security-b-sides
Advanced exploitation on social networks. Not a social engineering talk, nor a talk about technological exploitation: the combination of exploits against people and technology all in one place.
Social Penetration
Mike Bailey and Mike Murray
Social Engineering:
The practice of obtaining
confidential information by
manipulating users.
Source: Wikipedia
Social Media Applications are
“applications that inherently
connect people and
information in spontaneous,
interactive ways”
Mark Drapeau and Linton Wells
National Defense University (NDU)
The Tipping Point
The Vulnerability Cycle (diagram): Network, Client, Human / Organization, Application, Service / Server
Getting Penetrated
• Three Main Issues
– We leak information
– We are vulnerable to each other
– The web browser
Information Leakage
• Intentional or through ignorance
• We leak a million things
– Images
– GPS Coordinates
– Picnic Flyers
– Group Messages/Conversations
– Job Postings
• If you can imagine it, you can find it.
© 2008 – Foreground Security, Michael Murray & Associates, LLC. All rights reserved
User Vulnerability
Only two things are infinite: the universe and human stupidity.
And I'm not sure about the former. - Albert Einstein
Human Vulnerability
• Humans are social creatures
• Human nature makes us vulnerable to each other
• Social engineers exploit weaknesses in human nature to obtain information or access
The Critical Faculty
• The hypnotist’s term for the part of the mind
that acts as the rational alert system
– Allows the human to act on largely unconscious processes
– Things rise to conscious awareness based on CF activation
• This suggests that all SE success is CF-related
– Avoid activating critical-faculty
– We want the person to execute a task that is inappropriate, yet fail to raise the CF alert to conscious awareness
The Military Experiments
Would military officers disobey a direct order under hypnosis?
Success in Social Engineering
Create a context that ensures that the behavior we want is completely appropriate.
The Basics
• This is third grade English class:
– Spelling
– Grammar
– Punctuation
• Most CF-activation is here
– Taught as the base of much Security Awareness Training
Awareness
• Words are meaningless without awareness of what is working
– Your awareness of others acts as a compass
– You need to see and hear the effect of your words
• Main components of awareness in face-to-face
– Body language
– Facial expressions
– Language Tone
• How do we do this in technological social engineering?
Tone Analysis of Writing
• As native speakers of English, we infer auditory tone from the written word.
• Two main components:
– Word choice
– Punctuation
• Simple example
Tone in SE
• Back to the prime rule
– Tone needs to be natural and appropriate.
• Every situation has a tone and a feel for the writing that is unlikely to activate the CF.
Hello Michael Murray,
I appreciate your interest in viewing your TD Visa account information
using EasyWeb. Thank you for taking the time to write.
If you currently have an active EasyWeb profile but can not access your TD
Visa, you may have 2 separate customer profiles set up with TD Canada
Trust. For immediate assistance with correcting this situation, I
encourage you to call EasyLine toll free at 1-866-222-3456. A Banking
Specialist can combine your profiles if necessary, provided that the
personal information on both profiles match. Representatives are available
24 hours a day, 7 days a week. If you are not registered for EasyLine,
kindly press 2 and then 0 to speak with a representative. The combining
process usually takes about two days to complete, and once it is finished,
you should be able to view your entire personal portfolio via EasyWeb.
Actual Email from TD
The Elements of Influence
• Cialdini and others have found that creating a frame with certain elements can enhance influence
– Reciprocity
– Authority
– Social Proof
– Confirmation
– Scarcity / Urgency
– Emotional / Amygdala hijack
– Confusion
• Inserting these elements within a frame can strengthen influence
– These are natural human responses
– We use these responses to create a context for influence
Confirmation
• Confirmation Bias
– That which confirms what we already believe, we tend to believe.
– That which fails to confirm what we already believe, we tend to ignore.
• The brain LITERALLY turns off
– No CF activation
During the run-up to the 2004 presidential election, while undergoing an fMRI brain scan, 30 men--half self-described as "strong" Republicans and half as "strong" Democrats--were tasked with assessing statements by both George W. Bush and John Kerry in which the candidates clearly contradicted themselves. Not surprisingly, in their assessments Republican subjects were as critical of Kerry as Democratic subjects were of Bush, yet both let their own candidate off the hook…. The neuroimaging results, however, revealed that… "We did not see any increased activation of the parts of the brain normally engaged during reasoning"
From: http://resonancetechnologies.com/press/articles/ThePoliticalBrain.pdf
Confirmation in SE
• Signal Theory
– Branch of economics relating to the messages passed by inference
– E.g. a CEH is a signal that you have chosen the path of an EH
• We need to give appropriate signals
– Tone
– Language
– Appearance
Hello Michael Murray,
I appreciate your interest in viewing your TD Visa account information using EasyWeb. Thank you for taking the time to write.
If you currently have an active EasyWeb profile but can not access your TD Visa, you may have 2 separate customer profiles set up with TD Canada Trust. For
immediate assistance with correcting this situation, I encourage you to call EasyLine toll free at 1-866-222-3456. A Banking Specialist can combine your profiles if
necessary, provided that the personal information on both profiles match. Representatives are available 24 hours a day, 7 days a week. If you are not registered for
EasyLine, kindly press 2 and then 0 to speak with a representative. The combining process usually takes about two days to complete, and once it is finished, you
should be able to view your entire personal portfolio via EasyWeb.
Best regards,
Debra Matsumoto
Internet Correspondence Representative
________________________________________
TD Canada Trust 1-866-222-3456
http://www.tdcanadatrust.com
Email: [email protected]
TDD (Telephone Device for the Deaf) 1-800-361-1180
This email is directed to, and intended for the exclusive use of, the addressee indicated above. TD Canada Trust endeavours to provide accurate and up-to-date
information relating to its products and services. However, please note that rates, fees and information are subject to change.
Back to TD
We create relationships through trading value.
Temporary inequality creates powerful bonds.
Reciprocity == Investment
• The act of exchanging value
– I can do something for you
– You can do something for me.
• Both acts strengthen our bond.
– We become more invested in the relationship
– The more invested a person feels, the more likely they are to be influenced by the relationship
• This is the Nigerian scam’s overwhelming power
Scarcity
• People will take almost any opportunity for their own gain
– Especially if the opportunity seems scarce
– If we have to hurry, the amygdala takes over
• This is a marketing tactic
– Infomercials
– Scams
Ron Popeil
“If you call in the next 15 minutes…”
Web Browsers
• Malicious Links
• Credential Theft
• XSS
• CSRF
• Abusing websites, not systems
So much more we could discuss…
So little time.
Keep an eye on: MadSecInc.com
Email us: [email protected] [email protected]