Date post: | 03-Apr-2018 |
7/28/2019 104274037 PC Security Final Essay Social Engineering
http://slidepdf.com/reader/full/104274037-pc-security-final-essay-social-engineering 1/15
PC Security Final Essay
Social Engineering
Contents
Introduction 1
What is Social Engineering? 2
Social Engineering Techniques 3
Social Engineering for Beginners 6
Well known Social Engineers 8
Ways to prevent a Social Engineering Attack 9
Conclusion 12
References 13
Introduction:
Social Engineering is a way of manipulating a person into giving you important data. In PC
security terms it’s a way of hacking a system without being in front of an actual PC. There
are so many examples of social engineering in the world today and people just aren’t being
vigilant enough.
Social engineering can take the form of a phone call, an email, a letter and if the person is
really daring, they might actually go so far as to pose as someone else face to face.
There have been many stories going around about social engineering and how people manage to trick others. One of the most popular instances is a woman in America who rang a bank and posed as the Bank President's daughter. She demanded the account numbers of the bank's biggest client. The member of staff wasn't inclined to give her the information; however, this fraudster said that if she did not receive the account numbers and information that she was looking for, her father would not be pleased and in turn would fire that member of staff. Of course the member of staff was so afraid of losing their job that they eventually complied, only to find a few days later that this major client's bank account had been cleaned out and that they had indeed been fooled.
You would think that after a story like that people would be more on the lookout. However, clever hackers these days are coming up with new and unsuspected ways to trick the public and steal their identities and lives.
In this essay I will outline the different types of social engineering, i.e. the many different ways and examples of how someone can be a social engineer, as well as giving pointers on how to be vigilant and stop yourself from being hacked.
What is Social Engineering?
“Social engineering is the act of manipulating people into performing actions or divulging
confidential information” i
Some social engineering can be considered the simplest form of fraud, and in most cases the victim never sees the person who has tricked them.
“All social engineering techniques are based on specific attributes of human decision-
making known as cognitive biases. These biases, sometimes called "bugs in the human
hardware," are exploited in various combinations to create attack techniques.”ii
Basically, what the above is saying is that all of this fraud is based on decisions made by the hacker or person trying to exploit the information. What they extract depends entirely on the following:
• The questions they choose to ask.
• The route they choose, i.e. phone, email or person-to-person contact (very rare).
• The amount of time they are willing to spend digging for information.
• Patience. A hacker can't afford to get frustrated when trying to extract information, as it may essentially blow his/her cover.
• Manners. The more they sweet-talk and the more innocent they claim to be, the higher the chance that they will be told what they want to hear. Often people are eager to help those that they think are helpless, so if the hacker calls up and acts like they are completely lost or confused, they will often pick up little bits of information.
Social Engineering Techniques:
The main technique, and often the simplest, used in Social Engineering is Pretexting. This is the technique that I have mentioned above in the introduction. Someone tells a simple lie to extract information. They invent a scenario in which they impersonate someone else, or say that they are speaking on behalf of someone very important, to get what they need.
People may impersonate someone else to get valuable information about a company. More often than not this type of attack is aimed at large businesses, either by someone who is looking to cash in on a weak link in the company, or by the company's competition looking to see how they can up their own game.
Phishing is another technique that can be used in social engineering. These days it is really easy to create a website and manipulate HTML code, and people can get caught.
Scammers set up a fake website that looks like something more legitimate and popular that people would use regularly, for example eBay. Then they send you an email from that website looking for some personal details to verify an account, with a bad link. When you click this link, the fake website logs your details (credit card number and whatever you have entered) along with your password for your email account. They can then use these details to steal your identity, and things can become quite serious.
The most well known phishing scam was in 2003, when hackers sent emails to people pretending to be from eBay. As above, people were told that their accounts would be suspended if they did not enter their credit card details. They were given a link which redirected them to a site similar in format to eBay, and when they entered their details they were phished.
Diagram 1. The above diagram shows a print screen of the email that was sent around in 2003. iii
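The two tells in the eBay scam above (a message that invokes a brand but arrives from an unrelated domain, and a link whose visible text shows one site while its target is another) are mechanical enough to check by machine. The script below is an added example and is not part of the essay; `TRUSTED_DOMAINS`, the function names and the two sample messages are all constructed for the demonstration, and a real deployment would use an organisation's own allow-list and a proper public suffix list.

```python
"""Added example, not part of the essay: a small checker for the two phishing
tells the essay describes, a message that invokes a brand (eBay here) but
arrives from an unrelated domain, and a link whose visible text shows one site
while its href points to another.  TRUSTED_DOMAINS and the sample messages
are constructed for the demonstration."""
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allow-list: brand keyword -> domains that legitimately belong to that brand.
TRUSTED_DOMAINS = {
    "ebay": {"ebay.com", "ebay.ie"},
    "hotmail": {"hotmail.com", "live.com"},
}


def registrable_domain(host: str) -> str:
    """Crude last-two-labels domain: 'signin.ebay.com' -> 'ebay.com'.  Enough for the demo;
    a real tool would use the public suffix list to handle names such as example.co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def looks_like_address(text: str) -> bool:
    """True when the visible link text itself reads like a URL or domain name."""
    return "." in text and not any(ch.isspace() for ch in text)


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_message(from_header: str, html_body: str) -> list:
    """Return human-readable warnings; an empty list means none of the checks fired."""
    warnings = []
    _, sender = parseaddr(from_header)
    sender_domain = registrable_domain(sender.rsplit("@", 1)[-1]) if "@" in sender else ""
    body_text = html_body.lower()

    # Check 1: the body talks about a brand, but the sender's domain is not that brand's.
    for brand, domains in TRUSTED_DOMAINS.items():
        if brand in body_text and sender_domain not in domains:
            warnings.append(f"mentions {brand} but was sent from '{sender_domain or 'unknown'}'")

    collector = LinkCollector()
    collector.feed(html_body)
    for href, visible in collector.links:
        host = (urlparse(href).hostname or "").lower()
        target = registrable_domain(host)
        # Check 2: the text shown to the reader names one domain, the href goes to another.
        if looks_like_address(visible):
            shown = urlparse(visible if "://" in visible else "//" + visible).hostname or ""
            if shown and registrable_domain(shown) != target:
                warnings.append(f"link text shows {shown} but points to {target}")
        # Check 3: a brand name embedded in a hostname that does not belong to the brand.
        for brand, domains in TRUSTED_DOMAINS.items():
            if brand in host and target not in domains:
                warnings.append(f"lookalike domain {host}")
    return warnings


# Constructed sample messages (not real mail).
PHISHING_FROM = "eBay Security <security@ebay-accounts.example.net>"
PHISHING_BODY = (
    "<p>Your eBay account will be suspended unless you verify your credit card details.</p>"
    '<p><a href="http://ebay.example.net/verify">http://www.ebay.com/verify</a></p>'
)
LEGIT_FROM = "eBay <noreply@ebay.com>"
LEGIT_BODY = '<p>Your eBay order has shipped.</p><a href="https://www.ebay.com/orders">View order</a>'

if __name__ == "__main__":
    for label, frm, body in (("phishing", PHISHING_FROM, PHISHING_BODY), ("legit", LEGIT_FROM, LEGIT_BODY)):
        print(label, check_message(frm, body) or "no warnings")
```

Run as written, the constructed phishing message trips all three checks (unrelated sender domain, mismatched link text, brand name inside a lookalike host) while the constructed legitimate message produces none. The checks are deliberately simple string comparisons so the logic can be read in one sitting; they are a starting point for a mail filter, not a complete one.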
Spear Phishing is similar to pretexting; however it normally appears internally within a
company. An email will be sent to someone in a company and it will look like an official
company email. They may pose as someone from human resources, and normally what they
would look for is the details for one specific member of staff.
Not only will they look for details, but often they will also ask you to download some sort of software, claiming that it's relevant to your everyday work. This software will contain a Trojan or other malware that will spread rapidly from computer to computer in the network. The "spear" in the title indicates that they want to target one specific person within a company rather than the company itself; however, when they have the details of one member of staff, it could eventually lead to something much bigger.
The following extract is an example of Spear Phishing from a blog I found online. iv
"The Forrester analyst, Paul Stamp, describes a recent spear phishing attack on a medium sized enterprise. He described how the enterprise had issued a press release announcing the hire of a new COO. A few days later, the new COO received an email purportedly from the firm that does the enterprise's travel bookings. He was requested to click on the link and make sure his details were accurate.
The executive did and ended up at an official looking website for the travel agency. There he found that the travel agency already had all his personal details in the database, so it looked good. He was then requested to download some software that would link his Outlook email to the travel agency's booking systems. The COO did this. Unbeknownst to the COO he was actually downloading Trojan horse malware which then rapidly spread through his new enterprise."
Phone Phishing.
This technique is often more complicated than it sounds and isn’t just as simple as one phone
call. The attacker starts out by sending an email to the victim posing as a bank. This email
might say something such as
“Dear Sir
There has been some unusual activity on your account lately.
You will need to contact the bank to verify your details.
The following is a number for you to call and you will be put straight through to one of our customer service representatives [Insert Number]
We look forward to hearing from you soon.
[Insert Name]
Manager of tsb Permanent.”
When the victim calls that number, they might be put through to a fancy automated system or voice recording. These days attackers have to get more sophisticated with their means of attacking so that their victims will not be able to tell the difference between what's real and what's fake, so hearing an automated voice system is not uncommon. Then the victim may be put directly through to their attacker, who may be posing as a customer service
representative where they will be asked for their details. By the time the phone call ends the
attacker should have everything that they needed.
Trojans and Malware
This technique often requires the use of a computer. A Trojan or malware may be transmitted to the victim's computer through a lost piece of external media (people are often curious when they see a USB key on the ground in the parking lot of their company and don't often stop to think of the consequences) or, more commonly, through attachments in an email.
They will be sent an email asking them to download a report or file and when they do, they will automatically get a Trojan, malware or keylogger. Every keystroke they type on the computer may be monitored, and every piece of personal information that they enter will be kept.
Shoulder surfing.
This technique is possibly the easiest thing you could do if you wanted to find out information quickly; however, it is often overlooked as being too unreliable and amateurish. This can range from looking over the shoulder of someone in an airport to standing really close to someone as they are entering their PIN at an ATM.
There are pros and cons. The pro is that if a place is crowded you are nearly sure to get away with this technique, unless you are looking really shifty. The con, however, is that this is only a good technique if an attacker is looking to just steal from a random person. If they were looking to target someone in particular, it would be a lot of work having to first find out where they are travelling to so that you can follow them around and look for information, and then if you are following the same person from place to place you are going to start to look a bit creepy eventually!
I would say this technique is more for the beginner in Social Engineering rather than the pros, who would only target big companies and businesses.
Social Engineering for Beginners!
Social Engineering is ALWAYS closer than you think. Just the other day I was surfing a local
forum and I saw something that I believe to be a form of social engineering. Now of course
this thread that I am about to show you may be perfectly innocent, but it seems to me that this
person is digging for specific information from a specific person. After all, I know some
people on this local forum as Cork is a small place, so it seems to me that he already knows
the user he is hoping will reply. This person has made their thread so pointless and harmless
looking that no one would suspect them.
[Screenshot of the forum thread] v
There is a possibility that this user is trying to find out the answer to a password reset
question.
With most email accounts, there is an option to reset your password if you can provide 2
pieces of information together such as an answer to a secret question and a location.
A lot of people would choose an easy answer to their password reset question as they don’t
want to forget the answer. They may think that this is the most convenient route to take but it
is also leaving them wide open to attacks from hackers.
If a hacker can guess a password reset question, this indeed is another form of social
engineering. So the best way to stop yourself from being left open to attack is to make your
password a mixture of:
• Upper Case Letters
• Lower Case Letters
• Numbers
• An underscore if possible
• Words which are not easy to decipher.
I will also stress that it is a possibility that the above thread was totally innocent, however it
is always important to be on your guard.
Internet forums can be a place of great discussion and may pass the time, however on local
forums you need to be more aware of the consequences if a debate or a flame war breaks out.
“Flaming is hostile and insulting interaction between Internet users. Flaming usually
occurs in the social context of a discussion board, Internet Relay Chat (IRC), by e-mail
or on Video-sharing websites. It is usually the result of the discussion of heated real-
world issues like politics, religion, and philosophy, or of issues that polarise
subpopulations (for example, the perennial debating between Xbox 360 and PlayStation
3 owners). Internet trolls frequently set out to incite flame wars for the sole purpose of
offending or irritating other posters.” vi
Flaming can lead to a more serious situation where someone may become a victim of cyber
bullying. You may wonder how this ties in with Social Engineering.
Cyber bullying and flaming could lead to a social engineering attack from someone who may be looking to "get their own back" or just be spiteful. They may try to compromise your account to teach you a lesson. Don't get me wrong, I'm not anti-forums, and when properly moderated they can be a wonderful place to chat to like-minded people; however, it is just as important to be picky about what information you give on an internet forum as it is to be careful about what phishing links you click on!
Well Known Social Engineers.
The most well known social engineer in the world is Kevin Mitnick.
Kevin started social engineering at a very young age when a bus driver told him that he could buy his own ticket stubbing machine. He bought this machine and then went searching for transfer tickets which he could use. He continued this for years until he found the world of technology and hacking, where he became the most well known social engineer.
He used to tap phone lines to listen to people's conversations, and also speaker systems in drive-throughs and restaurants. vii
[Photograph] viii
Mitnick in the centre with some friends.
Frank Abagnale
This man is another example of a famous social engineer.
This man was well known for his bank fraud. He spent his life on the run and claimed to have no fewer than 8 identities. He started at the age of 16 and committed a long list of crimes including fraud.
He is well known in popular culture as the movie "Catch Me If You Can" is based on his life.
Similarly to Mitnick, Abagnale is now a security consultant.
Ways to prevent a Social Engineering Attack
There are many things you can do to prevent a social engineering attack.
• Do not click on suspicious links in emails
• Do not give out details over the phone unless you are 100% confident that you are
speaking to an official body that you trust.
• Do not give out your credit card details to any links that may appear in emails. Your
bank is sure to contact you by letter or phone to arrange an appointment to discuss
your finances, they would never actively send out an email to ask you to verify your account or change your details online.
• If you find a piece of external media, do not take the chance that it isn’t infected.
Leave it where you find it and do not insert it into your computer.
• Do not download attachments from websites that you do not trust.
• If you receive an internal email asking you for your details within the company you
are working for, speak to your supervisor to verify that this email was legitimate
before entering any details. After all, there may not be any “Jane” working in human
resources!
• Have multiple passwords! Do not use the same password for all accounts as it will be too predictable, and if someone happens to crack it then they are in a position to steal your entire identity.
The majority of these are common sense, however good hackers are coming out with new
pieces of technology every day which make it more difficult for you to be on your guard
when it comes to these attacks.
Protecting your email
I cannot stress enough the importance of making your password hard to crack. As mentioned above, there are ways of doing this.
I will demonstrate creating a password for Hotmail. Most other email websites will be the same, so this will apply across the board.
1. Here I entered a name as the password. All in lowercase letters “stephen”. This was
the message that I received.
[Screenshot: Hotmail's response to the password "stephen"] ix
2. I decided to backtrack and delete that password. I retyped it this time using one
uppercase letter, a mixture of lowercase letters and two digits which I will remember.
I would not recommend using your age as your two digits as this will make your
password easier to crack for anyone that may know you personally. The password I
typed was “Stephen48586878”. This password may be hard to remember because of
all the digits, but this was only a personal preference anyway. Some people prefer to
play around with it and manipulate the cases rather than the digits to make their
passwords stronger. This was the message that I was shown.
[Screenshot: Hotmail's response to the password "Stephen48586878"] x
I was told that the password was strong. In fact the box on the right gave a very clear indication of the type of password that they are looking for. This is designed to help you out.
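The rules listed earlier (upper case, lower case, digits, an underscore if possible, no easily guessed word) can be turned into a checker, which also lets us look at the two passwords tried above with something stricter than Hotmail's meter. The script below is an added example and is not part of the essay; `COMMON_WORDS` is a constructed stand-in for the first-name and dictionary lists a guessing tool would try first, and the third sample password is made up. It flags "Stephen48586878" even though Hotmail called it strong, for the reason the essay itself hints at when it advises against using your age: a first name followed by digits is exactly what a targeted guess list contains.

```python
"""Added example, not part of the essay: a checker for the password rules the
essay recommends (upper case, lower case, digits, an underscore if possible,
no easily guessed word) plus a rough entropy estimate.  COMMON_WORDS is a
constructed stand-in for the name and dictionary lists a guessing tool would
try first; the sample passwords include the two the essay typed into Hotmail."""
import math
import string

# Constructed stand-in for a real wordlist of first names and dictionary words.
COMMON_WORDS = {"stephen", "password", "letmein", "welcome", "qwerty", "cork", "summer"}
MIN_LENGTH = 8


def charset_size(pw: str) -> int:
    """Size of the alphabet an attacker must assume, judged from the classes actually used."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 printable ASCII symbols, underscore included
    return size


def entropy_bits(pw: str) -> float:
    """Upper bound on guessing entropy: every position drawn uniformly from the alphabet in use.
    A password built from a name scores far below this bound, which is why check_password
    also consults COMMON_WORDS."""
    return len(pw) * math.log2(charset_size(pw)) if pw else 0.0


def core_word(pw: str) -> str:
    """The letters of the password with digits and symbols removed, lower-cased."""
    return "".join(c for c in pw if c.isalpha()).lower()


def check_password(pw: str):
    """Return (verdict, failed_rules).  Any hard rule failing gives 'weak'; only the
    advisory underscore rule failing gives 'fair'; nothing failing gives 'strong'."""
    hard, advisory = [], []
    if len(pw) < MIN_LENGTH:
        hard.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in pw):
        hard.append("no upper case letter")
    if not any(c.islower() for c in pw):
        hard.append("no lower case letter")
    if not any(c.isdigit() for c in pw):
        hard.append("no digit")
    if core_word(pw) in COMMON_WORDS:
        # A name plus digits is exactly what a targeted guess list contains.
        hard.append(f"built on the common word '{core_word(pw)}'")
    if not any(c in string.punctuation for c in pw):
        advisory.append("no underscore or other symbol")
    verdict = "weak" if hard else ("fair" if advisory else "strong")
    return verdict, hard + advisory


if __name__ == "__main__":
    for candidate in ("stephen", "Stephen48586878", "Blue_Kettle_47"):
        verdict, failed = check_password(candidate)
        print(f"{candidate!r}: {verdict}, {entropy_bits(candidate):.1f} bits max, {failed}")
```

The entropy figure is only an upper bound on what a brute-force search would face, so the word check does the real work: "stephen" fails five rules, "Stephen48586878" fails the common-word rule despite its fourteen digits, and the constructed "Blue_Kettle_47" passes everything because its letters do not spell a name in the list.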
The next part of the email account that I will show you how to protect is your password reset question. Every email account needs either a password reset question or a linked email address to automatically send the password to. I much prefer the password reset question, as it stops an attacker from automatically obtaining your details if they also have the password to the linked account.
Again I’ll use Hotmail as the primary example. This type of question is exactly the type of
question you should not use because anyone who knows you well will know this straight
away.
[Screenshot: the Hotmail password reset question] xi
If possible, you should choose your own question, as some email websites give you the
option to write your own, however in this case you don’t have that option. The next best
option on that list is “Favourite Historical Person”. You can make this an actor or a writer
even and to make the answer stronger, I suggest putting a memorable number at the end of
the question, as well as the number of spaces in the question.
[Screenshot: the Hotmail list of reset questions] xii
This is just a simple way that you can stop yourself from being a victim of social engineering. However, no password or reset question is foolproof, so you have to be vigilant against phishing scams.
Conclusion
Social engineering is a much bigger part of our lives than we sometimes realise. A con artist may not necessarily jump out at you. He mightn't be wearing tatty clothes or look suspicious;
he could just as well be wearing an Armani suit and have a wife and kids.
Social engineering will always be the number one way to extract information, regardless of what new technology people come up with over the next few years. The art of the lie will never change.
References
i Taken from http://en.wikipedia.org/wiki/Social_engineering_(security)
ii Taken from http://en.wikipedia.org/wiki/Social_engineering_(security)#Social_engineering_techniques_and_terms
iii Found at: http://www.fileguru.com/images/b/scam_sensor_for_outlook_utilities_security-11581.png
iv Taken from http://www.authenticationworld.com/blog/2006/12/targeted_spear_phishing_exampl.html
v Taken from http://www.peoplesrepublicofcork.com/~peoplesr/forums/showthread.php?t=163752
vi Taken from http://en.wikipedia.org/wiki/Flaming_(Internet)
vii Taken from http://en.wikipedia.org/wiki/Mitnick#Early_life
viii Found at http://upload.wikimedia.org/wikipedia/en/f/fa/Lamo-Mitnick-Poulsen.png
ix, x, xi, xii Taken from the Hotmail sign-in page: https://signup.live.com/signup.aspx?ru=http://mail.live.com/%3frru%3dinbox&wa=wsignin1.0&rpsnv=11&ct=1259635165&rver=6.0.5285.0&wp=MBI&wreply=http://mail.live.com/default.aspx&lc=1033&id=64855&mkt=en-us&bk=1259635166&rollrs=12&lic=1