Social Engineering - PowerPoint PPT Presentation

Title: Social Engineering
Slides: 35
Provided by: laurabun

Transcript and Presenter's Notes

1
Social Engineering
  • CS4235 Final Project
  • Kenny St. Clair, David Mercer,
  • Allen Brewer, Laura Bungenstock

2
Outline
  • What is it?
  • How is it done?
  • Who is at risk?
  • CoC Security Audit

3
What is it?
  • Social engineering is the oldest form of hacking.
  • Social engineers focus on the users of the
    system. By gaining the trust of a user, a
    social engineer can simply ask for whatever
    information he or she wants, and usually get it.

4
The Weakest Link
  • As software and hardware become increasingly
    secure, the weakest element remains unchanged.
  • The people who use the network are the weakest
    link!

5
A social engineer's mantra
  • "There is no patch for human stupidity."

6
Definitions
  • "Social engineering is a use of psychological
    knowledge to trick a target into trusting the
    engineer, and ultimately revealing information."
    - Ross Bearman
  • "...involving the use of social skills and personal
    interaction to get someone to reveal
    security-relevant information and perhaps even to
    do something that permits an attack."
    - Charles and Shari Pfleeger

7
Definitions
  • "A hacker's clever manipulation of the natural
    human tendency to trust. The hacker's goal is to
    obtain information that will allow him to gain
    unauthorized access to a valued system and the
    information that resides on that system."
    - Sarah Granger
  • "...uses deception, influence, and persuasion
    against businesses, usually targeting
    information."
    - Kevin Mitnick

8
Our Definition
  • Social engineering is a psycho-social attack that
    subverts human trust and helpfulness in order to
    attain the attacker's goals.

9
Outline
  • What is it?
  • How is it done?
  • Who is at risk?
  • CoC Security Audit

10
How is it done?
  • Attacks come in various forms:
  • On the phone, over e-mail, or in-person
    impersonation.

11
Impersonation
  • Play the part!
  • Social engineers must:
    • Anticipate problems
    • Know the jargon and procedures of the role

12
Impersonation
  • And most importantly, know how to build
    trust with whomever they need information from.
  • Social engineers most often impersonate authority
    figures, assistants to authority figures, and new
    employees.

13
More techniques
  • Dummy Mode
  • Bury the key question
  • Research (Google)

14
Over the phone
  • The phone is the most popular method of social
    engineering because it is difficult to verify or
    deny someone's identity.

15
Over e-mail and IM
  • E-mail attacks are very common (phishing).
  • E-mail is also used for impersonation.
  • Obtaining the password for an IM account could lead
    to access to a bank account or other personal data.

16
Dumpster diving
  • Digging through trash at corporations in search
    of sensitive data.

17
Outline
  • What is it?
  • How is it done?
  • Who is at risk?
  • CoC Security Audit

18
Who is at risk?
  • Everyone.
  • Everyone with information is a potential target!

19
Real World Examples
  • 90% of office workers gave away their password
    for a pen.
  • 70% of people traded their password for a bar
    of chocolate.

20
Real World Examples
  • 1/3 of the IRS employees provided their user name
    and changed their password in a 2005 security
    audit.
  • USC vs. Cal basketball game

21
Outline
  • What is it?
  • How is it done?
  • Who is at risk?
  • CoC Security Audit

22
CoC Security Audit
  • Hands-on experience
  • Test the weakest link
  • Cleared to target CoC faculty, staff, and
    students

23
CoC Security Audit
  • GOAL: Collect as much data as possible that was
    either sensitive or gave access to sensitive
    data.

24
CoC Security Audit
  • Our plan for collecting data:
    • E-mail impersonation
    • Phone impersonation
    • Dumpster diving

25
E-mail Impersonation
  • Abuse the Georgia Tech alias system:
    • tso-security@gatech.edu
    • Eniola.Okeowo@gatech.edu

26
E-mail Impersonation
  • By using the tso-security alias we could target
    faculty, using Keith Watson's name as the
    signature.
  • By using eniola.okeowo we could target our fellow
    students.

27
E-mail Impersonation
  • 12 hours later, OIT had revoked our aliases,
    according to Policy Violation Section 2.3.1,
    User Impersonation/False Identity.

28
Plan B
  • Change the outgoing address on our e-mail to
    Eniola Okeowo, and take advantage of the
    random gtg e-mails as the Reply-To.
  • In total we received 11 replies with GTID
    information.
  • 2 replies were sent directly to Eniola.
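
The Plan B pattern on this slide (a borrowed name on the visible From, with replies steered to a separate mailbox through Reply-To) leaves a trace in the message headers, and that is what a mail filter or an incident responder looks for. The Python below is an added example for this page, not code from the presenters or from Georgia Tech: it parses two constructed messages that use placeholder example.edu addresses and flags a Reply-To or Return-Path domain that disagrees with From, an external sender wearing a role-style display name, and a credential request in the body. The internal-domain set, the role words and the credential phrases are assumptions chosen for the example.

```python
"""Flag the header pattern behind the 'Plan B' impersonation: a trusted-looking
From, with Reply-To (or the envelope sender in Return-Path) pointing elsewhere.
All addresses, domains and message text below are constructed for this example."""
from email import message_from_string, policy
from email.utils import parseaddr

# Assumption: the organisation's own mail domain(s).
INTERNAL_DOMAINS = {"example.edu"}
# Assumption: display-name words that claim an IT or security role.
ROLE_WORDS = ("security", "helpdesk", "it support", "admin")
# Assumption: body phrases that ask the reader to hand over a credential.
CREDENTIAL_WORDS = ("password", "student id", "reply with your")


def domain_of(header_value: str) -> str:
    """Lower-case domain of the first address in a header value ('' if none)."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def impersonation_findings(raw_message: str) -> list[str]:
    """Return the reasons a message looks like sender impersonation (empty = clean)."""
    msg = message_from_string(raw_message, policy=policy.default)
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_dom = domain_of(from_addr)
    findings = []

    # Replies are steered to a mailbox the visible sender does not control.
    reply_dom = domain_of(msg.get("Reply-To", ""))
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    # The envelope sender (what SPF actually checks) is not the address the reader sees.
    envelope_dom = domain_of(msg.get("Return-Path", ""))
    if envelope_dom and envelope_dom != from_dom:
        findings.append(f"Return-Path domain {envelope_dom} differs from From domain {from_dom}")

    # An external address wearing an internal-sounding display name.
    if from_dom not in INTERNAL_DOMAINS and any(w in from_name.lower() for w in ROLE_WORDS):
        findings.append(f"external sender {from_addr} uses role-style display name {from_name!r}")

    # A credential request in the body turns a header oddity into a phish.
    body = "" if msg.is_multipart() else msg.get_content().lower()
    if findings and any(w in body for w in CREDENTIAL_WORDS):
        findings.append("body asks for a credential")
    return findings


# Constructed sample: display name and From borrowed from the institution,
# while replies and the real envelope sender go to a personal student mailbox.
SPOOFED = """\
Return-Path: <gtg0000z@mail.example.edu>
From: "IT Security" <it-security@example.edu>
Reply-To: <gtg0000z@mail.example.edu>
To: student@example.edu
Subject: Account verification required
Content-Type: text/plain; charset="us-ascii"

To keep your account active, reply with your student ID and current password.
"""

# Constructed sample: the headers agree with each other and nothing is requested.
LEGITIMATE = """\
Return-Path: <registrar@example.edu>
From: "Registrar" <registrar@example.edu>
To: student@example.edu
Subject: Spring registration dates
Content-Type: text/plain; charset="us-ascii"

Registration opens Monday. Check the portal for your time ticket.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legitimate", LEGITIMATE)):
        print(label, impersonation_findings(raw) or ["no findings"])
```

The domain comparison is exact, so a Reply-To on a subdomain (mail.example.edu against example.edu, as in the constructed sample) is flagged; a production filter would normally compare organisational domains and combine this with the SPF and DMARC results it already has, since a spoofed header From on an otherwise authenticated message is exactly the case those checks exist for.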

29
Dumpster Diving
  • Professors often put their trashcans outside
    their offices before leaving for the day to allow
    janitors to take away their trash.
  • The CoC is rarely (if ever) empty, and searching
    these bins before the janitors arrive is
    difficult.

30
Dumpster Diving
  • No sensitive data was found.
  • The trash removal policy at the CoC made it
    difficult for us to effectively dumpster dive.

31
Phone impersonations
  • Of the professors we reached over the phone, none
    released their passwords to us.
  • Common responses were:
    • "I do not give passwords out over the phone." [click]
    • "Let me check on this and get back to you."

32
Audit Conclusions
  • Faculty and staff of the CoC are clearly trained
    in how to handle and protect sensitive information.
  • Although, we are concerned with the students'
    understanding of the semi-sensitive nature of the
    GTID, especially if combined with data
    aggregation.

33
Outline
  • What is it?
  • How is it done?
  • Who is at risk?
  • CoC Security Audit

34
Questions?
  • Any questions?