SOCIAL ENGINEERING IN A DIGITAL ENVIRONMENT
A. Martin Zeus-Brown, Angus M Marshall
University of Teesside

Intro
• About me
  – My background
  – Research areas
    • Remote covert investigations
    • Cyber crime
    • Social engineering
  – This is a new area that I am interested in exploring and linking in with my other areas

Idea
• Looking at social engineering
  – Its move to the e-environment
  – The technologies used
  – Avatars (e-presence)
  – Victims

Pre-Contact Social Engineering model: Stage 1
• Victim identification
• Desires identification
• Weakness identification

Victim identification
• Victims can be:
  – A single target selection
  – A group selection
  – A localisation target
• Fed from intelligence
  – Selected to fulfil a reward need
  – Selected due to a weakness
  – Random selection

Pre-Contact Social Engineering model: Stage 2
• Attack type identification
• Attack type vs. victim desires (from Stage 1)
• Reward

Attack type identification
• The attack type (A) identification will be affected by the following factors. Each maps onto a term of the cyber-profiling formula proposed by Marshall, Moore and Tompsett [2006]; the symbol is given after each factor:
  – Previous attacks carried out (knowledge) (Ce)
  – Ingenuity of the attacker (originality of attacks) (Ce)
  – Attacker's ability (technical level of the attacks) (Ce)
  – Attacker's e-environment security (C × g)
  – The common e-environment, i.e. the game or forum (Cf)
  – Victim's expected knowledge (to evade/ignore the attack) (Ve)
  – Victim's expected e-environment security (Vg)
• The formula:
  L = (Ce × Cf × A) / (Ve × Vg × C × g)
• This could help us predict likely social engineering attacks, since the criminal appears to be
using this logic unwittingly already to select the best type of attack.

Pre-Contact Social Engineering model: Stage 3
• Inputs: Stage 1 knowledge, Stage 2 knowledge
• Reward vs. risk
  – Risk > reward: move back to Stage 1
  – Risk < reward: proceed to first contact

How can pre-contact information be obtained?
• In the meat-space environment:
  – Dumpster diving
  – Freedom of information requests
  – Public records
  – Word of mouth
  – Observation of activity
• The e-environment holds many similarities

e-Data sources
• Social network sites
  – MySpace
  – Facebook
  – etc.
• Online games
  – World of Warcraft: "researchers have claimed that WoW (and other MMOGs) can be used as a laboratory for studying human behaviour." [Bohannon 2008]
  – Age of Conan
  – Dark Age of Camelot

The e-garbage can
• Many people think a deleted web page has gone.
  – We know that is not true.
• Copies survive in:
  – Wayback Machine
  – Archive-It Collections
  – WebCite
  – Even Google (the cache:URL search operator)
  – Many more places as well, such as:
    • proxy servers
    • users' web history
    • etc.

Social network sites
• You can gather huge amounts of information, such as:
  – Name
  – Address
  – Date of birth
  – Phone number
  – Employer
  – School
  – Friends' names
  – Likes and dislikes (a possible password list)

Physical network data collection
• The physical network
  – WiFi sniffing
    • This type of collection requires a medium to high level of technical knowledge and suggests that the attacker has some prior knowledge of the target.
  – Man-in-the-middle / replay attacks
    • Again, this requires a high level of technical knowledge.

The uses
• The information plus a little social engineering can result in:
  – Grooming
    • leading to child exploitation
  – Fraud
    • including effects on e-economies and virtual economies [Castronova 2007] [Castronova 2005]
  – Money laundering
  – Terrorism
  – Other linked crimes/acts

1st contact: comparison
• e-environment
  – Social compliance
• Meat space
  – Social compliance

Me, my virtual self and avatar: what is it?

The e-presence
• Made up of 3 parts:
  – The avatar
  – The persona
  – The e-self

What can be considered an avatar
• Still image
• 3D model
  – IP law is starting to impact on avatars [Onishi H 2008]

What can be considered a persona
• User name
• Nickname
• Any collection of data that the user wants to represent them (or, in some cases, how the user feels at a given time)

What can be considered the e-self
• The actions that the operator or operators of the e-presence take:
  – Interacting with and playing in a game
  – The wording of the posts they make
    • negatively or positively
  – The goods they purchase
  – Websites they visit
  – etc.

Victim perceptions
• The victim's ability to identify fraud in meat space vs. the e-environment
  – Victims see a lower threat to their avatar, due to:
    • little to no tactile ownership
    • the removal of physical stimulus

Avatar ownership
• However, the owners of avatars can build a very strong link to the avatar.
  – With arguments, fights and even death spilling over into meat space
  – "Feelings such as love, like, dislike, fear, hate or indifference drive the agents movements and affect an agent's reaction to an Inhabitant when in its vicinity" [Allen, R, 1998]

Further studies
• Further studies are needed to better understand:
  – The link between meat-space and e-environment susceptibility to social engineering
  – Avatar ownership
  – The link between e-self actions and choices and meat-space actions and choices

References
• Allen, R. (1998) 'The Bush soul: Travelling consciousness in an unreal world', Digital Creativity, 9:1, 7–10.
• Castronova, E. (2002) 'On Virtual Economies', July 2002, CESifo Working Paper Series No. 752. Available at SSRN.
• Castronova, E. (2005) Synthetic Worlds: The Business and Culture of Online Games.
• Bower, J. M. (2007) 'The Scientific Research Potential of Virtual Worlds', Science, 27 July 2007, p.
472.
• Bohannon, J. (2008) 'A Taste of the Gonzo Scientist: Scientists Invade Azeroth', Science, 320 (5883), 1592, 20 June 2008. DOI: 10.1126/science.1161351.
• Kingsley, M. (1899) West African Studies. London: Macmillan and Co., pp. 199–209.
• Marshall, M., Moore, G. and Tompsett, B. (2006) 'Criminalization of the internet: an examination of illegal activity online', Proc. EAFS 2006.
• MacKay, M. 'World of Warcraft, could it be killing our teens', online: http://searchwarp.com/swa26182.htm, last seen 06/07/2008.
• Meier, C. A. (1986) Soul and Body. San Francisco: The Lapis Press, pp. 268–277.
• Onishi, H. (2008) 'Who am I talking to?', Bileta 2008.
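The "Social network sites" slide above notes that a target's likes and dislikes double as a possible password list. The following is an added example, not part of the original slides and not code from the authors: it builds the profile-derived candidate list an attacker could assemble from the fields that slide enumerates (name, date of birth, phone number, employer, school, friends' names, likes and dislikes), then tests passwords against it, which is also how a defender would audit a password policy against the same public data. The profile, the sample passwords and the mangling rules (casing, leet substitution, date-of-birth and common suffixes, two-token concatenation) are all constructed assumptions for the illustration, not rules or data from the slides.

```python
"""Profile-derived candidate password list (added example, constructed data)."""
import re
from datetime import date
from itertools import permutations

# Constructed sample profile with the field types the slide lists (not a real person).
PROFILE = {
    "name": "Alice Example",
    "dob": date(1984, 3, 17),
    "phone": "01642 123456",
    "employer": "Teesside Widgets",
    "school": "Riverside High",
    "friends": ["Bob", "Carol"],
    "likes": ["Manchester United", "Dark Age of Camelot", "Guinness"],
    "dislikes": ["Mondays"],
}

# Assumed leet-speak substitution table (one common variant of many).
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})


def base_tokens(profile):
    """Words an attacker would lift from the profile: each word of the name,
    employer, school, friends, likes and dislikes, plus each multi-word field
    joined together, all lowercased, plus phone digits (whole and last four)."""
    tokens = set()
    fields = [profile["name"], profile["employer"], profile["school"]]
    fields += profile["friends"] + profile["likes"] + profile["dislikes"]
    for field in fields:
        words = re.findall(r"[A-Za-z]+", field)
        tokens.update(w.lower() for w in words)
        if len(words) > 1:
            tokens.add("".join(words).lower())
    digits = re.sub(r"\D", "", profile["phone"])
    tokens.update({digits, digits[-4:]})
    # Drop very short fragments ("of", "a") that only add noise.
    return {t for t in tokens if len(t) >= 3}


def date_suffixes(dob):
    """Numeric suffixes people derive from a date of birth: YYYY, YY, DDMM, DDMMYYYY, DDMMYY."""
    yyyy, yy = str(dob.year), str(dob.year)[-2:]
    ddmm = f"{dob.day:02d}{dob.month:02d}"
    return {yyyy, yy, ddmm, ddmm + yyyy, ddmm + yy}


def mangle(word, suffixes):
    """Apply casing, leet and suffix rules to one word and return every variant."""
    forms = {word, word.capitalize(), word.upper(), word.translate(LEET)}
    out = set(forms)
    for form in forms:
        for suffix in suffixes | {"1", "123", "!", "!1"}:
            out.add(form + suffix)
    return out


def candidate_passwords(profile):
    """Full profile-derived list: every token mangled, plus every ordered pair of
    tokens concatenated (team + name, friend + friend, ...) and mangled too."""
    tokens = base_tokens(profile)
    suffixes = date_suffixes(profile["dob"])
    candidates = set()
    for token in tokens:
        candidates |= mangle(token, suffixes)
    for first, second in permutations(sorted(tokens), 2):
        if len(first) + len(second) <= 16:
            candidates |= mangle(first + second, suffixes)
    return candidates


def is_profile_guessable(password, profile):
    """True if the password (case-sensitive) is in the profile-derived list."""
    return password in candidate_passwords(profile)


if __name__ == "__main__":
    print(len(candidate_passwords(PROFILE)), "candidates derived from the profile")
    # Constructed sample passwords: the first four are built from profile data.
    for pw in ["guinness84", "Manchester1703", "Bob123", "bobcarol", "R3d!Kettle9"]:
        print(f"{pw:16} profile-guessable = {is_profile_guessable(pw, PROFILE)}")
```

Run it directly to see the candidate count and a verdict per sample password. In practice the same list is fed to a password auditor or used as a deny-list at password-set time; the point of the slide is that everything needed to build it is public profile data, so a password that passes a complexity rule can still fall to the first few thousand guesses.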