect them?
DLP (Data Leak Prevention) IPS / IDS (Intrusion Prevention/Detection Systems) Application firewall URL filtering BGP / DNS blackholing SIEM (monitoring) Host agents Threat intelligence and whistle-blowersBut...
19
How to prevent and detect them?
If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology.
Bruce Schneier
You can't defend. You can't prevent. The only thing you can do is detect and respond.
Bruce Schneier
Source: http://www.clubhack.com/wp-content/uploads/2010/12/DSC_6514.jpg
20
And what to do if we fail todo the above?
Detection should be based on both: user awareness and network / system monitoring - one won't work without another.
Incident response must be a process with appropriate procedures, staffing, support, funding and tools.
Computer forensics is just a tool in incident responders' hands. A powerful one but...
21
Computer forensicsWith all this cloud, big data, BYOD, data encryption and huge HDDs it's really hard to respond to incidents efficiently.
That's when live forensics come into play: Volatile data (e.g. RAM) acquisition Imaging of unencrypted encrypted disk drives Preservation of data in the cloud Minimising delays in availability
22
Computer forensicsTriage is a simple way to preserve and examine computer evidence faster and more efficiently while keeping up with the standards and regulatory requirements (e.g. chain of custody).
Triage can be performed by a trained incident responder ("a rescue team" member) on the scene.
Computer forensics expert ("a surgeon") doesn't have to be involved yet.
23
CSIRTs / CERTsComputer Security Incident Response Teams (CSIRTs) provide professional incident response capabilities.
Effectiveness of their work depends on appropriate communication and co-operations with other governmental and business CSIRTs/CERTs.
Maintaining defense capabilities and readiness on high level means exercising and constantly improving.
24
CSIRT Serviceshttp://www.cert.org/csirts/services.html
Reactive Proactive Security Quality Management
Alerts and Warnings
Incident Handling – Incident analysis – Incident response on site – Incident response support – Incident response coordination
Vulnerability Handling – Vulnerability analysis – Vulnerability response – Vulnerability response coordination
Artifact Handling – Artifact analysis – Artifact response – Artifact response coordination
Announcements
Technology Watch
Security Audits or Assessments
Configuration and Maintenance of Security Tools, Applications, and Infrastructures
Development of Security Tools
Intrusion Detection Services
Security-Related Information Dissemination
Risk Analysis
Business Continuity and Disaster Recovery Planning
Security Consulting
Awareness Building
Education/Training
Product Evaluation or Certification
25
And the conclusion is...People are the first and the last line of defense from the attacks against them and the technology.
The difference between us and the computers is that we think. Sometimes too much.
It causes problems but that can also help avoid them.
So it's always better to think twice.
26
Quizhttps://www.paypal.com/webapps/mpp/security/antiphishing-canyouspotphishing
http://www.sonicwall.com/furl/phishing/
http://www.opendns.com/phishing-quiz/
http://www.mailfrontier.com/forms/msft_iq_test.html
http://survey.mailfrontier.com/survey/quiztest.cgi?themailfrontierphishingiqtest
http://www.contentverification.com/phishing/quiz/
http://www.onguardonline.gov/media/game-0011-phishing-scams
http://www.washingtonpost.com/wp-srv/technology/articles/phishingtest.html