Social Engineering for Engineers: Miroslaw Maj, Piotr

Social-engineering for engineers
The Whats, Whys, Wheres and Hows of social-engineering
Agenda
- On-going technology development
- Social-engineering
- What's the story with the frauds?
- How to prevent and defend against them?
- And what to do if we fail to do the above?
- What else should be done?
On-going technology development
For the last 20 years (or so), we've been witnessing an amazing technological development.
The challenge is not to be the first or the best...
... but not to be the last.
It's not easy, however.
On-going technology development
Who's having the problems, then?
- Content and service providers
- Software and hardware vendors
- Legislators and law enforcement
- Internet users
On-going technology development
"For millions of years, mankind lived just like the animals. Then something happened which unleashed the power of our imagination. We learned to talk and we learned to listen..."
Nope, that's not Pink Floyd. It's Stephen Hawking.
But Internet-based communication is much more than text and sound.
On-going technology development
- Pictures
- Video
- Instant messaging and VoIP
- Memes
- And more to come, sooner or later
On-going technology development
Still, there are things that haven't changed, e.g. nonverbal communication.
For ages our behaviour has been based on the same rules.
So what?
Well, IT systems and applications are prone to errors, just like the humans who develop and operate them.
Social-engineering
"The practice of making laws or using other methods to influence public opinion and solve social problems or improve social conditions."
source: Merriam-Webster Dictionary
"In the context of information security, refers to psychological manipulation of people into performing actions or divulging confidential information."
source: http://en.wikipedia.org/
Social-engineering
- Baiting
- Pretexting
- Phishing
- Quid pro quo
- Boooooriiiiinnnngggg...
Social-engineering
Robert Cialdini's six rules of influence:
- Reciprocity
- Commitment and Consistency
- Social Proof
- Authority
- Liking
- Scarcity
Reciprocity
Nigerian scams - an African king (or Asian general, or South-American dictator) asks for your help in recovering his huge money assets locked in his country of origin. You'll be rewarded, but first you have to help. Some encouragement follows.
Favours - someone pretending to be an IT help-desk specialist calls you and offers help in sorting out your PC's problem (apparently caused by himself). For this, you'll give him - for example - your password.
Commitment and Consistency
"Free" IQ tests - the results will be shown once you send a premium-rate text message (does it affect the overall score, BTW? ;)
Limited content - to view a full article or video you need to pay money or follow a dodgy link.
Mobile apps - if you clicked "download" and "install", will you click "no, I don't want you to access my contacts, texts, data connection and location"?
Liking
Phishing - fake e-mails and websites look really like the genuine ones (well, not in Poland; how is it in Georgia? ;)
Funny or hot content - you can't view the funny content unless you install a "missing plugin". Which is we-all-exactly-know-what.
Share - content liked or shared by our "friends" (whom we like or at least know) is perceived as legitimate.
Authority
Donations - on-line payment and money exchange services, together with Bitcoin, make for a good base for money-laundering and other frauds.
Voice phishing - some people reveal their personal or financial information when called "by THE bank", just because they're told it's "THE bank" calling.
Scarcity
"Last minute" offers - some people will pay for goods or services that are difficult to obtain or time-limited.
YOU are the 999th person on this website - and if you follow the link you'll win an iPad... Or will you?
Slashdot effect - people desperately wanting to be (all) the first to see the news will DDoS the website. Like the ACTA case in Poland. Err, sort of.
Some numbers...

Underground market prices:

  Service                   Price
  Credit card data          2 - 90 USD
  Actual cards              190 USD
  Skimming device           200 - 1000 USD
  Fake ATMs                 35 000 USD
  e-Bank credentials        80 - 700 USD
  Money transfers           10 - 40%
  Fake e-commerce sites     price per project
  Spam                      10 USD per 1M e-mails

  Also: discounts, guarantees, trial periods, returns.

Data leaks (records affected):

  Year  Company                     Records
  2013  Adobe                       2.9 million
  2011  Sony PSN                    77 million
  2009  Heartland Payment Systems   130 million
  2008  Hannaford Brothers          4.6 million
  2007  TJX Companies               45 million
  2005  CardSystems Solutions       40 million
How do they happen?
In a number of ways:
- sometimes a simple phone call is enough
- malware leading to an APT attack
- network snooping
- IP / MAC / e-mail / Caller-ID spoofing
- credit card skimming
- dumpster diving (no, really!)
But it's not all about the technology.
How to prevent and detect them?
- DLP (Data Leak Prevention)
- IPS / IDS (Intrusion Prevention/Detection Systems)
- Application firewall
- URL filtering
- BGP / DNS blackholing
- SIEM (monitoring)
- Host agents
- Threat intelligence and whistle-blowers
But...
How to prevent and detect them?
"If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology."
Bruce Schneier
"You can't defend. You can't prevent. The only thing you can do is detect and respond."
Bruce Schneier
[Photo] Source: http://www.clubhack.com/wp-content/uploads/2010/12/DSC_6514.jpg
And what to do if we fail to do the above?
Detection should be based on both user awareness and network / system monitoring - one won't work without the other.
Incident response must be a process with appropriate procedures, staffing, support, funding and tools.
Computer forensics is just a tool in incident responders' hands. A powerful one, but...
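The slide above argues that detection needs both user awareness and monitoring. As an added example (not code from the presentation), the Python script below turns the social-engineering cues from the earlier slides into mechanical checks a mail gateway or analyst could run: a display name borrowing a brand's authority, a spoofed sender (From and Return-Path disagreeing), a link whose visible text and target disagree, a lookalike domain, and scarcity/urgency wording. The trusted-domain allowlist, the brand words and both sample messages are constructed for the example and are not taken from the slides.

```python
"""Phishing indicator scorer: an added example, not code from the presentation."""
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: domains the organisation legitimately mails from, and the brand words in them.
TRUSTED_DOMAINS = {"paypal.com", "thebank.example"}
BRAND_WORDS = {"paypal", "thebank"}

# Wording that plays on scarcity/urgency or authority, as described on the slides.
URGENCY = re.compile(
    r"\b(last minute|within \d+ hours|suspended|you have won|act now|verify immediately)\b", re.I)
# HTML anchors: capture the real target (href) and the text the user sees.
ANCHOR = re.compile(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def registrable_domain(host: str) -> str:
    """Last two labels of a host name (enough for the sample data; real code needs a public-suffix list)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch near-miss spellings such as paypa1.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(host: str) -> bool:
    """True when a host imitates a trusted domain: near-miss spelling, or the brand used as a subdomain label."""
    dom = registrable_domain(host)
    if dom in TRUSTED_DOMAINS:
        return False
    if any(0 < edit_distance(dom, t) <= 2 for t in TRUSTED_DOMAINS):
        return True
    return any(label in BRAND_WORDS for label in host.lower().split("."))


def analyse(msg: dict) -> list[str]:
    """Return human-readable indicators found in one message (dict of header name -> value, plus 'Body')."""
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    from_dom = registrable_domain(addr.split("@")[-1]) if "@" in addr else ""
    # Authority/liking: the display name claims a brand that the sender domain does not back up.
    if any(b in display.lower() for b in BRAND_WORDS) and from_dom not in TRUSTED_DOMAINS:
        findings.append(f"display name '{display}' claims a brand but sender domain is {from_dom}")
    # E-mail spoofing: envelope sender domain differs from the From domain.
    _, rp = parseaddr(msg.get("Return-Path", ""))
    rp_dom = registrable_domain(rp.split("@")[-1]) if "@" in rp else ""
    if rp_dom and from_dom and rp_dom != from_dom:
        findings.append(f"Return-Path domain {rp_dom} differs from From domain {from_dom}")
    # Links: visible text names one domain while the href goes elsewhere, or the href is a lookalike.
    for href, text in ANCHOR.findall(msg.get("Body", "")):
        host = urlparse(href).hostname or ""
        shown = re.search(r"[\w.-]+\.[a-z]{2,}", text, re.I)
        if shown and registrable_domain(shown.group()) != registrable_domain(host):
            findings.append(f"link text shows {shown.group()} but points to {host}")
        if is_lookalike(host):
            findings.append(f"link host {host} imitates a trusted domain")
    # Scarcity: urgency pressure in subject or body (reported once).
    for where in ("Subject", "Body"):
        m = URGENCY.search(msg.get(where, ""))
        if m:
            findings.append(f"urgency wording in {where}: '{m.group()}'")
            break
    return findings


def verdict(msg: dict) -> str:
    n = len(analyse(msg))
    return "phishing-likely" if n >= 2 else ("suspicious" if n == 1 else "clean")


# Constructed sample messages (not real mail).
PHISH = {
    "From": '"PayPal Security" <alerts@mail-paypal-support.example>',
    "Return-Path": "<bounce@bulk-sender.example>",
    "Subject": "Your account has been suspended - verify immediately",
    "Body": 'Sign in at <a href="http://paypal.com.secure-login.example/signin">www.paypal.com</a> within 24 hours.',
}
LEGIT = {
    "From": '"PayPal" <service@paypal.com>',
    "Return-Path": "<service@paypal.com>",
    "Subject": "Your monthly statement is available",
    "Body": 'View it at <a href="https://www.paypal.com/statements">www.paypal.com</a>.',
}

if __name__ == "__main__":
    for name, m in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, verdict(m), analyse(m))
```

The point of the scorer is not the thresholds (which are arbitrary here) but that each of Cialdini's levers leaves a machine-checkable trace; combining those traces with user reports is the "both" the slide asks for.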
Computer forensics
With all this cloud, big data, BYOD, data encryption and huge HDDs, it's really hard to respond to incidents efficiently.
That's when live forensics comes into play:
- Volatile data (e.g. RAM) acquisition
- Imaging of encrypted disk drives while they are unlocked (unencrypted state)
- Preservation of data in the cloud
- Minimising delays in availability
Computer forensics
Triage is a simple way to preserve and examine computer evidence faster and more efficiently while keeping up with the standards and regulatory requirements (e.g. chain of custody).
Triage can be performed by a trained incident responder (a "rescue team" member) on the scene.
A computer forensics expert (a "surgeon") doesn't have to be involved yet.
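Triage on the scene still has to satisfy chain-of-custody requirements, and one concrete part of that is sealing every collected item with a cryptographic hash so a later examiner can show nothing changed between collection and analysis. The Python script below is an added example, not part of the presentation: it builds a hashed manifest over a constructed evidence directory (a fake memory image and a process listing), seals the manifest with its own hash, and verifies the directory against it, reporting modified, missing or unexpected files. The case id, collector name and file contents are made up for the example.

```python
"""Chain-of-custody manifest for a triage collection: an added example, not code from the presentation."""
import hashlib
import json
import tempfile
import time
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large memory images do not have to fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(evidence_dir: Path, case_id: str, collector: str) -> dict:
    """Hash every collected file, record who collected it and when, then seal the listing itself."""
    items = [
        {"path": p.relative_to(evidence_dir).as_posix(), "size": p.stat().st_size, "sha256": sha256_file(p)}
        for p in sorted(evidence_dir.rglob("*")) if p.is_file()
    ]
    manifest = {
        "case_id": case_id,
        "collector": collector,
        "collected_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "items": items,
    }
    # Seal: hash of the canonical JSON of everything above, so edits to the manifest are detectable too.
    manifest["manifest_sha256"] = hashlib.sha256(
        json.dumps(manifest, sort_keys=True).encode()).hexdigest()
    return manifest


def verify(evidence_dir: Path, manifest: dict) -> list[str]:
    """Return discrepancies between the evidence directory and the sealed manifest (empty list = intact)."""
    problems = []
    body = {k: v for k, v in manifest.items() if k != "manifest_sha256"}
    if hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() != manifest["manifest_sha256"]:
        problems.append("manifest itself has been altered")
    expected = {i["path"]: i["sha256"] for i in manifest["items"]}
    present = {p.relative_to(evidence_dir).as_posix() for p in evidence_dir.rglob("*") if p.is_file()}
    for rel, digest in expected.items():
        if rel not in present:
            problems.append(f"missing: {rel}")
        elif sha256_file(evidence_dir / rel) != digest:
            problems.append(f"modified: {rel}")
    for rel in sorted(present - set(expected)):
        problems.append(f"unexpected: {rel}")
    return problems


def demo() -> tuple[list[str], list[str]]:
    """Constructed triage collection: verify once untouched, then again after an item is edited."""
    with tempfile.TemporaryDirectory() as tmp:
        ev = Path(tmp)
        (ev / "volatile").mkdir()
        (ev / "volatile" / "memory.raw").write_bytes(bytes(range(256)) * 16)   # fake RAM dump
        (ev / "volatile" / "processes.txt").write_text("PID  NAME\n1    init\n")  # fake process list
        manifest = build_manifest(ev, "CASE-EXAMPLE-001", "responder@example")
        intact = verify(ev, manifest)
        # Simulate a post-collection change to one artefact.
        (ev / "volatile" / "processes.txt").write_text("PID  NAME\n1    init\n2    kthreadd\n")
        tampered = verify(ev, manifest)
    return intact, tampered


if __name__ == "__main__":
    before, after = demo()
    print("before edit:", before or "intact")
    print("after edit: ", after)
```

In practice the manifest would be signed or stored separately from the evidence (a write-once medium, or handed to the "surgeon" with the drives), since a hash stored next to the files it covers only proves consistency, not custody; the sealing hash is there so the listing can be re-checked without re-reading every image.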
CSIRTs / CERTs
Computer Security Incident Response Teams (CSIRTs) provide professional incident response capabilities.
The effectiveness of their work depends on appropriate communication and co-operation with other governmental and business CSIRTs/CERTs.
Maintaining defense capabilities and readiness at a high level means exercising and constantly improving.
CSIRT Services
http://www.cert.org/csirts/services.html

Reactive:
- Alerts and Warnings
- Incident Handling
  – Incident analysis
  – Incident response on site
  – Incident response support
  – Incident response coordination
- Vulnerability Handling
  – Vulnerability analysis
  – Vulnerability response
  – Vulnerability response coordination
- Artifact Handling
  – Artifact analysis
  – Artifact response
  – Artifact response coordination

Proactive:
- Announcements
- Technology Watch
- Security Audits or Assessments
- Configuration and Maintenance of Security Tools, Applications, and Infrastructures
- Development of Security Tools
- Intrusion Detection Services
- Security-Related Information Dissemination

Security Quality Management:
- Risk Analysis
- Business Continuity and Disaster Recovery Planning
- Security Consulting
- Awareness Building
- Education/Training
- Product Evaluation or Certification
And the conclusion is...
People are the first and the last line of defense from the attacks against them and the technology.
The difference between us and the computers is that we think. Sometimes too much.
It causes problems, but it can also help avoid them.
So it's always better to think twice.
Quiz
- https://www.paypal.com/webapps/mpp/security/antiphishing-canyouspotphishing
- http://www.sonicwall.com/furl/phishing/
- http://www.opendns.com/phishing-quiz/
- http://www.mailfrontier.com/forms/msft_iq_test.html
- http://survey.mailfrontier.com/survey/quiztest.cgi?themailfrontierphishingiqtest
- http://www.contentverification.com/phishing/quiz/
- http://www.onguardonline.gov/media/game-0011-phishing-scams
- http://www.washingtonpost.com/wp-srv/technology/articles/phishingtest.html