
The Art of Human Hacking : Social Engineering

Date post: 22-Jan-2018
Upload: owasp-foundation
Page 1: The Art of Human Hacking : Social Engineering

The Art of Human Hacking : Social Engineering

A new modern threat for the IT industry?

By:

Page 2

Introduction

Companies are generally very good at protecting themselves against external attacks, but only rarely do they guard themselves against internal attacks. By using what’s known as ‘Social Engineering’, hackers exploit unsuspecting people who in good faith open their doors to unwanted strangers.

Social engineering, or SE, is the art of manipulating people into performing actions or giving up confidential information. Social Engineering can mean different things to different people.

Page 3

Modern threat modeling is a defensive response to understanding a threat in order to prepare yourself, your network, and your assets. This presentation shows how threat modeling can be used as an offensive weapon. While traditional threat modeling looks at the attacker, the asset and the system, offensive threat modeling looks back at the defender to understand his tactics and expose weaknesses.

By adopting the P4S's - People, Points, Posture, Pwnage, Survey - an attacker can understand where best to strike to achieve the best possible result.

Page 4

P4S’s

First “P” Stands For “PinPoint”

Make an HPTL (High Payoff Target List)

– assets that give the greatest bang for the buck when compromised

– example: security personnel, senior executives

• secondary targets

– targets which can be used as an indirect attack vector

– sales personnel, support staff, and vendors

• make a list of targets of opportunity

– the "low hanging fruit" of the enterprise

Page 5

Second “P” Stands For “Points Of Attack”

decompose target assets into points of attack

• break each asset into base components

– identify which parts can be readily compromised

• Physical versus Human Resources

– family affiliations, hobbies

– behavioral analysis, psych profiling

– sentiment analysis

– target fingerprinting, mapping

– port scans, vulnerability inventories

– infrastructure maps, application analysis

Page 6

Third “P” Stands For “Posture”

identify the asset's defensive posture

• assess the state or posture of each component – is it ready to be compromised?

• lots of critical time-based components

– technical schedules – are firewalls rebooted, patches applied at fixed intervals?

– change management windows and release schedules

– when are employees least likely to be engaged (off-hours, travelling, meetings, and so on)

• does the enterprise understand security?

– is there a proactive security posture, or simply a reactive one?

– is incident response implemented, tested?

Page 7

Fourth “P” Stands For “Pwnage”

execute the attack (Hax0r those assets)

– compromise multiple assets using varied attacks

– logical attacks – attack the logic of processes or applications

– social engineering – attack the people component

– physical attacks – engage on site (high risk)

– leverage known weaknesses to compromise assets

– focus on assets whose posture leaves them exposed

• human weaknesses are often the easiest to exploit

– bribery, blackmail, simple incentives

Page 8

“S” Stands For “Survey”

continuously monitor, maintain compromised assets

• the attacker should continuously monitor and update the asset list

– identify if a target response has been initiated

– analyze attack and defensive effectiveness

– perform a cost-benefit analysis on underperforming assets

• perform damage assessment on lost assets

– ensure no attack leakage has occurred

– identify possible replacements.

Page 9

Social Engineering has proven to be the fastest and most successful way to hack into an organization. The SE technique works every time, and more often than not it works the first time. Social Engineering remains one of the largest cyber security threats to IT infrastructures.

Page 10

Methods of Social Engineering

The methods are different and hard to count. I studied a bit and found that I can categorize these methods into different headings as written below.

• Quid Pro Quo - Something for something

• Phishing - Fraudulently obtaining private information

• Baiting - Real world Trojan Horse

• Pretexting - Invented Scenario

• Diversion Theft - A con

• Employment For Social Engineering

• Honey Trapping

Page 11

Quid Pro Quo

• Something for Something

o Call random numbers at a company, claiming to be from technical support.

o Eventually, you will reach someone with a legitimate problem.

o Grateful you called them back, they will follow your instructions.

o The attacker will "help" the user, but will really have the victim type commands that will allow the attacker to install malware.

Page 12

Phishing

• Fraudulently obtaining private information

o Send an email that looks like it came from a legitimate business

o Request verification of information and warn of some consequence if not provided

o Usually contains a link to a fraudulent web page that looks legitimate

o User gives information to the social engineer. Ex: eBay scam, bank scam, etc.

Page 13

Phishing Continued...

• Spear Phishing

o Specific phishing

Ex: email that makes claims using your name

• Vishing

o Phone phishing

o Rogue interactive voice system

Ex: call bank to verify information
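The link-level signs of a phishing mail described on these two pages (a visible URL that differs from the real link target, a trusted name embedded in an unrelated domain) can be checked mechanically before a user clicks. This is an added example, not part of the original deck; the HTML sample and the bank domain are constructed, and the two-label "registrable domain" rule is a simplifying assumption standing in for a public-suffix list.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample HTML e-mail body of the kind the slides describe: an urgent
# "verify your account" message whose links do not go where they appear to.
SAMPLE_EMAIL = """
<p>Dear customer, verify your account within 24 hours or it will be suspended.</p>
<a href="http://203.0.113.5/login">https://www.examplebank.com/verify</a>
<a href="https://examplebank.com.account-check.example/secure">Secure login</a>
<a href="https://www.examplebank.com/help">Help centre</a>
"""

class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs from every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable_domain(host):
    """Last two DNS labels; an assumption standing in for a public-suffix list."""
    return ".".join(host.lower().split(".")[-2:])

def phishing_indicators(html, trusted_domain):
    """Return (href, reason) pairs for links showing the signs the slides list."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        # Link target is a raw IP rather than the business's own domain
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            findings.append((href, "link target is a bare IP address"))
        # Visible text is itself a URL whose domain differs from the real target
        shown = urlparse(text).hostname if text.startswith(("http://", "https://")) else None
        if shown and registrable_domain(shown) != registrable_domain(host):
            findings.append((href, "visible URL does not match the real link target"))
        # Trusted name appears as a subdomain of some other registrable domain
        if trusted_domain in host and registrable_domain(host) != trusted_domain:
            findings.append((href, "trusted name embedded in an unrelated domain"))
    return findings
```

Run against the constructed sample with `trusted_domain="examplebank.com"`, the first link is flagged twice (bare IP, mismatched visible URL), the second once (lookalike domain) and the genuine help link not at all.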

Page 14

Baiting

• Real world Trojan horse

o Uses physical media

o Relies on greed/curiosity of victim

o Attacker leaves a malware-infected CD or USB drive in a location sure to be found

o Attacker puts a legitimate or curious label on it to gain interest

o Ex: "Company Earnings 2009" left at company elevator

o Curious employee/good Samaritan uses it: user inserts media and unknowingly installs malware

Page 15

Pretexting

• Invented Scenario

o Prior research/setup used to establish legitimacy; the victim gives information that a user would normally not divulge

o This technique is used to impersonate an authority, using prepared answers to the victim's questions and other gathered information

o Ex: Law Enforcement: threat of an alleged infraction to detain the suspect and hold for questioning

Page 16

Pretexting Real Example:

• Signed up for Free Credit Report

• Saw unauthorized charge from another credit company

o Called to dispute charge and was asked for credit card number

o They insisted it was useless without the security code

o Asked for Social Security number

• Talked to Fraud Department at my bank

Page 17

Diversion Theft

• A Con

o Persuade delivery person that delivery is requested elsewhere - "Round the Corner"

o When delivery is redirected, attacker persuades delivery driver to unload delivery near address

o Ex: Attacker parks a security van outside a bank. Victims going to deposit money into a night safe are told that the night safe is out of order. Victims then give money to the attacker to put in the fake security van

o Most companies do not prepare employees for this type of attack

Page 18

Weakest Link?

• No matter how strong your:

o Firewalls

o Intrusion Detection Systems

o Cryptography

o Anti-virus software

• You are the weakest link in computer security!

o People are more vulnerable than computers

• "The weakest link in the security chain is the human element" - Kevin Mitnick

Page 19

Honey Trapping: Techniques For Social Engineering

This is among the popular methods of social engineering when the stakes are high. Usually, men are more prone to honey traps compared to women.

This dangerous method can be described in the following steps:

• Identify the person in the target company who has good insider information

• Have a high-class hooker seduce the person

• Film it when they’re in the act

• Use the film to blackmail the trapped person

Page 20

The same method was used in the recent Pathankot Air Base (2016) terrorist attack in India. As the film/video is with the social engineer, the person can get whatever he or she wants. They can even make the trapped person do things he or she would never think of doing. In some cases, the stress and guilt are so high that the trapped person may commit suicide.

There is not much you can do in cases of honey traps except educate the people who work for you. But that is not a guaranteed solution, as it plays on basic human tendencies. Likewise, there is no 100% firewall against any of the above methods of social engineering. People err, and that’s where the social engineers make their profit. All you can do is educate; if the employees understand, good, or else not only they but their companies are also at risk of social engineering.

Page 21

To Understand How a Typical Honey Trap Assignment Works, Read Below:

Prior to the Assignment:

• A Honey Trap case manager will get in touch with you. They will help you plan and execute your Honey Trap assignment.

• Pick your agent from a selection of male or female operatives of various ethnicities, backgrounds, and/or lifestyles.

• You will have a meeting with the agent and the case manager to plan the details of your Honey Trap.

Page 22

What a Typical Assignment Consists of:

• The agent will attempt to chat with the subject.

• The agent will ask the subject any predetermined questions agreed upon in the case meeting.

• Exchange telephone numbers under the guise of a future meeting.

• Contact and communication will be maintained for a pre-agreed period of time. Examples: phone, email, text or social networking

• An optional second meeting can be arranged for lunch, dinner, or at a hotel.

Page 23

After the Honey Trap:

• The agent will submit reports and photos

• The SIM card used by the honey trap agent during the assignment

• Copies of all channels of communication, for example, email, text or voice messages.

Page 24

Ways to Prevent Social Engineering

Training

• User Awareness

o User knows that giving out certain information is bad

• Military requires Cyber Transportation to hold

o Top Secret Security Clearance

o Security Plus Certification

• Policies

o Employees are not allowed to divulge private information

o Prevents employees from being socially pressured or tricked

Page 25

Ways to Prevent Social Engineering Cont..

• 3rd Party test - Ethical Hacker

o Have a third party come to your company and attempt to hack into your network

o 3rd party will attempt to glean information from employees using social engineering

o Helps detect problems people have with security

• Be suspicious of unsolicited phone calls, visits, or email messages from individuals asking about internal information

• Do not provide personal information or information about the company (such as the internal network) unless the authority of the person is verified

Page 26

General Safety

Before transmitting personal data over the web, check the connection is secure and check the URL is right

If unsure whether an email message is legitimate, contact the person or organization by another method to verify

Be paranoid and aware when interacting with anything that needs protecting

The smallest piece of data could compromise what you're protecting

Page 27