Embed Size (px)
DESCRIPTION
Social Engineering. Grifting in the 21 st century U of I Experiment Power Grid Security Spring 2003. Definitions. Webster— management of human beings in accordance with their place and function in society—applied social science . - PowerPoint PPT Presentation
Citation preview
Social Engineering
Grifting in the 21st centuryU of I Experiment
Power Grid Security Spring 2003
Definitions Webster—management of human beings in accordance
with their place and function in society—applied social science.
Wetware—Human beings (programmers, operators, administrators) attached to a computer system, as opposed to the system’s hardware or software (also liveware & meatware)
Social Engineering—cracking techniques that rely on waknesses in wetware rather than software
Social Engineering--UW
Our Definition—Manipulation of human beings to obtain information or confidence pertaining to the security of networked computer systems (with malicious intent)
Social Engineering Cycle
Research (Dumpster diving , et. al.)
Developing rapport and trust
Exploiting trust
Use the information
Source: Mitnick, 2002
Social Engineering Major Tools Appeal to vanity
Appeal to authority
Eavesdropping
Prey on natural helpfulness
Manipulate lack of awareness of value of info
Social Engineering Methods Posing as fellow employee Posing as employee of vendor Posing as an authority figure Posing as a new employee requesting help Posing as a vendor offering patch, etc. Offering help if a problem occurs Sending free software or patch to install Sending a virus/Trojan horse Using false pop-up window asking for log-in Capturing victim keystrokes Leaving floppy sitting around with malicious code Using insider lingo to gain trust Offering a prize for registering web site with username and password Dropping document or file at company mail room for in-house delivery Modifying fax machine heading to appear to come from normal location Asking receptionist to receive then forward a fax Asking for a file to be transferred to an apparently internal location Getting voice mailbox set up for callbacks, making attacker seem internal Pretending to be from remote office and asking for email access locally
Source: Mitnick, 2002
Warning Signs of an Attack
Refusal to give callback number Out-of-ordinary request Claim of authority Stresses urgency Threatens negative consequences of
noncompliance Shows discomfort when questioned Name dropping Compliments or flattery Flirting
Source: Mitnick, 2002
Common Targets of Attacks
Unaware of info value—receptionist
Special privileges—help desk tech support
Manufacturer/vendor—vendors
Specific departments—accounting, HR
Source: Mitnick, 2002
Factors Making Companies Vulnerable Large number of employees Multiple facilities Info on employee whereabouts left invoice
mail messages Phone extension info made available Lack of security training Lack of data classification system No incident reporting/response plan
Source: Mitnick, 2002
Examples:
Passwords displayed on hardware Internal company info/memos User’s passwords/account info Theft of service (Mitnick) Theft of intellectual property Footprinting/casing prior to e-attack
Why do we care?
Humans are potentially the least secure link in any secure system
“You are the weakest link…Goodbye!”
Experiment U of I
War-driving• Revealed many wireless networks in use in industry,
manufacturing, commerce and education (not to mention residential)
• Most did not take minimal security measures
Why are industries relying on wireless?• Don’t know the risk
• Incompetent, apathetic, irresponsible
Experiment U of I (cont’d.)
Sent 10 letters to industry/commerce Identified wireless enabled
• Warned about risks
• Sent info obtained about network• MAC addresses
• Access Point brand & name
• WEP status
Offered to help evaluate risks
Results 1
FSI (First Step Internet)• Authentication scheme
• Access point names and locations
• Security practices
• IDS/mitigation
• Wireless backbone locations/type/frequency
• Future security plans
• Client security
• End user agreements
Results 2
St. Joseph’s Regional Medical Center• Well informed
• Cautious/paranoid/untrusting
• Unwilling to divulge any info about their network
• Educated about social engineering and would not answer direct questions
• Thorough risk assessment determined the liability was smaller than the risk
Recent Survey--UK
InfoSecurity Europe 2003 Survey of Office workers at London’s Waterloo Station
• 75% gave password immediately
• 15% further revealed their password after some simple social engineering tricks
• 2/3 have given password to colleagues
• 2/3 use the same password for everything
Lessons Learned
People can be trained to avoid/prevent social engineering (St. Joe’s)
It only takes one person to divulge insider info (knowingly or unknowingly) for a security breach
Social engineering is still the easiest method of obtaining insider info.
