The Art of Deception - PowerPoint PPT Presentation

Presentation Transcript
The Art of Deception

  • Presented by

    Skye Hagen

    Asst Director

    Office of Information Technology

    Dr. Carol Taylor

    Associate Professor

    EWU Computer Science Department


The Art of Deception

- Or -

No tech hacking


Ways to attack a system

  • Find and exploit a vulnerability

    • Rare, and requires a fair degree of knowledge

  • Download an exploit

    • Common, requires no special skills

    • Patched systems usually not vulnerable

    • High value targets well protected against this


Ways to attack a system

  • Get someone to load bad software on their computer

    • Widespread, requires no special skills

    • Anti-malware systems generally prevent

  • Get someone to reveal their password

    • Widespread, requires no special skills

    • Only you can prevent this from working


Ways to attack a system

  • The last two methods use social engineering, and are the areas we are focusing on today.

    • Can target any number of people, from a single individual up to large numbers of people at once

    • Can work in a number of non-computer settings


The Art of Deception

  • Social engineering is a collection of techniques used to manipulate people into performing actions or divulging confidential information.

  • Usually applies to using trickery for information gathering, computer access, or access to restricted areas.


Other related terms

  • The following slides will cover some common terms you may see in the press.

    • Those terms marked (new term) are less than a year old.

    • This shows just how rapidly these kinds of attacks change.


Other related terms

  • Phishing

    • E-mail attack used to obtain access to financial systems

      • On line banking

      • Credit card numbers

      • Access to other financial systems

    • Technology related

    • Ultimate goal is to steal money

      • Secondary goal may be to ‘own’ your computer.


Other related terms

  • Spear phishing (new term)

    • Phishing attacks directed against a specific, defined group of people

      • EWU has been subjected to a number of spear phishing attacks this last year

        • Specifically, several attempts to gain access to web mail accounts

  • Whaling (new term)

    • Spear phishing attacks directed against executives of an organization


Other related terms

  • Pretexting (new term)

    • Used in the HP Board of Directors scandal

      • HP hired private investigators who used pretexting to gain call record information from the phone company to try to determine who was leaking information.

    • Usually used by legitimate companies, such as private investigators

    • Practice is of questionable legality


Other related terms

  • Tabloid spam (new term)

    • Uses tabloid style headlines to attract your attention

    • May use the exact same e-mail format as various news services

      • CNN

      • ESPN

      • NBC


Other related terms

  • Vishing (new term)

    • This is phishing via voice

      • Up and coming attack

      • Usually wants you to call a (toll free) number to validate your account

      • Uses a fairly convincing phone menu tree to get you to divulge financial information


Other related terms

  • Pharming

    • A computer attack that misdirects a user to a bogus web site

    • Often implemented as software downloaded from the Internet


Not limited to computers

  • Tailgating

    • Following someone through a secure access point.

  • Shoulder surfing

    • Looking over someone’s shoulder to view a password.


Not limited to computers

  • Cell Phone Camera Identity Theft

    • Using a cell phone camera to capture check or credit card numbers.

  • Dumpster Diving

    • Going through trash (or mailboxes) to obtain account numbers, credit card offers, etc.


How the Internet makes it easy

  • Inherent trust in computers.

    • But this trust is misplaced.

      • No validation of identity.

  • Lack of knowledge and understanding of computers.


Social Engineering Techniques

  • E-mail

    • We see this all the time.

    • Sometimes the spam filter catches them, sometimes it does not.

    • Generally sent to a large number of recipients.

  • Phone calls

    • Usually used for directed attacks.

    • Person attempts to gain specific access.


Social Engineering Techniques

  • In person

    • Used to gain physical access

    • May involve tailgating, or pretending to belong but just not being able to get to their access card

    • Overwhelming the lowly receptionist

      • Great example in the movie Sneakers.


How does phishing work?

  • Attack usually starts with an e-mail

    • User must respond to an event, such as an account suspension.

    • Must follow link in e-mail.

      • Does not usually have a phone contact.

    • Describes serious consequences if you do not take immediate action.

    • Tries to get you to make a quick decision.

    • Example of a phishing e-mail.


Phishing attack

  • Once at the fake web site, they try to get you to enter your account and password information.

  • Sites are very realistic.

    • Refer back to example phishing attack.

    • EWU has been subjected to this attack, trying to obtain webmail accounts and passwords.

      • Used to send out more phishing and spam.


What can you do about this?

  • Be careful in all transactions on the Internet.

    • Know the policies and procedures for the financial organizations that you deal with.

      • How will your bank contact you if they detect suspicious activity?

      • How will EWU contact you?

      • Where does this link really go to?

      • Look for institutions that use multiple factor authentication.


What can you do about this?

  • Know what to look for

    • Analyze the content of the message

    • Analyze links

    • Follow security procedures

      • Verify identity


Know what to look for (content)

  • Phishing usually falls into one of two types

    • Fear

      • Tries to get you to take immediate action

      • Has dire consequences if action is not taken

    • Greed

      • Advance fee programs

        • Lottery winner

        • Money launderer

        • Business agent


Know what to look for (content)

  • Know the format for toll free numbers

    • Always begin with ‘8’

    • Next two digits are identical

      • 833 is toll free (but not currently in use)

      • 800 is toll free

      • 522 is not toll free

      • EXCEPTION: 811 and 899

    • Or begins with ‘88’

      • 888 only one in use, all others reserved
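The toll-free rule on this slide is easy to apply mechanically, so here is an added example (not code from the presentation) that normalizes a phone number as it would appear in an e-mail and classifies its prefix using exactly the slide's rules: begins with 8 and the next two digits are identical, or begins with 88, with 811 and 899 excluded. Prefixes the slide calls reserved (such as 833 or 880) count as toll-free format, because the point is to recognize the format, not whether a carrier has assigned it. The sample numbers are constructed.

```python
import re

# Rules taken from the slide: prefix begins with 8 and the next two digits are
# identical, or begins with 88; 811 and 899 are the stated exceptions.
# (Added example, not the presentation's own code.)
NOT_TOLL_FREE = {"811", "899"}


def area_code(number):
    """Strip formatting and an optional leading country code 1; return the 3-digit prefix."""
    digits = re.sub(r"\D", "", number)
    if len(digits) == 11 and digits[0] == "1":
        digits = digits[1:]
    if len(digits) != 10:
        raise ValueError(f"not a 10-digit North American number: {number!r}")
    return digits[:3]


def is_toll_free(number):
    """True when the number has the toll-free format described on the slide."""
    code = area_code(number)
    if code in NOT_TOLL_FREE:
        return False
    return code.startswith("88") or (code[0] == "8" and code[1] == code[2])


if __name__ == "__main__":
    # Constructed sample numbers (555 exchange, not real subscribers)
    for sample in ("1-800-555-0100", "(888) 555-0100", "833.555.0100",
                   "811-555-0100", "522-555-0100"):
        print(sample, "toll free" if is_toll_free(sample) else "not toll free")
```

A number that fails this check but is presented as "call us toll free" is one of the content mismatches the slide is asking you to notice.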


Know what to look for (URL)

http://www.ewu.edu/securityawareness

  • http://

    • Protocol, may also be https://

  • www.ewu.edu

    • Computer name, the clues are in this portion. May also look like a number, such as 146.187.3.190.

  • /securityawareness

    • Specific page, irrelevant for analysis


Know what to look for (URL)

  • Look at the link in the status bar, not the text in the message body

  • See Associated Bank example

  • If the computer name is a number in the form (146.187.3.190), this is ALWAYS suspect, NEVER click on this kind of link

    • http://198.43.28.24 is not valid

    • https://87.34.87.205/paypal/login is not valid


Know what to look for (URL)

  • Look deeper into the computer name; the last two words (separated by periods) are the domain. Is this valid? (Use Google to check)

    • http://www.ewu.edu/securityawareness

      • ewu.edu is owned by EWU

    • https://paypal.redirect.ru/login

      • Not valid, PayPal is paypal.com, not redirect.ru

    • http://login.paypal-verify.com

      • Not valid, PayPal is paypal.com, not paypal-verify.com
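The content checks (fear and greed cues, no phone contact) and the URL checks (status-bar target versus display text, numeric host, registrable domain versus the expected one) from the preceding slides can be combined into a small triage script. The following is an added example, not code from the presentation; the cue word lists, the multi-label suffix set and the sample message are all constructed here. It also extends the slide's "last two words are the domain" rule with a tiny list of two-label suffixes (co.uk and the like), since a full checker would load the Public Suffix List rather than rely on the last two labels alone.

```python
"""Phishing e-mail triage (added example, not the presentation's own code)."""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed cue lists; a real filter would use a much larger, tuned set.
FEAR_CUES = ("suspend", "locked", "verify your account", "immediately",
             "within 24 hours", "unauthorized")
GREED_CUES = ("lottery", "winner", "beneficiary", "commission", "business proposal")
# Assumption: a handful of multi-label suffixes stands in for the Public Suffix List.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

PHONE_RE = re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b")
HOSTLIKE_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})")


class _LinkCollector(HTMLParser):
    """Collects (href, display text) pairs: the status-bar target vs. what you see."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def registrable_domain(host):
    """Slide rule: the last two labels are the domain, extended for known multi-label suffixes."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyze_link(href, display_text, expected_domain):
    """Return the slide's URL findings for one link (empty list means no concern)."""
    findings = []
    host = urlparse(href).hostname or ""
    if not host:
        return ["no host in link target"]
    if is_ip_literal(host):
        findings.append("ip-literal host")
    elif registrable_domain(host) != expected_domain:
        findings.append(f"domain {registrable_domain(host)} is not {expected_domain}")
    shown = HOSTLIKE_RE.search(display_text.lower())
    if shown and registrable_domain(shown.group(1)) != registrable_domain(host):
        findings.append("display text does not match link target")
    return findings


def analyze_message(text, html, expected_domain):
    """Combine the content cues and the per-link findings for one message."""
    lower = text.lower()
    findings = []
    if any(cue in lower for cue in FEAR_CUES):
        findings.append("fear/urgency cue")
    if any(cue in lower for cue in GREED_CUES):
        findings.append("greed/advance-fee cue")
    if not PHONE_RE.search(text):
        findings.append("no phone contact")
    for href, shown in extract_links(html):
        for finding in analyze_link(href, shown, expected_domain):
            findings.append(f"link {href}: {finding}")
    return findings


# Constructed sample modelled on the webmail attacks the slides mention.
SAMPLE_TEXT = ("Your EWU webmail account will be suspended within 24 hours unless "
               "you verify your account immediately. Click the link below.")
SAMPLE_HTML = ('<p>Your EWU webmail account will be suspended within 24 hours.</p>'
               '<a href="http://198.43.28.24/webmail/login">www.ewu.edu/webmail</a>')

if __name__ == "__main__":
    for finding in analyze_message(SAMPLE_TEXT, SAMPLE_HTML, "ewu.edu"):
        print(finding)
```

Run against the sample, the script reports the urgency cue, the absence of a phone contact, the numeric host, and the mismatch between the visible `www.ewu.edu` text and the real link target; the three URLs on the slides above (the valid ewu.edu one, paypal.redirect.ru and login.paypal-verify.com) are classified the same way the slides classify them.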


What can you do about this?

  • Consider using prepaid credit cards for purchases.

    • Exposure is limited.

    • Card not tied in any way to your banking accounts.

    • Card does not impact your credit rating.

    • Visa offers cards directly.

    • A number of companies offer branded Visa or MasterCard prepaid cards.


What can you do about this?

  • Consider credit report monitoring.

    • Not a be-all, end-all solution.

    • Only identifies when your credit is impacted.

      • Will indirectly show credit card activity.

    • Does not protect against your accounts being drained.

  • Shred financial documents, including account statements and credit card offers.


What can you do about this?

  • Use a different password for each financial account you have.

    • Yes, this can be a pain to remember.

    • Use a password manager to help manage your accounts and passwords.


What can you do about this?

  • Check out the security arrangements before signing up for online banking.

    • What access controls do they use?

    • Look for multiple authenticators

      • Something you know (password, image)

      • Something you possess (token)

      • Something you are (fingerprint)


What can you do about this?

  • Use anti-virus software, and keep it up to date.

  • Use anti-malware software, and likewise, keep it up to date.

  • Consider using an anti-phishing tool bar on your web browser.

    • Built-in in newer browsers.

  • Keep your system patched.


What to do if you are a victim?

  • Contact your financial institutions.

    • Most have help services for identity theft.

  • Check your state’s web site.

    • Usually the Attorney General or the Secretary of State.

  • Check the web site for the Federal Trade Commission.

    • www.ftc.gov


Test Your Knowledge

  • Various anti-phishing games

    • http://www.sonicwall.com/phishing/

    • http://survey.mailfrontier.com/survey/quiztest.cgi?themailfrontierphishingiqtest

    • http://cups.cs.cmu.edu/antiphishing_phil

  • Google with a search of ‘phishing quiz’.


References

  • Kevin Mitnick, The Art of Deception

    • Book about using social engineering techniques to gain access to facilities and systems. Available in Library!

  • Wikipedia

    • Search for ‘phishing’, ‘pharming’ and ‘phreaking’.

  • The Anti-Phishing Working Group

    • www.antiphishing.org


References (cont’d)

  • Federal Trade Commission

    • www.ftc.gov

  • State Attorney’s General or state trade commissions.

  • Your bank’s web site

    • Usually contains privacy and security pages that explain your rights and how the institution safeguards access.


Thanks for attending!

  • Copy of presentation will be available at…

  • www.ewu.edu/securityawareness

  • I have also sent a copy to the QSI people, in case they are assembling a web site.

