Social-engineering for engineers The Whats, Whys, Wheres and Hows of social-engineering 1 Agenda On-going technology development Social-engineering What's the story with the frauds? How to prevent and defend against them? And what to do if we fail to do the above? What else should be done? 2 On-going technology development For the last 20 years (or so), we've been witnessing an amazing technological development. The challenge is not to be the first or the best... ... but not to be the last. It's not easy however. 3 On-going technology development Who's having the problems then? Content and service providers Software and hardware vendors Legislators and law enforcement Internet users 4 On-going technology development For millions of years, mankind lived just like the animals. Then something happened which unleashed the power of our imagination. We learned to talk and we learned to listen... Nope, that's not Pink Floyd. It's Stephen Hawking. But Internet-based communication is much more than text and sound. 5 On-going technology development Pictures Video Instant messaging and VoIP Memes And more to come sooner or later 6 On-going technology development Still there are things that haven't changed e.g. nonverbal communication. For ages our behaviour's been based on the same rules. So what? Well, IT systems and applications are prone to errors just like the humans who develop and operate them. 7 Social-engineering The practice of making laws or using other methods to influence public opinion and solve social problems or improve social conditions. source: Merriam-Webster Dictionary In the context of information security, refers to psychological manipulation of people into performing actions or divulging confidential information. source: http://en.wikipedia.org/ 8 Social-engineering Baiting Pretexting Phishing Quid pro quo Boooooriiiiinnnngggg... 9 Social-engineering Robert Cialdini's six rules of influence: Reciprocity Commitment and Consistency Social Proof Authority Liking Scarcity 10 Reciprocity Nigerian scams - an African king (or Asian general, or South-American dictator) asks for your help in recovering his huge money assets locked in the country of his origin. You'll be rewarded but first, you have to help. Some encouragement follows. Favours - someone pretending to be an IT help-desk specialist, calls you and offers help in sorting out your PC's problem (apparently caused by himself). For this, you'll give him - for example - your password. 11 Commitment and Consistency "Free" IQ tests - its results shall be shown once you send a premium-rate text message (does it affect the overall score BTW? ;) Limited content - to view a full article or video you need to pay money or follow a dodgy link. Mobile apps - if you clicked "download", "install", will you click "no, I don't want you to access my contacts, texts, data connection and location"? 12 Liking Phishing - fake e-mails and websites look really like the genuine ones (well, not in Poland, how's it in Georgia? ;) Funny or hot content - you can't view the funny content unless you install a "missing plugin". Which is we-all-exactly-know-what. Share - content liked or shared by our "friends" (whom we like or at least know) is perceived as legitimate. 13 Authority Donations - on-line payment and money exchange services, together with Bitcoin, make for a good base for money-laundering and other frauds. Voice phishing - some people reveal their personal or financial information when called "by THE bank", just because they're told it's "THE bank" calling. 14 Scarcity "Last minute" offers - some people will pay for goods or services difficult to obtain or time-limited. YOU are the 999. person on this website - and if you follow the link you'll win an iPad... Or will you? Slashdot effect - people desperately wanting to be (all) the first to see the news will DDoS the website. Like ACTA-case in Poland. Err, soft of. 15 Some numbers... Service Price Credit card data 2 - 90 USD Actual cards 190 USD Skimming device 200 - 1000 USD Fake ATMS 35 000 USD e-Bank credentials 80 - 700 USD Money transfers 10 - 40% Fake e-commerce sites price per project Spam Data leaks 2013 Adobe 2,9 mln 2011 Sony PSN 77 mln 2009 Heartland Payment Systems 130 mln 2008 Hannaford Brothers 4,6 mln 2007 TJX Companies 45 mln 2005 CardSystems Solutions 40 mln 10 USD per 1M e-mails discounts guarantees trial periods returns 16 How do they happen? In a number of ways: sometimes a simple phone call is enough malware leading to an APT attack network snooping IP / MAC / e-mail / Called-ID spoofing credit cards skimming dumpster diving (no, really!) But it's not all about the technology. 17 How to prevent and detect them? DLP (Data Leak Prevention) IPS / IDS (Intrusion Prevention/Detection Systems) Application firewall URL filtering BGP / DNS blackholing SIEM (monitoring) Host agents Threat intelligence and whistle-blowers But... 18 How to prevent and detect them? If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology. Bruce Schneier You can't defend. You can't prevent. The only thing you can do is detect and respond. Bruce Schneier 19 Source: http://www.clubhack.com/wp-content/uploads/2010/12/DSC_6514.jpg And what to do if we fail to do the above? Detection should be based on both: user awareness and network / system monitoring - one won't work without another. Incident response must be a process with appropriate procedures, staffing, support, funding and tools. Computer forensics is just a tool in incident responders' hands. A powerful one but... 20 Computer forensics With all this cloud, big data, BYOD, data encryption and huge HDDs it's really hard to respond to incidents efficiently. That's when live forensics come into play: Volatile data (e.g. RAM) acquisition Imaging of unencrypted encrypted disk drives Preservation of data in the cloud Minimising delays in availability 21 Computer forensics Triage is a simple way to preserve and examine computer evidence faster and more efficiently while keeping up with the standards and regulatory requirements (e.g. chain of custody). Triage can be performed by a trained incident responder ("a rescue team" member) on the scene. Computer forensics expert ("a surgeon") doesn't have to be involved yet. 22 CSIRTs / CERTs Computer Security Incident Response Teams (CSIRTs) provide professional incident response capabilities. Effectiveness of their work depends on appropriate communication and co-operations with other governmental and business CSIRTs/CERTs. Maintaining defense capabilities and readiness on high level means exercising and constantly improving. 23 CSIRT Services http://www.cert.org/csirts/services.html Reactive Proactive Security Quality Management Alerts and Warnings Announcements Incident Handling – Incident analysis – Incident response on site – Incident response support – Incident response coordination Technology Watch Risk Analysis Security Audits or Assessments Business Continuity and Disaster Recovery Planning Vulnerability Handling – Vulnerability analysis – Vulnerability response – Vulnerability response coordination Configuration and Maintenance of Security Tools, Applications, and Infrastructures Security Consulting Awareness Building Development of Security Tools Education/Training Intrusion Detection Services Artifact Handling – Artifact analysis – Artifact response – Artifact response coordination Product Evaluation or Certification Security-Related Information Dissemination 24 And the conclusion is... People are the first and the last line of defense from the attacks against them and the technology. The difference between us and the computers is that we think. Sometimes too much. It causes problems but that can also help avoid them. So it's always better to think twice. 25 Quiz https://www.paypal.com/webapps/mpp/security/antiphishing-canyouspotphishing http://www.sonicwall.com/furl/phishing/ http://www.opendns.com/phishing-quiz/ http://www.mailfrontier.com/forms/msft_iq_test.html http://survey.mailfrontier.com/survey/quiztest.cgi?themailfrontierphishingiqtest http://www.contentverification.com/phishing/quiz/ http://www.onguardonline.gov/media/game-0011-phishing-scams http://www.washingtonpost.com/wp-srv/technology/articles/phishingtest.html 26