
Social Engineering 101
August 31st, 2010
www.iac.iastate.edu/iasg | facebook.com/infasgroup
Social Engineering

The end user is usually the weakest link of a system
• People are often lazy, ignorant of security, or simply gullible

Social engineering is a journey into social psychology!
• Yes I know, that probably doesn’t sound very fun
• Well guess what… it is, so deal with it!
Social Psychology: Persuasion

A number of variables influence the persuasion process:
• The Communicator (Who?)
• The Message (What?)
• The Audience (Whom?)
• The Channel (How?)

We’ll be discussing “The Communicator” in particular.
Source: http://en.wikipedia.org/wiki/Social_psychology_(psychology)
Social Psychology: Persuasion

The Communicator (Who?):
• Credibility
• Expertise
• Trustworthiness
• Attractiveness
Source: http://en.wikipedia.org/wiki/Social_psychology_(psychology)
Social Psychology: Persuasion

Credibility: “The Milgram Experiment”
(Image: white lab coat)
Source: http://www.nytimes.com/slideshow/2008/06/30/science/070108-MIND_2.html
Social Psychology: Persuasion

Credibility: “The Milgram Experiment”
• The “assistant” will give electric shocks of increasing voltage to the “test subject”, whom they can hear through a covered window but cannot see
• The “test subject” is actually an actor and is not really getting shocked
Social Psychology: Persuasion

Credibility: “The Milgram Experiment”
• After a few shocks, the “test subject” actor begins yelling in pain, banging on the wall, and begging for the shocks to stop
• “Assistants” would ask the man in the white coat what to do; upon being told to continue, 65% of “assistants” went on to administer 450-volt shocks from the switch labeled “dangerous”
• By the time the 450-volt switch is reached, the actor has already been dead silent for many minutes
Social Psychology: Persuasion

So what’s the moral of the story?
• Most people will obey the man in the white coat
• In our social engineering experiment, I was temporarily an authority figure and was able to persuade easily, because I had established credibility
Social Psychology: Persuasion

The Communicator (Who?):
• Credibility
• Expertise
• Trustworthiness
• Attractiveness
Source: http://en.wikipedia.org/wiki/Social_psychology_(psychology)
Social Psychology: Persuasion

Would my social engineering attack have been more successful if this… …looked like this instead?
The answer is YES! (and that’s true regardless of sex)
Side note: women are more likely to trust women, and men are more likely to trust men
Source: "Gender pairing bias in trustworthiness", Journal of Socio-Economics, Volume 38, Issue 5, October 2009, Pages 779-789
Social Psychology: Illusory Superiority

I bet you are thinking, “That wouldn’t happen to me, I know better!”
• Oh really? Don’t be so sure! We had a nearly 50% success rate with minimal effort
• It’s easy for you to say you wouldn’t be fooled, because you are currently suffering from bias!
• This bias is called illusory superiority
• It causes people to overestimate their positive qualities and abilities and to underestimate their negative qualities, relative to others
Source: http://en.wikipedia.org/wiki/Illusory_superiority
Back to the Video

Let’s hear from you:
• What made my social engineering attack successful?
• What could I have done better?
So… people are dumb

Amazing statistics, for your enjoyment:
• In a 2003 information security survey, 90% of office workers gave researchers what they claimed was their password in answer to a survey question, in exchange for a cheap pen
• In another study, 70% of people claimed they would reveal their computer password in exchange for a bar of chocolate
• 34% of respondents volunteered their password when asked, without even needing to be bribed
* Researchers made no attempt to validate the passwords
Source: http://news.bbc.co.uk/1/hi/technology/3639679.stm
Phishing

Remember we talked about the need for credibility?
A good phishing attempt will look like one of these examples (which, if you were here last year, I used in my Ettercap lecture):
http://129.186.201.46/service/
Spear Phishing

Simply put, spear phishing is targeted phishing
• Spear phishing terrifies the government, large corporations, small businesses, and the average individual
• It does not always occur via e-mail; it works over the phone quite well too!
• Dumpster diving can make it easy to find useful information
Carnegie Mellon SSL Certificate Study

In an online study conducted among 409 participants, researchers found that the majority of respondents would ignore warnings about an expired Secure Sockets Layer (SSL) certificate. The more tech-savvy the user, the more likely they would be to ignore it, the study found.

Of the 50 percent of Firefox 2 users polled who could identify the term "expired security certificate," 71 percent said they would ignore the warning.
Of the 59 percent of Firefox 2 users who understood the significance of a "domain mismatch" warning, 19 percent said they would ignore the hazard.

The Carnegie Mellon team conducted a second study, with 100 participants and under lab conditions. The participants were shown an invalid certificate warning when they navigated to their bank’s website. 69% of technologically savvy Firefox 2 users ignored an expired certificate warning from their own bank.
Source: http://news.cnet.com/8301-1009_3-10297264-83.html
ISU WebCT SSL Certificate Invalidation

• Two years ago, the certificate for WebCT was not renewed before its expiration
• ITS was immediately inundated with calls and requests for support; employees walked users through how to ignore the certificate error
• The certificate remained invalid for two days
• Such problems train the average user to simply ignore these types of warnings
  • “I’ve seen this before, and they just told me to click ignore last time.”
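The WebCT lapse above is exactly the failure a scheduled expiry check prevents: if operations learns about a certificate weeks before it expires, users never see the warning and never get taught to click through it. The following is an added example, not part of the lecture or of ISU's own tooling. It classifies certificates by days remaining using the dictionary shape that Python's ssl.SSLSocket.getpeercert() returns; the host names, expiry dates and the 14-day renewal window are constructed for illustration, and the live-fetch helper is included only to show where real data would come from.

```python
"""Certificate-expiry check (added example, not from the lecture).

Classifies each certificate as OK / RENEW / EXPIRED so a cron job can page
operations well before a WebCT-style outage reaches end users.
"""
import socket
import ssl
from datetime import datetime, timedelta, timezone

# Assumed renewal window: flag anything expiring within this many days.
WARN_DAYS = 14


def days_until_expiry(cert: dict, now: datetime) -> float:
    """Days left on a certificate dict shaped like ssl.SSLSocket.getpeercert().

    getpeercert() reports notAfter as e.g. "Aug 31 23:59:59 2010 GMT";
    ssl.cert_time_to_seconds parses that format to a POSIX timestamp (UTC).
    A negative result means the certificate has already expired.
    """
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    return (expires - now) / timedelta(days=1)


def classify(cert: dict, now: datetime, warn_days: int = WARN_DAYS) -> str:
    """Map days-remaining onto an operational status string."""
    days = days_until_expiry(cert, now)
    if days < 0:
        return "EXPIRED"
    if days < warn_days:
        return "RENEW"
    return "OK"


def fetch_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Fetch the leaf certificate a live host presents (network access; not used offline).

    create_default_context() verifies the chain, so an already-expired or
    mismatched certificate raises ssl.SSLCertVerificationError here, which a
    real monitor should catch and report as EXPIRED/INVALID rather than crash on.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def report(certs: dict, now: datetime) -> dict:
    """certs: mapping host -> cert dict. Returns {host: status}."""
    return {host: classify(cert, now) for host, cert in certs.items()}


# Constructed sample data standing in for getpeercert() results; these are
# not real hosts or real certificates. "Now" is the lecture date.
SAMPLE_NOW = datetime(2010, 8, 31, 12, 0, tzinfo=timezone.utc)
SAMPLE_CERTS = {
    # lapsed two days ago: the WebCT situation
    "webct.example.edu": {"subject": ((("commonName", "webct.example.edu"),),),
                          "notAfter": "Aug 29 23:59:59 2010 GMT"},
    # inside the renewal window: page operations now
    "mail.example.edu": {"subject": ((("commonName", "mail.example.edu"),),),
                         "notAfter": "Sep  8 23:59:59 2010 GMT"},
    # a full year left
    "www.example.edu": {"subject": ((("commonName", "www.example.edu"),),),
                        "notAfter": "Aug 31 12:00:00 2011 GMT"},
}

if __name__ == "__main__":
    for host, status in report(SAMPLE_CERTS, SAMPLE_NOW).items():
        print(f"{status:8} {host}")
```

In production the sample dictionary would be replaced by calling fetch_cert() for each host on an inventory list, with the network and verification errors caught and reported; the classification logic stays the same.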
Reverse Social Engineering: A New Spin on S.E.

An attacker makes the victim come to him directly!
• Example: A hacker sabotages a network, causing a problem to arise. That hacker then advertises that he is the appropriate contact to fix the problem, and then, when he comes to fix the network problem, he requests certain bits of information from the employees and gets the data or credential information that he really came for. The victims may never know an attack took place, because the network problem goes away, leaving everyone happy in the end.
• This also builds future credibility for the hacker
Who is this?

Hint: possibly the greatest social engineer ever born…
…and the worst person to have walked the earth in the 20th century
Source: http://img.thesun.co.uk/multimedia/archive/00039/F_200705_May07ed_img_39143a.jpg
Source: http://blog.verdylives.com/wp-content/uploads/2009/10/2865398363_ba996e4e0d.jpg
Adolf Hitler

• In Hitler’s early writings, the future dictator discusses Jews as the perfect scapegoats for Germany’s post-WWI problems; he does show disdain for the race at this time, but does not propose violence against them
• By the mid-1930s, Adolf had already quickly gained support via social engineering the people of Germany
• Specifically, he rode on anti-communist hysteria and published extreme propaganda
• In Hitler’s later writings (circa 1940s), it becomes clear that Adolf has come to believe in his own party’s propaganda
Source: http://www.takedown.com/bio/mitnick.html
Who is this?
Source: http://ils.unc.edu/~neubanks/inls187/home/fugitive.html
Kevin Mitnick

• In 1981, at the age of 17, Mitnick and his gang of hackers decided to physically break into COSMOS, a database used for controlling the phone system’s basic recordkeeping functions
• In broad daylight on a Saturday, the group talked their way past security and into the room where the database system was located
• From that room, the gang lifted combination lock codes for nine Pacific Bell offices and the COSMOS system’s operating manuals
Source: http://www.takedown.com/bio/mitnick.html
Kevin Mitnick

• To ensure continued access, they placed fake names and phone numbers into a company rolodex, which would have allowed them to call in and further social engineer, if needed
  • Take-home point: hackers always leave a way back in
• A manager soon realized the names were fraudulent and contacted police; Mitnick was later tied to the theft by a conspirator’s former girlfriend
  • Take-home point: don’t tell your girlfriend about your crime attempts, especially when they constitute a felony
Source: http://www.takedown.com/bio/mitnick.html
Next Meeting: September 7
2010 ISU Cyber Defense Competition
Saturday October 9th, 8:00am – 5:00pm
Howe Hall Atrium
(more information at next meeting)
Still Have Questions?
General Inquiries: IASG Cabinet <iasg-cabinet@iastate.edu>
Specific To This Lecture: Matthew Sullivan <msulliv@iastate.edu>
Lectures are usually video recorded and are made available via our website within 48 hours.