Social Engineering Abuses Sean Toh BJ Bayha


Page 1

Social Engineering Abuses

Sean Toh

BJ Bayha

Page 2

Overview

• What is Social Engineering?

• What does the survey say?

• Case Studies
  − Case 1: Kevin Mitnick
  − Case 2: Melissa Virus

• Conclusion

• Q and A

Page 3

Define Terms

Social Engineering (n):

Term used among [experts] for cracking techniques that rely on weaknesses in [humans] rather than software; the aim is to trick people into revealing passwords or other information that compromises a target system's security.

-- The Jargon File aka The New Hacker’s Dictionary

Page 4

Define Term – Cont’d

• Valid uses of Social Engineering

• Abuses of Social Engineering

• Computer exploits without the use of social engineering

Page 5

Statistical Review

• FBI Uniform Crime Reports does not bother to survey computer crime.

• National Crime Victimization Survey collects data but does not differentiate between computer-related and traditional crimes.

“I don’t think there is a good figure on that kind of crime. … There is no definitive report on computer crime.” -- Cecil Greek, PhD., Asst. Prof. Criminology

Page 6

What does the survey say?

• Why does the survey not produce accurate statistics?

• Without quantification and accuracy, no recognized body can acknowledge the problem.

• Reasons for not reporting an information leak:
  − Lack of knowledge: sometimes the user does not even know that information has leaked.
  − Confidence factor: the institution fears that if news of an information leak gets out, it may jeopardize its image and its customers’ confidence.

Page 7

“Damage figures that include the retail value of software copied or telephone and computer services used by hackers are usually overestimates.”

-- “A Gift of Fire”, 2nd Ed.

Page 8

Case Study 1 : Kevin Mitnick

• Habitual prankster and phone service thief.

• Regularly switched large phone bills to victims and interrupted utility services.

• Used compromised access keys to use private computer and phone resources.

• Violated parole, late 1992.

• Stole cellular phone drivers and worm code from Tsutomu Shimomura, December 24th, 1995.

Page 9

Case Study 1 : Kevin Mitnick

• What is the problem?
  − Subverted corporate procedures to gain access to computers and resources.
  − Undermined trust in employees.
  − Major time served was for parole violation.
  − Currently a security consultant with the FBI and popular speaker on computer security.
  − No accountability for his actions.
  − There is no law that can be directly applied to this behavior.

Page 10

Case Study 2 : Melissa Virus

• Written by David Smith

• CERT Advisory March 27, 1999

• Exploited holes in MS Office and MS Outlook to propagate as an e-mail attachment.

• Required the recipient to execute an attached script (disguised as an MS Word document).

• Later variants managed to propagate even if the user merely previewed the message.

Page 11

Case Study 2 : Melissa Virus

• What is the problem?
  − The script hijacked e-mail accounts from trusted sources.
  − Users did not realize unexpected and unverified attachments are dangerous.
  − Arrested in 7 days due to ego.

• What is the cost?
  − Countless personal electronic artifacts were lost.
  − Again, how can we quantify these losses?
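The Melissa slides describe a script that arrives as an e-mail attachment posing as a Word document and needs only one click from a trusting user. The following Python attachment-policy check is an added example, not material from the presentation: it is the kind of check a mail gateway or a user-education demo could run to catch the delivery pattern above. It flags double extensions that hide a script behind a document suffix, attachments declared as Office documents whose bytes are not an OLE2 container, and OLE2 documents that carry VBA macro storage. The sample message, sender, filenames and payloads are constructed, and the macro check (a substring search for UTF-16LE storage names) is a heuristic assumption rather than a full Office parser.

```python
"""Attachment policy check for inbound mail (added example, not from the presentation).

Three checks are applied to every attachment of a message:
  1. a script extension (.vbs, .js, ...) hidden behind a document suffix ("list.doc.vbs");
  2. an attachment declared as an Office document whose bytes are not an OLE2 container;
  3. an OLE2 document whose directory carries VBA macro storage names.
The sample message, filenames and payloads below are constructed for the demo.
"""
import email
import email.policy
from email.message import EmailMessage

SCRIPT_EXTENSIONS = {".vbs", ".js", ".exe", ".scr", ".bat", ".cmd", ".hta", ".wsf"}
DOCUMENT_EXTENSIONS = {".doc", ".xls", ".ppt", ".rtf", ".pdf", ".txt"}
OFFICE_TYPES = {"application/msword", "application/vnd.ms-excel"}
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # OLE2 compound-file signature (legacy .doc/.xls)
# Storage names in an OLE2 directory are UTF-16LE; these appear in macro-bearing Office
# files. A substring search is a heuristic, not a full OLE parser (assumption).
MACRO_MARKERS = ("Macros".encode("utf-16-le"), "VBA".encode("utf-16-le"))


def suffixes(filename):
    """All dotted suffixes, lower-cased: 'list.doc.vbs' -> ['.doc', '.vbs']."""
    parts = filename.lower().split(".")
    return ["." + p for p in parts[1:]]


def check_attachment(filename, content_type, payload):
    """Return a list of policy findings for one attachment (empty list = clean)."""
    findings = []
    ext = suffixes(filename)
    if ext and ext[-1] in SCRIPT_EXTENSIONS:
        findings.append("executable script attachment")
        if any(e in DOCUMENT_EXTENSIONS for e in ext[:-1]):
            findings.append("script disguised as document (double extension)")
    claims_office = content_type in OFFICE_TYPES or (ext and ext[-1] in {".doc", ".xls"})
    if claims_office:
        if not payload.startswith(OLE_MAGIC):
            findings.append("declared Office document but content is not an OLE file")
        elif any(marker in payload for marker in MACRO_MARKERS):
            findings.append("Office document contains VBA macro storage")
    return findings


def scan_message(raw_bytes):
    """Parse a raw RFC 5322 message and map each attachment filename to its findings."""
    msg = email.message_from_bytes(raw_bytes, policy=email.policy.default)
    report = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""
        report[name] = check_attachment(name, part.get_content_type(), payload)
    return report


def build_sample_message():
    """Constructed test message: one disguised script, one macro document, one clean file."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.com"   # constructed sender
    msg["To"] = "user@example.com"
    msg["Subject"] = "Document you requested"
    msg.set_content("Please see the attached document.")
    msg.add_attachment(b'MsgBox "constructed sample"', maintype="text",
                       subtype="plain", filename="list.doc.vbs")
    fake_ole = OLE_MAGIC + b"\x00" * 24 + "Macros".encode("utf-16-le") + b"\x00" * 24
    msg.add_attachment(fake_ole, maintype="application", subtype="msword",
                       filename="report.doc")
    msg.add_attachment(b"meeting notes", maintype="text", subtype="plain",
                       filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, findings in scan_message(build_sample_message()).items():
        print(f"{name}: {findings or 'clean'}")
```

Run as a script, the three attachments come back as two findings for `list.doc.vbs`, one for `report.doc` and none for `notes.txt`. None of these checks replaces user education; they turn the slide's "unexpected and unverified attachments are dangerous" into something the gateway can say before the user has to decide.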

Page 12

Similarity between both Case Studies

• Common vector of infection: “the non-technical users”.

• Attacked: “source authentication procedures”.

• Both required intervention from internal, trusted users.

Page 13

Concerns

• Is there a law to prevent it? Is it sufficient? Or can a law be formulated to prevent it?

• No cost attached.
  − Case study: Melissa Virus.

• No legal protection from acts of private citizens, but legal protection of officials from the government institution that is trying to protect us.

Page 14

Mitigation & Prevention

• Educate users.

• De-stigmatize victimization.

• Study and quantify the problem.
  − Scope
  − Cost

• Increase awareness of programs like FDLE/FSU’s CyberSafety.

Page 15

Conclusion

• Remember the human factor in security installations and procedures.

• Vigilance and user education are key elements of any security procedure.

• More research has to be done to quantify the scope and nature of the problem.

Page 16

Questions & Answers

Page 17

Bibliography

• Books
  − Sara Baase. “A Gift of Fire (2nd Ed.)”. 2003. Prentice Hall. Upper Saddle River, NJ.
  − Matt Bishop. “Computer Security: Art and Science”. 2003. Addison-Wesley. Boston, MA.
  − Buck BloomBecker. “Spectacular Computer Crimes”. 1990. Dow Jones-Irwin. Homewood, IL.
  − Brian D. Loader and Douglas Thomas. “Cybercrime”. 2000. Routledge. New York, NY.
  − John Markoff and Tsutomu Shimomura. “Takedown”. 1996. Hyperion. New York, NY.
  − Michelle Slatalla and Joshua Quittner. “Masters of Deception”. 1995. HarperCollins. New York, NY.

Page 18

Bibliography – Cont’d

• Films
  − Dimension Films. 2000. “Takedown”.
  − United Artists. 1995. “Hackers”.

Page 20

Bibliography – Cont’d

• Personal Interview
  − Phone interview. Cecil E. Greek, PhD. Associate Professor, Florida State University Criminology Department. 13:26, 3/02/2005.
  − Personal interview. Melody McGuire. Participant, Florida Department of Law Enforcement/Florida State University CyberSecurity Program.