Social Engineering 101
August 31st, 2010
www.iac.iastate.edu/iasg | facebook.com/infasgroup

Social Engineering
- The end user is usually the weakest link of a system
- People are often lazy, ignorant of security, or simply gullible
- Social engineering is a journey into social psychology!
- Yes I know, that probably doesn’t sound very fun
- Well guess what… it is, so deal with it!

Social Psychology: Persuasion
A number of variables influence the persuasion process:
- The Communicator (Who?)
- The Message (What?)
- The Audience (Whom?)
- The Channel (How?)
We’ll be discussing “The Communicator” in particular.
Source: http://en.wikipedia.org/wiki/Social_psychology_(psychology)

Social Psychology: Persuasion
The Communicator (Who?):
- Credibility
- Expertise
- Trustworthiness
- Attractiveness
Source: http://en.wikipedia.org/wiki/Social_psychology_(psychology)

Social Psychology: Persuasion
Credibility: “The Milgram Experiment” (the white lab coat)
Source: http://www.nytimes.com/slideshow/2008/06/30/science/070108-MIND_2.html
- The “assistant” will give electric shocks in increasing voltages to the “test subject”, whom they can hear through a covered window but cannot see
- The “test subject” is actually an actor and is not really being shocked
- After a few shocks, the “test subject” actor begins yelling in pain, banging on the wall, and begging for the shocks to stop
- “Assistants” would ask the man in the white coat what to do; upon being told to continue, 65% of “assistants” went on to administer 450-volt shocks from the switch labeled “dangerous”
- By the time the 450-volt switch is reached, the actor has already been dead silent for many minutes

Social Psychology: Persuasion
So what’s the moral of the story?
- Most people will obey the man in the white coat
- In our social engineering experiment, I was temporarily an authority figure and was able to persuade easily, because I had established credibility

Social Psychology: Persuasion
The Communicator (Who?):
- Credibility
- Expertise
- Trustworthiness
- Attractiveness
Source: http://en.wikipedia.org/wiki/Social_psychology_(psychology)

Social Psychology: Persuasion
Would my social engineering attack have been more successful if this…
…looked like this instead?
The answer is YES! (and that’s true regardless of sex)
Side note: women are more likely to trust women, and men are more likely to trust men
Source: “Gender pairing bias in trustworthiness”, Journal of Socio-Economics, Volume 38, Issue 5, October 2009, Pages 779-789

Social Psychology: Illusory Superiority
- I bet you are thinking, “That wouldn’t happen to me, I know better!”
- Oh really? Don’t be so sure!
- We had a nearly 50% success rate with minimal effort
- It’s easy for you to say you wouldn’t be fooled, because you are currently suffering from bias!
- This bias is called illusory superiority
- It causes people to overestimate their positive qualities and abilities and to underestimate their negative qualities, relative to others
Source: http://en.wikipedia.org/wiki/Illusory_superiority

Back to the Video
Let’s hear from you:
- What made my social engineering attack successful?
- What could I have done better?
So… people are dumb
Amazing statistics, for your enjoyment:
- In a 2003 information security survey, 90% of office workers gave researchers what they claimed was their password in answer to a survey question, in exchange for a cheap pen
- In another study, 70% of people claimed they would reveal their computer password in exchange for a bar of chocolate
- 34% of respondents volunteered their password when asked, without even needing to be bribed
* Researchers made no attempt to validate the passwords
Source: http://news.bbc.co.uk/1/hi/technology/3639679.stm

Phishing
- Remember we talked about the need for credibility?
- A good phishing attempt will look like one of these examples (which, if you were here last year, I used in my Ettercap lecture): http://129.186.201.46/service/

Spear Phishing
- Simply put, spear phishing is targeted phishing
- Spear phishing terrifies the government, large corporations, small businesses, and the average individual
- It does not always occur via e-mail; it works over the phone quite well too!
- Dumpster diving can make it easy to find useful information

Carnegie Mellon SSL Certificate Study
- In an online study conducted among 409 participants, researchers found that the majority of respondents would ignore warnings about an expired Secure Sockets Layer (SSL) certificate. The more tech-savvy the user, the more likely they were to ignore it, the study found.
- Of the 50 percent of Firefox 2 users polled who could identify the term “expired security certificate,” 71 percent said they would ignore the warning.
- Of the 59 percent of Firefox 2 users who understood the significance of a “domain mismatch” warning, 19 percent said they would ignore the hazard.
- The Carnegie Mellon team conducted a second study, with 100 participants and under lab conditions. The participants were shown an invalid certificate warning when they navigated to their bank’s website. 69% of technologically savvy Firefox 2 users ignored an expired certificate warning from their own bank.
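The two warnings the Carnegie Mellon study asked about, an expired certificate and a domain mismatch, are exactly the conditions a server operator can catch before users ever see a browser warning. The script below is an added example, not part of the lecture or any ISU system: it evaluates a certificate in the dictionary shape that Python's standard-library `ssl.SSLSocket.getpeercert()` returns, reports expiry and hostname mismatch the way a browser would, and additionally raises a renewal warning a configurable number of days before expiry. The certificates, hostnames (`webct.example.edu`, `*.example.edu`) and the fixed "today" date are constructed for the demonstration.

```python
import ssl
from datetime import datetime, timezone

# Constructed sample certificates in the dict shape that Python's
# ssl.SSLSocket.getpeercert() returns (not real certificates).
EXPIRED_CERT = {
    "subject": ((("commonName", "webct.example.edu"),),),
    "notBefore": "Aug 29 00:00:00 2008 GMT",
    "notAfter": "Aug 29 00:00:00 2010 GMT",
    "subjectAltName": (("DNS", "webct.example.edu"),),
}

EXPIRING_SOON_CERT = {
    "subject": ((("commonName", "webct.example.edu"),),),
    "notBefore": "Sep 10 00:00:00 2008 GMT",
    "notAfter": "Sep 10 00:00:00 2010 GMT",
    "subjectAltName": (("DNS", "*.example.edu"),),
}

# Fixed "today" (the lecture date) so the checks are reproducible offline.
LECTURE_DATE = datetime(2010, 8, 31, tzinfo=timezone.utc)


def dns_names(cert):
    """Names the certificate is valid for: SAN DNS entries, else the CN."""
    names = [value for kind, value in cert.get("subjectAltName", ())
             if kind == "DNS"]
    if names:
        return names
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    return names


def name_matches(pattern, hostname):
    """Match one certificate name against a hostname.

    A single leading '*' label matches exactly one label, so '*.example.edu'
    covers 'webct.example.edu' but not 'example.edu' or 'a.b.example.edu'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def check_certificate(cert, hostname, now, warn_days=14):
    """Return the warnings a browser (or a monitoring job) should raise.

    An empty list means the certificate is valid for `hostname` at `now`
    and is not within `warn_days` of expiry.
    """
    findings = []
    now_ts = now.timestamp()
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    days_left = (not_after - now_ts) / 86400

    if now_ts < not_before:
        findings.append("not yet valid")
    if days_left < 0:
        findings.append(f"expired {-days_left:.0f} days ago")
    elif days_left <= warn_days:
        # The early-warning step: renew before users see a browser error.
        findings.append(f"expires in {days_left:.0f} days; renew now")

    if not any(name_matches(n, hostname) for n in dns_names(cert)):
        findings.append(f"domain mismatch: {hostname} not in {dns_names(cert)}")
    return findings


if __name__ == "__main__":
    for label, cert in (("expired", EXPIRED_CERT),
                        ("expiring soon", EXPIRING_SOON_CERT)):
        print(label, check_certificate(cert, "webct.example.edu", LECTURE_DATE))
    print("mismatch", check_certificate(EXPIRING_SOON_CERT, "example.edu",
                                        LECTURE_DATE))
```

Run as a scheduled job against a live `getpeercert()` result with `now=datetime.now(timezone.utc)`, the "expires in N days" finding gives an operator the two weeks of notice that would have prevented the kind of outage described in the next slide, and the separate "domain mismatch" finding keeps a certificate installed on the wrong host from being mistaken for a mere expiry problem.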
Source for the Carnegie Mellon study: http://news.cnet.com/8301-1009_3-10297264-83.html

ISU WebCT SSL Certificate Invalidation
- Two years ago, the certificate for WebCT was not renewed before its expiration
- ITS was immediately inundated with calls and requests for support; employees walked users through how to ignore the certificate error
- The certificate remained invalid for two days
- Such problems train the average user to simply ignore these types of warnings: “I’ve seen this before, and they just told me to click ignore last time.”

Reverse Social Engineering: A New Spin on S.E.
- An attacker makes the victim come to him directly!
- Example: A hacker sabotages a network, causing a problem to arise. That hacker then advertises that he is the appropriate contact to fix the problem; when he comes to fix the network problem, he requests certain bits of information from the employees and gets the data or credential information that he really came for.
- The victims may never know an attack took place, because the network problem goes away, leaving everyone happy in the end. This also builds future credibility for the hacker.

Who is this?
Hint: possibly the greatest social engineer ever born…
Source: http://img.thesun.co.uk/multimedia/archive/00039/F_200705_May07ed_img_39143a.jpg

Who is this?
Hint: possibly the greatest social engineer ever born…
…and the worst person to have walked the earth in the 20th century
Source: http://blog.verdylives.com/wp-content/uploads/2009/10/2865398363_ba996e4e0d.jpg

Adolf Hitler
- In Hitler’s early writings, the future dictator discusses Jews as the perfect scapegoats for Germany’s post-WWI problems; he does show disdain for the race at this time, but does not propose violence against them
- By the mid 1930s, Adolf had already quickly gained support by social engineering the people of Germany
- Specifically, he rode on anti-communist hysteria and published extreme propaganda
- In Hitler’s later writings (circa 1940s), it becomes clear that Adolf has come to believe in his own party’s propaganda
Source: http://www.takedown.com/bio/mitnick.html

Who is this?
Source: http://ils.unc.edu/~neubanks/inls187/home/fugitive.html

Kevin Mitnick
- In 1981, at the age of 17, Mitnick and his gang of hackers decided to physically break into COSMOS, a database used for controlling the phone system’s basic recordkeeping functions
- In broad daylight on a Saturday, the group talked their way past security and into the room where the database system was located
- From that room, the gang lifted combination lock codes for nine Pacific Bell offices and the COSMOS system’s operating manuals
Source: http://www.takedown.com/bio/mitnick.html

Kevin Mitnick
- To ensure continued access, they placed fake names and phone numbers into a company rolodex, which would have allowed them to call in and further social engineer, if needed
- Take-home point: hackers always leave a way back in
- A manager soon realized the names were fraudulent and contacted police; Mitnick was later tied to the theft by a conspirator’s former girlfriend
- Take-home point: don’t tell your girlfriend about your crime attempts, especially when they constitute a felony
Source: http://www.takedown.com/bio/mitnick.html

Next Meeting: September 7, 2010

ISU Cyber Defense Competition
Saturday, October 9th,
8:00am – 5:00pm, Howe Hall Atrium
(more information at next meeting)

Still Have Questions?
General Inquiries: IASG Cabinet <iasg-cabinet@iastate.edu>
Specific To This Lecture: Matthew Sullivan <msulliv@iastate.edu>
Lectures are usually video recorded and are made available via our website within 48 hours.
www.iac.iastate.edu/iasg | facebook.com/infasgroup