Social Engineering and Phishing
(Fish are not the only things that need to be concerned.)
August 24, 2011
SeNet International Corp.

Introduction

During the course of this presentation, I will illustrate methods that attackers and others with malicious intent have used to compromise Personally Identifiable Information (PII) and other sensitive data. I will also examine several case studies that show how PII was compromised and how the breach could have been prevented. Finally, I will offer several defense and protection mechanisms.

I am SeNet's Chief Technology Officer (CTO). Previously, I worked for the security consulting practices of both KPMG and Deloitte and Touche. I have led and performed numerous vulnerability assessments and penetration tests in support of financial audits, FISMA audits, and other compliance-related efforts. I can be reached at 703-206-9383 or gus.fritschie@senet-int.com.

© 2011 SeNet International Corp.

About SeNet

SeNet International is a small business founded in 1998 to deliver network and information security consulting services to government and commercial clients.

• High-End Consulting Services Focus
• Proven Solution Delivery Methodology
• Contract Execution Framework for Consistency and Quality
  Technical, Management, and Quality Assurance Components
• Exceptional Qualifications
  Government Certification and Accreditation Support
  Network Integration
  Security Compliance Verification and Validation
  Security Program Development with Business Case Justifications
  Complex Security Designs and Optimized Deployments
• Executive Team – Security Industry Reputation and Active Project Leadership
• Expertise with Leading Security Product Vendors, Technologies, and Best Practices
• Advanced Degrees, Proper Clearances, Standards Organization Memberships, and IT Certifications
• Corporate Resources
  Located in Fairfax, Virginia
  Fully Equipped Security Lab
  Over 40 Full-time Security Professionals
The PII Challenge

Definition: Personally Identifiable Information (PII) is information that can be used to uniquely identify, contact, or locate a single person, or that can be combined with other sources to uniquely identify a single individual.

Challenges of PII
• Pervasive – traditional and new, non-traditional end points
• Highly sensitive and highly coveted
• Difficult to do away with

PII Examples

Examples of PII include:
• Full name (if not common)
• National identification number
• IP address (in some cases)
• Vehicle registration/plate number
• Driver's license number
• Face, fingerprints, or handwriting
• Credit card numbers
• Digital identity
• Birthday
• Birthplace
• Genetic information

PII Leakage Paths

PII can "leak out" intentionally and unintentionally in many ways, such as:
• E-mail attachments
• Printouts and faxes
• Lost tapes, zip drives, and other storage media
• Lost or stolen laptops
• Social networking
• Instant messaging programs
• File sharing programs
• Unsecure Web sites
• Active attacks by bad actors

Data Leakage Paths

(Diagram slide; no text content.)

PII Attack Vectors
• Phishing (no, it's not a typo)
• Social Engineering
• Cross-site Scripting (XSS)
• SQL Injection
• Malware
• Many others

Phishing Attacks and Social Engineering

While there are several different attack vectors that could be used to gain unauthorized access to PII, two of the most common are old-fashioned social engineering and phishing attacks.

What is Social Engineering?

Social engineering is the process of deceiving people into giving away access or confidential information.
Wikipedia defines it as "the act of manipulating people into performing actions or divulging confidential information. While similar to a confidence trick or simple fraud, the term typically applies to trickery or deception for the purpose of information gathering, fraud, or computer system access; in most cases the attacker never comes face-to-face with the victim."

Many consider social engineering to be the greatest risk to security.

Categories of Social Engineers
• Hackers
• Spies or Espionage
• Identity Thieves
• Disgruntled Employees
• Scam Artists
• Sales
• Governments

Why Social Engineering?

"Because there is no patch for human stupidity"
"People are the largest vulnerability in any network"

Path of least resistance: a hacker can spend hours, weeks, or months trying to brute force his or her way to a password, when a phone call with the right pretext and the right questions can obtain the same password, or more, in a few minutes.

What is Pretexting?

• Pretexting is the act of creating an invented scenario to persuade a targeted victim to release information or perform some action. It is more than just telling a lie; in some cases it means creating a whole new identity and then using that identity to manipulate the victim into handing over information. Pretexting can also be used to impersonate people in jobs and roles the attacker has never actually performed.
• Pretexting is not a "one size fits all" solution. A social engineer will have to develop many different pretexts over his or her career. All of them will have one thing in common: research. Good information gathering can make or break a pretext. Being able to mimic the perfect technical support representative is useless if your target does not use outside support.
• One of the most important aspects of social engineering is trust.

Common SE Attack Vectors

In the world of social engineering there are numerous attack vectors. Some involve a lot of technology; others contain none at all.
• Customer Service
• Tech Support
• Marketing
• Phone
• Delivery Person

Phishing vs. Spear Phishing

Phishing – E-mails that typically contain a link to a counterfeit Web site designed to look like an authentic login page. The counterfeit page captures the personal data the victim enters for cyber criminals, who use it to commit financial fraud.

Spear Phishing – Targets are identified in advance, and the e-mails that attempt to trick them into handing over personal data can be highly specific. They might claim to come from a friend or colleague, or seek to exploit the target's known interests.

Social Engineering Tools
• SET – Social-Engineer Toolkit (http://www.social-engineer.org/framework/Computer_Based_Social_Engineering_Tools:_Social_Engineer_Toolkit_(SET))
• BeEF – Browser Exploitation Framework (http://www.bindshell.net/tools/beef.html)
• Metasploit – http://www.metasploit.com/

Demo

Demo Time

APT and PII

APT is not about smashing and grabbing; rather, it is about methodically reaching your objectives, establishing a beachhead within the organization, and exploiting as much of the organization as possible for as long as possible without being detected.

APT and PII (cont'd)

APT is:
• Advanced – Assumes everything from mundane attack attempts to sophisticated custom crafting of exploits.
• Persistent – Focused on an objective, so this is not just a "drive-by" or "smash-and-grab." The threat will not go away or move out of legal reach. "Persistent" means trying to maximize exploitation of information over a period of time, sometimes a long period of time.
• Threat – Targeting your organization for a specific reason. This takes advantage of human ability and creativity, and is not a bot or worm, although those tools may be employed.

Case Study 1: Operation Aurora

• Began in mid-2009 and continued through December 2009. Involved several other companies in addition to Google.
• Google stated that some of its intellectual property had been stolen.
• Attackers were interested in accessing Gmail accounts of Chinese dissidents.
• Attackers exploited a then-unpatched (zero-day) vulnerability in Internet Explorer (CVE-2010-0249).

Case Study 1 (cont'd)

• Additional vulnerabilities were found in Perforce, the source code revision software used by Google to manage their source code.
• Once a victim's system was compromised, a back-door that masqueraded as an SSL connection made connections to command and control servers.
• The victim's machine then began exploring the protected corporate intranet of which it was a part, searching for other vulnerable systems as well as sources of intellectual property, specifically the contents of source code repositories.

Case Study 2

This case study explores an example where data (including PII) in an Oracle database is compromised. Initially, a scan is conducted to identify Oracle databases (typically by probing for the TNS listener on TCP port 1521).

Case Study 2 (cont'd)

Weak passwords are not just a problem with Microsoft. The tool shown here checks whether default Oracle account passwords are still in place.
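The chain on the Case Study 2 slides (default-account sweep, login, pull of the PII columns) and the "Strong Access Controls" defense from the Methods to Protect PII slide, as an added example that is not part of the SeNet deck. sqlite3 from the Python standard library stands in for Oracle so it runs offline; the accounts, the employee rows and the masked view are constructed for the demo. The default credential list is a sample of well-known Oracle defaults, not the full list the slide's tool uses.

```python
"""Case Study 2 walk-through (added example, not from the SeNet deck).

Sweeps well-known default Oracle accounts, logs in with the one that still
works, runs the attacker's PII query, and then shows the defensive
counterpart: an application-facing view that masks the SSN.

sqlite3 stands in for Oracle; schema, accounts and rows are constructed.
"""
import hashlib
import hmac
import os
import sqlite3

# Sample of well-known Oracle default username/password pairs.
DEFAULT_ORACLE_CREDS = [
    ("SYS", "CHANGE_ON_INSTALL"),
    ("SYSTEM", "MANAGER"),
    ("SCOTT", "TIGER"),
    ("DBSNMP", "DBSNMP"),
    ("OUTLN", "OUTLN"),
]


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def build_demo_db():
    """Constructed stand-in for the target: one left-over default account
    (SCOTT/TIGER), one properly configured account, and a table holding PII."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE accounts(username TEXT PRIMARY KEY, salt BLOB, pwhash BLOB);
        CREATE TABLE employees(name TEXT, ssn TEXT, salary INTEGER);
        -- Application users should get this view, never the base table.
        CREATE VIEW employees_masked AS
          SELECT name, 'XXX-XX-' || substr(ssn, -4) AS ssn_last4, salary
          FROM employees;
    """)
    for user, pw in [("SCOTT", "TIGER"), ("HRAPP", "correct horse battery staple")]:
        salt = os.urandom(16)
        db.execute("INSERT INTO accounts VALUES (?, ?, ?)",
                   (user, salt, _hash(pw, salt)))
    db.executemany("INSERT INTO employees VALUES (?, ?, ?)", [
        ("Alice Example", "123-45-6789", 95000),
        ("Bob Sample", "987-65-4321", 72000),
    ])
    db.commit()
    return db


def login(db, user, password):
    """Constant-time check of a salted PBKDF2 hash; False for unknown users."""
    row = db.execute("SELECT salt, pwhash FROM accounts WHERE username = ?",
                     (user,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(_hash(password, salt), stored)


def sweep_defaults(db, creds=DEFAULT_ORACLE_CREDS, max_attempts_per_user=1):
    """Return the default pairs that still authenticate. The per-user cap
    keeps a sweep against a real target under typical lockout thresholds."""
    tried, hits = {}, []
    for user, pw in creds:
        if tried.get(user, 0) >= max_attempts_per_user:
            continue
        tried[user] = tried.get(user, 0) + 1
        if login(db, user, pw):
            hits.append((user, pw))
    return hits


def dump_pii(db):
    """The query from the slide: everything the compromised account can see."""
    return db.execute("SELECT name, ssn, salary FROM employees").fetchall()


def app_view(db):
    """What a least-privilege application account sees instead."""
    return db.execute(
        "SELECT name, ssn_last4, salary FROM employees_masked").fetchall()


if __name__ == "__main__":
    db = build_demo_db()
    print("default creds still valid:", sweep_defaults(db))
    print("attacker's query:", dump_pii(db))
    print("masked view:", app_view(db))
```

On a real Oracle instance the view alone is not enough; the base table must also be revoked from the application account (GRANT SELECT on the view only), otherwise the masking is cosmetic.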
Case Study 2 (cont'd)

With the correct credentials obtained, a tool such as DB-Examiner can be used to obtain a graphical view of the database structure.

Case Study 2 (cont'd)

Of course, data is the crown jewel that many attackers are after. In this example, using the compromised account and the information about the data structure, a query is executed to view personal data including name, social security number, and salary.

Methods to Protect PII
• Encryption
• Multi-factor Authentication
• Strong Access Controls
• Security Awareness Training
• End-point Security
• Data Leakage Prevention

Social Engineering Protections
• Education/training
• Be aware of the information you are releasing.
• Determine which of your assets are most valuable to criminals.
• Keep your software up to date.
• When asked for information, consider whether the person you are talking to is entitled to the information they are asking for.
• Report suspicious activity.
• Be skeptical.
• Never respond using information contained in the e-mail, particularly links to Web sites.

Conclusions

As can be seen throughout this presentation, there are many different attack vectors that can be used to gain access to your PII or other sensitive information. Often, attackers choose the easiest target, which is why social engineering and phishing are being used more frequently. While no method can guarantee 100% protection against these types of attacks, by understanding how these attacks work, you can better defend yourself against them.

Questions

Questions?
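The Phishing vs. Spear Phishing slide describes mail carrying a link to a counterfeit site, and the protections slide says never to act on links in a message. What an automated check of those links looks like, as an added example that is not part of the SeNet deck: parse the HTML body, pull every anchor, and flag the tricks that make a link look legitimate while pointing elsewhere (display text naming one domain while the href goes to another, userinfo in front of the real host, raw IP hosts, punycode labels, and digit-for-letter lookalikes of a trusted domain). The trusted-domain list and the sample message are constructed for the demo; the registrable-domain helper is a deliberate simplification that a production tool would replace with the Public Suffix List.

```python
"""Phishing-link triage (added example, not from the SeNet deck).

Extracts every <a> from an HTML mail body and reports why a link looks
like a counterfeit. TRUSTED_DOMAINS and SAMPLE_MAIL are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED_DOMAINS = {"bank.example", "mail.example"}   # constructed allow-list


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for each anchor in the message."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    p = _LinkCollector()
    p.feed(html)
    return p.links


_DOMAIN_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)
_NORM = str.maketrans("015", "ols")   # common digit-for-letter substitutions


def registrable(host):
    """Last two labels (login.bank.example -> bank.example). Simplification:
    a real tool should use the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def _edit1(a, b):
    """True if a and b differ by at most one insertion, deletion or substitution."""
    if a == b:
        return True
    if abs(len(a) - len(b)) > 1:
        return False
    i = 0
    while i < min(len(a), len(b)) and a[i] == b[i]:
        i += 1
    if len(a) == len(b):
        return a[i + 1:] == b[i + 1:]
    return a[i + 1:] == b[i:] if len(a) > len(b) else a[i:] == b[i + 1:]


def _close(a, b):
    return _edit1(a.translate(_NORM), b.translate(_NORM))


def check_link(href, text, trusted=TRUSTED_DOMAINS):
    """Return the list of reasons this link is suspicious (empty = none found)."""
    reasons = []
    u = urlsplit(href)
    host = (u.hostname or "").lower()
    if u.scheme and u.scheme not in ("http", "https"):
        reasons.append("non-web scheme: " + u.scheme)
    if u.username is not None:
        reasons.append("userinfo before host (host is really %s)" % host)
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        reasons.append("raw IP address as host")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label (possible homograph)")
    m = _DOMAIN_RE.search(text)
    if m and registrable(m.group(1)) != registrable(host):
        reasons.append("visible text says %s but link goes to %s" % (m.group(1), host))
    reg = registrable(host)
    if host and reg not in trusted:
        for t in sorted(trusted):
            if reg != t and _close(reg, t):
                reasons.append("lookalike of trusted domain " + t)
    return reasons


def triage(html, trusted=TRUSTED_DOMAINS):
    """Map each flagged href in the message to its reasons."""
    flagged = {}
    for href, text in extract_links(html):
        reasons = check_link(href, text, trusted)
        if reasons:
            flagged[href] = reasons
    return flagged


SAMPLE_MAIL = """
<p>Dear customer, your account is locked. Please visit
<a href="https://bank.example.login-verify.net/">https://bank.example/login</a>
within 24 hours.</p>
<p>Or use <a href="http://bank.example@203.0.113.7/">our secure portal</a>.</p>
<p>Questions? Visit <a href="https://mail.example/help">our help center</a>.</p>
<p>Manage alerts at <a href="https://secure.bank.examp1e/">Bank Online</a>.</p>
"""

if __name__ == "__main__":
    for href, why in triage(SAMPLE_MAIL).items():
        print(href, "->", "; ".join(why))
```

Run as a script it prints three of the four links with their reasons; the genuine help-center link passes. A mail gateway would feed each message body through triage() and quarantine or tag anything that comes back non-empty.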