Social Engineering
CS 334 - Computer Security
Thanks to: The late Dr. Yosef Sherif, unknown colleague at UW-Madison, Mathew Sullivan at Iowa State, Tanya L. Crenshaw at U. Portland, various other colleagues and contributors
Social Engineering: Definition
• Social Engineering: “the practice of obtaining confidential information by manipulation of legitimate users.” (from Wikipedia.com)
• Attackers “trick” employees into revealing sensitive information, usually to gain access to a computer system: user-ID, password, IP address, etc.
Social Engineering: Definition
• A Social Engineer is basically a flavor of “Con-Man” (“Con-Person”?)
• Historically, Con-Men have been highly successful at convincing victims to give them valuable items (money, jewelry, etc.).
• Social Engineers employ similar methods, aided by modern technology, to obtain valuable data from system users.
Social Engineering: Definition
• Con-Men and social engineers see their attacks as an art form or a social trade.
– They pride themselves on their ability to manipulate a person’s natural tendency to trust others
– They are highly skilled and use very effective psychological methods
– Some work for personal edification; others work for profit
Social Engineering
• The end user is usually the weakest link of a system
– People are often lazy, ignorant of security, or simply gullible
• Social engineering is a journey into social psychology!
– Yes I know, that probably doesn’t sound very fun
– Well guess what… it is, so deal with it!
But First: Some Examples
Case Scenario: Meet Angry Cow
• Angry Cow is a Computer Science student at UW-Madison
• Angry Cow just got an eviction notice!
Simple Public Information is Found
• Angry Cow lives at the Regent
• The Regent’s website indicates that it is owned by Steve Brown Properties
• Angry Cow wants to “fix” Steve Brown’s record-keeping spreadsheet to show that rent has been paid
Finding A Way In...
• Facebook is Angry Cow’s first weapon of choice because it is an unofficial source of information
• Poor controls over data sharing
• Lots of important information there that might not seem important, but could be his first step in…
• Go to Facebook and search: “Steve Brown Apartments” to find an appropriate unknowing accomplice
Let’s See -- Danielle Treu
• Born July 24, 1988
• Enjoys playing in the rain, drinking coffee, and spending money
• Works at Subway and as a Resident Assistant for Steve Brown Apartments
Let’s See -- David Klabanoff
• Born April 21, 1979
• Likes Star Wars and The Muppet Movie
• Is a Concierge for Steve Brown Apartments
Let’s See -- Andrew Baldinger (who made these slides?)
• Born March 30, 1986
• Likes kayaking, exploring, and getting lost
• Lives at the Regent
• Works as a Technology Support Specialist for Steve Brown Apartments
Let’s Start with Danielle Treu
• Her Facebook profile is public, but she is intelligent. She keeps her contact information private
• But her profile does say that she attends UW-Madison...
• I wonder if they have some more public information about her
More Research
• UW Whitepages is PUBLIC information
• That conveniently provides her email address
Primary Contact
Establishing the Trust
• Danielle talks to David, and since David trusts Danielle as an “insider”, this trust transfers to the fake Andrew
• Angry Cow shows up later that day. David is expecting him.
• Angry Cow identifies himself as Andrew and asks David for the key to the server room
The Hack
• Angry Cow gets physical access to the server and uses a standard password cracking program to get the Admin username and password
• Angry Cow logs into the server and alters accounting files to indicate that his rent has been paid
Summary of This Example
• Search for public information about your target, using both official and unofficial sources
• Build a trust ladder: Danielle trusts Andrew and David trusts Danielle, therefore David will trust Andrew -- even if “Andrew” is really Angry Cow!
• Built a credible story
• Based on pretexting
Pretexting
• Pretexting is the act of creating and using an invented scenario (the pretext) to persuade a targeted victim to release information or perform an action, and is typically done over the telephone.
• It’s more than a simple lie, as it most often involves some prior research or set-up and the use of pieces of known information (e.g. for impersonation: date of birth, Social Security Number, last bill amount) to establish legitimacy in the mind of the target.
Is This Really a Threat to Businesses?
• So far, this just looks like a technique employed by angry individuals
• Did you know that Hewlett Packard regularly engaged in Social Engineering?
• They used the method of pretexting in order to get phone records
• Watch the testimony of Patricia Dunn, former Director of HP: http://pra-blog.blogspot.com/2006/10/patricia-dunns-incredible-
Pretexting Will Likely Continue
• As most U.S. companies still authenticate a client by asking only for a Social Security Number, date of birth, or mother's maiden name, the method is effective in many criminal situations and will likely continue to be a security problem in the future.
• Pretexting is the most common form of social engineering.
Example: Hacking Paris Hilton’s Phone
• In 2005, Paris Hilton’s phone was hacked. The contents of her T-Mobile Sidekick were posted to illmog.org, including the phone numbers of Eminem, Vin Diesel, Lindsay Lohan, and Anna Kournikova.
The Steps...
• The attackers learn of a programming glitch on the T-Mobile website. They found that the tool on the site that allowed users to reset their account password contained a vulnerability.
• They figure out how to reset the password of any user whose phone was a Sidekick.
The Steps...
• To get Paris Hilton’s phone number, the attackers get a caller-ID spoofer and call a T-Mobile sales store in California
• The conversation goes something like this:
– Attacker: “This is [whoever] from T-Mobile Headquarters in Washington. We heard you’ve been having problems with your customer account tools?”
– Employee: “No, we haven’t had any problems really. Just a couple of slowdowns.”
– Attacker: “Yes, that is what is described here in this report. We’re going to have to look into this for a quick second.”
The Steps...
• The T-Mobile rep gave out the URL of the internal T-Mobile site used to manage customer accounts.
• Also gave the username and password used by employees to log in.
• With Hilton’s phone number, they could use the glitch to reset her password.
• This caused a text message to be sent to her phone.
• The attackers then called her, using their caller-ID spoofer.
The Steps...
• Attacker: “There are some network difficulties. Have you been getting any SMS about a password reset? What were the contents of the message?”
• At this point, she has no idea that her password has really been changed and her account hacked
• Since videos and data on the Sidekick are stored on T-Mobile’s central servers, they could download all of Hilton’s info to their own phones.
• The hackers were teenagers.
– Who appreciated that Hilton had nude photos saved on her Sidekick...
Also, gratuitous Matrix sidestory
• Hackers also called Laurence Fishburne, demanding that he “GIVE US THE SHIP!”
Now, Back to the “Theory”
Social Psychology: Persuasion
• A number of variables influence the persuasion process:
– The Communicator (Who?)
– The Message (What?)
– The Audience (Whom?)
– The Channel (How?)
• For now, let’s focus on “The Communicator”
Social Psychology: Persuasion
• The Communicator (Who?):
– Credibility
– Expertise
– Trustworthiness
– Attractiveness
Social Psychology: Persuasion
• Credibility: “The Milgram Experiment”
– The white lab coat
Social Psychology: Persuasion
• Credibility: “The Milgram Experiment”
– The “assistant” will give electric shocks in increasing voltages to the “test subject”, whom they can hear via a covered window but cannot see
– The “test subject” is actually an actor and is not really getting shocked
Social Psychology: Persuasion
• Credibility: “The Milgram Experiment”
– After a few shocks, the “test subject” actor begins yelling in pain, banging on the wall, and begging for the shocks to stop
– “Assistants” would ask the man in the white coat what to do; upon being told to continue, 65% of “assistants” would go on to administer 450-volt shocks from the switch labeled “dangerous”
– By the time the 450-volt switch is reached, the actor has already been dead silent for many minutes
Social Psychology: Persuasion
• So what’s the moral of the story?
– Most people will obey the man in the white coat
– In social engineering, creating the aura of an authority figure allows the adversary to persuade easily, because she has established credibility!