The Art of Deception - PowerPoint PPT Presentation

Presentation Transcript
The Art of Deception
  • Presented by
    • Skye Hagen, Asst Director, Office of Information Technology
    • Dr. Carol Taylor, Associate Professor, EWU Computer Science Department

The Art of Deception
- Or -
No tech hacking

Ways to attack a system
  • Find and exploit a vulnerability
    • Rare, and requires a fair degree of knowledge
  • Download an exploit
    • Common, requires no special skills
    • Patched systems usually not vulnerable
    • High value targets well protected against this
Ways to attack a system
  • Get someone to load bad software on their computer
    • Widespread, requires no special skills
    • Anti-malware systems generally prevent this
  • Get someone to reveal their password
    • Widespread, requires no special skills
    • Only you can prevent this from working
Ways to attack a system
  • The last two methods use social engineering, and are the areas we are focusing on today.
    • Can target any number of people, from a single individual up to large numbers of people at once
    • Can work in a number of non-computer settings
The Art of Deception
  • Social engineering is a collection of techniques used to manipulate people into performing actions or divulging confidential information.
  • Usually applies to using trickery for information gathering, computer access, or access to restricted areas.
Other related terms
  • The following slides will cover some common terms you may see in the press.
    • Those marked (new term) are less than a year old.
    • This shows just how rapidly these kinds of attacks change.
Other related terms
  • Phishing
    • E-mail attack used to obtain access to financial systems
      • Online banking
      • Credit card numbers
      • Access to other financial systems
    • Technology related
    • Ultimate goal is to steal money
      • Secondary goal may be to ‘own’ your computer.
Other related terms
  • Spear phishing (new term)
    • Phishing attacks directed against a specific, defined group of people
      • EWU has been subjected to a number of spear phishing attacks this last year
        • Specifically, several attempts to gain access to web mail accounts
  • Whaling (new term)
    • Spear phishing attacks directed against executives of an organization
Other related terms
  • Pretexting (new term)
    • Used in the HP Board of Directors scandal
      • HP hired private investigators who used pretexting to gain call record information from the phone company to try to determine who was leaking information.
    • Usually used by legitimate companies, such as private investigators
    • Practice is of questionable legality
Other related terms
  • Tabloid spam (new term)
    • Uses tabloid style headlines to attract your attention
    • May use the exact same e-mail format as various news services
      • CNN
      • ESPN
      • NBC
Other related terms
  • Vishing (new term)
    • This is phishing via voice
      • Up and coming attack
      • Usually wants you to call a (toll free) number to validate your account
      • Uses a fairly convincing phone menu tree to get you to divulge financial information
Other related terms
  • Pharming
    • A computer attack that misdirects a user to a bogus web site
    • Often implemented as software downloaded from the Internet
Not limited to computers
  • Tailgating
    • Following someone through a secure access point.
  • Shoulder surfing
    • Looking over someone’s shoulder to view a password.
Not limited to computers
  • Cell Phone Camera Identity Theft
    • Using a cell phone camera to capture check or credit card numbers.
  • Dumpster Diving
    • Going through trash (or mailboxes) to obtain account numbers, credit card offers, etc.
How the Internet makes it easy
  • Inherent trust in computers.
    • But this trust is misplaced.
      • No validation of identity.
  • Lack of knowledge and understanding of computers.
Social Engineering Techniques
  • E-mail
    • We see this all the time.
    • Sometimes the spam filter catches them, sometimes it does not.
    • Generally sent to a large number of recipients.
  • Phone calls
    • Usually used for directed attacks.
    • Person attempts to gain specific access.
Social Engineering Techniques
  • In person
    • Used to gain physical access
    • May involve tailgating, or pretending to belong but being unable to get to their access card
    • Overwhelming the lowly receptionist
      • Great example in the movie Sneakers.
How does phishing work?
  • Attack usually starts with an e-mail
    • User must respond to an event, such as an account suspension.
    • Must follow link in e-mail.
      • Does not usually have a phone contact.
    • Describes serious consequences if you do not take immediate action.
    • Tries to get you to make a quick decision.
    • Example of a phishing e-mail.
Phishing attack
  • Once at the fake web site, they try to get you to enter your account and password information.
  • Sites are very realistic.
    • Refer back to example phishing attack.
    • EWU has been subjected to this attack, trying to obtain webmail accounts and passwords.
      • Used to send out more phishing and spam.
What can you do about this?
  • Be careful in all transactions on the Internet.
    • Know the policies and procedures for the financial organizations that you deal with.
      • How will your bank contact you if they detect suspicious activity?
      • How will EWU contact you?
      • Where does this link really go?
      • Look for institutions that use multiple factor authentication.
What can you do about this?
  • Know what to look for
    • Analyze the content of the message
    • Analyze links
    • Follow security procedures
      • Verify identity
Know what to look for (content)
  • Phishing usually falls into one of two types
    • Fear
      • Tries to get you to take immediate action
      • Has dire consequences if action is not taken
    • Greed
      • Advance fee programs
        • Lottery winner
        • Money launderer
        • Business agent
Know what to look for (content)
  • Know the format for toll free numbers
    • Always begin with ‘8’
    • Next two digits are identical
      • 833 is toll free (but not currently in use)
      • 800 is toll free
      • 522 is not toll free
      • EXCEPTION: 811 and 899
    • Or begins with ‘88’
      • 888 only one in use, all others reserved
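The toll-free rule on this slide, turned into a check that scans a message for phone numbers. This is an added example, not part of the original presentation: the sample message and the number-matching pattern are constructed for it, and the rule applied is exactly the one stated above (begins with 8, next two digits identical, 811 and 899 excepted).

```python
"""Added example, not part of the original presentation: scans a message for
phone numbers and applies the slide's toll-free rule to each one.

The rule is the one stated on the slide: a toll-free area code begins with 8,
its next two digits are identical (800, 833, 844, 855, 866, 877, 888), and
811 and 899 are excepted. The message text and the number pattern below are
constructed for this example.
"""
import re

# Optional leading "1", then a 3-digit area code (captured) and seven more
# digits, allowing the usual separators and parentheses.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?(\d{3})\)?[\s.-]?\d{3}[\s.-]?\d{4}")


def is_toll_free(area_code: str) -> bool:
    """Slide rule: first digit 8, next two digits identical, not 811 or 899."""
    if len(area_code) != 3 or not area_code.isdigit():
        return False
    if area_code in ("811", "899"):
        return False
    return area_code[0] == "8" and area_code[1] == area_code[2]


def classify_numbers(message: str) -> list[tuple[str, bool]]:
    """Every phone number found in the text, paired with its toll-free status."""
    return [(m.group(0), is_toll_free(m.group(1))) for m in PHONE_RE.finditer(message)]


# Constructed vishing-style message; 555-01xx numbers are reserved for fiction.
SAMPLE_MESSAGE = (
    "Your account has been suspended. Call 1-800-555-0199 within 24 hours "
    "to validate it, or reach our office at (522) 555-0100."
)

if __name__ == "__main__":
    for number, toll_free in classify_numbers(SAMPLE_MESSAGE):
        print(f"{number:18} toll-free={toll_free}")
```

A toll-free number in an unsolicited "validate your account" message is the pattern the Vishing slide describes; the check only tells you the number is toll-free, the decision to call it (or rather, to use the number printed on your card instead) is still yours.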
Know what to look for (URL)
  • Example link: http://www.ewu.edu/securityawareness
    • http:// is the protocol; may also be https://
    • www.ewu.edu is the computer name; the clues are in this portion. May also look like a number, such as 146.187.3.190.
    • /securityawareness is the specific page, irrelevant for analysis
Know what to look for (URL)
  • Look at the link in the status bar, not the text in the message body
  • See Associated Bank example
  • If the computer name is a number in the form (146.187.3.190), this is ALWAYS suspect, NEVER click on this kind of link
    • http://198.43.28.24 is not valid
    • https://87.34.87.205/paypal/login is not valid
Know what to look for (URL)
  • Look deeper into the computer name; the last two words (separated by periods) are the domain. Is this valid? (Use Google to check)
    • http://www.ewu.edu/securityawareness
      • ewu.edu is owned by EWU
    • https://paypal.redirect.ru/login
      • Not valid, PayPal is paypal.com, not redirect.ru
    • http://login.paypal-verify.com
      • Not valid, PayPal is paypal.com, not paypal-verify.com
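As an added example (not part of the original presentation), the checks from this slide and the previous one carried out in Python: flag a numeric computer name, take the last two labels as the domain, compare it with the domain the message claims, and compare a link's visible text with where it actually goes. The sample links are the slide's own; the anchor text, the expected-domain parameter and the two-label definition of "domain" are assumptions made for the example.

```python
"""Added example, not part of the original presentation: applies this slide's
URL checks to a handful of links in code.

Assumption: "the domain" is taken, as the slide defines it, to be the last two
dot-separated labels of the computer name. A production checker would use the
Public Suffix List instead, because hosts such as example.co.uk have a
three-label registrable domain.
"""
import ipaddress
from urllib.parse import urlsplit


def host_is_ip_literal(host: str) -> bool:
    """True when the computer name is a bare IP address (slide: ALWAYS suspect)."""
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True


def registrable_domain(host: str) -> str:
    """The slide's 'domain': the last two labels of the host name."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyze_link(url: str, expected_domain: str) -> dict:
    """Apply the slide's checks to one link.

    expected_domain is the domain the message claims to be from (e.g. the
    bank's real domain). The verdict is 'ok' only when the host is a name,
    not a number, and its domain matches that expectation exactly.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    ip_literal = host_is_ip_literal(host)
    domain = "" if ip_literal else registrable_domain(host)
    if ip_literal:
        reason = "computer name is a bare IP address"
    elif domain != expected_domain.lower():
        reason = f"domain is {domain}, not {expected_domain}"
    else:
        reason = "domain matches"
    return {
        "url": url,
        "scheme": parts.scheme,  # http or https; the slide notes both occur
        "host": host,
        "domain": domain,
        "verdict": "ok" if reason == "domain matches" else "suspect",
        "reason": reason,
    }


def link_text_mismatch(link_text: str, href: str) -> bool:
    """Slide: read the target in the status bar, not the text in the message.

    Flags anchor text that names one domain while the href points at another.
    Plain words such as 'Click here' make no domain claim and are not flagged.
    """
    text = link_text.strip()
    if " " in text or "." not in text:
        return False
    if "://" not in text:
        text = "http://" + text
    text_host = urlsplit(text).hostname or ""
    href_host = urlsplit(href).hostname or ""
    return registrable_domain(text_host) != registrable_domain(href_host)


if __name__ == "__main__":
    # The slide's own example links, checked against the domain each claims.
    for url, claimed in [
        ("http://www.ewu.edu/securityawareness", "ewu.edu"),
        ("http://198.43.28.24", "paypal.com"),
        ("https://87.34.87.205/paypal/login", "paypal.com"),
        ("https://paypal.redirect.ru/login", "paypal.com"),
        ("http://login.paypal-verify.com", "paypal.com"),
    ]:
        r = analyze_link(url, claimed)
        print(f"{r['verdict']:8} {url}  ({r['reason']})")

    # Constructed anchor: the visible text says one thing, the target another.
    print(link_text_mismatch("www.paypal.com", "https://paypal.redirect.ru/login"))
```

Note that https:// on its own proves nothing about who runs the site (the slide's https://87.34.87.205/paypal/login example is still suspect), which is why the verdict depends on the computer name rather than the protocol.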
What can you do about this?
  • Consider using prepaid credit cards for purchases.
    • Exposure is limited.
    • Card not tied in any way to your banking accounts.
    • Card does not impact your credit rating.
    • Visa offers cards directly.
    • A number of companies offer branded Visa or MasterCard prepaid cards.
What can you do about this?
  • Consider credit report monitoring.
    • Not a be all, end all solution.
    • Only identifies when your credit is impacted.
      • Will indirectly show credit card activity.
    • Does not protect against your accounts being drained.
  • Shred financial documents, including account statements and credit card offers.
What can you do about this?
  • Use a different password for each financial account you have.
    • Yes, this can be a pain to remember.
    • Use a password manager to help manage your accounts and passwords.
What can you do about this?
  • Check out the security arrangements before signing up for online banking.
    • What access controls do they use?
    • Look for multiple authenticators
      • Something you know (password, image)
      • Something you possess (token)
      • Something you are (fingerprint)
What can you do about this?
  • Use anti-virus software, and keep it up to date.
  • Use anti-malware software, and likewise, keep it up to date.
  • Consider using an anti-phishing tool bar on your web browser.
    • Built in to newer browsers.
  • Keep your system patched.
What to do if you are a victim?
  • Contact your financial institutions.
    • Most have help services for identity theft.
  • Check your state’s web site.
    • Usually the Attorney General or the Secretary of State.
  • Check the web site for the Federal Trade Commission.
    • www.ftc.gov
Test Your Knowledge
  • Various anti-phishing games
    • http://www.sonicwall.com/phishing/
    • http://survey.mailfrontier.com/survey/quiztest.cgi?themailfrontierphishingiqtest
    • http://cups.cs.cmu.edu/antiphishing_phil
  • Google with a search of ‘phishing quiz’.
References
  • Kevin Mitnick, The Art of Deception
    • Book about using social engineering techniques to gain access to facilities and systems. Available in Library!
  • Wikipedia
    • Search for ‘phishing’, ‘pharming’ and ‘phreaking’.
  • The Anti-Phishing Working Group
    • www.antiphishing.org
References (cont’d)
  • Federal Trade Commission
    • www.ftc.gov
  • State Attorneys General or state trade commissions.
  • Your bank’s web site
    • Usually contains privacy and security pages that explain your rights and how the institution safeguards access.
Thanks for attending!
  • Copy of presentation will be available at…
  • www.ewu.edu/securityawareness
  • I have also sent a copy to the QSI people, in case they are assembling a web site.