
Social Engineering

Date post: 13-Nov-2014
Upload: firasco
Description:
Everything about Social Engineering.
Page 1: Social Engineering

JL and Firasco
www.pizzaratings.com

IT-Security 1

Social Engineering
by JL and Firasco

Page 2: Social Engineering

Contents

1. Definitions of Social Engineering (SE)
2. Different types of Social Engineering
3. How a Social Engineer proceeds (6 steps)
4. Live example of Social Engineering (Movie)
5. Why is Social Engineering so successful
6. Is it ethical?

Page 3: Social Engineering

Definitions of Social Engineering

1. Involves exploiting the trusting nature of human beings to obtain information (human hacking)

2. The art and science of getting people to comply with your wishes

3. Is a collection of techniques used to manipulate people into performing actions or revealing confidential information

Page 4: Social Engineering

So now…

Raise your hand if you think you have ever been Social Engineered

Page 5: Social Engineering

Famous targets of Social Engineering

1. Industrial Spying
2. Data Theft
3. Identity Theft
4. Pizza4free
5. Etc.

Page 6: Social Engineering

Types of Social Engineering

1. Phishing
2. Trojan horse
3. Quid pro Quo
4. Pretexting

Page 7: Social Engineering

Types of Social Engineering: Phishing

Page 8: Social Engineering
Page 9: Social Engineering

Types of Social Engineering: Trojan Horse

Page 10: Social Engineering

Types of Social Engineering: Quid pro Quo (something for something)

Page 11: Social Engineering

Types of Social Engineering: Pretexting

Page 12: Social Engineering

How a Social Engineer proceeds

1.) Research
Collect sufficient information about the target which is going to be Social Engineered
– Internet
– Dumpster diving

Page 13: Social Engineering

How a Social Engineer proceeds

2.) Establish contact
– Call
– Visit in person (face-to-face)
– Mail

Page 14: Social Engineering

How a Social Engineer proceeds

3.) Pretend using Pretexting
Be someone you are not

– Customer
– Researcher
– Technical support
– Telephone survey

Page 15: Social Engineering

How a Social Engineer proceeds

4.) Extract information
Use specific wording in questions to achieve goal
– Could I just see your ID as an example?
– Are you generally interested in advertising your products?

Page 16: Social Engineering

How a Social Engineer proceeds

5.) After getting necessary information
Try hard not to lose the “connections”

– The target may not know that it has been Social Engineered

– Good “connections” can always be helpful in the future so do not mess it up

Page 17: Social Engineering

How a Social Engineer proceeds

6.) Combine data
Combine the bits and pieces into data

– Most of the time you have only asked for pieces of information

– A collection of superficial-looking information can often be combined to acquire highly sensitive data

– Approximately 5 pieces of superficial data can get you 1 sensitive piece of information

Page 18: Social Engineering

How a Social Engineer proceeds

Summary:
1. Gathering of information
2. Establish connection
3. Pretend to be someone you are not
4. Work your way to the main goal
5. Keep good relationship with the victim
6. Compile data

Page 19: Social Engineering

Real-world example of Social Engineering (movie)

Page 20: Social Engineering

Why is Social Engineering so successful

• A human being trusts another human up to a certain point

• People tend to obey your orders when they see you have superior knowledge

• Makes all means of software and hardware protections USELESS

• Only very few companies and people are actually aware of the dangers of Social Engineering

• We do not like to say no

Page 21: Social Engineering

Why is Social Engineering so successful

• Flaws in human logic:
1. Cognitive Biases
2. Attribution Theory
3. Reactance
4. Context confusion
5. Strong Affect
6. Overloading

Page 22: Social Engineering

It’s discussion time

Is it ethical?

Page 23: Social Engineering

Definition of “ethical”

• Ethics is a general term for what is often described as the "science (study) of morality". In philosophy, ethical behavior is that which is "good" or "right."

Page 24: Social Engineering

Is it ethical?

Page 25: Social Engineering

Page 26: Social Engineering

Why Social Engineering is so successful (continued)

