English Pages [317] Year 2012
Course 2012
Social Engineering: Deceptions and Defenses by Randy W. Williams Technical Editor: William Dalton
2012/CN/D.2/906/D.1
Copyright
© LEARNING TREE INTERNATIONAL, INC. All rights reserved. All trademarked product and company names are the property of their respective trademark holders. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, or translated into any language, without the prior written permission of the publisher. Copying software used in this course is prohibited without the express permission of Learning Tree International, Inc. Making unauthorized copies of such software violates federal copyright law, which includes both civil and criminal penalties.
© Learning Tree International, Inc. All rights reserved. Not to be reproduced without prior written consent.
Acknowledgements The author would like to acknowledge the following for contributions to this course ► The Product Management team ► The Publications team ► The Product Development Lab ► All the dedicated instructors
Introduction and Overview
Course Objectives ► Defend against social engineering deceptions that threaten organizational security ► Plan, execute, and evaluate security assessments for human weaknesses ► Explore the dangers of psychological manipulation ► Measure and report your organization’s preparedness for social engineering attacks ► Implement procedures and policies to defeat deceptions ► Mitigate personnel vulnerabilities with education and security awareness
Course Contents
Introduction and Overview
Chapter 1: Introduction to Social Engineering
Chapter 2: Gathering Information
Chapter 3: Understanding the Communication Model
Chapter 4: Gaining Physical Access
Chapter 5: Eliciting Information
Chapter 6: Impersonation
Chapter 7: The Psychology of Persuasion
Chapter 8: Countermeasures
Chapter 9: Course Summary
Next Steps
Warning! ► In this course, you will learn the basics of how to perform social engineering ► The exercises and workshops are to be performed as specified by the instructor ► We require participants to “social engineer courteously” and only within the bounds prescribed in the exercises and demonstrations ► Outside of class, do not employ the tools and techniques learned without permission • It is very likely against the law and the policies of your organization
Social Engineering ► Social engineering covers a wide array of deceptive methods for gaining illicit access and stealing information • This course will cover the topic from initial probing and reconnaissance to execution • Many time-proven techniques will be discussed and demonstrated ► We cannot, however, cover all of the methods • Social engineering is limited only by the imagination
Chapter 1
Introduction to Social Engineering
Objectives ► Assess social engineering threats ► Identify types of social engineers ► Examine classic case studies ► Review the tools and techniques of a social engineer ► Evaluate a social engineering attack framework
Contents Social Engineering ► Case Studies ► Tools and Techniques of Social Engineers ► Motif for This Course ► Hands-On Exercise 1.1
Social Engineering ► Social engineering is a huge security threat today ► Observing or controlling human actions to allow illicit access to resources • It might best be identified by the greatest vulnerability: human weaknesses • Access may be used to gain information ◦ Physical or logical access may be used to gain credit card information • Information may be used to gain access ◦ Knowledge of door codes leading to physical theft ► Social engineering includes far more than interpersonal discussions or manipulation • It may be performed entirely online • Meeting or talking to a person is not always necessary • Physical security skills are also a part of it ◦ Lock picking
Fixing the Problem ► Many vulnerabilities in technologies can be remedied with a patch to software • Social engineering vulnerabilities prey on ◦ Failures to follow established policy/common sense ◦ Inherent weaknesses ► Social engineering often involves securing the mind • But this must include organizational, physical, and technological defenses ► As Kevin Mitnick has said, “There is no patch for stupidity”*
*Source: Lambert, Laura, et al., ed. The Internet: A Historical Encyclopedia. ABC-CLIO, 2005.
Terms and Definitions ► Target • The person or organization to be deceived, elicited, or manipulated ► Vector • A method of approach or method of gaining access to an objective ► Objective • The ultimate goal for a social engineer ► Reconnaissance • Scouting an objective and the environment to identify the possible targets, vectors, and objectives ► Organization communication model • Understanding how information is created, formatted, sent, and received
Terms and Definitions ► Elicitation • Drawing out useful information from people in such a way that the disclosures are not perceived ► Pretexting • Setting a staged scenario based on a false reality or false identities ► Persuasion and manipulation • Compelling or directing the thoughts or actions of human assets
Risks ► Risk is simply defined as: • The possible loss or misuse of an asset ► Any time an asset is used or deployed, it is exposed to risk ► A simple formula may be used to describe risk: • Risk = Vulnerability × Threat level × Asset value • Vulnerability ◦ The severity of the flaw that may allow illicit use or control • Threat level ◦ The likelihood that an asset may be attacked • Asset value ◦ The inherent value or replacement cost of an asset
An Untrained Mind Is the Vulnerability ► Social engineering preys on people, their tendencies, and weaknesses ► Being willing to disobey policy • Perhaps for a perceived greater good ► A lack of knowledge • Not knowing the consequences of divulging small pieces of information ► Psychology • Instinctive behaviors that may be manipulated ► Helpfulness • Wanting to assist others or prevent harm ► Greed or fear of loss • Being faced with foregoing an opportunity • Confrontation with personal, occupational, or financial loss
Social Engineering Threats ► The likelihood of attack may be keyed to the • Defenses to be surmounted • Complexity required of a successful attack • Damage to be inflicted • Gain for the attacker • Ease of reconnaissance
Assets An attack may target any of a range of assets ► Knowledge • Organizational plans • Procedures • Passwords or passcodes ► Intellectual Property (IP) • Customer data • Employee records • Diagrams ► Tangible • Computers • Cell phones • Other valuable equipment
Types of Social Engineers ► Simple thieves • Their design is often to steal physical assets ► Hackers and identity thieves • Attackers that leverage human weaknesses in the use of computing technology to commit theft or fraud ► Rogue internal personnel • Individuals with internal access who perform misleading actions to inappropriately gain access or information ► Corporations • Commercial espionage ► Pranksters • Individuals or groups seeking to embarrass ► National spying organizations • Social engineering has always been a part of their stock-in-trade
What Is a Social Engineer? ► Consider these questions about social engineering; answer True or False for each: • Social engineers are not technology-savvy • It always involves conversations • It is always a stranger who engages in it • Hacking is generally unrelated to it • It is typically done on the fly, because it is really an art • It can be prevented with adequate technology safeguards • Social engineers only target information
Acceptable Social Engineering ► Many of the techniques used by illicit social engineers are also employed legally in everyday life by people around us • Romantic relationships • Salespersons • Managers • Mentors, life coaches, and motivational speakers • Parents and children • Friends playing a prank ► While these examples are not illegal or illicit, the techniques are often the same
Learning From Case Studies ► Quite a bit may be learned by studying earlier well-known social engineering attacks ► We will focus on two cases that were covered in the press • Elizabeth Moreau: ESPN reporter at a hotel • Prison break in Florida: Document forgery ► These cases both involve social engineering • But radically differing objectives and vectors
Examining Case Studies
Do Now
1. The instructor will divide the class into two groups: • Group 1 will explore the case study of Elizabeth Moreau* • Group 2 will explore the case study of a Florida Prison Break ** 2. The Elizabeth Moreau case study is on the next slide. The Florida case study is on the slide after 3. There are links under Documents\Chapter 1\ that can help you research these topics 4. Take 10 minutes to read the descriptions 5. Afterward, we will analyze the particulars of each case to compare and contrast the methods used
Sources: * http://msn.foxsports.com/collegefootball/story/espn-reporter-elizabeth-moreau-pranked-in-gainesville-102110 ** https://www.cnn.com/2013/11/06/justice/florida-inmates-mistakenly-freed/index.html
Case Study 1: Elizabeth Moreau ► The incident • Moreau, a reporter for ESPN, checked into a Hilton hotel • Late at night, she received a call, allegedly from the hotel manager, advising her of a dangerous gas leak in the building • Among other things, she was instructed to take the top off the toilet tank and throw it through her window to ensure she had breathable air • After she did so, the prankster conferenced the call to the actual night manager • The prankster then told the night manager that his wife was drunk and had gotten mad and deliberately broken the guest suite window ► The aftermath • Moreau was not charged for replacing the window • The hotel began notifying future guests about calls pretending to be from the front desk ► Why her and the hotel? • The Hilton hotel had phone systems that allowed outside calls to be directly forwarded to guest rooms • There was no way to discern if it was an internal or outside line
Case Study 2: Florida Prison Break ► The incident • Two inmates serving life in Florida escaped using forged documents • Realistic-looking documents reducing the sentence to time served were delivered to the after-hours drop box of the clerk of the court • Everyone fell for the ploy and both were released very quickly; one was given bus fare to get into town • It was not discovered until quite a while later ► The aftermath • The escapees did not go far and were recaptured • Many court systems began auditing their early release orders to see if this had also happened to them • This jurisdiction began printing orders on special paper and now requires a call from a judge ► Why? • To get out
Discussion of Case Studies 1. What were the ultimate objectives of each case? 2. What were the vectors? 3. Who were the attackers? 4. What skills did the attackers require? 5. What was the risk of getting caught? 6. How did human failings play into these attacks? 7. How much planning was required? 8. What technologies were involved? 9. How could the attacks have been prevented?
Attack Methodologies and Techniques ► There are many methodologies describing how social engineering may be performed ► We will follow this loose model of attacks: • Information gathering • Understanding the communication model • Gaining access • Eliciting information • Impersonating • Pretexting and persuading • Exiting ► Tools and techniques vary with the • Attacker • Objective • Environment • Imagination
Reconnaissance ► Social engineering attacks rarely just happen without a great deal of planning • Attacks require a strong knowledge of the targets, objectives, communication methods, weaknesses, and environment ► Reconnaissance may be performed • Interpersonally ◦ Person to person • Indirectly ◦ Through intermediaries or documents • On-site ◦ At the victim’s physical location • Online ◦ Using “open source” published information
Understanding the Organization ► For many ploys, a deception must occur ► Creating a plausible deception means knowing how the real communication is supposed to look ► An attacker must analyze how things work in the context of the • Source • Message • Channel • Receiver ► This relies on intelligence gathering
Gaining Physical Access ► Social engineering attacks are not limited to human-based exploits ► Deception and manipulation may only allow an attacker to get close to an objective • The rest of the job may require the skills of a thief ► Common skills of a social engineer will include • Lock picking • Knowledge of tools and techniques to avoid sensors and detection systems
Elicitation ► People usually do not just reveal secrets to anyone when asked ► Elicitation involves the drawing out of information • Using interviewing techniques • Establishing rapport • Pacing and leading the conversation ► While often performed in person, elicitation may be performed • Via remote communication ◦ E-mail ◦ Blogs ◦ Chat sessions • Over a long period of time
Impersonation ► Manipulation and access are often facilitated by forging an identity ► This may involve spoofing the source or receiver of information ► Impersonation and pretexting can be performed in many ways • Directly or interpersonally ◦ Face-to-face meetings • Online or electronically ◦ Via e-mail, ID cards, telephone, or fax • Indirectly ◦ Letters, posters, loudspeaker announcements, and advertisements
Pretexting and Persuasion ► Employing psychological tricks to manipulate • Employing psychological principles to influence thought and behavior ► Some of the techniques to be explored include • Mindlessness • Reciprocity • Social proofing • Using authority • Consistency
Exit Strategy ► Once an objective has been reached or claimed, it is time for the attacks to end and the parties to go on their way ► However, simply stopping a ruse and exiting might leave a victim suspicious • Have I been duped? • Is anything missing? • Has something been altered? ► An effective social engineering ploy will include exiting the scenario in a normal way • Ensuring no suspicions have been aroused
Motif for This Course ► We will explore a wide array of conventional and unconventional tactics in exploring how social engineering is performed • We will also discuss defenses ► Some of these will be tests carried out by you with fellow class participants • In others, you could be the subject of the experiment ► In all cases, the tests involve a simple proof of concept with trivial effects ► Examples: • Failing to remember an obvious answer • Inducing one to perform simple math incorrectly • Missing major details and changes around you ► None will involve sensitive information or embarrassing results ► But some of the experiments may fail • A danger of working with people: We don’t all respond identically
Tools Used in This Course ► To explore social engineering, you have several assets ► A computer with access to the Internet • For researching and demonstration ► Three virtual machines • A standard Windows operating system ◦ There are many bookmarks in Internet Explorer to be used in exercises • Kali Linux ◦ An operating system dedicated to exploits and testing tools, including e-mail harvesters and The Social Engineering Toolkit (SET) • Windows server ◦ Used as a target in some exercises
Hands-On Exercise 1.1
Exercise Manual
In your Exercise Manual, please refer to Hands-On Exercise 1.1: Exploring the Virtual Machines
Review Questions
Review
1. What is the common element among all social engineering attacks?
2. What is a vector?
3. What is a social engineering objective?
4. How do lock-picking skills assist a social engineer?
5. Why is it important for a social engineer to understand the communication model of an organization or business process?
6. Describe several examples in which a social engineer never speaks to the target
Chapter 2
Gathering Information
Objectives ► Identify the goals of information gathering ► Assess the types of useful information ► Inspect on-site information goals and techniques ► Enumerate online information sources ► Recommend reconnaissance countermeasures
Contents Goals of Information Gathering ► Gathering On-site Information ► Hands-On Exercise 2.1 ► Online Information Sources ► Reconnaissance Countermeasures
Goals of Information Gathering ► Information gathering is performed to support later efforts • Analyzing communication within the organization • Gaining access • Impersonation • Persuasion ► The types of information and goals may be divided into several categories • Organizational • Relational • Events • Technical • Physical
Organizational ► Organizations have goals to achieve • To accomplish this, they create structure and define roles • People are assigned to roles that support business processes ► Understanding the who, what, how, where, and why of this can be a great help to an attacker • An organization chart • Directory/telephone listing • Listings of departments and their heads • Employee rosters • Vendor and contractor information • Work schedules
Organizational ► The social engineer wants to know • Where people are—by location • Who makes decisions and who receives decisions • How to normally contact or access personnel • When people go to work or are on vacation • Besides employees, who else is involved in the organization’s life ◦ Janitorial services, HVAC repair, etc. ► Key personnel • Names • Nicknames • Contact information • Location • Responsibilities • Help desk information • Internal telephone and fax numbers/extensions
HVAC = heating, ventilating, and air conditioning
Relational ► The focus is on the context of communication and the: • Source • Message • Channel • Receiver ► These elements are present in all communication • A social engineer wants to discover how to subvert or spoof one or more of these elements ► Pretexting and persuasion often rely on knowing the correct person to contact • Pretending to be an authorized party • Impersonating someone in authority ► While it is important to know “who knows who” • It may be just as useful to know “who doesn’t know who” • Impersonation is easy when you don’t know the other person
Relational ► Consider the case of Stanley Mark Rifkin, who pulled off one of the largest bank heists ever in 1978—$10.8 million ► As an IT contractor at a bank, he had access to the money-wiring desk • He overheard the procedures used to wire money—who and how • He also discovered that clerks often wrote down the daily passcode ► He left the room and called in to the desk, claiming to be from an international branch • He requested a large transfer to his own account and provided a passcode • When he was asked for and did not know the “interoffice settlement number,” he said he’d call right back ► He simply asked another bank department, claiming to be from the wiring desk, and was given the necessary number • He called back the wiring desk, and the transfer was performed ► To do this, he needed one passcode and a knowledge of relationships
Source: Mitnick, Kevin D., & William L. Simon. “The Art of Deception: Controlling the Human Element of Security”. www.amazon.com/Art-Deception-Controlling-Element-Security/.
Discussion of Stanley Mark Rifkin
Do Now
1. What were the organizational flaws that allowed Rifkin to perform his theft? 2. How did being unknown help Rifkin with his heist? 3. What was his vector? 4. What was his exit strategy? 5. What special knowledge was needed for this crime? 6. What could the bank have done differently to prevent the crime?
Events ► Throughout each day, week, month, and year, key events take place • Retailers cash out at the end of each day • Personnel change shifts • Publishers go to press • Individuals take vacations • Companies celebrate holidays or hold “all hands on deck” meetings ► Employees and other insiders know these events ► From a social engineer’s view, it may be useful to know about these events to take advantage of them • Known absences ease impersonation • Knowledge engenders familiarity • Conferences and celebrations are opportunities to meet people
Technical ► Social engineering is often aided by technical means ► Impersonation, rapport, and pretexting are aided by knowing the right things • Domain name • E-mail applications used • Customer service contact methods • E-mail addresses • Browsers used • Names and capabilities of custom applications ► Other examples of useful technical knowledge: • Billing or department codes • Badge or ID numbers • Phone numbers of key personnel • Access codes • Security vendors
Physical ► Insiders know where certain things are • The main entrances • The cafeteria • Vending machines • Designated smoking areas ► Along with this, it may prove useful to know • Sign-in procedures and authorization procedures • Access controls—badges, locks, doors, vaults • Alarm and occupancy detection systems • Hours of operation • Parking areas • Freight delivery locations • Guards’ locations and routes ► Much of this is on public display or easily viewed
Gathering On-site Information ► This sort of reconnaissance requires the attacker to appear at the target site • And to risk being remembered later, being photographed, or having credentials recorded ► On the other hand, it is the best way to see and catalog the defenses and assets ► The tools for on-site information gathering include rather mundane items: • Cell phone with a camera • Notepad and pen
Useful On-site Information ► The on-site information needed depends on the type of attack • This information may make the best vector clear after analysis ► Types of IT equipment used ► Personnel names and roles ► Public areas ► Identification and sign-in procedures ► Restricted areas ► Hours of operation ► Access points, entrances, and windows ► Access controls ► Lock brands ► Types of computers ► Janitorial schedule ► Vendors and suppliers ► Reception and guard locations ► Alarms and occupancy detectors ► Wired and wireless network access
Dumpster Diving ► Dumpster diving is recovering sensitive or useful information that has been discarded • In most jurisdictions, it is legal to take anything found in refuse containers ► Items that are particularly useful: • Organizational procedures • Memos and letters • E-mails • Diagrams • Business cards and IDs • Sticky notes with passwords and passcodes • Credit card records and financial documents • Bills and receipts
Gaining Site Access ► Getting on-site may be the hardest part of social engineering ► Pretexts are popular access vectors • They require little to no impersonation • No fake IDs, beyond a business card ► Example pretexts: • Job interviews • Sales calls ► Impersonation is also a successful vector • Fire department inspectors • HVAC repair personnel • Office equipment supplies and repair • Vending machine personnel ► These people are seldom noticed and may be unescorted
Linking ► This refers to leveraging one piece of information to gain more information • It can make one information leak become a cascade ► Here is an attack example from 2012 • Amazon allowed customers to call and change their e-mail address or add a credit card to an Amazon account if they could verify their name, e-mail address, and mailing address ◦ Easily discovered online • This could give access to an Amazon account • Once in, attackers could discover the last four digits of stored credit cards • Those same four digits could be used to trick Apple customer service into resetting an Apple ID password • This would allow Apple account access, which could be linked to PayPal • And so on …
Source: Olivarez-Giles, Nathan. “Amazon Quietly Closes Security Hole After Journalist’s Devastating Hack.” WIRED. https://www.wired.com/2012/08/amazon-changes-policy-wont-addnew-credit-cards-to-accounts-over-the-phone/
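The cascade on the Linking slide can be checked from the defender's side by treating each account's recovery policy as a rule and computing which accounts fall when only publicly discoverable facts are known. This is an added example, not part of the original course material; the service names, fact labels and policies are constructed and only loosely follow the 2012 chain described above.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Service:
    name: str
    recovery_requires: frozenset  # facts support accepts as proof of identity
    exposes: frozenset            # facts visible once inside the account


# Constructed policies (assumptions), simplified from the chain on the slide.
PUBLIC_FACTS = frozenset({"name", "email", "mailing_address"})
SERVICES = [
    Service("retailer",
            frozenset({"name", "email", "mailing_address"}),
            frozenset({"card_last4"})),
    Service("device_account",
            frozenset({"email", "card_last4"}),
            frozenset()),
    Service("payment_account",
            frozenset({"access:device_account"}),
            frozenset()),
]


def linking_cascade(services, public_facts):
    """Return (fallen, known): accounts lost in order, and every fact learned.

    Loops until no further account can be recovered (a fixed point), so the
    set of fallen accounts does not depend on how the services are listed.
    """
    known = set(public_facts)
    remaining = list(services)
    fallen = []
    progress = True
    while progress:
        progress = False
        for svc in list(remaining):
            if svc.recovery_requires <= known:
                fallen.append(svc.name)
                known |= svc.exposes
                known.add("access:" + svc.name)
                remaining.remove(svc)
                progress = True
    return fallen, known


def harden(services, name, extra_fact):
    """Copy of the policies in which one service demands an extra fact."""
    return [
        replace(s, recovery_requires=s.recovery_requires | {extra_fact})
        if s.name == name else s
        for s in services
    ]


def weakest_links(services, public_facts, extra_fact="out_of_band_code"):
    """Accounts still lost when only one service adds a non-public factor."""
    result = {}
    for svc in services:
        hardened = harden(services, svc.name, extra_fact)
        fallen, _ = linking_cascade(hardened, public_facts)
        result[svc.name] = len(fallen)
    return result


if __name__ == "__main__":
    fallen, known = linking_cascade(SERVICES, PUBLIC_FACTS)
    print("accounts lost from public facts:", fallen)
    for name, count in weakest_links(SERVICES, PUBLIC_FACTS).items():
        print(f"harden only {name}: {count} account(s) still lost")
```

The lower the count for a service, the earlier it sits in the chain, which is where adding a factor that cannot be looked up or read from another account stops the most downstream loss.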
Hands-On Exercise 2.1
Exercise Manual
In your Exercise Manual, please refer to Hands-On Exercise 2.1: Dumpster Diving and Linking
Online Information Sources ► When casing a site online, there is much to learn ► The information may be divided into two categories: • Technical • Nontechnical ► Technical information refers to the systems and software in use • What kind of servers do they use? • What vendor or software is used for e-mail? • Often related to more conventional hacking exploits ► Nontechnical is concerned with the meaning, purpose, and use of information • Personnel and contact information • Departments • Important activities and events • Relationships
Technical Information Gathering ► Netcraft.com • Keeps a record of applications and operating systems used by millions of websites ► Password profilers • These tools are useful for generating possible passwords likely to be used by an individual based on interests, hobbies, and web content ► Data mining • Deep analysis of a site in order to harvest ◦ E-mail addresses ◦ Documents ◦ Contact names
Open-Source Information Gathering ► Open sources are public databases that may be queried for information regarding a target • Google and Google Hacking • Jigsaw: especially good for company/personnel information • Netcraft: web server types • Pipl.com and other people search databases ► When queries are submitted, no message is sent to the target ► This provides benefits: • A quieter profile for the attacker • An extensive store of information ► But it does result in a lot of information to examine • A lot of dirt • A little gold
Google Hacking ► Using Google Hacking involves the use of extended search features to closely target the information sought ► The Google archives include much more than general page content • Type of file (.doc, .xls, .pdf) • Directory location (e.g., /private) • Title of page • Ports used ► They have an extensive set of search operators to finely tune a search ► An archive of successful Google hacks is stored at www.exploitdb.com/google-dorks/ • It locates everything from credit cards to usernames and passwords to personal photos • People and organizations that make sensitive information so easily found are called Google Dorks
Warning: Google will display CAPTCHA prompts after a number of queries have been made. This is to prevent excessive use/abuse by automated software
Google Hacking Operators ► site:.learningtree.com ► inurl:"/archive/" ► intitle:"Welcome to" ► intext:"Short Course" ► filetype:PDF ► index.of file_name • Used when lists of files are sought ► Use + to require another condition to be true "Intensive+short" ► Use () with | as an OR ("password" | "username")
[Figure: sample search result “Welcome to Learning Tree Social Engineering” at http://learningtree.com/archives/filename.pdf, annotated with the operators intitle:"Welcome to", inurl:archives, filetype:pdf, site:.learningtree.com, and intext:"Short Courses"]
Google Hacking Cheat Sheet
[Figure: sample search result annotated with the operators that match it: intitle:"to learning tree", site:.learningtree.com, filetype:pdf, inurl:/courses/2012/, “Defend against” | “engineering deceptions”, and “and security awareness”]
Sample result: Welcome to Learning Tree http://www.learningtree.com/courses/2012/social-engineering-deceptions-and-defenses.pdf Social Engineering Deceptions and Defenses: Hands-On • Defend against social engineering deceptions that threaten organizational security • Plan, execute and evaluate security assessments for human weaknesses • Promote vigilance and implement procedures and policies to defeat deceptions • Mitigate personnel vulnerabilities with education and security awareness • Measure and report your organization's preparedness for social engineering attacks
Warning: Google tracks these parameters closely. After a dozen or so from one site over a few minutes, users are prompted to fill in a CAPTCHA form
Google Hacking
Do Now
Open a browser, go to google.com, and search for these items:
1. A page with a title of “reset your password” at ETRADE.com
   site:.fidelity.com intitle:"reset your password"
2. Password requirements for NASA.gov with “HECC” in the URL or title
3. The name of the Chief Operating Officer contained in a PDF document at Learningtree.com
4. The role of Magnus Nylund at LearningTree.com
5. Any files at NASA.gov ending in .sql that contain the words “select from” or “drop table”
6. Some PDFs called 10-Q at LearningTree.com that contain the words “I.R.S. Employer Identification”
   • What is this number? _____________________
Harvesting E-Mail Accounts Many tools are available to analyze websites and extract e-mail accounts ► TheHarvester is an application that is provided with Kali Linux ► It raids online information resources to gather accounts • Google—Gmail, subdomains/hostnames • Google profiles • Bing search • PGP servers • LinkedIn
PGP = Pretty Good Privacy
TheHarvester
Do Now
1. Go to your Kali Linux machine
2. Open a terminal prompt
3. Run TheHarvester by entering this on one line:
   theharvester -d learningtree.com -b google -l 50 -f emails.html
4. When it is finished, examine the password list by entering:
   iceweasel emails.html
5. Close Iceweasel
6. Feel free to try other sources, such as linkedin, bing, and yahoo
Password Cracking Basics ► Most passwords can be cracked by a dictionary attack • Using a list of words that are thought to be important to a person • The cracking tools may be tuned to append and prepend numbers and letters • The key is getting the seed word ◦ Often set as something memorable to the user ► Others might be cracked by use of a rainbow table • Too complex to discuss here, but very effective
Online vs. Offline Cracking ► When cracking account credentials, two methods may be used: • Online ◦ A program interactively tries to log in, just as a user would ◦ However, it is slow (1–10 guesses per second) ◦ Dictionary attacks with small lists may be used ◦ Hydra is a commonly used tool • Offline ◦ If the encrypted passwords can be sniffed or stolen, they may be attacked much faster (thousands to millions of guesses per second) ◦ However, some technical expertise is required, or the password database must be insecurely stored ◦ Rainbow tables, dictionary attacks, brute force ► Online cracking is very likely to trigger intruder lockout controls
Non-technical Information Gathering ► In today’s online world, a huge amount of information is published about • Individuals • Organizations ► Much of it is open source ► Places to look for information: • Public records (city, state, federal, job sites) ◦ Government ID numbers ◦ Contacts ◦ Responsible parties • The organization’s own site ◦ Investors’ pages ◦ Help pages for portals: often contain password requirements ◦ Career advertisements: describe the hardware and software in use
Social, Job, and Business Networks ► Vast amount of information may be gleaned from • Facebook accounts • LinkedIn profiles • Twitter streams • Dating sites
► Social networking was the top source of reconnaissance information at Defcon’s “Capture the Flag” contest* ► Employment sites are particularly useful for discovering the hardware and software in use by a company • Job postings typically describe very closely the skills required for a particular brand and model
*Source: Hadnagy, Christopher, and Eric Maxwell. “Social Engineering Capture the Flag Results, Defcon 20.” https://www.social-engineer.org/wp-content/uploads/2014/03/SocialEngineerDefcon20SECTFResultsReport-Final.pdf
Countermeasures ► Check IDs • Business cards are not IDs; they are advertisements • Be aware that without special equipment, IDs can be convincing forgeries ► Be wary of outside parties • Escorting for all outside personnel ◦ Repair personnel ◦ Utilities ◦ Inspectors • Use guest badges to indicate visitors are present ► Forbid cameras or use security tape-over • And inspect on exit
User Name and Password Security ► User names should not be any value that is easily researched • Employee number • E-mail address • Formula: 6 + 2 (6 letters of last name + 2 initials) ◦ Ronald W. Smithson = smithsrw • Default passwords are always a problem ► The best passwords are three to five unrelated words • armyoceanthrivebottle (army, ocean, thrive, bottle) ► Many organizations try to implement complexity rules • Uppercase/lowercase • Special characters: !@#$%^&*() • Numbers • Ranges: minimum 8 and maximum 14 characters ► Intruder lockout to defend against password guessing • Internally and on external websites
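The password and user-name guidance above, worked through as an added example that is not part of the course material. The 16-word list, the sample account facts, and all function names are constructed for illustration; a real passphrase generator would draw from a list of several thousand words.

```python
import math
import secrets

# Constructed 16-word sample so the example is self-contained. Four words from
# a list this small give only 16 bits; see passphrase_entropy_bits() for why a
# list of thousands of words is needed in practice.
SAMPLE_WORDS = [
    "army", "ocean", "thrive", "bottle", "candle", "gravel", "mango", "pillow",
    "rocket", "silver", "tunnel", "violin", "walnut", "zebra", "anchor", "basket",
]

SPECIALS = "!@#$%^&*()"  # the special characters listed on the slide


def generate_passphrase(word_count=4, words=SAMPLE_WORDS):
    """Join independently chosen words, picked with a CSPRNG (not random.choice)."""
    if not 3 <= word_count <= 5:
        raise ValueError("use three to five words")
    return "".join(secrets.choice(words) for _ in range(word_count))


def passphrase_entropy_bits(word_count, list_size):
    """Bits of entropy when each word is drawn uniformly from list_size words."""
    return word_count * math.log2(list_size)


def random_password_entropy_bits(length, alphabet_size):
    """Best case for a character password: every character chosen at random."""
    return length * math.log2(alphabet_size)


def meets_complexity_rule(password):
    """The rule set from the slide: 8-14 chars, upper, lower, digit, special."""
    return (8 <= len(password) <= 14
            and any(c.isupper() for c in password)
            and any(c.islower() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in SPECIALS for c in password))


def username_findings(username, first, middle, last, email, employee_no):
    """Flag user names that can be worked out from easily researched facts."""
    findings = []
    name = username.lower()
    if name == str(employee_no).lower():
        findings.append("equals employee number")
    if name in (email.lower(), email.lower().split("@")[0]):
        findings.append("equals e-mail address")
    if name == (last[:6] + first[:1] + middle[:1]).lower():
        findings.append("matches 6 + 2 formula")
    return findings


if __name__ == "__main__":
    print("sample passphrase:", generate_passphrase())
    # 4 random words from a 7,776-word list vs. 8 random characters drawn from
    # 72 symbols (26 upper + 26 lower + 10 digits + 10 specials).
    print("4 words / 7776-word list: %.1f bits" % passphrase_entropy_bits(4, 7776))
    print("8 random chars / 72 symbols: %.1f bits" % random_password_entropy_bits(8, 72))
    # The complexity rule accepts a guessable password and rejects the slide's
    # passphrase, which is too long and has no digits or specials.
    for candidate in ("Password1!", "armyoceanthrivebottle"):
        print(candidate, "passes rule:", meets_complexity_rule(candidate))
    # Constructed account facts for the slide's example person.
    print(username_findings("smithsrw", "Ronald", "W", "Smithson",
                            "ron.smithson@example.com", "104233"))
```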
Online Defenses ► Craft policies to limit employee discussions of work-related issues • Social networks • Friends and family • Career sites ► Data mining defenses • Maximum page fetches per minute • Address lockout for offenders
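One way to combine the two data mining defenses above, a maximum number of page fetches per minute and address lockout for offenders, shown as an added example rather than course code. The thresholds, the class and function names, and the event list (documentation-range addresses) are all constructed assumptions.

```python
from collections import defaultdict, deque

ALLOW, THROTTLE, LOCKED = "allow", "throttle", "locked"


class FetchLimiter:
    """Per-address sliding-window fetch limit with lockout for repeat offenders.

    State is kept in memory and grows with the number of addresses seen; a
    production version would expire idle entries or use a shared store.
    """

    def __init__(self, max_per_minute=30, strikes_before_lockout=3,
                 lockout_seconds=600):
        self.max_per_minute = max_per_minute
        self.strikes_before_lockout = strikes_before_lockout
        self.lockout_seconds = lockout_seconds
        self._fetches = defaultdict(deque)  # addr -> times of served fetches
        self._strikes = defaultdict(int)    # addr -> over-limit requests
        self._locked_until = {}             # addr -> time the lockout ends

    def check(self, addr, now):
        """Decide what to do with one page fetch from addr at time now (seconds)."""
        until = self._locked_until.get(addr)
        if until is not None:
            if now < until:
                return LOCKED
            # Lockout served: start the address over with a clean record.
            del self._locked_until[addr]
            self._strikes[addr] = 0
            self._fetches[addr].clear()

        window = self._fetches[addr]
        while window and now - window[0] >= 60:
            window.popleft()                # drop fetches older than one minute
        if not window:
            self._strikes[addr] = 0         # a quiet minute forgives old strikes

        if len(window) < self.max_per_minute:
            window.append(now)
            return ALLOW

        self._strikes[addr] += 1
        if self._strikes[addr] >= self.strikes_before_lockout:
            self._locked_until[addr] = now + self.lockout_seconds
            return LOCKED
        return THROTTLE


def replay(events, limiter):
    """Run (time, address) events through the limiter; count decisions per address."""
    counts = {}
    for now, addr in sorted(events):
        per_addr = counts.setdefault(addr, {ALLOW: 0, THROTTLE: 0, LOCKED: 0})
        per_addr[limiter.check(addr, now)] += 1
    return counts


# Constructed traffic: a harvesting tool fetching 5 pages per second for 10
# seconds, and a person reading one page every 5 seconds for two minutes.
CONSTRUCTED_EVENTS = (
    [(i / 5, "203.0.113.9") for i in range(50)]
    + [(i * 5.0, "198.51.100.7") for i in range(24)]
)

if __name__ == "__main__":
    for addr, result in replay(CONSTRUCTED_EVENTS, FetchLimiter()).items():
        print(addr, result)
```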
Minimizing Google Hacking ► It is difficult to completely contain what will be indexed by Google • robots.txt is a good start • A file that is placed at the document root ◦ And other directories • Its directives instruct Google what to avoid with their indexing ► Web developers should work with management and security to establish which pages and content to allow into Google • Google and most search engines will obey the directives
Sample robots.txt:
User-agent: *
Disallow: /.element
Disallow: /editionssi
Disallow: /ads
Disallow: /aol
Disallow: /audio
Disallow: /audioselect
Disallow: /beta
Disallow: /browsers
Disallow: /cl
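A check that a robots.txt actually covers the pages the developers, management, and security agreed to keep out of search results, added here as an example and not taken from the course. The robots.txt text, the path inventory, and the crawler name ExampleCrawler are constructed; the "*" group reuses directives from the slide's sample, and the Googlebot group is added to show that a crawler with its own group does not inherit the "*" rules.

```python
from urllib.robotparser import RobotFileParser

# Constructed robots.txt. A crawler that finds a group naming it follows only
# that group, so the Googlebot group below silently drops most "*" rules.
ROBOTS_TXT = """\
User-agent: *
Disallow: /.element
Disallow: /editionssi
Disallow: /ads
Disallow: /beta

User-agent: Googlebot
Disallow: /ads
"""

# Constructed inventory: paths the organization decided should not be indexed.
KEEP_OUT_OF_INDEX = [
    "/ads/campaign.html",
    "/beta/login.html",
    "/private/orgchart.pdf",
]


def indexable_paths(robots_txt, paths, agents):
    """For each crawler, list the paths robots.txt still lets it fetch."""
    parser = RobotFileParser()
    parser.parse(robots_txt.splitlines())
    return {
        agent: [path for path in paths if parser.can_fetch(agent, path)]
        for agent in agents
    }


def audit_report(robots_txt, paths, agents):
    """Human-readable findings, one line per crawler with uncovered paths."""
    lines = []
    for agent, exposed in indexable_paths(robots_txt, paths, agents).items():
        if exposed:
            lines.append("%s may index: %s" % (agent, ", ".join(exposed)))
    return lines


if __name__ == "__main__":
    for line in audit_report(ROBOTS_TXT, KEEP_OUT_OF_INDEX,
                             ["Googlebot", "ExampleCrawler"]):
        print(line)
```

robots.txt is a public file that asks crawlers to stay away; it does not restrict access, so anything listed in it that must stay private also needs authentication on the server.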
Minimizing Google Hacking
Do Now
1. Open your browsers and inspect these pages: www.nasa.gov/robots.txt www.chase.com/robots.txt
Objectives ► Identify the goals of information gathering ► Assess the types of useful information ► Inspect on-site information goals and techniques ► Enumerate online information sources ► Recommend reconnaissance countermeasures
Review Questions
1. What dangers are there in advertising for a job candidate?
2. What type of information did Stanley Rifkin exploit in his bank theft crime?
3. Why should an organization chart be destroyed before disposal?
4. What tools are necessary for gathering on-site information?
5. How might you locate a web page on jpl.nasa.gov with the phrases “Change JPL Password” and “Directory Listing”?
Chapter 3
Understanding the Communication Model
Objectives ► Explore an organization communication model ► Examine how information flows in an organization ► Discover vulnerabilities in communication ► Exploit communication weaknesses ► Identify defenses to protect communication
Contents ► Communication Models ► Exploiting Communication Weaknesses ► Hands-On Exercise 3.1 ► Securing Communications
Communication Models ► In all successful social engineering attacks, there is a communication failure or deception • Whether it is spoken or read, something went wrong • And an attacker capitalized on it ► Understanding communication is key to both attackers and defenders ► We will utilize the Berlo Source, Message, Channel, Receiver (SMCR) model of communication* • Although constructed for verbal communication, it is equally applicable to other types ◦ E-mail and electronic messaging ◦ Letters and memos
*Source: Berlo, David K. The Process of Communication: An Introduction to Theory and Practice. Holt, Rinehart, and Winston, 1960.
The Berlo Communication Model ► The model identifies four major components: • Source • Message • Channel • Receiver ► For effective communication, the Source must create and encode a Message ► The Source selects a Channel, which is the medium of exchange, and transmits it ► The Receiver decodes the Message
[Figure: SMCR diagram: Source → Message (Encoding) → Transmitting → Channel → Receiver (Decoding)]
Source ► The Source seeks to convey a meaning to the Receiver ► Success depends on several attributes that must be common to both Source and Receiver: • Communication skills • Attitude • Knowledge • Social system • Culture
Commonality of Source and Receiver ► If there is an incompatibility between these peers, communication may fail ► Communication skills • Can the parties carry on an effective conversation? ► Attitude • Is there agreement about the importance of the message? ► Knowledge • Is accurate information being said and interpreted correctly? ► Social system • Do the parties communicating hold the standing to communicate with one another? ► Culture • If someone asks you how your evening went, and you answer, “Sick,” does that mean it was great or poor?
Message ► A party converts meaning into words and a Message is created • The content and structure must be compatible to both Source and Receiver ► This Message is then encoded • Telepathy is not reliable yet, so meaning must be converted into patterns of ◦ Letters to form words ◦ Lines and shapes to make symbols ◦ Electronic patterns to create packets • The encoding depends on the Channel
Channel ► Another thing that must be common to Source and Receiver is the Channel • The Channel must be available and accurately convey the Message ► The choice of a particular Channel affects these security aspects: • Authenticity of Source and Receiver • Confidentiality of Message content • Integrity of the Message • Availability—functionality and signal-to-noise ratio
Receiver ► When the Channel delivers a Message, the Receiver decodes it • To derive the meaning ► Have you ever talked to someone, and although the words were clear, you could not figure out what he or she said? • That is a decoding incompatibility ► If all these work correctly, the meaning and intent of the Source is delivered to the Receiver
Exploiting Communication Weaknesses ► Communication is secure only when the meaning and intent of the Source are reliably and accurately delivered with proper access control to the Receiver ► We desire to have • Confidentiality • Integrity and authenticity • Availability
Confidentiality ► Information or access is available only to authorized parties ► This applies to • Telephone calls • Letters • E-mails • Computer transactions
Eavesdropping is a threat
[Figure: SMCR diagram illustrating eavesdropping; the Message “Here are the salaries of top-earning employees” is shown twice]
Integrity ► A Message has not been altered in an unauthorized manner as stored or transmitted ► Message interception may allow an attacker to alter and resend the Message
Modification is a threat
[Figure: SMCR diagram with a Compromised Channel; Message texts shown: “Mary should be fired” and “Mary should be promoted”]
Authenticity ► The parties communicating are known and accepted ► The Source must direct the Message to the correct Receiver
Misdirection and impersonation are threats
[Figure: SMCR diagram in which the Message “Here are the salaries of top-earning employees” reaches an Unintended Receiver; labels: “Error by the Source in selecting the Receiver” and “Compromised Channel”]
Authenticity ► The Receiver must be able to trust that the Source is accurate
Impersonation is a threat
[Figure: SMCR diagram in which a Spoofed Source sends the Message “Send my money to this overseas account…”; label: “The Channel fails to authenticate the Source”]
Availability ► The Channel must be able to deliver Messages in a way that is • Timely • Reliable
[Figure: SMCR diagram carrying the Message “Mary should be promoted”]
Sources and Receivers ► The Source creates a Message and selects the Channel • The Channel may be secure or insecure ► It is the choice of the Receiver to decode and accept a Message • Or to reject it ► Some common social engineering attacks against Sources and Receivers are • Impersonation of the Source or Receiver • Interception and redirection of the Channel
Message Vulnerabilities ► Misdirection to an invalid Receiver • If the Source may be misled, a confidential Message may be sent to an unintended destination ► With technology, DNS poisoning can accomplish this • DNSSEC can help prevent poisoning internal addresses, but not external addresses ► Man-in-the-Middle (MitM) attacks • To be demonstrated in a later chapter ► Pretexting and manipulation can do this to humans • To be studied later
DNS = domain name system DNSSEC = Domain Name System Security Extensions
Insecure Channels ► Many forms of communication are inherently insecure • They have inherent vulnerability ► Face to face • Secure only when both parties are honest and can identify each other ► Company mail • Generally insecure • Little better than e-mail ► Government and commercial postal services • Little or no verification of the Source • Possible verification of Receiver • Commonly very well trusted
Insecure Channels ► E-mail • Without a digital signature, security is presumptive ► Telephone calls and texting • Source is easily spoofed with VoIP and call-spoofing applications ► Internet and websites • HTTP has no authentication or integrity • Secured only with HTTPS
HTTP = Hypertext Transfer Protocol HTTPS = HTTP Secure VoIP = Voice over Internet Protocol
Hands-On Exercise 3.1
In your Exercise Manual, please refer to Hands-On Exercise 3.1: Exploiting Communication Weaknesses
Securing Communications ► Organizational communication can be secured as a whole by armoring its elements • Source • Message • Channel • Receiver ► While no defense is ever perfect, subverting communication may be made significantly more difficult
Source and Receiver ► Many attacks can be prevented by identifying the Source and Receiver • Who is talking to whom is critical ► Authentication measures are critical • Are you who you say you are? • Verifying this is critical ► If someone is authenticated, are they authorized to perform an action?
Technical Measures ► These technologies can safeguard electronic transactions and messages • Digital signatures ◦ Verify the Source ◦ Test the content to verify that what was sent is the same as what was received • Encryption limits access to designated Receivers • One-time passcodes, such as with RSA SecurID tokens ► Being a part of a Public Key Infrastructure (PKI) provides structure to these technical measures • By deploying keys, encryption, and hashing to provide a means of verifying nonrepudiation • Creating a hardened channel ► Systems and applications that do not have these safeguards must be initially treated as untrusted
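A Receiver-side check for the two properties listed under digital signatures, verifying the Source and confirming that what was sent is what was received, as an added example rather than course code. Python's standard library has no public-key signatures, so this sketch substitutes a shared-key HMAC, which authenticates the Source to the Receiver but, unlike a PKI signature, provides no nonrepudiation; the source name, key, and the names seal and Receiver are constructed.

```python
import hashlib
import hmac
import json

# Constructed demo key; a real deployment provisions a random key per Source.
SOURCE_KEYS = {"hr-director": b"constructed-demo-key-0001"}


def seal(source, seq, text, key):
    """Source side: encode the Message canonically and attach an HMAC tag."""
    body = json.dumps({"source": source, "seq": seq, "text": text},
                      sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


class Receiver:
    """Accepts a Message only if its Source, content, and freshness check out."""

    def __init__(self, keys):
        self.keys = keys
        self.last_seq = {}  # source -> highest sequence number accepted

    def accept(self, envelope):
        """Return (True, text) on success or (False, reason) on rejection."""
        try:
            body = envelope["body"]
            fields = json.loads(body)
            source, seq, text = fields["source"], fields["seq"], fields["text"]
        except (KeyError, TypeError, ValueError):
            return False, "malformed"
        if not isinstance(seq, int):
            return False, "malformed"

        # The claimed source only selects which key to test against; nothing
        # in the body is trusted until the tag verifies.
        key = self.keys.get(source)
        if key is None:
            return False, "unknown source"
        expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
        presented = str(envelope.get("tag", ""))
        if not hmac.compare_digest(expected.encode(), presented.encode()):
            return False, "bad tag"

        # A captured, valid Message must not be accepted a second time.
        if seq <= self.last_seq.get(source, -1):
            return False, "replay"
        self.last_seq[source] = seq
        return True, text


if __name__ == "__main__":
    key = SOURCE_KEYS["hr-director"]
    receiver = Receiver(SOURCE_KEYS)

    genuine = seal("hr-director", 1, "Mary should be promoted", key)
    print("genuine :", receiver.accept(genuine))

    # Modification on the Channel: the body changes, the tag no longer matches.
    altered = dict(genuine, body=genuine["body"].replace("promoted", "fired"))
    print("altered :", receiver.accept(altered))

    # Spoofed Source: right name, wrong key.
    spoofed = seal("hr-director", 2, "Send my money to this overseas account",
                   b"not-the-real-key")
    print("spoofed :", receiver.accept(spoofed))

    print("replayed:", receiver.accept(genuine))
```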
Operational Defenses ► The defenses are incumbent on every person ► It is critical to test authority and authenticity • Does a party have authority to do something? • Am I communicating with the party I expect? ► Standard phone lines are insecure—caller ID can be spoofed • Calling a party back to confirm is better verification ► E-mail that has a digital signature can be viewed as authentic • Anything else could be forged ► Standard government and commercial mail services cannot be trusted to provide authenticity or integrity • Out-of-band verification may be necessary
Management Measures ► Create a culture of measured paranoia • People are out to get you ► Implement job and role controls based on • Least privilege • Separation of duties • Need to know ► Grade information to identify its proper classification • Organizational procedures should be highly restricted ► Audit business functions to identify weak communication
Objectives ► Explore an organization communication model ► Examine how information flows in an organization ► Discover vulnerabilities in communication ► Exploit communication weaknesses ► Identify defenses to protect communication
Review Questions
1. Where can messages be misdirected in the Berlo SMCR Model?
2. What is necessary for the Source and Receiver to properly communicate?
3. Name three insecure channels of remote communication
4. How can authenticity be added to a. A web page? b. A telephone call? c. A written letter?
5. What are several management countermeasures that may be applied to reduce the risk from social engineering?
Chapter 4
Gaining Physical Access
Objectives ► Examine the interest that social engineers have in physical security ► Explore types of locks and access controls ► Reveal vulnerabilities in locks that endanger security ► Assess weaknesses in sensors and detection systems ► Identify best practices that enhance physical security
Contents ► Physical Security ► Physical Access Controls ► Hands-On Exercise 4.1 ► Detection Sensors ► Physical Countermeasures
Physical Security ► Organization security depends on physical security • Once the physical barriers are overcome, logical security is often easily breached ► This is not a complete treatise on how to secure a site • But you will get a fresh new view of security when you look opportunistically from the outside in ► The focus is on low-hanging fruit ► We will discuss • Locks and other access controls • Detection sensors • Principles for shoring up physical defenses
Social Engineers Know Lock Picking ► Pretexting, impersonation, and manipulation may get an attacker close to a desired asset • Access controls and other defenses may be the last barrier • Lock picking and sensor evasion are common skills to social engineers ► You will learn a small amount about lock picking • However, no picking tools are legally allowed ◦ Even though picking a lock is not that difficult • We will, however, crack a safe using some wire and a screwdriver
Methods of Gaining Access ► Defeating an access control by mechanical or electronic means • Lock picking • Sensor evasion ► Tricking people • Impersonating • Tailgating and piggybacking ◦ Following an authorized person into a controlled area after they have been validated to the access control • Shoulder surfing ◦ Low tech: Peering over someone’s shoulder ◦ Medium tech: Binoculars and telescopes ◦ High tech: Covertly planted cameras and skimming devices
Shoulder Surfing ► Shoulder surfing has progressed well beyond sneaking a peek over a victim’s shoulder ► Cameras and illicit card readers are skillfully concealed in and around devices that require passwords and PIN codes • ATMs • Door controls • Computers
[Figure: Fake insert placed above ATM]
ATM = automatic teller machine PIN = personal identification number
Source: “Taking a Trip to the ATM? Beware of ‘Skimmers.’” Federal Bureau of Investigation, U.S. Department of Justice. https://www.fbi.gov/news/stories/atm-skimming.
Access Controls: Locks ► Locks have been around for thousands of years • No doubt, the science of picking locks is only a few days younger ► Locks are generally much more intimidating to those who are honest and respect them • Social engineers see them as a fun challenge ► DEF CON has a section of its meetings called the “Lockpick Village” • Enthusiasts from around the world gather to ◦ Show off ◦ Be educated ◦ Discover new techniques for defeating physical security ► Let’s start with some basic terms and types of locks
Lock Components ► The bolt is the part that physically prevents a door from being opened ► The mortise cylinder is the part that has a keyway and the mechanism that moves the lock ► It is not unheard of to buy a great lock and have a cylinder that is easily picked or broken ► Also, great cylinders may have a poor lock that is easily broken ► Many weak cylinders can be opened in seconds by “lock snapping” • Jamming a tool in the keyway and applying torque, snapping the cylinder
Keyways build in inherent structural weakness
[Figure: lock with the Cylinder and Bolt labeled]
Simple Mechanical Access Controls ► Pin tumbler • The most common mechanism • Bittings push the pins up to a shear point, allowing the cylinder to turn • Typically picked in seconds • Bump key vulnerable ► Tubular • Identical to pin tumblers, except the pins are arranged in a circle • Common to vending machines and bicycle locks • Picked in a minute with a special tool
Image sources: en.wikipedia.org/wiki/Pin_tumbler_lock en.wikipedia.org/wiki/Tubular_pin_tumbler_lock
Bump Keys ► A key with all bittings cut to the lowest level ► When tapped into a keyway, it springs all the pins upward • Exposing the shearing point ► With simultaneous torque turning the key, the cylinder can be turned
Lock Bumping Videos
Instructor-Led Demo
1. On your Windows 10 virtual machine, open the desktop folder for Documents and go to Chapter 4 2. Double-click the Lock Bumping #1 shortcut* a. This video will show normal keys and lock bumping b. Watch: 0:00–1:50 and 2:50–3:40
*Source: TomSGT123, www.youtube.com/user/Tomsgt123
More Simple Mechanical Access Controls ► Disc or wafer tumbler • Least secure of all lock mechanisms • Bittings are cut flat on top • Commonly used for desks, filing cabinets, and key cabinets • Imprecise, easily picked ► Combination-pad locks • User must dial in a series of combinations, with clockwise and counterclockwise turns • Shims may be inserted to open most • Master locks are particularly vulnerable to simple tests that can narrow the combinations to about 80 different combinations • They may also be cut
Image source: https://en.wikipedia.org/wiki/Wafer_tumbler_lock
High-end Mechanical Access Controls ► Schlage Primus • Key blades contain bittings on two sides • The lower bittings are inset and point in the opposite direction ► Medeco • One of the most common high-security lock systems • Bittings are cut on angles • Both the height and angle of each bitting must be correct • Called biaxial keys
[Figure: example of a Schlage Primus key]
Bumping Medeco Video
Instructor-Led Demo
1. On your Windows 10 virtual machine, open the desktop folder for Documents, and go to Chapter 4 2. Open Medeco #1* a. Medeco M3 biaxial locks are considered among the best b. Watch: 0:45–1:20 3. Open Medeco #2, which shows a 12-year-old girl successfully bumping a Medeco in about 30 seconds*
*Source: Marc Weber Tobias, https://www.youtube.com/channel/UCRIoXm0nuukioc8g3wB5grg
Electronic Access Controls ► Radio-Frequency IDentification (RFID): passive • The reader emits a query signal • RFID responds with a unique ID number • Good over a few centimeters • RFID tags can be cloned with skimmers at distances from a few inches to several meters • RFID signals are not encrypted ► Magnetic-stripe cards • Common to credit cards and hotel keys • Magnetic card must be swiped through a reader device • Forgery may be performed only if card is passed near a skimmer
[Figure: RFID reader continuously sends querying signal; the tag answers the query signal with ID# 112233]
Skimming Cards Video
Instructor-Led Demo
1. On your Windows 10 virtual machine, open the desktop folder for Documents, and go to Chapter 4 2. Open the video tutorial RFID Cloning* a. This is a demonstration of how an RFID device or card can be cloned with an RFID reader/cloner—the gray token is live and the blue one is blank b. Watch: 0:25–end c. The device at left is an RFID reader. On the right is a hand-held RFID writer 3. Open the video tutorial Clone RFID Thief** a. This is a demonstration of how the right equipment can allow reading an RFID card from a meter or more b. Watch: 0:00–0:45 4. What are several ways to get the RFID signal for cloning?
*Source: Ryan McGovern, [email protected] **Source: Francis Brown, [email protected], https://www.bishopfox.com/
Smart Cards ► Smart cards are complex authentication tokens ► Called PIV and CAC in the U.S. government • They incorporate ◦ Photo ID, plus a ghost image as a watermark ◦ Magnetic-stripe data with a unique personnel number ◦ Bar codes ◦ RFID ◦ Integrated-circuit chip with private key, certificate, and PIN code • Very difficult to copy or forge • Chip typically locks down after three incorrect access codes are used • The U.S. military now issues metal sleeves with CACs to prevent illicit remote reading of card data
CAC = Common Access Card PIV = Personal Identity Verification Image source: “CAC: DoD Common Access Card.” U.S. Department of Defense. http://www.cac.mil/
Other Simple Bypass Techniques ► While lock picking is intriguing, simply forcing or breaking a lock is often quicker ► For small safes, it is far easier to steal the safe and open it later ► For electronic safes, try to trip the internal reset button ► Shove knives • A staple of fire departments ◦ Faster than breaking down a door • Used on building doors that open outward to the exterior • It can be slipped in between the door and the jamb, and it will wiggle the catch open
Egress = Ingress ► Many organizations have locks that focus on inbound protection • But motion sensors open the doors for egress • Primarily for fire and safety reasons ► Generating heat or movement on the inside can cause a lock to open ► Christopher Hadnagy* tells of a time he was challenged to open a gate that had hardened steel bars, a pick-proof electronic lock, and an array of safeguards • He opened it in a few minutes by sticking a towel attached to a coat hanger through a gap and waving it to trigger the egress sensor ► Glass entrance doors are often easy to open • Infrared motion detectors usually unlock the door for egress • Squeeze a plastic garment bag between doors • Inflate it with a hair dryer • Allow the heat to activate the egress sensor
*Source: Hadnagy, Christopher. Social Engineering: The Art of Human Hacking. Wiley, 2011.
Look at or Photograph the Key ► Medeco locks can be photographed and duplicated • These high-security locks can be opened by getting a good photograph of the key and replicating it ► Key codes relate the pin height • Some keys have numbers on them that indicate the height of the bittings • Simply recording the number allows a copy to be cut
[Figure: key with bitting heights labeled 9, 6, 3, 1 and the stamped key code 9631]
Contents ► Physical Security ► Physical Access Controls
Hands-On Exercise 4.1 ► Detection Sensors ► Physical Countermeasures
Hands-On Exercise 4.1
Exercise Manual
In your Exercise Manual, please refer to Hands-On Exercise 4.1: Cracking a Safe
Contents ► Physical Security ► Physical Access Controls ► Hands-On Exercise 4.1
Detection Sensors ► Physical Countermeasures
Detection Sensors ► Along with locks, security may be augmented with detection sensors to generate an alert when an intruder is present ► The sensors typically measure the environment and sound an alarm when some change threshold is reached • Sound • Heat • Weight • Humidity • Electrical or magnetic signal strength
Evasion ► Several approaches may be taken toward sensors that cause them to fail to alarm ► Disable • Make the system nonfunctional or overwhelm its inputs so that it cannot operate properly ► Block • Screen the sensor from the intruder so that it receives too little input ► Diffuse • Scatter the signals that the sensor would receive so that signals are too weak ► Confuse • Make the signals it receives unintelligible
CCTV ► Closed-Circuit Television • May be manned and monitored • Or just be used to record ► Very difficult to bypass • May generate an alarm when disconnected ► Extremely easy to blind • Nearly all types can be “flared” with a simple laser pointer
PIR ► Passive InfraRed (PIR) detection is commonly used as • An occupancy detector: opening doors and turning on lights • A motion-detecting alarm ► It senses heat and determines movement when an object with a human body temperature moves between zones • It is much more sensitive close up, as an object would have to move a shorter distance to traverse zones ► If the heat of an object can be blocked or reflected away from the sensor, it is possible to evade detection ► Identified by curved sensor area, typically translucent white
Top-down view of a room with PIR
Ultrasonic Detection ► Sound waves are emitted from the sensor, as with sonar • A stable map of the area is built • Objects changing location trigger the alarm • Subject to many false alarms ◦ A curtain moving due to wind from air conditioning or heating ► Diffusing the signals may work • A cloth sheet held in front of a person can scatter the signals enough to allow passage ► Appear similar to smoke detectors, with small vents for sound signals
Top-down view of a room with an ultrasonic motion detector
Other Sensors ► Door-opening magnetic contact switches • Vary from simple to difficult to bypass ► Glass-breaking • Foil lining around windows attached to electrical sensors is very hard to bypass • Sonic systems that detect the high-frequency sounds when glass breaks are generally reliable ► Light beams • Regular light or laser • Light IR (infrared) and invisible ◦ Night-vision goggles might show the beams ► Weight/pressure and humidity • For use in highly controlled environments • Can be set to alarm when very small changes in weight are detected or when a human generates humidity by breathing • Prone to false positives
Contents ► Physical Security ► Physical Access Controls ► Hands-On Exercise 4.1 ► Detection Sensors
Physical Countermeasures
Rating Access Controls ► A lock may be rated highly by Underwriters Laboratories or the Builders Hardware Manufacturers Association • Most of the scoring focuses on the physical strength of the mechanism • They do not have a realistic scoring system for rating how easily the lock may be bypassed or picked ► The famed lock expert Marc Weber Tobias invented a rating for this • The 3T–2R rule • Sparsely used today ► Locks should be security-scored for • 3 T’s ◦ Time ◦ Tools ◦ Training • 2 R’s ◦ Reliable bypass methods ◦ Repeatable techniques
Better Access Controls ► Cameras should be covered with a cowling • To prevent accurate aiming of lasers for flaring ► Augmenting locks with cameras creates a second layer of defense • Even if a lock is picked, a camera can record the intruder ◦ It is called “getting burnt” ► Bump-resistant locks • Cushioning between pins • More precise tolerances • Stronger springs or foam • Three-dimensional keys ◦ Pins are turned ► Harden RFID implementations • Use two-factor authentication with RFID • Shielded wallets or RFID containers to prevent RFID skimming ◦ Mandatory in the U.S. military
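The two-factor recommendation above, sketched as an added example (not part of the course material): a hypothetical door controller compared in ID-only and ID-plus-PIN modes. DoorController, its decision strings, the PIN 4821 and the three-strike limit applied at the door are assumptions; 112233 is the sample ID shown on the RFID slide.

```python
import hashlib
import hmac
import os
from typing import Optional

MAX_PIN_FAILURES = 3  # same three-strike idea the Smart Cards slide describes


def _pin_hash(pin: str, salt: bytes) -> bytes:
    # Salted, slow hash so the controller never stores PINs in the clear.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 50_000)


class DoorController:
    """Hypothetical door controller; not modelled on any vendor's product."""

    def __init__(self, require_pin: bool):
        self.require_pin = require_pin
        self._badges = {}    # tag_id -> (salt, pin_hash)
        self._failures = {}  # tag_id -> consecutive wrong PINs
        self.audit_log = []  # (tag_id, decision) pairs for later review

    def enroll(self, tag_id: str, pin: str) -> None:
        salt = os.urandom(16)
        self._badges[tag_id] = (salt, _pin_hash(pin, salt))
        self._failures[tag_id] = 0

    def admin_reset(self, tag_id: str) -> None:
        self._failures[tag_id] = 0

    def request_entry(self, tag_id: str, pin: Optional[str] = None) -> str:
        decision = self._decide(tag_id, pin)
        self.audit_log.append((tag_id, decision))
        return decision

    def _decide(self, tag_id: str, pin: Optional[str]) -> str:
        if tag_id not in self._badges:
            return "DENY_UNKNOWN_TAG"
        if not self.require_pin:
            # Single factor: the unencrypted ID number is the whole credential,
            # so a copied tag is indistinguishable from the original.
            return "GRANT"
        if self._failures[tag_id] >= MAX_PIN_FAILURES:
            return "DENY_LOCKED"  # stays locked until an administrator resets it
        if pin is None:
            return "DENY_PIN_REQUIRED"
        salt, expected = self._badges[tag_id]
        # Constant-time comparison avoids leaking how much of the hash matched.
        if hmac.compare_digest(_pin_hash(pin, salt), expected):
            self._failures[tag_id] = 0
            return "GRANT"
        self._failures[tag_id] += 1
        if self._failures[tag_id] >= MAX_PIN_FAILURES:
            return "DENY_LOCKED"
        return "DENY_BAD_PIN"


def _reset_and_enter(controller: DoorController, tag_id: str, pin: str) -> str:
    controller.admin_reset(tag_id)
    return controller.request_entry(tag_id, pin)


def compare_policies() -> dict:
    tag, pin = "112233", "4821"  # constructed sample values

    id_only = DoorController(require_pin=False)
    id_only.enroll(tag, pin)
    two_factor = DoorController(require_pin=True)
    two_factor.enroll(tag, pin)

    return {
        # A copied tag presents the same ID number as the enrolled one.
        "id_only_copied_tag": id_only.request_entry(tag),
        "two_factor_copied_tag_no_pin": two_factor.request_entry(tag),
        "two_factor_pin_guesses": [
            two_factor.request_entry(tag, guess) for guess in ("0000", "1111", "2222")
        ],
        # The lockout also stops the real holder until the badge is reset.
        "two_factor_holder_while_locked": two_factor.request_entry(tag, pin),
        "two_factor_holder_after_reset": _reset_and_enter(two_factor, tag, pin),
        "audit_entries": len(two_factor.audit_log),
    }


if __name__ == "__main__":
    for name, outcome in compare_policies().items():
        print(f"{name}: {outcome}")
```

The lockout that stops PIN guessing also locks out the real badge holder, so the reset path needs its own verified procedure.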
Other Measures ► The U.S. Defense Department maintains the DoD Lock Program* • Standards, specifications, and guidance for physical access controls ► Many locales and insurance companies have minimum lock strength and quality standards ► Safes that are not water- or air-tight are prone to easy-access problems • Inserting tools to manipulate the mechanisms • Although the shell and door may be strong, the access mechanism may be easy to manipulate ► Lost keys must be replaced and locks rekeyed quickly ► Privacy screens help prevent simple shoulder surfing ► Regular inspection of devices requiring access codes or cards • Look for shoulder-surfing cameras • Hidden card skimmers
*Source: Naval Facilities Engineering Command. “Department of Defense Lock Program.” https://www.navfac.navy.mil/navfac_worldwide/specialty_centers/exwc/products_and_services/capital_improvements/dod_lock.html
Objectives ► Examine the interest that social engineers have in physical security ► Explore types of locks and access controls ► Reveal vulnerabilities in locks that endanger security ► Assess weaknesses in sensors and detection systems ► Identify best practices that enhance physical security
Review Questions
Review
1. Why do social engineers study lock picking?
2. What is the biggest simple threat to standard doors and lock mechanisms?
3. Why is PIR generally preferred over ultrasonic motion detection?
4. What is the primary threat to RFID authentication?
5. What might happen if someone could see or hold your keys for a few moments?
Chapter 5
Eliciting Information
Objectives ► Inspect the elicitation process and interview phases ► Identify important elements of creating rapport ► Examine elicitation tactics ► Enumerate social engineering information goals ► Specify defenses to halt information loss due to elicitation
Contents Eliciting Information ► Developing Rapport ► Elicitation Tactics and Goals ► Hands-On Exercise 5.1 ► Halting Information Loss
Eliciting Information ► According to the FBI: • “The strategic use of conversation to extract information from people without giving them the feeling they are being interrogated”* ► To a social engineering target, it may seem like a friendly conversation • It is really an interview ► Elicitation may be performed by insiders • It is not a threat from the outside only ► Information may be elicited by a number of interview styles • Establishing a friendly rapport • Creating a sense of urgency • Neutral or nonpartisan • Making an adversarial situation
*Source: “Elicitation Techniques.” Federal Bureau of Investigation, U.S. Department of Justice https://www.fbi.gov/file-repository/elicitation-brochure.pdf.
Elicitation Vulnerability ► People have certain natural propensities that allow elicitation to be effective • We like to ◦ Be seen as intelligent and knowledgeable ◦ Believe people want to know more about us ◦ Win over others to our views ◦ Educate or correct others’ mistakes ◦ Be honest in dealings with others ◦ Gossip ► These are characteristics that a social engineer may identify and exploit ► Successful elicitation will progress through several phases
Interview Steps ► Elicitation is not a conversation • It’s an interview • The social engineer may try to make it appear conversational ► Successful interviews are planned and proceed through a series of phases • Planning • Controlling the environment • Initial contact and greetings • Opening • Interviewing and developing rapport • Closing
Planning ► Gathering information before the interview is key • “Preparation stands as the most important factor”* ► The interviewer should know • Who is to be interviewed • The elicitation techniques to be employed: friendly vs. collegial • Lingo understood by the target • Some background of the target: background, character, or habits • Topics that might be discussed • Specific questions or issues to be answered • What assets the target may have knowledge about • How the interview should close
*Source: Vessel, David. “Conducting Successful Interrogations.” FBI Law Enforcement Bulletin. October 1998. http://webcache.googleusercontent.com/.
Controlling the Environment ► Managing the environment is the first step in elicitation • It is the stage on which a play unfolds ► The environment should be chosen according to the techniques to be used • A friendly conversation calls for a mutually safe and collegial setting • With an adversarial approach, the target would be compelled to come to the interviewer, and a desk might be used to impart authority ► Pay attention to the whole environment • Background noise • Decor • Seating ◦ Distance to the target ◦ Directness
[Figure captions: face-to-face with a desk is authoritative; a 90-degree angle is amicable]
Initial Contact and Greetings ► You get only one chance to make a first impression • Many people decide in the first moments of a conversation how the rest of it will go ► It is in this phase that the target sets his or her initial expectations • Personal or professional gain • A need for information • Passing the time • Entertainment or amusement • Curiosity • Developing a relationship
Opening ► This is where the conversation begins ► Some common ground must be found • Shared location • Mutual interest or situation • Common past • Future expectations ► The parties meet and introduce or identify themselves • Not necessarily in a formal manner ◦ Names are not always required • Roles are established
[Figure captions: a fellow traveler in an airport; two people waiting in a line]
Interviewing ► Developing rapport is the next goal • Use active listening to show attention and interest ◦ Paraphrasing and restating ◦ Servers that repeat an order back get better tips* • Putting a target at ease ◦ Nodding and encouraging discussion • Be aware of body language that indicates discomfort ► Having rapport does not always mean having a friendly conversation • Even adversaries have rapport ► The social engineer then works toward achieving the information goals • Topics that might be discussed • Specific questions or issues to be answered • What assets the target may have knowledge about
*Source: https://www.psychologytoday.com/blog/let-their-words-do-the-talking/201207/six-tips-get-higher-tips
Closing
► When the elicitation ends, successful social engineers will conclude the conversation in such a way that the target is unaware of the process • Providing a natural end to the exchange • This is called having an exit strategy ► Rushing off after obtaining key information would be a tip-off
Contents ► Eliciting Information
Developing Rapport ► Elicitation Tactics and Goals ► Hands-On Exercise 5.1 ► Halting Information Loss
Rapport ► Rapport drives communication ► Developing rapport is a skill and an art • Some people are natural rapport builders • Others have to work at it ► Good interviewers are all around us • Waiters repeat your order back to you even though they already know it • An auto salesperson asks if you are looking for a car ◦ Why else would you be in an auto dealership? • These techniques help establish rapport
Social Engineering and Rapport ► Directing and controlling a conversation can have clear benefits to a social engineer • Identifying key personnel and relationships • Guiding a conversation to gain restricted information • Learning how an organization or procedure is performed ◦ The SMCR model • Discovering weakness ► We are all told in our security awareness training to not discuss things like this with unauthorized personnel • This may be very difficult to resist
The Result of Having Rapport ► When you have built rapport, the other party is very susceptible to • Following your lead • Being eager to stay in rapport ► Consider a very good conversation you’ve had at a restaurant • You may have talked for a long time ◦ Ordered beverages or appetizers ◦ Talked more ◦ Then, even though no one was hungry or thirsty, the other party ordered more food just for the sake of keeping the conversation going ► If a social engineer can create and control rapport, few areas are off-limits
Building Rapport ► There are many ways to build rapport • Note that this is a simple introduction to the topic • Months of study, training, and experience are needed to master it ► Matching and mirroring the other person • Quickly becoming familiar to the other person through mannerisms and speech • The easiest method ► In a DEF CON Capture the Flag contest, one social engineer ensured his lingo was the same as his victim’s • “He had Target's lingo nailed and had a surprising level of technical knowledge about the company. [He] reassured one mildly suspicious manager by citing her store number.”* • He had looked up the store number online at their website
*Source: Cowley, Stacy. “How a Lying ‘Social Engineer’ Hacked Wal-Mart.” CNNMoney. August 8, 2012. https://money.cnn.com/2012/08/07/technology/walmart-hackdefcon/index.htm
Pacing by Matching and Mirroring ► Matching and mirroring are the easiest methods ► This involves being seen as familiar and compatible and a part of their world, using techniques like: • Controlling voice and speech ◦ Tone ◦ Rhythm ◦ Volume ◦ Vocabulary and lingo ◦ Formality • Using body language that is matched and is welcoming ◦ Gestures ◦ Breathing ◦ Posture • Matching words, lingo, and experience ◦ Establishing that communication is both possible and useful
Lingo Leads to Rapport
Do Now
1. A large part of elicitation involves matching the language • In a telephone or e-mail conversation, the lingo used is most critical 2. Come up with a sentence that would use insider lingo • For example, Learning Tree instructors have their own lingo. Consider this: IR needs you to become 200V certified to perform a 446 hybrid Customs OS using an i7 load. 3. Take five minutes to come up with a sentence that only someone in your line of business would understand • Look to include: acronyms, obscure references, terse language
4. How would you feel about someone speaking to you in this way?
Leading ► Directing or controlling how the conversation moves and, perhaps, responses • While pacing enables entry into the other person’s world, leading takes them into yours ► When rapport has been established and the pacing is practiced, it is possible to redirect the flow of the conversation • Trust is present • Ideas flow freely ► One of the main reasons to utilize leading is that it facilitates something known as a Yes Set • A manipulation technique
Contents ► Eliciting Information ► Developing Rapport
Elicitation Tactics and Goals ► Hands-On Exercise 5.1 ► Halting Information Loss
Elicitation Tactics and Goals ► This section will enumerate social engineering tactics and goals to be achieved through elicitation • Tactics ◦ Methods of eliciting more information ◦ Goals ► Note that successful elicitation does not require • Just one meeting • Face-to-face contact ► Informal settings are more likely to be successful • We are more likely to be open and honest with strangers than friends • People will be more guarded if a promise of confidentiality is made ◦ Paradoxically, if no assurance is given, targets speak more freely* ► Online postings and discussions that are perceived as anonymous are much more likely to gather confidential information
*Source: Stone, Brad. “Our Paradoxical Attitudes Toward Privacy.” New York Times. July 2, 2008. bits.blogs.nytimes.com/2008/07/02/our-paradoxical-attitudes-towards-privacy.
Elicitation Tactics ► Showing mutual interest and assumed knowledge • Expressing knowledge in a common area is good for rapport • It must, however, be portrayed with the correct lingo and some knowledge ► Making an oblique reference • A question does not have to be direct • Asking about a company celebration could reveal which vendors have easy site access ► Conducting a fake ad hoc interview • Portraying the power to influence hiring or the awarding of contracts is an incentive to reveal information or boast • It does not have to be in a formal setting
Source: “Elicitation Techniques.” Federal Bureau of Investigation, U.S. Department of Justice https://www.fbi.gov/file-repository/elicitation-brochure.pdf.
Elicitation Tactics ► Competing with “Top this…” • If the target is competitive, he or she will want to come out on top • Telling a story about something sensational allows the target to beat it ► Feigning confidentiality and quid pro quo • If a social engineer pretends to reveal secret information, it sets the stage and expectation for the target to do the same ► Praising or criticizing a third party • A target may have the urge to correct any “misunderstandings” • They may also add to the praise or criticisms
Source: “Elicitation Techniques.” Federal Bureau of Investigation, U.S. Department of Justice. https://www.fbi.gov/file-repository/elicitation-brochure.pdf.
Elicitation Tactics ► Making false statements • People who are strict or competitive dislike allowing a false statement to go unchallenged • There is an urge to set the record straight ► Feigning ignorance • Some people like to teach • They might see an “uneducated” person as a worthy challenge and reveal information by helping the social engineer to understand ► Using flattery • A person with low or high self-esteem will soak up compliments • Complimenting someone when information is revealed can work like a Pavlovian experiment: stimulus → response
Source: “Elicitation Techniques.” Federal Bureau of Investigation, U.S. Department of Justice. https://www.fbi.gov/file-repository/elicitation-brochure.pdf.
Elicitation Tactics ► Active listening • Repeating back parts of an answer or statement is a strong motivator to continue a conversation • Body language and positioning are also ways of providing positive or negative feedback ► Moving macro to micro • It is rare that a conversation with any rapport would start with a discussion of passwords ◦ One could talk about hassles at work ◦ This could lead to the new program and its “dumb” passwords ◦ Later, one could ask if the company uses random passwords, too
Source: “Elicitation Techniques.” Federal Bureau of Investigation, U.S. Department of Justice. https://www.fbi.gov/file-repository/elicitation-brochure.pdf.
Elicitation Tactics ► Being provocative • A social engineer could take a stance on a significant issue and allow the target to ask questions to express their view • This has the benefit of making it seem like the target is driving the conversation ► Using an adversarial approach • A debate can inspire the target to dig deep into their knowledge and experience to respond • A competitive nature can overcome common sense about what is being revealed
Source: “Elicitation Techniques.” Federal Bureau of Investigation, U.S. Department of Justice. https://www.fbi.gov/file-repository/elicitation-brochure.pdf.
Elicitation Goals ► Organized social engineers will elicit information useful to achieving their overall goals ► The following categories of information could be fulfilled by elicitation: • Organizational ◦ Understanding how the organization works • Personal ◦ Useful for interviews and furthering rapport • Personnel ◦ Identifying key people and roles • IT information and telephony ◦ For leveraging IT and telephony assets • Physical site information ◦ Entrances, hours of operation, barriers, access controls
Examples of Organizational Information ► Departments ► Ongoing large contracts ► Upper-management teams ► Partnerships ► Company culture ► Outside vendors • Janitorial • Waste handling • Security measures • Pest control • Vending • Office equipment ► Recent mergers or divestitures ► Outsourced functions ► Shredding and disposal policies ► Procedures for business functions ► Company events ► Blogs and social networking
Useful Personal Information ► Full name ► Area of residence ► Job title ► Recent travel ► Commendations or sanctions ► Vehicle ► Friends and family members ► Political and cultural affiliations ► Residence ► Marital status ► Vacations taken ► Color and clothing preferences ► Future personal and professional plans ► Recent events ► Pets ► Blogs and online interests ► Hobbies ► Likes and dislikes
Useful Personnel Information ► Managers and chain of command ► Co-workers ► Length of time at the organization ► Poor and excellent performers ► Termination procedures ► New-hire procedures ► Security awareness training ► Reorganizations ► Procedures for getting accounts
© Learning Tree International, Inc. All rights reserved. Not to be reproduced without prior written consent.
5 -31
Useful Technical Information
► Operating systems used
► Hard drive encryption used
► E-mail programs
► Social networking allowed
► Content filtering
► Browsers used and allowed
► Use of authentication tokens
► VPNs and outside access
► Writing down passwords
► Password policies
► Types of mobile phones
► Telephone and fax numbers
► Hardware vendors
► Support contacts and numbers
► Guest networks available
► Network access control
► Antivirus and defensive applications
► USB access
USB = Universal Serial Bus; VPN = virtual private network
Useful Physical Site Information
► Work hours and shifts
► Guard or receptionist at entrances
► Site access procedures
► Lunch and smoking areas
► Visitor access procedures
► Availability of T-shirts, hats, or logo materials
► Badge access controls, keys, and cards
► Surveillance systems
► Occupancy detectors and egress sensors
► Delivery times and locations
► Ease of egress
Hands-On Exercise 5.1
Exercise Manual
In your Exercise Manual, please refer to Hands-On Exercise 5.1: Setting Up Elicitation
Halting Information Loss
► In order to prevent information loss from elicitation, one should be prepared
► There is no way to isolate oneself from social engineers
  • If they really want to meet you, they will find a way
“Chance favors only the prepared mind.”
—Louis Pasteur
► The following will dramatically reduce susceptibility to elicitation:
  • Have situational awareness
  • Scripting
  • Need to know
  • Least privilege
Situational Awareness
► It is critical that personnel be aware of their surroundings and circumstances
  • Many venues and times can be chosen to elicit information
  • It would most likely be a time and place that is conducive to rapport
► Venues most at risk:
  • Meetings outside the workplace
  • Gatherings where badges or name tags are worn
  • Conferences and conventions
► Personal practices
  • Place significant value on the information possessed
  • Exercise more caution in unfamiliar areas
  • Refrain from talking “shop” with outsiders
  • Remove badges and visible ID when not needed
  • Judiciously publish information on social networking sites
  • Report elicitation attempts
Scripting
► A social engineer’s worst prospect is someone who sticks to a standard line and reveals little
  • This is scripting
  • It might make you appear boring, but it works
► Scripting responses:
  • Listen more and talk less
  • Give a nondescript answer
  • Refer questions to official sources
  • Ignore questions or statements regarding sensitive areas
  • State that you do not know enough
  • Be blunt: Indicate that such conversations have to be cleared first
► Scripting should be rehearsed
Scripting
► Some scripted responses may seem good, but are dangerous
  • Responding with “Why do you ask?”
    ◦ It continues rapport
  • Lying
    ◦ It can be used as leverage to gain more information
► Control the conversation
  • You always have power over how you respond and what to discuss
  • If you cannot control the conversation, you may end it
Least Privilege and Need to Know
► Create a policy and enforce a “need to know”
  • The goal is to prevent elicitation
  • It is useful even among “insiders”
    ◦ If an employee does not know something, he or she cannot leak it
► Least privilege
  • Restrict access to the minimum rights necessary to perform a task
  • The information that can be elicited is limited to what a person can access
Objectives
► Inspect the elicitation process and interview phases
► Identify important elements of creating rapport
► Examine elicitation tactics
► Enumerate social engineering information goals
► Specify defenses to halt information loss due to elicitation
Review Questions
Review
1. What is elicitation?
2. What is the first step for a social engineer seeking to elicit information?
3. Why is it useful to mirror the gestures and body language of a target?
4. Why are conferences and large meetings especially risky for elicitation?
5. What is scripting?
Chapter 6
Impersonation
Objectives
► Enumerate methods of impersonation
► Identify how interpersonal impersonation is performed
► Assess the methods of remote impersonation
► Learn how authentication systems can be spoofed
► Evaluate methods of indirect deception
► Specify countermeasures to impersonation
Contents
► Impersonation
► In-Person Impersonation
► Hands-On Exercise 6.1
► Remote Impersonation
► Deceiving Authentication Systems
► Indirect Impersonation
► Impersonation Countermeasures
Impersonation
► Impersonation
  • “To assume the character or appearance of, especially fraudulently”*
  • It is also called spoofing
► It has many potential social engineering uses, including pretexting
  • “The act of creating an invented scenario to persuade a targeted victim to release information or perform some action”**
  • Based on an assumed identity, targets may be lured into a scenario and play out a role
► It may be used to gain access or to create misplaced trust in a person
► Information gathering determines the effectiveness of impersonation
► Impersonating an employee was the most popular vector at DEF CON 20†
*www.thefreedictionary.com/impersonate
**www.social-engineer.org/newsletter/SocialEngineerNewsletterVol02Is16.htm
†www.social-engineer.org/social-engineering/defcon-20-social-engineering-ctf-report/
Impersonation Requirements
► In the SMCR model, impersonation can attack in many ways
  • Source is not authentic
  • Message is plausible, but not authentic
  • Channel is unsafe and the message is modified
  • Receiver is not the one intended
► Attributes of successful impersonation include
  • It has implied authenticity
  • The message is convincing or plausible
  • It is properly formatted
  • Source or destination is trusted or authoritative
  • No evidence of alteration
Impersonation Vectors
► There are many ways in which an identity or persona can be spoofed
  • In person
    ◦ Involves meeting face to face
  • Remotely
    ◦ Using networking or telephony as the vector: online, telephone, fax
  • Authentication systems
    ◦ Fooling or bypassing devices and protocols
  • Indirectly
    ◦ Spoofing without ever having had an interactive exchange
► Other creative impersonation methods can be thought up
In-Person Impersonation
► Disguises do not have to be “Hollywood” quality
  • Many people will accept at face value a business card as identification
  • Few businesses would refuse a “fire safety inspector” access to the site
► Props can complete an ensemble
  • Business cards
  • Name tags
  • Hats with a logo
  • Clipboard
  • Gadgets
► Change blindness
[Illustration: business card reading “John Harper, Network Repair, 123 Main St” and a name tag reading “John Harper”]
Disguises
► An effective disguise does not have to involve makeup, glasses, and a mustache
► Much of the effectiveness of a disguise is in its implied authority, not the name of the person
  • Fire safety personnel
  • Insurance inspectors
  • Vending equipment suppliers
  • Office equipment repair personnel
  • Food deliverers
Discussion: How to Rob a Bank
Do Now
1. Open the Documents folder on the desktop of the Windows 10 virtual machine and go to the Chapter 6 folder
2. Open and read the “Robbing a Bank” article
3. Why is Mr. Stickley let right into a bank and allowed to go almost anywhere he wants?
4. What props does he use to complete his ensemble?
5. Why are partners useful in his social engineering efforts?
6. What are three things an organization could do to avoid this sort of easy impersonation?
Change Blindness
► Change blindness is
  • “Failure to observe large changes in the vision field that occur simultaneously with brief disturbances”*
  • It is linked to the idea that we can only really focus on one thing at a time
► Impersonation can be easy if the target does not remember who he or she is talking to
► It may sound difficult to believe, but perhaps you should test yourself
*Source: Definition “Change Blindness.” https://www.medilexicon.com/dictionary/10710
Hands-On Exercise 6.1
Exercise Manual
In your Exercise Manual, please refer to Hands-On Exercise 6.1: Experiencing Change Blindness
Remote Impersonation
► When communicating remotely, it’s always a question as to whether the parties are authentic
► Many tactics exist to impersonate the source and receiver
  • E-mail
    ◦ Phishing, spearphishing, and whaling
  • Websites
    ◦ Popups
    ◦ Clickjacking
    ◦ Blogs and URL shorteners
    ◦ Cloned sites
    ◦ Social networking
  • Telephone and fax
    ◦ Caller ID spoofing
URL = uniform resource locator
Client-Side Attacks
► Using technology to attack client software requires initial actions on the part of the victim
  • Clients initiate communication
► Potential targets of exploitation include
  • Browsers
  • Add-ons like Adobe products and Java
  • Movie and music players
► There are many ways to lure clients to rogue servers
  • To compromise the system
  • To eavesdrop on communication
  • To manipulate their actions
See also Learning Tree Courses:
  • 537: Penetration Testing: Tools and Techniques
  • 589: Vulnerability Assessment: Protecting Your Organization
  • 940: Securing Web Applications, Services, and Servers
Clickjacking
► Clickjacking is a programming technique that allows an impersonator to easily convince web users to perform actions by spoofing the site they think they are looking at
► Using Cascading Style Sheets (CSS), a malicious programmer will
  • Show a page in the background that can be seen
  • Present another page in the foreground that is invisible and clickable
► A user will believe they are looking at one site, but are really performing actions on another
Clickjacking
Do Now
1. Open the Documents folder on the desktop of the Windows 10 virtual machine, and go to the Chapter 6 folder
2. Open the Step 1 – Buy Something link, and click the buttons to perform a purchase. This is how a transaction should normally flow. Close your browser
3. Next, open Step 2 and click three links to win a contest. Click all three links. Nothing will happen. Or did something happen?
4. In reality, you were clicking the same buttons as in the first link, but they were hidden from you
5. Finally, open the “Step 3 – See the spoof” link. The opacity of the front page has been set to 50 percent. You can now see how you were misled into buying the expensive item
► The same thing can happen with Facebook. It is called likejacking
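The invisible foreground page in this exercise only works if the real site allows itself to be loaded inside another site's frame. The following added example (not part of the course material) audits a response's headers for the two browser-enforced anti-framing controls, `Content-Security-Policy: frame-ancestors` and `X-Frame-Options`; the function names and header sets are constructed for illustration.

```python
# Added example: classify a response's anti-framing (clickjacking) protection.
# Every header set below is a constructed sample, not captured traffic.


def frame_ancestors(csp_value):
    """Return the frame-ancestors source list of one CSP header, or None."""
    for directive in csp_value.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def classify_sources(sources):
    """Map a frame-ancestors source list to a verdict."""
    if not sources:
        return "unprotected"   # malformed directive: flag it, do not trust it
    if sources == ["'none'"]:
        return "deny"
    if any(s in ("*", "http:", "https:") for s in sources):
        return "unprotected"   # wildcard: any site may frame the page
    if sources == ["'self'"]:
        return "same-origin"
    return "allow-list"


def framing_policy(headers):
    """headers: list of (name, value). Returns deny, same-origin,
    allow-list or unprotected."""
    csp_verdicts, xfo_values = [], []
    for name, value in headers:
        name = name.lower()
        # The -Report-Only variant only reports; it never blocks framing.
        if name == "content-security-policy":
            sources = frame_ancestors(value)
            if sources is not None:
                csp_verdicts.append(classify_sources(sources))
        elif name == "x-frame-options":
            xfo_values.append(value.strip().upper())
    if csp_verdicts:
        # frame-ancestors supersedes X-Frame-Options; with several enforced
        # policies the strictest one decides.
        for verdict in ("deny", "same-origin", "allow-list"):
            if verdict in csp_verdicts:
                return verdict
        return "unprotected"
    # ALLOW-FROM is obsolete and ignored by current browsers, so only the
    # two values below count as protection.
    if "DENY" in xfo_values:
        return "deny"
    if "SAMEORIGIN" in xfo_values:
        return "same-origin"
    return "unprotected"


SAMPLES = {  # constructed responses for a hypothetical shop page
    "no headers": [("Content-Type", "text/html")],
    "report-only": [("Content-Security-Policy-Report-Only",
                     "frame-ancestors 'none'")],
    "obsolete allow-from": [("X-Frame-Options",
                             "ALLOW-FROM https://partner.example")],
    "xfo sameorigin": [("x-frame-options", "sameorigin")],
    "csp none": [("Content-Security-Policy",
                  "default-src 'self'; frame-ancestors 'none'")],
    "csp beats xfo": [("X-Frame-Options", "DENY"),
                      ("Content-Security-Policy",
                       "frame-ancestors https://portal.example")],
    "csp wildcard": [("Content-Security-Policy", "frame-ancestors *")],
}


def audit_samples():
    return {label: framing_policy(h) for label, h in SAMPLES.items()}


if __name__ == "__main__":
    for label, verdict in audit_samples().items():
        print(f"{label:22} {verdict}")
```

A page that reports `unprotected` can be placed under an invisible or decoy layer exactly as in Step 2 of the exercise; `deny` or `same-origin` makes the browser refuse to render it inside a foreign frame.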
Browser Popups and Phishing
► Fake warning popups are commonplace
  • Attackers hope to convince unwary users to download a malicious payload
  • Others try to confuse users by disguising the Cancel button
  • Normal caution and popup blockers stop them
[Illustration: popup reading “Your PC is infected. Click here to remove virus”]
► Phishing messages are also common
  • Spam filters and common sense are typically adequate
[Illustration: sample phishing e-mail]
  To: [email protected]
  From: [email protected]
  Subject: We’ll Be Rich Together
  Dear Blessed One, I am the son of a deposed African prince. I am willing to share my millions with you if…
Spearphishing and Whaling
► Spearphishing is a targeted ploy
  • Attackers research their victims and create realistic messages that can lure a target to
    ◦ Accept and open a malicious attachment
    ◦ Divulge sensitive information
    ◦ Set the stage for pretexting
► Whaling is spearphishing with a high-value target
[Illustration: sample spearphishing e-mail]
  To: [email protected]
  From: [email protected]
  Subject: Saw Your LinkedIn Page
  Dear John, We met briefly at a conference last year. I now have an opening for a person like you. Could I meet you at your site…
Blogs and URL Shortening
► Blogs and sites that allow user comments and links are ready-made to redirect users to rogue sites
  • User-contributed links and applets may send an unknowing user to any address
  • Facebook and LinkedIn allow and facilitate links
    ◦ Only moderate verification is done
  • Many are hidden behind URL-shortening sites, such as bitly.com
[Illustration: “Joe’s Blogs about Social Engineering Risks” with the text “Click to read more about this article on cnn.com” and “Link to recent CNN articles about: social engineering”, pointing to bitly.com/1hd07T]
Warning: This link forwards the user to a destination registered with bitly.com. Is it cnn.com, or some other destination?
Cloning a Website
► Websites are easily cloned
  • Not the entire site, but key pages
    ◦ The front page
    ◦ Login page
► The malicious objective is to impersonate a valid site
  • Gather credentials
  • Encourage the user to accept and run a malicious payload
► Bitly.com is perfect for a social engineer
[Diagram: Victim, Rogue server, Real server. Step 2: After supplying credentials, user is forwarded to real server]
SET
► The Social-Engineer Toolkit is a multifunctional application designed to aid in client-side attacks
  • Attacks that require a willing or unknowing user
  • www.trustedsec.com
► Its library of attacks includes
  • Browser attacks
  • E-mail and spearphishing tools
  • USB drive payloads
  • Site cloners
  • Clickjacking
[Screenshot: SET menu]
Select from the menu:
  1. Spear-Phishing Attack Vectors
  2. Website Attack Vectors
  3. Infectious Media Generator
  4. Create a Payload and Listener
  5. Mass Mailer Attack
  6. Teensy USB HID Attack Vector
  7. SMS Spoofing Attack Vector
  8. Update the Metasploit Framework
  9. Update the Social-Engineer Toolkit
  10. Help, Credits, and About
  11. Exit the Social-Engineer Toolkit
Credential Stealing
Do Now
1. On Kali Linux, open a terminal window and enter the command ifconfig eth0
2. Record its IP address: ________________________
3. Launch SET from the desktop
   a. Choose 1 for Social-Engineering Attacks
   b. Choose 2 for Web Site Vectors
   c. Choose 3 for Credential Harvester Attack Method
   d. Choose 2 for Site Cloner
   e. Enter the IP address of your Kali Linux
   f. Enter this for the URL: http://www2.learningtree.com/mylearningtree to clone that site
4. When you see the Credential Harvester message in blue, continue to the next page
Warning: SET does not always run correctly. If it crashes or does not steal credentials, close it and start again
Credential Stealing
Do Now
5. With Windows 10, visit your own web server on Kali Linux
   a. Open any browser and go to your Kali Linux address
   b. Note that the site has been cloned
   c. Enter any username and password and submit it
   d. Notice that you now have been forwarded to the real learningtree.com
6. Go to the Linux Attacker and look over the SET console for credentials
7. Return to Kali Linux and close SET
8. What would a user think when his or her user name and password did not work the first time?
9. How would an attacker lure someone to such a cloned site?
Telephone and Fax
► Caller ID is easily spoofed
  • Using voice over IP, the caller’s number may be set to anything
  • ID messages can be forged to look very similar to internal numbers
  • A major service provider is SpoofCard*
► A common prank is swatting
  • Calling the police from a spoofed number and getting them to “rescue” the people inside from “hostage-takers”
► Fax
  • It is simple to change the outgoing caller number on faxes
  • Faxes can be made even more convincing with SpoofCard
*www.spoofcard.com
Social Media and Career Sites
► Social networking and career websites offer unprecedented opportunities for impersonation
  • Almost anyone can register an account and assume any name
  • Facebook and Twitter
  • LinkedIn
  • Employment sites
► Many people leave their picture galleries available to the public
  • A social engineer can download them and use them to forge an identity
  • You could be “friending” a complete stranger
[Illustration: LinkedIn invitation reading “Susan Grey, recruiter, wants you to join her LinkedIn network”]
Deceiving Authentication Systems
► Authentication systems can be fooled
  • Just like people
► Authentication and authorization
► We will discuss several forms of authentication and their weaknesses
Authentication Methods
► Authentication is performed by one or more methods
  • Something you know
  • Something you have
  • Something you look like
► The mechanisms for authenticating include
  • User name and password
  • RFID
  • Tokens
  • Magnetic-stripe cards
  • Biometrics
► Each of these has its own weaknesses
  • Some problems are inherent to the method
  • Others are specific to vendors
User Name and Password
► The most common type of authentication is the user name and password
  • Combined, these are referred to as credentials
► An impersonation may be performed by attacking the credentials
  • Cracking
  • Recording
  • Interception
► Passwords can be cracked in many situations
  • Poor choice of password
  • Cracking tools
  • Writing down password
  • Sharing password
► Other methods are available
Keyloggers
► If a social engineer can gain access to a workstation, keystroke loggers may be installed
► Software based
  • Software must be installed, possibly remotely
  • Available to computers and cell phones
  • Commonly detected by malware protection
  • May be a separate program or browser add-on
► Hardware based
  • These are installed manually and in person
  • Detected by visual inspection
  • Data may have to be fetched by retrieving the device
    ◦ Some transmit data over the Internet
  • Physical security is a sure defense
  • USB restrictions may be used to prevent rogue devices from being activated
Image source: en.wikipedia.org/wiki/Hardware_keylogger
Sniffing and MitM
► Protocol analyzers are tools used primarily for detecting network problems
  • They may also be used to intercept, record, and replay credentials
► Man-in-the-middle (MitM) tools are specifically designed to covertly grab data over a network
  • Ettercap is a sophisticated tool that is able to intercept and record credentials
► If an attacker can gain access to the internal network, these tools are very effective
ettercap.github.com/ettercap/about.html
Ettercap
► This is one of the best MitM tools
► It works by getting between a client and a server
  • It spoofs being the client to a server
  • To the server, it pretends to be the client
► Tools like these can be connected to any network-enabled port, and
  • Perform data interception
  • Alter data as it is transmitted
[Diagram labels: Username: Quasi, Password: moto]
MitM With Ettercap
Do Now
1. Write down the IP addresses of these virtual machines:
   a. Windows 10: _________________________________
   b. Windows Server: _________________________________
2. Go to your Kali Linux virtual machine, open a terminal prompt, and enter the following case-sensitive command on one line:
   sudo ettercap -TqM arp:remote /10.10.10.X/ /10.10.10.Y/ 21
   where 10.10.10.X is the Windows 10 address; 10.10.10.Y is the Windows Server address
3. Go to your Windows 10 virtual machine and open a command prompt. Connect to Windows Server with: ftp 10.10.10.Y (using your Windows 2003 IP address)
4. Log in as administrator with a password of adminpw
5. Go to your Kali Linux and inspect the intercepted data
6. After you have inspected the data, press in the terminal window to shut down Ettercap
Modifying Data With Ettercap
Instructor-Led Demo
1. The instructor will now perform a MitM modification attack
2. You will shortly connect to the instructor’s FTP server. The address is: ___________________________________
3. The instructor will enter:
   sudo ettercap -TqM arp:remote // /10.10.10.Y/ 21 -F windoze.ef
   where 10.10.10.Y is the instructor’s Windows server
4. Once the instructor is ready, open a command prompt and enter the following: ftp 10.10.10.Y
   • Log in as administrator, with a password of adminpw
   • Note the user name was changed by the MitM
5. Enter quit from the FTP prompt and try logging in as student, with any password
6. The instructor will now turn off Ettercap and return the network to normal operation
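Both Ettercap exercises use `arp:remote`, so the interception leaves a trace in each victim's ARP cache. The following added example (not part of the course material) compares a baseline ARP table with a later snapshot and reports the two tell-tale signs; the tables, MAC addresses and the 10.10.10.66 host are constructed, and the function names are illustrative.

```python
# Added example: spot ARP cache poisoning by comparing two ARP table snapshots.
# The tables are constructed samples in the layout printed by Windows "arp -a";
# the parser also accepts Linux "ip neigh" lines.
import re

ENTRY = re.compile(
    r"\b(\d{1,3}(?:\.\d{1,3}){3})\b.*?"
    r"\b((?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2})\b"
)

BASELINE = """\
Interface: 10.10.10.10 --- 0xb
  Internet Address      Physical Address      Type
  10.10.10.1            00-0c-29-aa-00-01     dynamic
  10.10.10.20           00-0c-29-aa-00-20     dynamic
  10.10.10.66           00-0c-29-aa-00-66     dynamic
  10.10.10.255          ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# Same client later: the server 10.10.10.20 now resolves to the MAC address
# that belongs to 10.10.10.66.
CURRENT = BASELINE.replace(
    "10.10.10.20           00-0c-29-aa-00-20",
    "10.10.10.20           00-0c-29-aa-00-66",
)


def parse_arp_table(text):
    """Return {ip: mac} for unicast entries, MACs normalised to aa:bb:..."""
    table = {}
    for line in text.splitlines():
        match = ENTRY.search(line)
        if not match:
            continue                      # header or interface line
        ip = match.group(1)
        mac = match.group(2).lower().replace("-", ":")
        if int(mac[:2], 16) & 1:
            continue                      # broadcast/multicast MACs are shared by design
        table[ip] = mac
    return table


def find_poisoning(baseline, current):
    """Return findings as tuples:
    ("changed", ip, old_mac, new_mac) - a known host answers with a new MAC
    ("shared", mac, [ips])            - one MAC claims several IP addresses
    """
    findings = []
    for ip, mac in sorted(current.items()):
        old = baseline.get(ip)
        if old is not None and old != mac:
            findings.append(("changed", ip, old, mac))
    owners = {}
    for ip, mac in current.items():
        owners.setdefault(mac, []).append(ip)
    for mac, ips in sorted(owners.items()):
        if len(ips) > 1:
            findings.append(("shared", mac, sorted(ips)))
    return findings


def check_samples():
    return find_poisoning(parse_arp_table(BASELINE), parse_arp_table(CURRENT))


if __name__ == "__main__":
    for finding in check_samples():
        print(finding)
```

A shared MAC can be legitimate (a router or a multi-homed server), so treat each finding as a lead to verify against the switch's port table rather than as proof.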
Authentication Tokens
► Tokens are small electronic devices that provide an ever-changing number to be used in authentication
  • Authentication by what you possess
► They are generally considered to be very strong security
► The devices are subject to
  • Compromise of the token-generating code
    ◦ RSA exposed its token code to intruders via a social engineering scam
  • Theft of the token itself
[Image: token displaying 932283027]
► Many organizations opt for two-factor authentication
  • Authentication with the token value
  • Plus user name and password (something you know)
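To make the “ever-changing number” concrete, the following added example (not part of the course material) implements the open TOTP standard (RFC 6238, built on RFC 4226) as a stand-in; it is not the proprietary algorithm of any vendor's token. The account record, password and salt are constructed. It shows that anyone holding a copy of the seed produces the same codes as the device, and that the password factor and replay check are what remain in the way.

```python
# Added example: a time-based token (TOTP, RFC 6238) and a two-factor check.
# TOTP is an open standard used here as a stand-in for a hardware token.
import hashlib
import hmac
import struct

STEP = 30  # seconds each code is valid for, as in RFC 6238


def hotp(seed, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(seed, unix_time, digits=6):
    """The code a token (or anyone with the seed) shows at unix_time."""
    return hotp(seed, int(unix_time) // STEP, digits)


class TokenVerifier:
    """Server side: accepts a code once, within +/- window time steps."""

    def __init__(self, seed, window=1):
        self.seed = seed
        self.window = window
        self.last_counter = -1            # highest time step already accepted

    def check(self, code, unix_time):
        now = int(unix_time) // STEP
        for counter in range(max(0, now - self.window), now + self.window + 1):
            if counter <= self.last_counter:
                continue                  # already used: reject replays
            expected = hotp(self.seed, counter).encode()
            if hmac.compare_digest(expected, code.encode()):
                self.last_counter = counter
                return True
        return False


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_account(password, seed):
    salt = b"constructed-salt"            # constructed; use random salt in practice
    return {"salt": salt,
            "pw_hash": hash_password(password, salt),
            "verifier": TokenVerifier(seed)}


def login(account, password, code, unix_time):
    """Two-factor check: something you know, then something you have."""
    supplied = hash_password(password, account["salt"])
    if not hmac.compare_digest(supplied, account["pw_hash"]):
        return False
    return account["verifier"].check(code, unix_time)


def scenario():
    seed = b"12345678901234567890"        # RFC 6238 test seed
    account = make_account("correct horse", seed)
    t = 1000
    cloned_code = totp(seed, t)           # computed from a copy of the seed
    return {
        "seed_copy_without_password": login(account, "guess", cloned_code, t),
        "seed_copy_with_password": login(account, "correct horse", cloned_code, t),
        "same_code_replayed": login(account, "correct horse", cloned_code, t),
        "code_two_minutes_old": login(account, "correct horse", totp(seed, t), t + 120),
    }


if __name__ == "__main__":
    print(scenario())
```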
Biometrics
► Biometric authentication measures the unique physical characteristics of a person
► In general, a constellation of points is gathered to form a unique pattern with each of the modalities
  • Fingerprint
  • Face shape
  • Iris color and shape patterns (considered the best)
  • Retina intraocular veins and capillaries
► There are huge differences in reliability among products
  • For example, some facial recognition software is fooled with a photograph
Source: Yeo, Vivian. “Lenovo Sticking With Face Recognition Tool.” CNET. https://www.cnet.com/news/lenovo-sticking-with-face-recognition-tool/
Bypassing Facial Recognition
Instructor-Led Demo
1. Does facial recognition use three-dimensional or two-dimensional measurements?
2. What else looks like you that is two-dimensional?
3. On the Windows 10 virtual machine, open the desktop link to Documents and go to Chapter 6
4. View the video Facial Recognition Bypass on Android*; the instructor will narrate it
5. How would a social engineer come by your image?
6. What should a facial recognition scanner do to prevent this sort of impersonation?
7. Would sensing head movement or blinking solve this authentication bypass problem?
*Source: R.W. Williams, securitytutoring.com
Indirect Impersonation
► Often called reverse social engineering
► The attacker uses indirect means to deceive the target
  • Poster
  • Sticker with new hotline/help-desk number
► Target feels more comfortable contacting the social engineer
  • After seeing an advertisement, help-desk sticker, or poster
Indirect Impersonation
► With this vector, the social engineer convinces people to initiate contact
  • The challenge is making it easy for the target
► This may be accomplished in many ways
  • Posters
  • Mail and memos
  • Fax
  • Public speaker systems
  • Flyers placed on automobile windshields
► The most important aspect of the deception is that the message must
  • Appear plausible
  • Be well formatted
Reverse Social Engineering
► Registering a one-time domain
► Use of e-greetings and e-invites
► Posters and flyers
  • These can be delivered and may be assumed to be genuine
► Government mail, company mail, and courier are assumed to have authenticity
  • Fraudulent instructions or information can simply be mailed
[Illustration: flyer reading “Go to www.citybankpicnic.com. Log in with your account and win a prize!”]
Impersonation Countermeasures
In-person Impersonation
► Inoculate employees by showing them how impersonation works
  • Introduce the potential language and ploys of a social engineer
► Verifying identity
  • Check credentials with official IDs
  • Call the vendor to verify repair personnel
  • Do not assume that a name tag or a business card is truthful
► Escorting at all times
  • Do not allow individuals to wander off
► When guests sign in, two parties should be present
  • Mitigating change blindness
Remote Impersonation
► Be wary of any e-mail
  • Show a healthy skepticism with e-mails
  • Confirm the source by digital signatures or return call
    ◦ Not the number in the e-mail
► Have a callback policy
  • Caller ID is not a guarantee
  • Call back to a known accurate number
► Distrust sites not under the control of the organization
  • HTTPS is not a guarantee, but a good indicator
► Blogs and social networking sites are an ideal place to meet a social engineer
  • Distrust URLs
  • Never visit a site or supply credentials to a site you are not certain about
Authentication
► Name tags and badges are not strong authentication
► Physical security is key to prevent keyloggers and MitM
  • Anti-malware software can detect and prevent most keylogger programs
  • Inspect a computer that has been outside your control
► Keyloggers and MitM tools typically must be physically attached to a device or network
  • Implement access control and device management to prevent this
► Skimmers are easily hidden and disguised
  • Never swipe a card or RFID with an unfamiliar scanner/sensor
  • Encase RFID card in a metal sleeve
    ◦ Skimmers can reach several meters
Authentication Systems ► Use thoroughly tested protocols and products ► Protect tokens, magnetic cards, and RFID cards • Tokens should require two-factor authentication ► The organization must implement network access control and protection to prevent rogue PCs and hardware from monitoring traffic ► All authentication traffic should be encrypted • It may or may not be necessary to encrypt data ► Biometric products should be tested thoroughly for accuracy and check for signs of a living person • Eye blinking • Temperature • Pulse • Electromagnetic fields • Sweat
Indirect Impersonation ► Be skeptical of • New signs, flyers, and posters • Messages delivered by government mail or courier, which are not necessarily trustworthy ► Verify communication • Whether written or by any remote means ► Delivery by official channels does not mean authentic communication
Objectives ► Enumerate methods of impersonation ► Identify how interpersonal impersonation is performed ► Assess the methods of remote impersonation ► Learn how authentication systems can be spoofed ► Evaluate methods of indirect deception ► Specify countermeasures to impersonation
Review Questions
1. What is change blindness?
2. What does clickjacking do?
3. What is an example of indirect impersonation?
4. What advantages do hardware keyloggers have over software versions?
5. How could biometrics (like facial recognition) be augmented to be more accurate?
6. How can one be certain of the source and content of an electronic message?
7. Which of these is likely to be the best impersonation vector?
   a. Vendor
   b. Family
   c. Employee
   d. Survey taker
Chapter 7
The Psychology of Persuasion
Objectives ► Examine the psychological principles of persuasion ► Discover key motivators that lead to manipulation ► Enumerate the dangers of a mindless state ► Uncover the power of social proofing and authority ► Specify defenses against impersonation ploys
Contents Pretexting and Manipulating Behavior ► Mindlessness ► Social Proof and Authority ► Resisting Persuasion
Pretexting and Manipulating Behavior ► Pretexting is often the endgame of a social engineer • “… the act of creating an invented scenario to persuade a targeted victim to release information or perform some action”* ► If an attacker has credibility, a story may unfold that results in illicit access or release of information • It may be a short story that unfolds in minutes • Scenarios could be developed over months or years ► We will examine the psychological factors that allow an attacker to motivate, manipulate, and exploit targets
“Persuasion is no longer just an art. It’s an out-and-out science.” —Robert Cialdini
*Source: “Pretexting Defined.” Social Engineering Framework. www.social-engineer.org/framework/influencing-others/pretexting/
Robert Cialdini’s Motivators* ► Reciprocity • Using obligation or concession—quid pro quo ► Scarcity • Used to create a feeling of urgency against a backdrop of gain or loss ► Commitment and consistency • After making a commitment, people are more agreeable to requests that are consistent with their prior decisions ► Liking • People do more for someone they like or see as attractive ► Social proof and consensus • Leading a victim into conformity with a group ► Authority • Spoofing a legal, organizational, or social imperative
*Source: Cialdini, Robert. Influence: The Psychology of Persuasion. Harper Business, 2006.
Reciprocity ► The principle of quid pro quo is fairly universal • It evokes notions of fairness and equity • To be someone who receives and does not give back is seen as negative ► Those who take and don’t return something of value get called names • Moocher, ingrate, beggar, and lowlife ► In assessing a target environment, a good social engineer will not look to see who can help him or her • They will look to see who they can help ► Consider the scenario where a stranger helps you • They then pose a pretext wherein you can help them gain a small insight about your organization or let them know who performs a role Warning: How could reciprocity be used to allow someone unauthorized access to a site?
Scarcity ► This principle often focuses on the fear of loss • By failing to omit or commit an action, a loss will be incurred • Or others will achieve a gain and you are left behind ► Achieving a gain is good • But sustaining a loss is worse ► Using what Cialdini refers to as “loss language” provides great incentive ► Which of these statements is more motivating to you? • I can only help you get this contract if I can get some details • You are likely to lose this contract if I can’t get some details https://zeltser.com/how-the-scarcity-principle-is-used-in-online-scams-and/
Act Now! ► Making the victim work harder for a gain or stating a time limitation is especially motivating ► The most successful scams often involve making the victim work harder or act quicker • Making the victim perform work ◦ Clicking multiple confirmations ◦ Repeating instructions back to the social engineer • Time limitations ◦ Act now or the offer is off the table ◦ Confirm your Facebook account at this link, or it will be canceled* ► These tactics act to cement the resolve of the victim *Source: https://zeltser.com/how-the-scarcity-principle-is-used-in-online-scams-and/
Greed Also Works ► At the 2012 DEF CON Social Engineering “Capture the Flag” contest, the winner was a security professional who employed greed as his primary tool • He captured all data points possible in the contest ► Greed at work: • The social engineer called a Wal-Mart store in Canada, claiming to be an executive from headquarters • After some light banter, he indicated he “had a multi-million-dollar opportunity to win a major government contract” • With that stated, it was easy to get information on “physical logistics: its janitorial contractor, cafeteria food-services provider, employee pay cycle, and staff shift schedules” ► According to the winner, Gary Darnell: • “As soon as they think there’s money, common sense goes out the window.”
Source: Cowley, Stacy. “How a Lying ‘Social Engineer’ Hacked Wal-Mart.” CNNMoney. August 8, 2012. money.cnn.com/2012/08/07/technology/walmart-hack-defcon/index.htm
The Dollar Auction*
Do Now
1. We will perform an auction for $1.00 or £1.00
2. The instructor will start the bidding system on Kali Linux:
   a. In terminal: service apache2 start
   b. The address of the Instructor Kali Linux host will be displayed: ifconfig eth0
3. Students will connect to the bidding application using Firefox: http:///bid/bid.php and enter their names
4. Rules:
   a. The winner will purchase $1 or £1 for the winning price
   b. New bids must exceed the previous bid by one cent or more—no ties
   c. Losers must pay their last bid, as well, but get nothing
   d. Enabling autobid will always increase the price, regardless of your last bid
5. Once bidding begins, you have five minutes to conclude your business, and accounts will be settled then
*www.nytimes.com/2009/11/15/business/economy/15view.html?_r=0
Commitment and Consistency ► Most people would like to think of themselves as having character and being steadfast • This can be turned into a vulnerability ► Getting a target to take a small step is a major victory • If they’ve taken steps 1 and 2, it is necessary to take step 3 ► For example: • A person might ask if you like working with people • The odds become much higher that you will later be willing to discuss details of the people with whom you work ► Some auction sites on the Internet are founded on this principle • DealDash.com • QuiBids.com ► Bidders will engage in behaviors that in the long run are mathematically doomed to failure
Trust Survey
Do Now
1. You will now take a survey on trust
2. The instructor will start the bidding system on Kali Linux:
   a. In terminal: service apache2 start
   b. The address of the Instructor Kali Linux host will be displayed: ifconfig eth0
3. Students will connect to the bidding application: http:///survey/
4. With the survey open, take no more than five minutes to indicate your trust choices as you observe each picture
   • Simply choose “Trust” or “No trust”
5. Once done, a graph will present the results
6. The graph will update as the results from other students arrive
   • This will lead into the next discussion topic
Liking ► We do things for people we like ► This can be based on • A pleasing appearance • Familiarity • Positive reinforcement • Appreciation ► However, much of our attitude toward others is based on how we think they view us • Stated simply: You are more apt to like someone who already seems to like you ► Consider beauty • Someone may be beautiful, and that is fine • But, if they believe we are beautiful, it is even better
The Halo Effect ► What is beautiful is good* ► We are more likely to adapt to the values of a person who is considered attractive than one who is not • Beautiful people get their way ► A study demonstrated that women who were about to date a man who was considered attractive were far more likely to change their values to more closely match the man’s
Discussion question: How could this be used by a social engineer?
*Source: Dion, Karen, Ellen Berscheid, and Elaine Walster. “What is Beautiful Is Good.” Journal of Personality and Social Psychology. Vol. 24, No. 3, pp. 285–290.
Mindlessness ► It is not brainlessness—mindlessness describes people working and living largely in an autopilot state • They function properly and even with excellence • But are not truly aware of their environment or situation ► An example: • Have you ever driven home from work and realized that you remember nothing about the ride home? ◦ You navigated a moving vehicle correctly ◦ Hundreds of speed and course corrections were made ◦ The route was optimized and hazards were avoided ◦ Yet there was nothing about the trip you could recall ► Many things we do each day are reflexive, not thoughtful ► We will continue to discuss Cialdini’s other motivators, once this section has provided additional useful information
Source: Partida, Alberto. “Security and Risk.” Notes on interview with Ellen Langer. onbeing.org/programs/ellen-langer-science-of-mindlessness-and-mindfulness-nov2017/.
The Roots of Mindlessness ► To function, we create rules and routines • Life would be exhausting or frightening if we had to continually observe, learn, adapt, and react in every new moment of life • Rules and routines allow us to respond to common tasks ► Conversely, awareness of context and perspective are necessary to identify when something is • Wrong • An exception • Dangerous
“Certainty breeds mindlessness.”* —Dr. Ellen Langer
*Source: Langer, Ellen J. On Becoming an Artist: Reinventing Yourself Through Mindful Creativity. Ballantine, 2006. http://www.hoffmanstermer.com/on_becoming_an_artist_reinventing_yourself_through_mindful_creativity.pdf
Everyday Examples of Mindlessness ► Consider the following activities—they involve simple mistakes that occur because of falling into a routine: • After meeting someone, saying, “I’m doing good,” even though he or she never asked, “How are you?” • Writing a check in January with last year as the date • When trying to use updated 2015 software and failing, attempting the same procedures several times ► The game Simon Says is based on mindlessness ► None of these errors are serious security issues; however, they are examples of operating in an autopilot mode
Interpreting and Recognizing ► In approaching a situation or environment, we should (logically) perform these actions • Interpret what we see to discover its attributes • Recall how to deal with the environment ◦ Based on evidence of our senses ► However, this is often reversed • A person may try to recall how to best respond • Then, they act out a response that is appropriate ► Observations don’t create the environment • They are a reflection of it
Exploiting Mindlessness ► In research conducted by Dr. Ellen Langer, she found mindlessness facilitated unusual requests • Her studies found that when posed with a request, people were very likely to agree, as long as any excuse was given ► Examples: • Person: I need to go over there • Guard: Why? • Person: Because I have to be there • Guard: OK
► This is an example of the brain acting out a script without interpreting the situation Discussion question: How could this be used in pretexting or in eliciting by a social engineer?
The Yes Set ► A simple form of manipulation is called a Yes Set • The tendency of people to always answer “Yes” once they have already said it three to eight times • Most people dislike saying “No” ► A social engineer can prey on this, along with • Natural dislikes • Habits • A mindless state ► The mind can get into a “beat” • A pattern of behavior that repeats ► The Yes Set principle can be applied to more than just saying the word “Yes”
Performing Math
Do Now
1. The instructor will provide you with a series of easy numbers to add 2. Do not write your totals down; do the math in your head 3. After each number is given to you, add the number to the previous one, starting from zero, and announce it out loud 4. When the list is complete, quickly write down the total and give it to the instructor 5. The instructor will announce the scoring and correct total 6. Did you get it right? 7. What principle was at work here?
Use of a Yes Set ► At political rallies, politicians often ask a series of rhetorical questions: • Do you want to keep your personal and economic freedoms? • Do you want a stronger country? • Do you want your children to be safe and happy? • Are you willing to work hard for a better future? • Should good government help you? • Will you donate now to this noble cause? ► It is a simple Yes Set • Who could say “No!” to the last one after shouting “Yes!” to the first five? ► A general rule is that if a person says “Yes” three to eight times, the last “Yes” is assured
Social Proof ► Also called consensus ► You are a unique individual • Just like everybody else ► People take many cues on how to behave from those around them • Often a mindless activity ► Often, when introduced to a new or confusing situation, one will look to those nearby and mimic their behavior • What would you do if you saw a crowd of people all gathered on a street corner looking up into the sky? • If someone at your work site was asking everyone for ID, and all others were complying, would you question his or her authority? ► It is most effective when the target is in unfamiliar circumstances
Why Social Proofing Occurs ► The urge to stay within the norms of a group is often stronger than • Our own common sense • Trusting in our own senses ► In 1951, Solomon Asch conducted an experiment to measure this • Several people were placed in a room and shown pictures of lines ◦ The group was asked which lines were of equal length ◦ Two were of equal length; the others were clearly shorter or longer • All but one person was a “plant” and they would all raise their hands and make wrong selections • The one person not in on the ploy would often join the others by choosing unequal lines
Debriefing Previous Assignments
Do Now
1. Previously, you were assigned some activities • Post a URL 2. What were the results? • Check in on your USB drives: securitytutoring.com/usbhit.html Your hit count: ____________
Authority ► An orderly society has an authority structure • From a young age, many of us are taught to respect it ► People generally yield to authority • Real or perceived ► Authority may be perceived in these contexts • Legal • Organizational • Social/religious • Familial and cultural
Why We Yield to Perceived Authority ► Social context clues • What others and the environment tell us about someone ► Social proofing ► Surroundings • The physical surroundings • Décor • Formality ► Nonverbal cues • Uniforms • Formal attire • Body language Would yielding to authority be more likely online or in person? Why?
Recognizing Authority ► For effective social engineering, authority must be recognized ► Recognition may come from • Diplomas, certifications • Uniforms • Titles and rank • Name dropping • Name tags and business cards • Symbols or signs • Body language or appearance • Behavior of others ► To a social engineer, these are props
Authority Need Not Be Stated ► The environment can convey authority and is a key factor • Surroundings that suggest a person has power will vouch for that person • Décor and the trappings of power lend credibility ◦ Title or rank ◦ An expensively printed business card ◦ Office furniture ► References from mutually trusted parties are valuable • Third parties are effective endorsements of authority • Endorsements do not have to be in person ◦ Degrees on the wall ◦ Certifications ◦ Photographs with key people ► The environment and references do not have to be genuine
Authority and Social Proofing
Instructor-Led Demo
1. Open the Documents folder on the desktop of the Windows 10 virtual machine, and go to the Chapter 7 folder 2. Open and view the video “Authority and Social Proofing”* 3. How is social proofing or conformance shown here? 4. In what way is authority being used? 5. How could this be used to influence or compel behavior in others?
*Source: Ruthie Santiago, www.youtube.com/user/ruthiessantiago
The Milgram Experiment ► In 1961, Stanley Milgram devised a test to assess the strength of perceived authority upon ordinary people • Subjects were placed in a room with “a researcher” in a lab coat, another person, and equipment that would allegedly deliver varying levels of electrical shocks • The subjects were told by the “researcher” they should push buttons to deliver shocks to the other person, should that person fail a memory test ► The “researcher” and “other person” were actually actors, playing out roles, and no actual shocks were administered • As the other person would fail more and more tests, the “researcher” was able to convince the subjects to deliver ever higher levels of shocks ► In the end, 26 of the 40 subjects were convinced to administer allegedly lethal doses of electricity ► Many subjects were traumatized for life
Source: Milgram, Stanley. Behavioral Study of Obedience. Journal of Abnormal and Social Psychology. Vol. 67, No. 4 (1963), pp. 371–378.
Defending Against Human Nature ► Situational awareness—knowing your surroundings is a skill • Reciprocity ◦ Nothing is free • Scarcity and greed ◦ A bigger loss would be to violate policy • Commitment and consistency ◦ Don’t make commitments that lead to violating trust • Liking ◦ If someone likes you, it is worth questioning • Social proof and consensus ◦ Perform your role and follow policy • Authority ◦ Question authenticity ► Learn to interpret, then recognize • Not the other way around
Developing Situational Awareness ► Certainty breeds mindlessness • Overly familiar environments are prime conditions for mindlessness • Breeding an open mind is key ► Be aware that there is no specific defense against social proof ► Implementing small changes into the day helps to get out of habits and routine • It allows us to be more focused and sharp • Include audits to keep people aware ► Be wary • Not all friendly people are friends • You have things of value that others want • Everything can be part of a disguise ► Never act in a hurry
Recognizing Risky Situations ► Learn to recognize the signs of a pretext and manipulation • Refusal to provide call-back information • Inability to describe their own work environment • Odd or probing questions • An offer that is too good, in exchange for some information or access ► Whatever the situations are, they are all social engineering that leads to some violation of policy • By omission • By commission ► Report all suspected social engineering attempts
Review Questions
1. Which is more effective for a social engineer: fear of loss or possible gain? Why?
2. What psychological factor does a dollar auction prey on?
3. What is the key to being liked?
4. What are some things that lend authority to a person, deserved or not?
5. What is mindlessness?
6. What is situational awareness?
Chapter 8
Countermeasures
Objectives ► Examine the countermeasures to social engineering ► Enumerate the elements of conducting a penetration test ► Examine legal issues and social concerns ► Assemble a list of policies to defend against social engineering ► Develop a list of best practices for awareness training
Contents Assessing Vulnerability ► Legal and Social Concerns ► Hands-On Exercise 8.1 ► Developing Policies ► Building Awareness
Assessing Vulnerability ► It is commonplace and often required for technology to be evaluated with penetration tests • Social engineering is at least as important • People control technology ► Without a rigorous social engineering penetration test, you do not know the • Easy information leaks that exist • Faults in organization communication • Susceptibility of personnel to pretexting and manipulation ► Social engineering penetration tests are needed to test the human part of the equation
Outline of a Penetration Test ► Social engineering testing depends greatly on the targets and objectives • The specific details of performing a penetration test (pentest) are flexible • Imagination and creativity play a large role • The business side is straightforward ► The following elements are typical of penetration testing engagements: 1. Client briefing to tester ◦ The client describes the goals and issues to the security tester 2. Intensive job scoping and research ◦ Penetration tester formulates a model of likely threats and creates a proposed statement of work and a scope 3. Creation of attack scenarios that are based on risks and the client threat model ◦ Attacks are devised, planned, and approved by the client 4. Execution of social engineering plans ◦ This is the phase where the targets undergo reconnaissance, elicitation, and pretexting
5. After-action debriefing ◦ Initial results are given to the client ◦ This is not a comprehensive report or discussion 6. Report creation ◦ A written report is produced, documenting all significant activities and results 7. Report presentation ◦ The client is debriefed in detail ◦ Q&A session follows
Examples of Pentest Elements ► Briefing of authorities, if needed, should issues arise • Courtesy notification ahead of test • Counterfeit uniforms, etc. ► Certain elements of a penetration test must be negotiated ahead of time • Types and intensity of reconnaissance and observation allowed • Destruction of small assets (e.g., breaking a lock) • Satisfactory proof of compromise ◦ Take assets; photograph or mark them in some way ◦ Discuss legal and social issues • Off-limits areas • Desired assets or information to exfiltrate from the targets • Counterfeiting allowed (badges, RFID, tokens, and uniforms) • Custodial requirements and/or return of stolen assets ► Liaison for unanticipated issues or for being caught
RFID = radio-frequency identification
Skills Needed ► Interpersonal skills • Ability to listen • A good observer • Ability to lie • Ability to like many types of people ► Personality traits • Self-aware • Situationally aware • Problem solver • Persistent • Calm in a chaotic and fluid environment
► Knowledge required • Legal knowledge • Strong networking knowledge for client-side attacks • Technical access controls • Locksmithing ► Certifications • Locksmith
Legal and Social Concerns ► Performing an in-depth assessment requires authorization from an officer of the organization • A mid- or low-level employee cannot give permission ► Embarrassment • When a target is successfully fooled or had something stolen from them, many emotions may arise ◦ Fear ◦ Anger ◦ Resentment over loss of job or status • Nondisclosure is a necessary component ► Police being called • A signed contract, liaison, and prior briefing to authorities defuse the issue ► Handling of Personally Identifiable Information (PII) and IP • Should PII or other sensitive information be exfiltrated, arrangements must be made to safeguard the assets
Impersonation and Disguises ► Impersonation and disguises may or may not require special legal permission • HVAC repair personnel: No • CEO: No • Police: Yes • Firefighter: Varies • Government official: Yes • Government site: Yes • Commercial site working under secrecy laws: Yes ► Impersonating a public official without permission may yield good results • Huge legal liability • This applies in person or remotely (via telephone) ► Perform due diligence and research these issues, and stay within a legal scope of work
Marking vs. Stealing ► Often, the goal of a penetration test is to steal assets • Tangible • Intellectual ► Alternatives to removing an asset are • Marking or tagging ◦ Place a tag or marker on any asset that could have been stolen • Photographing ◦ Show proof that the asset was within grasp ► These have the benefit of • Being safer for the asset • Having less liability for possession of it ► Classification and legal issues • Some assets are extremely valuable or dangerous in the wrong hands • The tester may require a clearance to possess the asset
Hands-On Exercise 8.1
In your Exercise Manual, please refer to Hands-On Exercise 8.1: Inspecting a Penetration Test Report
Developing Policies
► The findings of DEF CON Social Engineering Capture The Flag (SECTF) contests have consistently shown that people are still the weakest link in organizational security
  • Technology defenses get better
  • But people control technology
► Key policy areas seen as deficient:
  • A failure to perform social engineering penetration tests
  • Verification policies
  • Social media, career sites, and blogging
  • Awareness training that is memorable
Social Engineering Audits Are Necessary
► Just as many organizations perform technology penetration tests, social engineering evaluations are also needed
  • Many organizations see technology penetration tests as necessary
    ◦ Payment Card Industry (PCI) standards require an annual test
  • Social engineering is just as pressing a need
► It is such a high-interest area that DEF CON now holds a Capture the Flag contest
  • Teams are pitted against each other to gather data points about pre-assigned organizations
Verification Policies
► Much of social engineering will be ineffective if the target seeks verification before responding, especially for verbal and e-mailed exchanges
► Simple measures may be implemented
  • Before information is released to an unverified party, ask for a piece of simple information
    ◦ Like security questions used for password resets
  • Plant false questions to detect impersonation
    ◦ Questions that have no correct answer or are irrelevant to the person
► Questioning authenticity is good
Social Media, Career Sites, and Blogs
► Continuously make all personnel aware of the dangers of online postings
► Social media policies
  • Likely the biggest leak of intelligence*
  • Social media is a gold mine for social engineers
  • Employees, partners, and vendors must be held accountable for posting organization-related information
    ◦ Clear definitions and examples should be provided
► It is difficult to regulate and monitor social networks
  • Because of the sheer quantity of sites, employees, and postings
    ◦ Google Hacking can help target searches
  • Legality
    ◦ Privacy issues must be addressed
    ◦ Nondisclosure agreements should address use of social media
► The same is true of blogs and career and job sites
*Source: Hadnagy, Christopher J., and James O’Gorman. Social-Engineer.org. “Social Engineering Capture the Flag Results, Defcon 19.” www.social-engineer.com/downloads/SocialEngineer_Defcon_19_SECTF_Results_Report.pdf
Building Awareness
► The results from the DEF CON 23 SECTF showed there was no correlation between spending on security awareness and effectiveness*
  • The most effective programs seemed related to being memorable and the “style and frequency of security education”
► Question: How does one create an organizational culture of constructive paranoia?
► Answer: Have simple talking points
  • We all have information/access that others want
  • Use real-life examples
  • Recognize the value of information
  • Follow policy
  • Report incidents
  • Overcome the “not me”
  • Verify
  • Training must be practical, interactive, and applicable
*Source: Hadnagy, Christopher, and Eric Maxwell. “Social Engineering Capture the Flag Results, Defcon 23.” http://www.social-engineer.org/ctf/the-social-engineering-capturethe-flag-def-con-23-report/
Key Awareness Talking Points
► Do follow policy
► Do remember the sensitivity of information you possess
► Do check with the data owner first
► Do ask others when in doubt
► Do offer to call back—verify
► Do verify why information or access is needed
► Do record what happened
► Do ask probing questions
► Do trust your judgment: If it sounds suspicious, it probably is
► Do distrust physical access controls
Key Personnel Mistakes
► Don’t discuss work issues in public postings or discussions
► Don’t respond to immediate pressure
► Don’t assume others’ duties in trying to help
► Don’t make data owner decisions
► Don’t give away seemingly unrelated bits of information
► Don’t say “Yes” just to get someone off the phone
► Don’t view owed favors as reasons to violate policy
► Don’t forget your responsibility to secure organizational resources
Objectives
► Examine the countermeasures to social engineering
► Enumerate the elements of conducting a penetration test
► Examine legal issues and social concerns
► Assemble a list of policies to defend against social engineering
► Develop a list of best practices for awareness training
Review Questions
1. What is the most necessary item of preparation before beginning a social engineering penetration test?
2. What are some socially difficult issues associated with performing a social engineering penetration test?
3. What is an alternative to stealing a physical asset in a penetration test?
The video links used in this course are available from securitytutoring.com/2012/Links.txt
4. What is the biggest priority/issue for performing security awareness for social engineering? What are some solutions?
5. What was the biggest single source at DEF CON for online intelligence gathering?
Chapter 9
Course Summary
Course Objectives
► Defend against social engineering deceptions that threaten organizational security
► Plan, execute, and evaluate security assessments for human weaknesses
► Explore the dangers of psychological manipulation
► Measure and report your organization’s preparedness for social engineering attacks
► Implement procedures and policies to defeat deceptions
► Mitigate personnel vulnerabilities with education and security awareness