
Social Engineering

Survey Results

[Bar chart: Which topics would you be most interested in learning about?]

How much of your personal information do you share online?

• All: 7%

• Most: 13%

• Some: 73%

• None: 7%

How many times has your email and/or social media website been hacked?

• 0: 44%

• 1-3: 50%

• 4 or more: 6%

What is Social Engineering?

“Social engineering, in the context of information security, refers to psychological manipulation of people into performing actions or divulging confidential information.” - Wikipedia

Celebrity Victims

• Link from fake tweet and Facebook post lures people to a fictional website. Users are prompted to download software to view the video. Malicious software is downloaded instead.

• Targets Windows 7 and earlier versions

iCloud Hack Leads to Celebrity Phishing Attacks

Information Gathering Techniques

• Telephone calls to a target business or person

• Dumpster diving

• Phishing emails

• Face to face conversations

• Internet searches

• Parking lots

• GPS tracking

• Getting a job at the target company

How is Personal Information Stolen?

Source: Iconix

Types of Social Engineering

Phishing

– Voice Phishing

– Spear Phishing

– Clone Phishing

More Types of Social Engineering

• Pretexting

• Shoulder surfing

• Role playing

• Piggybacking

Social Engineering Tools

• Social Engineering Toolkit

• Maltego

• Super Phisher - 000webhost.com

• Web-console

• Spoof Cards

How to Create a Fake Link

Influence Tactics

• Social engineers often exploit the three fixed action patterns in order to manipulate a victim.

• Fixed action patterns include the following: Liking, Reciprocity, and Authority.

• Learning the organization’s lingo, phone number spoofing, or mimicking an organization's hold music.

• Using the word “because”

The Human Condition

• Appeal to charm

• Fear of loss

• Willingness to trust

• Appeal to authority

• Eagerness to receive free stuff

• Wanting to be helpful

• Perceived low impact of information

Prevention Techniques

• Just say no to giving out personal information.

• Be scrupulous with security questions.

• Do you get e-mails about password resets? Be careful. Contact the service provider to see if the e-mail is legitimate.

• You’ve probably heard this before, but here it is again: Never use the same password for multiple accounts!

• Keep an eye on your account activity, e.g. social media accounts, bank accounts, etc.

• Beware of emails from anyone, for any reason, that require you to click links. Stop and think before you click on the link. You should research the legitimacy of the email.

• Continue to educate yourself on the different social engineering techniques.

More Prevention Techniques

English-German Glossary

• Password: s Passwort, s Kennwort

• Password protection: r Passwortschutz

• Permission: e Berechtigung (-en)

• Root directory: s Wurzelverzeichnis

• Save (v.): Speichern

• Security leak: s Sicherheitsleck (-s)

• Application(s) software: e Anwendung (-en)

• Hacker: r Hacker (-), e Hackerin (-nen)

• Information technology (IT): e Informatik

• Update n.: e Aktualisierung (-en), e Änderung (-en)

• Virus: s/r Virus (Viren)

• Network n.: s Netzwerk

• Trojan horse (virus): r Trojaner

• Database: e Datei

• Error message: e Fehlermeldung

Questions?? Fragen??

Sources

• http://german.about.com/library/blcomputE_T-Z.htm

• http://www.bloggernews.net/135080

• http://www.csoonline.com/article/2123378/identity-theft-prevention/social-engineering--eight-common-tactics.html

• http://www.youtube.com/watch?v=yY-lMkeZVuY

• www.infosecwriters.com/text_resources/pdf/Social_Engineering

• http://lifehacker.com/5824481/how-to-convince-people-to-let-you-cut-in-line

• http://www.youtube.com/watch?v=V5NRKVgZNFg

• http://www.social-engineer.org/framework/se-tools/physical/gps-trackers/

• http://www.csoonline.com/article/2131550/social-engineering/the-social-engineering-toolkit-s-evolution--goals.html

• http://www.pcworld.com/article/182180/top_5_social_engineering_exploit_techniques.html

Sources (continued)

• http://iconixtruemark.wordpress.com/2011/09/23/the-security-threat-of-social-engineering/

• http://en.wikipedia.org/wiki/Phishing

• http://en.wikipedia.org/wiki/Voice_phishing

• http://en.wikipedia.org/wiki/Social_engineering_%28security%29

• http://arstechnica.com/security/2014/09/celeb-nude-photos-now-being-used-as-bait-by-internet-criminals/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+arstechnica%2Findex+%28Ars+Technica+-+All+content%29

• http://www.darkreading.com/perimeter/poll-employees-clueless-about-social-engineering-/a/d-id/1316280