Conference about Social Engineering (by Wh0s)

Date post: 10-Jul-2015
Upload: wh0s

Marta Barrio Marcos

Daniel González Gutiérrez

Summary

• What is Social Engineering?

• Techniques

• Why are we vulnerable?

• Famous Social Engineers

• Conclusions

What is SE?

“Social engineering is using manipulation, influence and deception to get a person, a trusted insider within an organization, to comply with a request, and the request is usually to release information or to perform some sort of action item that benefits that attacker.”

Kevin Mitnick

What is SE?

Psychological manipulation

Goals:

• Performing actions

• Divulging confidential information

• Confidence trick for the purpose of information gathering, fraud, or system access

What is SE?

Life Cycle:

1. Footprinting

2. Establishing Trust

3. Psychological Manipulation

4. The Exit

Footprinting

Accumulating information about:
  • Target
  • Environment

Such as:
  • List of employees and phone numbers
  • Organization chart
  • Location information

Software tools:
  • Maltego
  • SET
  • Creepy

Footprinting: Maltego

Footprinting: Creepy

Establishing Trust

• Develop a relationship with the target
• Generate trust
• Confidential information

Psychological Manipulation

• Manipulate the trust
• Penetrate into the system easily
• Next target / Exploiting the actual system

The Exit

• Clear Exit

• Avoid Suspicion

• Leave no proof of his visit that could:
  • Be traced back to his real identity
  • Link him to the unauthorized entry into the system in the future

Techniques

• Goal: Get information

• Techniques:
  • Shoulder Surfing
  • Impersonation
  • Phishing
  • Reverse Social Engineering
  • Dumpster Diving
  • Trojan Horses
  • Surfing Online Contents

Shoulder Surfing

• Direct observation technique (looking over someone’s shoulder) to obtain:
  • Passwords
  • Security codes
  • PINs

Impersonation

The social engineer plays the role of someone you are likely to trust.

• Roles:
  • IT support
  • Fellow employee
  • Someone in authority

• They use:
  • Uniforms
  • ID badges
  • Insider information
  • Names and details about employees

Phishing

• False websites/emails

• Look like the originals

• Deceive users

• Get private information

• Get benefit

Phishing

*From an infographic at www.ThreatSim.com

Reverse Social Engineering

The attacker convinces the target that he has a problem and that the attacker is ready to help solve it.

• Sabotage: the attacker corrupts the system or gives it the appearance of being corrupted.
• Marketing: the only person who can solve the problem is the attacker.
• Support: he gains the trust of the target (access to sensitive information).

Dumpster Diving

Garbage Picking

• Find items that may prove useful:

Trojan Horses

Malware program with malicious code.

• Download a malicious file to the system.

• Open a backdoor.

• Access to the victim machine.

Surfing Online Contents

Emails; phone numbers; employers’ names…

• Whois

• Official website

• Forums

• Software Tools

Why are we vulnerable?

• Why are we vulnerable to SE?
  1. We all want to help
  2. Our first instinct is always to trust others
  3. We hate to say “no”
  4. We all love to be praised

Why are we vulnerable?

“The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards – and even then I have my doubts.”

Gene Spafford, expert in computer security.

“You can always convince someone to turn it on.”

Social Engineering.

Famous Social Engineers

Kevin Mitnick

“The World’s Most Wanted Hackers”

• 15 years old: he could ride any bus (free)

• 1981: COSMOS, Pacific Bell

• Arrested in 1981, 1983, 1987, 1995

• Author of “The Art of Deception”

Famous Social Engineers

Christopher Hadnagy

• www.social-engineer.org

• Work on BackTrack

• Author of:
  • Elicitation
  • Pretexting
  • Micro expressions
  • Tools of the Social Engineer

Conclusions

1. Importance of Information

2. The biggest vulnerability is… US

Common Sense

DEMOS

• Demo 1: Stealing credentials in Facebook

• Demo 2: Exploit a vulnerability in a computer and get total control

To… CONTROL YOUR SYSTEM

