

Information Systems 365/765
Information Systems Security and Strategy
Lecture 7
Social Engineering
   Today’s Chocolate Bar

• Nestle Crunch,
  created in 1938
• Current slogan is
  “For the kid in
• Bunch-a-crunch
• "Betcha Can't
  Crunch This!"
• I use REAL people as
  examples in this presentation
• I do this not to mock them, or
  intimidate them, but to
  impress upon them in the
  most real way I know of, the
  importance of sharing
  information about themselves
  only on a “need to know
  basis” in public forums
     Social Engineering

• No matter how many security
  measures you introduce, there
  is one which proves to be the
  most challenging…
• How do we secure human
 Social Engineering Defined

• The use of psychological tricks
  in order to get useful
  information about a system
• Using psychological tricks to
  build inappropriate trust
  relationships with insiders
         Kevin Mitnick

• World’s most famous Social
• “The weakest link in the
  security chain is the human
• Half of his exploits involved
  using social engineering
• See the master in action!
     Social Engineering
• Social Engineering goes back
  to the first lie ever told and
  will continue into the future.
• Social Engineering is
  successful because people are
  generally helpful, especially to
  those who are:
• Nice
• Knowledgeable
• Insistent
Three Primary Methods of Social

• Flattery
• Authority Impersonation
• Threatening Behavior
     Helpful By Default

• We don’t see a motive to hack
  our network. “If I see it
  everyday, it can’t be
• Industrial Espionage
• Revenge
• Just for fun
    How Does It Happen?

• “An ounce of prevention is
  worth a pound of cure!”
• The Social Engineer uses
  simple information found
  online, or by making a basic
  phone call into the office
• That stuff really isn’t that easy
  to get…Don’t be dramatic!
   Let’s Setup a Case Scenario
       Using a Method Called
• Meet Angry Cow
• Computer Science Student at
• Angry Cow just got an eviction
Case Continued – Simple Public
     Information is Found
• Angry Cow lives at the
• The Regent’s website
  indicates that it is
  owned by Steve Brown
• Angry Cow wants to
  “fix” Steve Brown’s
  record keeping
  spreadsheet to show
  that rent has been paid
Next – Finding A Way In…
• Facebook is Angry Cow’s first
  weapon of choice because it is an
  unofficial source of information
• Poor controls over data sharing
• Lots of important information there
  that might not seem important,
  but could be his first step in…
• Go to Facebook and search:
“Steve Brown Apartments” to find an
  appropriate unknowing accomplice
   Let’s See – Danielle Treu

• Born July 24, 1988
• Enjoys playing in the rain,
  drinking coffee and spending
• Works at Subway and as a
  Resident Assistant for Steve
  Brown Apartments
Let’s See – David Klabanoff

• Born April 21, 1979
• Likes Star Wars and
  The Muppet Movie
• Is a Concierge for
  Steve Brown
 Let’s See – Andrew Baldinger –
  I think I might know this guy!
• March 30, 1986
• Likes kayaking,
  exploring, and
  getting lost
• Lives at the
• Works as a
  Support Specialist
  for Steve Brown
 Let’s Start with Danielle Treu

• Her Facebook profile is public,
  but she is intelligent. She
  keeps her contact information
• But, her profile does say that
  she attends UW-Madison…
• I wonder if they have some
  more public information about
    The Research, Phase II
• I’m so thankful for the UW
• Remember, this is PUBLIC
• I got her email address!
Primary Contact
    Establishing the Trust
• Danielle talks to David, and
  since David trusts Danielle as
  an “insider”, this trust
  transfers to the fake Andrew
• Angry Cow shows up later that
  day, David is expecting him
• Angry Cow identifies himself
  as Andrew and asks David for
  key to server room
          The Hack
• Angry Cow gets physical
  access to the server and runs
  Ophcrack (just as we did in
  class), which recovers the
  Administrator password from
  the stored LM/NT password
  hashes using rainbow tables
• Angry Cow logs into the server
  and alters the accounting files to
  indicate that his rent has been
  paid
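What the tool in the last step actually does, shown with added example code that is not from the lecture and not from the Ophcrack project: once an attacker has physical access and can boot the machine from other media, the Windows SAM gives up the LM and NT password hashes, and Ophcrack recovers the passwords from those hashes with precomputed rainbow tables. The attack pays off because both hash types are unsalted, so one precomputed table covers every account on every machine. The Python below implements MD4 from RFC 1320 (hashlib's md4 is frequently unavailable), derives NT hashes (MD4 over the UTF-16LE password), and runs a plain dictionary attack over a constructed pwdump-format dump, the format Ophcrack imports. The account names, the passwords and the wordlist are invented for the example; the NT hash values for "password" and for a blank password are the published ones. LM hashing is left out because it needs DES, which the standard library does not provide.

```python
import struct

MASK32 = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """MD4 as specified in RFC 1320 (pure Python; hashlib often lacks md4 under OpenSSL 3)."""
    def rotl(x, n):
        return ((x << n) | (x >> (32 - n))) & MASK32

    def f(x, y, z):
        return (x & y) | (~x & z)

    def g(x, y, z):
        return (x & y) | (x & z) | (y & z)

    def h(x, y, z):
        return x ^ y ^ z

    # Padding: 0x80, zeros up to 56 mod 64, then the 64-bit little-endian bit length.
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)

    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        # Each step updates one register and rotates the register order, so
        # after every four steps the order is back to (a, b, c, d).
        for i in range(16):  # round 1: F, message words in order
            s = (3, 7, 11, 19)[i % 4]
            a, b, c, d = d, rotl((a + f(b, c, d) + x[i]) & MASK32, s), b, c
        for i in range(16):  # round 2: G, words 0,4,8,12,1,5,...
            k, s = (i % 4) * 4 + i // 4, (3, 5, 9, 13)[i % 4]
            a, b, c, d = d, rotl((a + g(b, c, d) + x[k] + 0x5A827999) & MASK32, s), b, c
        for i in range(16):  # round 3: H, words 0,8,4,12,2,10,...
            k, s = (0, 8, 4, 12)[i % 4] + (0, 2, 1, 3)[i // 4], (3, 9, 11, 15)[i % 4]
            a, b, c, d = d, rotl((a + h(b, c, d) + x[k] + 0x6ED9EBA1) & MASK32, s), b, c
        a, b, c, d = (a + aa) & MASK32, (b + bb) & MASK32, (c + cc) & MASK32, (d + dd) & MASK32
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """Windows NT hash: MD4 over the UTF-16LE password. No salt, no iteration."""
    return md4(password.encode("utf-16-le")).hex()


# Constructed pwdump-style dump (user:RID:LM:NT:::). The LM field is the LM hash
# of an empty string, which is what appears when LM hashing is disabled. Names
# and passwords are invented for this example; the Administrator and Guest NT
# hashes are the published values for "password" and for a blank password.
SAMPLE_PWDUMP = "\n".join([
    "Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::",
    "Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::",
    "sbrown:1001:aad3b435b51404eeaad3b435b51404ee:" + nt_hash("c0rrect-H0rse-battery") + ":::",
    "backup:1002:aad3b435b51404eeaad3b435b51404ee:" + nt_hash("password") + ":::",
])

# Small constructed wordlist standing in for a rainbow table.
WORDLIST = ["", "123456", "password", "letmein", "qwerty", "Summer2009!"]


def parse_pwdump(text: str):
    """Yield (username, nt_hash_hex) for every non-empty line of a pwdump file."""
    for line in text.splitlines():
        if line.strip():
            user, _rid, _lm, nt = line.split(":")[:4]
            yield user, nt.lower()


def crack(dump_text: str, wordlist) -> dict:
    """Hash the wordlist once, then look every account up in that table.

    Because NT hashes are unsalted, the same precomputed table serves every
    account on every machine, which is what makes rainbow tables worthwhile.
    Accounts whose password is not in the list map to None.
    """
    table = {nt_hash(word): word for word in wordlist}
    return {user: table.get(nt) for user, nt in parse_pwdump(dump_text)}


def shared_passwords(dump_text: str) -> list:
    """Accounts with identical NT hashes share a password; visible before any cracking."""
    by_hash = {}
    for user, nt in parse_pwdump(dump_text):
        by_hash.setdefault(nt, []).append(user)
    return [users for users in by_hash.values() if len(users) > 1]


if __name__ == "__main__":
    for user, pw in crack(SAMPLE_PWDUMP, WORDLIST).items():
        print(f"{user:14} {'<not in wordlist>' if pw is None else repr(pw)}")
    print("shared:", shared_passwords(SAMPLE_PWDUMP))
```

The Administrator, Guest and backup accounts fall to the six-word list; sbrown survives only because that password is absent from it, which is the whole argument for long, unique passwords when the hash format itself offers no salt or work factor.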
 Summary of This Example
• Search for public information
  about your target, using both
  official and unofficial sources
• Build a trust ladder: Danielle
  trusts Andrew and David
  trusts Danielle, therefore David
  will trust Andrew—even if
  “Andrew” really is Angry Cow!
• Build a credible story
 Let’s Watch Another Example

• Silence of the Lambs Movie

• Notice how they both establish
  trust through the use of
  kindness or perceived
How to Keep Social Engineering
        From Working

• Administrators need to:
• Establish Policies
• Train Employees
• Run Drills
• Office Workers:
• Need to be aware of Social
  Engineering tactics
• Follow policies
   Let’s Watch the AT&T Internal
    Social Engineering Training
• Which Social Engineering
  techniques can you identify in
  the video? (Flattery,
  Authority, Threats)
• How would you CLASSIFY this
  video (remember Data
  Classification)?
• What is going on at AT&T?
          Pretexting
• Pretexting is the
  act of creating
  and using an
  invented scenario
  (the pretext) to
  persuade a
  targeted victim to
  release information or
  perform an action,
  and is typically
  done over the
  telephone

• It's more than a simple lie as it
  most often involves some prior
  research or set up and the use of
  pieces of known information (e.g.
  for impersonation: date of birth,
  Social Security Number, last bill
  amount) to establish legitimacy in
  the mind of the target.
     Is This Really a Threat to
     Businesses? PRETEXTING

• So far, this just looks
  like a technique
  employed by angry
• Did you know that
  Hewlett Packard
  regularly engaged in
  Social Engineering?
• They used the method in
  order to get the phone
  records of board members
  and journalists
• Let’s watch the
  testimony of Patricia
  Dunn, then Chairman of
  HP’s Board of Directors
    Pretexting Will Likely Continue
• As most U.S. companies still
  authenticate a client by asking
  only for a Social Security
  Number, date of birth, or
  mother's maiden name, the
  method is effective in many
  criminal situations and will
  likely continue to be a security
  problem in the future.
• Pretexting is the most common
  form of Social Engineering

            Phishing
• Phishing is the use of email as a
  means to extract personal
  information from a user
• A variant is called IVR Phone
  Phishing
       Phishing Continued
• Direct you towards bogus
  (fake) websites
• Purpose is to harvest
• PayPal example – I don’t even
  have a PayPal account!
• Use common sense!
• Don’t click on links directly!
• Phishing Filter!
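The “don’t click on links directly” advice, turned into the checks a reader does by hand when hovering over a link, as an added example that is not part of the lecture: does the visible link text name one site while the href goes to another, is the target a raw IP address, is the host punycode (a look-alike domain), and does a watched brand name appear as a subdomain of someone else’s domain. The HTML body is a constructed PayPal-themed lure using documentation hosts, not a real message; the brand list is an assumption for the example, and the registrable-domain helper uses the last two labels rather than the Public Suffix List.

```python
import re
from dataclasses import dataclass, field
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Brands whose names should only appear under their own registrable domain.
# Assumed list for this example; a mail filter would load it from config.
WATCHED_BRANDS = {"paypal.com"}

# Constructed HTML body of a PayPal-themed lure (not a real email). Hosts use
# reserved example/documentation names and addresses.
SAMPLE_EMAIL_HTML = """
<p>Dear PayPal customer, your account has been limited.</p>
<p><a href="http://paypal.com.account-verify.example.net/login">https://www.paypal.com/signin</a></p>
<p><a href="http://192.0.2.10/pp/update.php">Update your billing information</a></p>
<p><a href="http://xn--pypal-4ve.com/">www.paypal.com</a></p>
<p><a href="https://www.paypal.com/help">PayPal Help Center</a></p>
"""

_IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


@dataclass
class LinkFinding:
    href: str
    text: str
    reasons: list = field(default_factory=list)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def registrable_domain(host: str) -> str:
    """Last two labels. A production filter would consult the Public Suffix List (co.uk etc.)."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyze_link(href: str, text: str) -> LinkFinding:
    """Apply the checks a careful reader does by hovering over a link."""
    finding = LinkFinding(href, text)
    host = host_of(href)
    if not host:
        finding.reasons.append("href has no host")
        return finding
    if _IPV4.match(host):
        finding.reasons.append("href host is a raw IP address")
    if any(label.startswith("xn--") for label in host.split(".")):
        finding.reasons.append("href host is punycode (possible look-alike domain)")
    # If the visible text itself looks like a URL or hostname, it must agree with the href.
    looks_like_url = "://" in text or ("." in text and " " not in text)
    shown_host = host_of(text if "://" in text else "http://" + text) if looks_like_url else ""
    if shown_host and registrable_domain(shown_host) != registrable_domain(host):
        finding.reasons.append(f"visible text says {shown_host} but href goes to {host}")
    # A brand name buried in a subdomain of someone else's registrable domain.
    for brand in WATCHED_BRANDS:
        name = brand.split(".")[0]
        if name in host and registrable_domain(host) != brand:
            finding.reasons.append(f"'{name}' appears outside its real domain {brand}")
    return finding


def analyze_email(html: str) -> list:
    parser = _LinkCollector()
    parser.feed(html)
    return [analyze_link(href, text) for href, text in parser.links]


def suspicious_links(html: str) -> list:
    return [f for f in analyze_email(html) if f.reasons]


if __name__ == "__main__":
    for f in analyze_email(SAMPLE_EMAIL_HTML):
        print(("SUSPICIOUS " if f.reasons else "ok         ") + f.href)
        for r in f.reasons:
            print("    -", r)
```

Three of the four links in the sample trip at least one check; the genuine help-center link passes. The same heuristics are what a mail gateway’s link rewriting or a browser phishing filter applies before the user ever sees the page.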

          Trojan Horses
• A virus or other malware disguised
  in such a way as to appeal to a
  person’s curiosity or greed
• Usually arrives in the form of an
  email with an attachment
• ILOVEYOU (2000), a VBScript worm
  that arrived as an email attachment
  posing as a love letter, is the classic
  example of the Trojan Horse lure
• Adware hiding inside downloads is
  another example
          Road Apples
• Road Apples are also known as
• Uses physical media and relies on
  the curiosity or greed of the
• USB drives or CDs found in the
  parking lot, with label: 3M
  Executive Salaries
• Autorun on inserted media did the
  rest; since a 2011 Windows update
  AutoRun is disabled for USB drives,
  so modern baiting relies on the
  finder opening a file, or on devices
  that present themselves as a
  keyboard
            Quid Pro Quo
• Means “something for
  something”
• A person contacts people one
  by one, until he/she finds a
  person with a problem
• When they find a person, they
  “fix” their problem by
  introducing malware to their
  computer
Summary – Today’s Take Aways

• Social Engineering involves
  manipulating others to get
• Main techniques are: Flattery,
  Authority, Threatening
• Main types are: Pretexting,
  Phishing, Trojan Horses and
  Quid Pro Quo
    Ways to Combat Social
• Good security policy
• Make sure your employees
  understand dangers and
• Make sure employees
  understand what Data
  Classification means and what
  type of information you
  publicly give away
Most Important Gem of Wisdom
in Defeating Social Engineering
• Never, Never give out a username,
  password, account number, SSN,
  etc. over the same channel used
  to initiate the request, and never
  to a number or address the
  requester supplied
• For example, if a phone call
  comes in asking for an SSN, take
  the caller’s name, hang up, and
  call the organization back on a
  number you looked up yourself;
  if the request is genuine, send
  the SSN by regular mail or another
  channel that organization provides
  for it, never by plain email
