The Art of Deception - Controlling Human Element of Security - Shohei Hagiwara November 17th, 2009


Page 1

The Art of Deception

- Controlling Human Element of Security -

Shohei Hagiwara, November 17th, 2009

Page 2

Topic: Information Security

Technologies: encryption, firewall, anti-virus software, passwords

Focus: human...

Outline: What is social engineering? A couple of examples of how attackers get access to information

Page 3

The book...

Title: The Art of Deception

Year: 2002

Authors: Kevin Mitnick, William Simon

Kevin Mitnick: ex-world-famous hacker, consultant

First crime: free bus ride when 12 years old

William Simon: writer/editor

Page 4

What is Social Engineering?

”uses influence and persuasion to deceive people by convincing them that the social engineer is someone he [or she] is not, or by manipulation. As a result, the social engineer is able to take advantage of people to obtain information with or without the use of technology.”(from the book)

Pretend, deceive/manipulate, get information

Page 5

Human Factor of Security

Human factor → the weakest link

Emotion, mistakes, misjudgement, tiredness

”Only two things are infinite, the universe and human stupidity, and I'm not sure about the former.” Albert Einstein

Page 6

6 Basic Tendencies of Human Nature

Suggested by Robert B. Cialdini:

1. Authority
2. Liking
3. Reciprocation
4. Consistency
5. Social Validation
6. Scarcity

Page 7

Other Factors

National characters: love thy neighbors

Organizational innocence: sharing information, trust, little/no security

→ this is changing...

Page 8

When Innocent Information Isn't...

Information that is valuable: credit card number, PIN, password, etc.

We won't give them away because we know they are valuable.

What about date of birth, pet's name, student ID, unit number?

Page 9

Continued...

Seemingly useless information can be used to impersonate someone.

It is a step to the next, more valuable piece of information.

Page 10

An example

Banks and CheCredit

First call to bank: ”I am writing a book. What do you give CheCredit to get a credit record?”

Second call to bank: ”I am calling from CheCredit. I am doing a survey to improve service.” ”Hours of operation, how many employees, how often do you call, what is your Merchant ID, how long have you been with the bank, suggestions?”

Page 11

Another example

Video shop

First call to a shop: ”I had a great experience with the shop and want to send a letter to the manager. And also, I want to send a letter to the company headquarters. What is your branch number?”

Now you have the manager's name and branch number.

Continue...

Page 12

How to prevent

1. Classify information → what is and is not okay to be shared

2. Verify. Don't rely on lingo and feelings. Get the caller's name and phone number.

Page 13

Building Trust

Appearance, voice, talking, personality

Frequent contacts (e.g. video shop)

Call to another shop: pretend to be the manager of shop

Small requests, chats

Continue...

Page 14

Can you help me?

People like helping others

Page 15

Example of video shop

Another call to shop: ”system is down. Can you check a customer for me? Credit card number?”

Page 16

How to prevent

Verify, verify, verify! Call the listed number.

But you want employees to be helpful to each other at the workplace.

Page 17

Dumpster Diving

Low risk and high return

Passwords, receipts, lists, etc.

A shredder may not work... Puzzle the strips back together → whole list of company systems and passwords

Page 18

How to Prevent Dumpster Diving

Lock the dumpster

Cross shred

Multilevel approach to information of different sensitivity

Background check on custodians

Page 19

Attack on Entry Level Employee

An easy target:

They don't know the value of information

They don't know the structure of the company

Likely to obey authority

Page 20

What is the best countermeasure?

Anti-virus? Firewall? Encryption? Code names?

No.

Have trained, aware, conscientious employees

Page 21

Train Employees

Not a web page or pamphlet

Not a one-day seminar → ongoing

Raise awareness!!! Procedures are not enough.

There are threats. It is part of the job to protect information against threats.

Reward, encouragement

Awareness → specific techniques

Page 22

Question...

Questions?