Social Engineering Abuses
Sean Toh
BJ Bayha
Overview
• What is Social Engineering?
• What does the survey say ?
• Case Studies
−Case 1: Kevin Mitnick
−Case 2: Melissa Virus
• Conclusion
• Q and A
Define Terms
Social Engineering (n):
Term used among [experts] for cracking techniques that rely on weaknesses in [humans] rather than software; the aim is to trick people into revealing passwords or other information that compromises a target system's security.
-- The Jargon File aka The New Hacker’s Dictionary
Define Term – Cont’d
• Valid uses of Social Engineering
• Abuses of Social Engineering
• Computer exploits without the use of social engineering
Statistical Review
• FBI Uniform Crime Reports does not bother to survey computer crime.
• National Crime Victimization Survey collects data but does not differentiate between computer-related and traditional crimes.
“I don’t think there is a good figure on that kind of crime. … There is no definitive report on computer crime.”
-- Cecil Greek, PhD. Asst. Prof. Criminology
What does the survey say?
• Why does the survey not produce accurate statistics?
• Without quantification and accuracy, no recognized body can acknowledge the problem.
• Reasons for not reporting an information leak
−Lack of knowledge
−Sometimes the user does not even know that information has leaked.
−Confidence factor: the institution fears that if news of the leak gets out, it may jeopardize its image and the confidence of its customers.
“Damage figures that include the retail value of software copied or telephone and computer services used by hackers are usually overestimates.”
-- “A Gift of Fire” Sec. Ed.
Case Study 1 : Kevin Mitnick
• Habitual prankster and phone service thief.
• Regularly switched large phone bills to victims and interrupted utility services.
• Used compromised access keys to use private computer and phone resources.
• Violated parole, late 1992.
• Stole cellular phone drivers and worm code from Tsutomu Shimomura, December 24th, 1995.
Case Study 1 : Kevin Mitnick
• What is the problem?
−Subverted corporate procedures to gain access to computers and resources.
−Undermined trust in employees.
−Major time served was for parole violation.
−Currently a security consultant with the FBI and popular speaker on computer security.
−No accountability for his actions.
−There is no law that can be directly applied to this behavior.
Case Study 2 : Melissa Virus
• Written by David Smith
• CERT Advisory March 27, 1999
• Exploited holes in MS Office and MS Outlook to propagate as an e-mail attachment.
• Required recipient to execute attached script (disguised as a MS Word document).
• Later variants managed to propagate themselves if the user merely previewed the message.
Case Study 2 : Melissa Virus
• What is the problem?
−The script hijacked e-mail accounts from trusted sources.
−Users did not realize that unexpected and unverified attachments are dangerous.
−Arrested in 7 days due to ego.
• What is the cost?
−Countless personal electronic artifacts were lost.
−Again, how can we quantify these losses?
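A mail-gateway check in the spirit of the lesson above, as an added example that is not part of the slides: it treats every attachment that presents itself as a Word document as unverified until its content is inspected, flagging legacy binary Office files (which may carry macros), OOXML containers with a VBA project, and files whose extension does not match their content, regardless of how trusted the sender looks. The sender address, filenames and the tiny zip container are constructed sample data.

```python
import email
import io
import zipfile
from email.message import EmailMessage

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"  # legacy binary Office (.doc/.xls); may carry VBA
OFFICE_EXTS = (".doc", ".dot", ".docm", ".docx", ".xls", ".xlsm")

def classify_attachment(filename, data):
    """Return the reasons this attachment deserves quarantine (empty list = nothing found)."""
    reasons = []
    if data.startswith(OLE_MAGIC):
        reasons.append("legacy binary Office file: may contain VBA macros")
    elif data.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                if any(n.lower().endswith("vbaproject.bin") for n in z.namelist()):
                    reasons.append("OOXML document with an embedded VBA project")
        except zipfile.BadZipFile:
            reasons.append("zip container is malformed")
    elif filename.lower().endswith(OFFICE_EXTS):
        reasons.append("extension claims an Office document but the content is not one")
    return reasons

def scan_message(raw):
    """Walk every attachment of a raw RFC 822 message; return (sender, filename, reason) hits."""
    msg = email.message_from_bytes(raw)
    findings = []
    for part in msg.walk():
        filename = part.get_filename()
        if not filename:
            continue
        data = part.get_payload(decode=True) or b""
        for reason in classify_attachment(filename, data):
            findings.append((msg.get("From", ""), filename, reason))
    return findings

def build_sample():
    """Constructed test message: a known contact sends a 'Word document' that is a macro container."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/vbaProject.bin", b"constructed, not real VBA")
    m = EmailMessage()
    m["From"] = "colleague@example.org"  # a trusted sender, as in the Melissa case
    m.set_content("See attached.")
    m.add_attachment(buf.getvalue(), maintype="application", subtype="msword", filename="list.doc")
    m.add_attachment(b"plain text, not a document", maintype="application", subtype="msword", filename="notes.doc")
    return m.as_bytes()
```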
Similarity between both Case Studies
• Common vector of infection: “the non-technical users”.
• Attacked: “source authentication procedures”.
• Both required intervention from internal, trusted users.
Concerns
• Is there a law to prevent it? Is it sufficient? Or can a law be formulated to prevent it?
• No cost attached.
−Case study: Melissa Virus.
• No legal protection from acts of private citizens, but legal protection of officials from the government institution that is trying to protect us.
Mitigation & Prevention
• Educate users.
• De-stigmatize victimization.
• Study and quantify the problem.
−Scope
−Cost
• Increase awareness of programs like FDLE/FSU’s CyberSafety.
Conclusion
• Remember the human factor in security installations and procedures.
• Vigilance and user education are key elements of any security procedure.
• More research has to be done to quantify the scope and nature of the problem.
Questions & Answers
Bibliography
• Books
− Sara Baase. “A Gift of Fire (2nd Ed.)”. 2003. Prentice Hall. Upper Saddle River, NJ.
− Matt Bishop. “Computer Security: Art and Science”. 2003. Addison-Wesley. Boston, MA.
− Buck BloomBecker. “Spectacular Computer Crimes”. 1990. Dow Jones-Irwin. Homewood, IL.
− Brian D. Loader and Douglas Thomas. “Cybercrime”. 2000. Routledge. New York, NY.
− John Markoff and Tsutomu Shimomura. “Takedown”. 1996. Hyperion. New York, NY.
− Michelle Slatalla and Joshua Quittner. “Masters of Deception”. 1995. HarperCollins. New York, NY.
Bibliography – Cont’d
• Films
− Dimension Films. 2000. “Takedown”.
− United Artists. 1995. “Hackers”.
Bibliography – Cont’d
• Websites
− “Bureau of Justice Statistics Crime and Victims Statistics”, http://www.ojp.usdoj.gov/bjs/cvict.htm (Accessed 3/2005)
− “Federal Bureau of Investigation Uniform Crime Reports”, http://www.fbi.gov/ucr/ucr.htm (Accessed 3/2005)
− “J-037: W97M.Melissa Word Macro Virus”, http://www.securityfocus.com/advisories/1178 (Accessed 3/2005)
− “Thwarting Evil Geniuses”, http://www.spokanejournal.com/spokane_id=article&sub=2275 (Accessed 3/2005)
Bibliography – Cont’d
• Personal Interview
− Phone interview. Cecil E. Greek, PhD. Associate Professor, Florida State University Criminology Department. 13:26, 3/02/2005.
− Personal interview. Melody McGuire. Participant, Florida Department of Law Enforcement/Florida State University CyberSecurity Program.