Social Engineering Abuses - PowerPoint PPT Presentation

About This Presentation

Title: Social Engineering Abuses

Description: CIS 5370 - Computer Security. Kasturi Pore. Ravi Vyas. Public Definition from wikipedia.org ' ... Wikipedia. (n.d.). Social engineering (security) ... – PowerPoint PPT presentation

Slides: 25
Provided by: Rav9
Learn more at: http://www.cs.fsu.edu

Transcript and Presenter's Notes

1
Social Engineering Abuses
  • CIS 5370 - Computer Security
  • Kasturi Pore
  • Ravi Vyas

2
What is it?
  • Public definition (wikipedia.org):
  • Social engineering is the art of
    manipulating people into performing actions or
    divulging confidential information.
  • Gartner Research Group:
  • The manipulation of people, rather than
    machines, to successfully breach security
    systems.

3
Does it Work?
  • Kevin Mitnick was incarcerated in February 1995
    with more than 25 charges against him.
  • In his book The Art of Deception he stated that he
    did not use any hacking tools or software programs
    but used social engineering to obtain the
    passwords and secrets.

4
Does it Work?
  • Three Israeli brothers, Ramy, Muzher, and Shadde
    Badir, had 44 charges against them:
  • Telecommunications fraud
  • Theft of computer data
  • Impersonation of a police officer
  • Damages of around 2 million

5
Does it Work?
  • On September 16, 2008 an internet activist group,
    'Anonymous', gained access to Governor Palin's
    email account gov.palin_at_yahoo.com.
  • The data used: gov.palin_at_yahoo.com, DOB 2/11/64,
    ZIP 99687

6
Why Social Engineering?
  • It's easier to ask the user than to hack the
    system
  • With the exponential increase in technology it is
    becoming harder to hack into systems

7
Why Social Engineering?
VS
8
Why does it work?
  • Humans:
  • We are emotionally weak and like to help
  • We easily succumb to pressure
  • We can't correctly judge if someone is lying
    (a bias towards truth and stereotypical thinking)
  • Current defense mechanisms:
  • Security policies (single loop)
  • Employee training
  • Security policies:
  • Have humans involved in their creation
  • Are not updated
  • Are not followed

9
Why does it work?
  • Information is readily and easily available

10
How does it work?
  • First obtain easily available data
  • Use it to fake authority
  • Obtain more confidential information
  • Feedback loop - the result of each action is fed
    back to get a better result in the next action
  • Final, deadly attack once enough information has
    been obtained
  • Devise attacks to minimize reaction and weaken
    security

11
Types of Social Engineering
  • Pretexting
  • Creating a scenario that does not exist in an
    attempt to pressure a victim into leaking
    information
  • Generate cues to build the victim's trust

12
Types of Social Engineering
  • Phishing
  • The attacker typically sends an email that
    appears to come from a legitimate source, like a
    bank or credit card company, asking the recipient
    to verify some information and warning of dire
    consequences if action is not taken
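
The pattern on this slide (a sender posing as a bank, a demand to "verify" information, a threat of consequences) can be checked for mechanically. The script below is an added example for this transcript, not part of the original slides or course material; the brand table, domains, addresses and message bodies are all constructed for illustration. It parses two raw messages and reports the indicators a mail filter or analyst would look at: a display name that claims a brand while the From domain is not that brand's, a Reply-To that diverts replies elsewhere, pressure phrases, and links whose visible text disagrees with their real target.

```python
"""Heuristic phishing-pattern checks over constructed sample emails.

Added example (not from the original slides). The brand table, domains,
addresses and message bodies below are constructed for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed table: brand name fragment -> the domain that brand really sends from.
BRAND_DOMAINS = {
    "examplebank": "examplebank.example",
}

# Pressure language typical of the "dire consequences" lure described on the slide.
URGENCY_PHRASES = (
    "within 24 hours",
    "account will be suspended",
    "verify your account",
    "immediately",
)

HREF_RE = re.compile(r'<a\s+href="([^"]+)"[^>]*>([^<]*)</a>', re.IGNORECASE)


def _domain(address: str) -> str:
    """Return the lower-cased domain part of an email address or URL."""
    address = address.strip().lower()
    if "@" in address:
        return address.rsplit("@", 1)[1]
    m = re.match(r"https?://([^/:]+)", address)
    return m.group(1) if m else address


def phishing_indicators(raw_message: str) -> list[str]:
    """Return a list of indicator strings found in a single (non-multipart) message."""
    msg = message_from_string(raw_message)
    findings = []

    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(from_addr)

    # 1. Display name claims a known brand, but the sending domain is not that brand's.
    compact_name = display_name.lower().replace(" ", "")
    for brand, legit_domain in BRAND_DOMAINS.items():
        if brand in compact_name and from_domain != legit_domain:
            findings.append(f"display name claims {brand!r} but From domain is {from_domain!r}")

    # 2. Reply-To points somewhere other than the From domain (replies are diverted).
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != from_domain:
        findings.append(f"Reply-To domain {_domain(reply_addr)!r} differs from From domain")

    body = msg.get_payload() if not msg.is_multipart() else ""
    lowered = body.lower()

    # 3. Pressure / "dire consequences" language.
    for phrase in URGENCY_PHRASES:
        if phrase in lowered:
            findings.append(f"urgency phrase: {phrase!r}")

    # 4. Link text shows one domain while the href goes to another.
    for href, text in HREF_RE.findall(body):
        text_domain = _domain(text) if "." in text else ""
        if text_domain and text_domain != _domain(href):
            findings.append(f"link text {text_domain!r} but href goes to {_domain(href)!r}")

    return findings


def is_suspicious(raw_message: str, threshold: int = 2) -> bool:
    """Flag a message when at least `threshold` independent indicators fire."""
    return len(phishing_indicators(raw_message)) >= threshold


# Constructed sample messages (not real mail).
PHISH = """\
From: "Example Bank Security" <alerts@examplebank-verify.example>
Reply-To: support@mail-relay.example
To: customer@customer.example
Subject: Action required

Your account will be suspended within 24 hours unless you verify your account:
<a href="http://examplebank-verify.example/login">https://examplebank.example/login</a>
"""

LEGIT = """\
From: "Example Bank" <alerts@examplebank.example>
To: customer@customer.example
Subject: Your monthly statement is available

Your statement for last month is ready. Log in at your convenience:
<a href="https://examplebank.example/statements">https://examplebank.example/statements</a>
"""

if __name__ == "__main__":
    for label, sample in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(label, is_suspicious(sample), phishing_indicators(sample))
```

None of these checks is conclusive on its own (a legitimate mailing provider can set a different Reply-To, and banks do write "immediately"), which is why the wrapper counts independent indicators rather than acting on one; in practice the brand table would be replaced by an allow-list of the organisation's own sender domains.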

13
Types of Social Engineering
  • IVR or phone phishing
  • The attacker creates a very legitimate-sounding
    copy of an organization's IVR (interactive voice
    response) system. The attacker then sends an email
    urging people to call a toll-free number to
    verify information. On calling, they readily
    give up their information.

14
Types of Social Engineering
  • Trojan horse
  • These take advantage of people's greed and
    curiosity to propagate malware. They arrive as
    email attachments with attractive subject lines
    which, when opened, introduce a virus into the system.

15
Types of Social Engineering
16
Types of Social Engineering
17
Types of Social Engineering
18
Types of Social Engineering
  • Baiting
  • These are like physical Trojan horses. The
    attacker leaves malware-infected physical media,
    like a CD-ROM with a legitimate-looking but
    curiosity-provoking label, around the workplace;
    when inserted by any user it infects the system.

19
Types of Social Engineering
  • Online Social Engineering
  • Users reuse a single password for all their
    accounts
  • The attacker sends an email inviting the user to
    sign up for some interesting site or some important
    update, asking for a username and a password

20
Types of Social Engineering
  • Reverse social engineering
  • Make people come to you instead of you
  • The attacker sabotages a network, causing a problem
  • He advertises that he is the appropriate person to
    fix the problem
  • When he comes to fix the network problem, he
    requests information from the employees

21
Combat strategies
  • Physical protection
  • Security policies that separate documents into
    different levels or compartments, separation of
    duty, double loop
  • Employee training
  • Lie detectors
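
The slide's "compartments" and "separation of duty" can be made concrete. The policy engine below is an added example for this transcript, not code from the original slides or the cited papers; the levels, compartments, users and document are constructed. It enforces two things a social engineer has to defeat: a helpful employee can only read documents whose level and compartments their clearance dominates (so a helpdesk account cannot hand over an HR file no matter how convincing the caller is), and releasing a sensitive document needs two distinct cleared approvers, neither of whom may be the requester.

```python
"""Compartmented access control plus a two-person release rule.

Added example (not from the original slides). All levels, compartments,
subjects and documents are constructed for illustration.
"""
from dataclasses import dataclass, field

# Ordered sensitivity levels; higher number = more sensitive (constructed).
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}


@dataclass(frozen=True)
class Label:
    """A sensitivity level plus the set of compartments the data belongs to."""
    level: str
    compartments: frozenset = frozenset()


@dataclass
class Subject:
    name: str
    clearance: Label


@dataclass
class Document:
    doc_id: str
    label: Label


def dominates(clearance: Label, label: Label) -> bool:
    """A clearance dominates a label when its level is at least as high and it
    holds every compartment the label requires (the no-read-up rule)."""
    return (LEVELS[clearance.level] >= LEVELS[label.level]
            and label.compartments <= clearance.compartments)


def can_read(subject: Subject, doc: Document) -> bool:
    return dominates(subject.clearance, doc.label)


@dataclass
class ReleaseRequest:
    """Release of a document to an outside party needs two distinct approvers
    who can each read it, and the requester may not approve their own request."""
    doc: Document
    requester: Subject
    approvals: list = field(default_factory=list)

    def approve(self, approver: Subject) -> None:
        if not can_read(approver, self.doc):
            raise PermissionError(f"{approver.name} is not cleared for {self.doc.doc_id}")
        if approver.name == self.requester.name:
            raise PermissionError("requester cannot approve their own release")
        if approver.name in [a.name for a in self.approvals]:
            raise PermissionError(f"{approver.name} has already approved")
        self.approvals.append(approver)

    def is_released(self) -> bool:
        return len(self.approvals) >= 2


# Constructed scenario: a caller pressures the helpdesk for a payroll file.
payroll = Document("payroll-2008-Q3", Label("confidential", frozenset({"HR"})))
helpdesk = Subject("helpdesk", Label("internal"))
hr_lead = Subject("hr_lead", Label("confidential", frozenset({"HR"})))
hr_audit = Subject("hr_audit", Label("restricted", frozenset({"HR", "FIN"})))


def demo() -> dict:
    """Run the scenario and return each outcome for inspection."""
    req = ReleaseRequest(payroll, requester=hr_lead)
    outcome = {"helpdesk_can_read": can_read(helpdesk, payroll)}
    try:
        req.approve(hr_lead)            # requester approving their own request
        outcome["self_approval"] = "allowed"
    except PermissionError:
        outcome["self_approval"] = "denied"
    try:
        req.approve(helpdesk)           # approver without the HR compartment
        outcome["uncleared_approval"] = "allowed"
    except PermissionError:
        outcome["uncleared_approval"] = "denied"
    req.approve(hr_audit)               # first valid approval
    outcome["released_after_one"] = req.is_released()
    return outcome


if __name__ == "__main__":
    print(demo())
```

The point of the two rules together is that no single person, however well-meaning or well-pressured, can complete the disclosure alone: the attacker has to deceive two cleared people, and the policy, not the employee's judgement under pressure, is what says no.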

22
Bibliography
  • Goodchild, J. (2008, Nov). Social Engineering: 8
    Common Tactics. Retrieved Nov 2008, from
    NetworkWorld:
    http://www.networkworld.com/news/2008/110608-social-engineering-eight-common.html
  • Granger, S. (2001, Dec). Social Engineering
    Fundamentals, Part I: Hacker Tactics. Retrieved
    Nov 2008, from SecurityFocus:
    http://www.securityfocus.com/infocus/1527
  • Granger, S. (2002, Jan). Social Engineering
    Fundamentals, Part II: Combat Strategies.
    Retrieved Nov 2008, from SecurityFocus:
    http://www.securityfocus.com/infocus/1533
  • Jose J. Gonzalez, J. M. (2006). A Framework for
    Conceptualizing Social Engineering. CRITIS 2006,
    LNCS 4347, 79-90.
  • Wikipedia. (n.d.). Social engineering (security).
    Retrieved Nov 2008, from Wikipedia:
    http://en.wikipedia.org/wiki/Social_engineering_(security)

23
Bibliography
  • VP contender Sarah Palin hacked.
    http://wikileaks.org/wiki/VP_contender_Sarah_Palin_hacked
  • Three Blind Phreaks.
    http://www.wired.com/wired/archive/12.02/phreaks_pr.html
  • U.S. vs. Mitnick and DePayne.
    http://www.cnn.com/SPECIALS/1999/mitnick.background/indictment/page01.html
  • New Trojan Bait: CNN Videos.
    http://blog.trendmicro.com/new-trojan-bait-cnn-videos/

24
Questions?