Date post: | 10-Jul-2015 |
Category: | Engineering |
Upload: | wh0s |
Marta Barrio Marcos
Daniel González Gutiérrez
Summary
• What is Social Engineering?
• Techniques
• Why are we vulnerable?
• Famous Social Engineers
• Conclusions
What is SE?
“Social engineering is using manipulation, influence and deception to get a person, a trusted insider within an organization, to comply with a request, and the request is usually to release information or to perform some sort of action item that benefits that attacker.”
Kevin Mitnick
What is SE?
Psychological manipulation
Goals:
• Performing actions
• Divulging confidential information
• Confidence trick for the purpose of information gathering, fraud, or system access
What is SE?
Life Cycle:
1. Footprinting
2. Establishing Trust
3. Psychological Manipulation
4. The Exit
Footprinting
Accumulating information:
• Target
• Environment
Such as:
• List of employees and phone numbers
• Organization chart
• Location information
Software tools:
• Maltego
• SET
• Creepy
Footprinting: Maltego
Footprinting: Creepy
Establishing Trust
Develop a relationship with the target
Generate trust
Confidential information
Psychological Manipulation
Manipulate the trust
Penetrate into the system easily
Next Target / Exploiting the actual system
The Exit
• Clear Exit
• Avoid Suspicion
• Leave no proof of his visit that could:
• Be traced back to his real identity
• Link him to the unauthorized entry into the system in the future
Techniques
• Goal: Get Information
• Techniques:
• Shoulder Surfing
• Impersonation
• Phishing
• Reverse Social Engineering
• Dumpster Diving
• Trojan Horses
• Surfing Online Contents
Shoulder Surfing
• Direct observation technique (looking
over someone’s shoulder):
• Passwords
• Security Codes
• PINs
Impersonation
The social engineer plays the role of someone you are likely to trust.
• Roles:
• IT support
• Fellow employee
• Someone in authority
• They use:
• Uniforms
• ID badge
• Insider information
• Names and details about employees
Phishing
• False websites/emails
• Look like the originals
• Deceive users
• Get private information
• Get benefit
Phishing
*From an infographic at www.ThreatSim.com
Reverse Social Engineering
The attacker convinces the target that he has a problem and that the attacker is ready to help solve it.
• Sabotage: the attacker corrupts the system or gives it the appearance of being corrupted.
• Marketing: the only person who can solve the problem is the attacker.
• Support: he gains the trust of the target (access to sensitive information).
Dumpster Diving
Garbage Picking
• Find items that may prove useful:
Trojan Horses
Malware program with malicious code.
• Download a malicious file to the system.
• Open a backdoor.
• Access to the victim machine.
Surfing Online Contents
Emails; Phone numbers; Employers names…
• Whois
• Official website
• Forums
• Software Tools
Why are we vulnerable?
• Why are we vulnerable to SE?
1. We all want to help
2. Our first move is always to trust others
3. We hate to say “no”
4. We all love to be praised
“The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards – and even then I have my doubts.”
Gene Spafford, expert in computer security.
Why are we vulnerable?
“You can always convince someone to turn it on.”
Social Engineering.
Famous Social Engineers
Kevin Mitnick
“The World’s Most Wanted Hackers”
• 15 years old: he could ride any bus (free)
• 1981: COSMOS, Pacific Bell
• Arrested in 1981, 1983, 1987, 1995
• Author of “The art of deception”
Famous Social Engineers
Christopher Hadnagy
• www.social-engineer.org
• Work in BackTrack
• Author of:
• Elicitation
• Pretexting
• Micro expressions
• Tools of the Social Engineer
Conclusions
1. Importance of Information
2. The biggest vulnerability is…
Common Sense
US
DEMOS
• Demo 1: Stealing credentials in
• Demo 2: Exploit a vulnerability in a
computer and get total control
To… CONTROL YOUR SYSTEM