Social Engineering

Posted on 13-Nov-2014


Everything about Social Engineering.


JL and Firasco, www.pizzaratings.com

IT-Security 1

Social Engineering by JL and Firasco

Contents

1. Definitions of Social Engineering (SE)
2. Different types of Social Engineering
3. How a Social Engineer proceeds (6 steps)
4. Live example of Social Engineering (Movie)
5. Why is Social Engineering so successful
6. Is it ethical?

Definitions of Social Engineering

1. Involves exploiting the trusting nature of human beings to obtain information (human hacking)

2. The art and science of getting people to comply with your wishes

3. Is a collection of techniques used to manipulate people into performing actions or revealing confidential information


So now…

Raise your hand if you think you have ever been Social Engineered


Famous targets of Social Engineering

1. Industrial Spying
2. Data Theft
3. Identity Theft
4. Pizza4free
5. Etc.

Types of Social Engineering

1. Phishing
2. Trojan horse
3. Quid pro Quo
4. Pretexting

Types of Social Engineering: Phishing


Types of Social Engineering: Trojan Horse


Types of Social Engineering: Quid pro Quo (something for something)


Types of Social Engineering: Pretexting


How a Social Engineer proceeds

1.) Research
Collect sufficient information about the target which is going to be Social Engineered
– Internet
– Dumpster diving

How a Social Engineer proceeds

2.) Establish contact
– Call
– Visit in person (face-to-face)
– Mail

How a Social Engineer proceeds

3.) Pretend using Pretexting
Be someone you are not
– Customer
– Researcher
– Technical support
– Telephone survey

How a Social Engineer proceeds

4.) Extract information
Use specific wording in questions to achieve the goal
– Could I just see your ID as an example?
– Are you generally interested in advertising your products?

How a Social Engineer proceeds

5.) After getting the necessary information
Try hard not to lose the “connections”

– The target may not know that it has been Social Engineered

– Good “connections” can always be helpful in the future, so do not mess them up

How a Social Engineer proceeds

6.) Combine data
Combine the bits and pieces into data

– Most of the time you have only asked for pieces of information

– A collection of superficial-looking information can often be combined to acquire highly sensitive data

– Approximately 5 pieces of superficial data can get you 1 sensitive piece of information

How a Social Engineer proceeds

Summary:
1. Gathering of information
2. Establish connection
3. Pretend to be someone you are not
4. Work your way to the main goal
5. Keep a good relationship with the victim
6. Compile data

Real world example of Social Engineering (Click HERE to play our movie)

Why is Social Engineering so successful

• A human being trusts another human up to a certain point

• People tend to obey your orders when they see you have superior knowledge

• Makes all means of software and hardware protections USELESS

• Only very few companies and people are actually aware of the dangers of Social Engineering

• We do not like to say no


Why is Social Engineering so successful

• Flaws in human logic:
1. Cognitive Biases
2. Attribution Theory
3. Reactance
4. Context confusion
5. Strong Affect
6. Overloading

It’s discussion time

Is it ethical?


Definition of “ethical”

• Ethics is a general term for what is often described as the "science (study) of morality". In philosophy, ethical behavior is that which is "good" or "right."


Is it ethical?


Sources

• Wiley Publishing, Inc. - Social Engineering - 2nd Edition 2007

• http://www.securityfocus.com
• http://en.wikipedia.org
• www.ethicsscoreboard.com/rb_definitions.html