Test taking and cheating
Test Taking and Cheating

ISAW 2008 UofU

Dave Packham


Don’t Cheat on THIS test, Cheat on the NEXT one

  • There will be 2 tests today. Cheat on the second one please

  • Please Leave the TEST face down

  • You will have 2 minutes to take the test

  • Please answer everything as accurately as possible on the first test.

  • I will show you the cheats after the test is over and let you take it again.


Test taking and cheating

  • START

  • You have 2 minutes


Test taking and cheating

  • STOP


Test taking and cheating

  • And now for the Test Cheating Info


You WERE the TEST


Test taking and cheating

Exploits “layer 8”

  • There is no computer system on Earth that does not rely on humans

  • S.E. completely bypasses all information controls and goes directly after the weakest link:


The OSI model

7. application

6. presentation

5. session

4. transport

3. network

2. link

1. physical (cyberspace)


The OSI model

8. human

7. application

6. presentation

5. session

4. transport

3. network

2. link

1. physical (cyberspace)

0. physical (meatspace)


Stuff I've Seen THIS WEEK

  • Talking to a T-Mobile operator: got my new home phone even though they should not have

  • A fax sent to the wrong place.

  • Listening to co-workers use automated voice systems

  • Cell phones' outer display

  • Cell phone conversations on public transit

  • Ask someone their name... get their last name, fake that you know their mom, and insert a fake middle name in hopes that they correct it

  • DTMF tones are songs and can be memorized

  • Someone passing out a USB key watch… that he “FOUND”


Exploits “layer 8”

  • There is no computer system on Earth that does not rely on humans

  • S.E. completely bypasses all information controls and goes directly after the weakest link:


Social engineering

  • The art and science of getting people to comply with your wishes.

  • Not a form of mind control

  • Lots of groundwork

    • Information-gathering

    • Idle chit-chat

    • Amusing accents

    • Most of the work is in preparation


Uh, isn’t that what selling is?

  • To sell: create a spark

  • Predict

    • What the eye will see

    • What the ear will hear

    • What the mind will think

  • The highest form of selling:

    • In a way that the consumer is unaware she is being sold


Social engineering

  • The art and science of getting people to comply with your wishes.

  • Is the highest form of hacking

    • Can be very easy

    • Often yields largest rewards

  • Natural human desire to help leaves us vulnerable

    • And can undermine all technical countermeasures


Suave and sophisticated

  • Only amateurs ask for passwords

  • Build emotional bond—even trust

    • Administrators

    • Security personnel

    • Any likely possessor of information

  • Anyone with access is a potential risk

    • Electronic or physical

    • Includes people outside the policy


Cute Girls are SOCIAL


Types of exploits

  • Diffusion of responsibility: “The veep says you won’t bear any responsibility…”

  • Chance for ingratiation: “Look at what you might get out of this!”

  • Trust relationships: “He’s a good guy, I think I can trust him”

  • Moral duty: “You must help me! Aren’t you so mad about it?”


Types of exploits

  • Guilt: “What, you don’t want to help me?”

  • Identification: “You and I are really two of a kind, huh?”

  • Desire to be helpful: “Would you help me here, please?”

  • Cooperation: “Let’s work together. We can do so much!”


More psychological triggers

  • Strong affect

  • Overloading

  • Reciprocation

  • Deceptive relationships

  • Authority

  • Integrity and consistency


Involvement vs. influence


Public access terminals: gold!


The help desk

  • People are naturally helpful

  • Its function is to help—to provide answers

    • Like all customer service

  • Generally not trained to question the validity of each call

    • Minimally-educated about security

    • Don’t get paid much

    • Objective: move on to next call


Try it yourself!

  • Be professional.

  • Be calm.

  • Know your mark.

  • Do not fool a superior scammer.

  • Plan your escape from your scam.

  • Be a woman.

  • Use watermarks.

  • Make business cards and fake names.

  • Manipulate the less fortunate, the unaware, and the stupid.

  • Use a team if you have to.


Why It Succeeds


People vs. machines

Six problems that show the inherent conflict between carbon and silicon

  • How do people perceive risk?

  • How do people handle exceptions?

  • Why do people trust computers?

  • Why do we think people can make intelligent security decisions?

  • Are there malicious insiders?

  • Why are people vulnerable to social engineering?


Awkward exception handling

  • Computer mistakes are rare; people don’t know how to deal with them

    • Sometimes we just ignore or disable the alarm

    • Attackers take advantage of mistakes

  • Drills ensure people know what to do

  • “This computer never makes mistakes, so you must be lying”


My Daughter's LAPTOP

  • EDU installed a BATCH file to enable security that runs every boot

  • It prompts her to allow it every boot with UAC.

  • She has now been conditioned to accept everything so she can get to work

  • A friend used MS PowerShell to prompt her for her password….

  • PWNED


Test taking and cheating

Hell not again… we gotta fix that stupid alarm

Damn, this new Whyte Ryce album kicks!

George’ll shut it off when he looks up, he always does


Trusting the computer

  • People don’t sign or encrypt stuff…software does!

    • Necessary to securely transfer human volition to computer action

  • Volition can be forged…make the computer lie

    • Trojan horse feeds malicious document into signing system when key is opened to sign something else
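The last bullet describes a substitution attack on a signing system: the user approves one document, and a Trojan hands the signer a different one while the key is open. The Python below is an added example, not part of the slides, showing the defensive pattern that closes this gap: the token that travels from the human to the signer is the digest of what was displayed, and the signer refuses to sign anything else. An HMAC stands in for the real asymmetric signature so the block runs on the standard library alone; the function names, the key and the two sample documents are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Added example (not from the slides): "what you see is what you sign".
# A real deployment would use an asymmetric signature (e.g. Ed25519); here an
# HMAC over the approved digest stands in for the signature so the block runs
# with the standard library only.


class SubstitutionDetected(Exception):
    """The document handed to the signer is not the one the user approved."""


def digest(document: bytes) -> str:
    return hashlib.sha256(document).hexdigest()


def user_approves(document: bytes) -> str:
    """Step 1: the human reviews the document on a trusted display and the
    approval token is the digest of exactly those bytes, not a file handle
    that a Trojan could re-point later."""
    return digest(document)


def sign(document: bytes, approved_digest: str, key: bytes) -> bytes:
    """Step 2: the signer binds the signature to the approved digest and
    refuses anything else, so a swapped document is an error, not a signature."""
    actual = digest(document)
    if not hmac.compare_digest(actual, approved_digest):
        raise SubstitutionDetected(
            f"approved {approved_digest[:12]}..., but was handed {actual[:12]}..."
        )
    return hmac.new(key, actual.encode(), hashlib.sha256).digest()


def verify(document: bytes, signature: bytes, key: bytes) -> bool:
    expected = hmac.new(key, digest(document).encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


def demo() -> dict:
    """Walk through the honest case and the substitution the slide describes."""
    key = secrets.token_bytes(32)
    honest = b"Transfer 100 to ACME (invoice 42)"      # constructed sample
    swapped = b"Transfer 100000 to attacker account"   # constructed sample

    approved = user_approves(honest)        # human saw and approved `honest`
    sig = sign(honest, approved, key)       # signer signs what was approved
    result = {
        "honest_verifies": verify(honest, sig, key),
        "swapped_verifies": verify(swapped, sig, key),  # signature does not transfer
    }
    try:
        sign(swapped, approved, key)        # Trojan feeds in a different document
        result["substitution_caught"] = False
    except SubstitutionDetected:
        result["substitution_caught"] = True
    return result


if __name__ == "__main__":
    print(demo())
```

The check only helps if the digest the user approves really is computed over what the trusted display showed; if the Trojan controls the display as well, the human is approving the wrong bytes and no binding at the signer can recover that.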


Who needs physical access?


Making security decisions

  • People want security…

    …but they don’t want to see it working

  • And will disable or circumvent it if it gets in the way of work

  • Yet good security relies on interaction

    • Checking the name on a digital certificate

    • The allure of email worms with sexy subject lines

    • JavaScript warning dialogs


Malicious insiders

  • Implicitly trusted

  • Digital world is rife with insider knowledge

    • Authors of security programs

    • Installers of firewalls

    • Auditors

  • Hire honest people

    • Integrity screening

    • Diffuse trust

    • Public code reviews


Tools And Techniques


So you wanna be a social engineer

  • You need two things:

    • A telephone

    • A “mark” (maybe a former best friend)


Other useful bits

  • ANI (caller ID) if planning a callback scam

  • Voice changer

  • Ability to think quickly


Fingering the mark

  • Need collection of information tidbits to create sense of authenticity

  • Obtain a list of employee and computer names

    • whois

    • finger

    • Domain registration records

    • Target organization’s own web site

    • Google, anyone?


Make a site visit

  • Look good!—blend in

  • Fake ID badge

  • Observe typical entry/exit behavior

  • Stride with confidence; pretend you belong

  • Private offices are best

  • Computer connections

  • Posted lists and notes

  • Ask low-level employees


Dumpster diving

  • Memos

  • Phone books

  • Policy manuals

  • Calendars

  • System manuals

  • Disks and tapes

  • Organizational charts

  • Printouts of names and passwords

  • Printouts of source code

  • Old discarded hardware


Building the picture

  • Faking a phone rep could work…

  • Try the written word: built-in trust

    • “You might already be a winner!”

    • “We value your opinion…”

    • Be official-looking mass mail

    • “We will need a password to verify…”

  • Follow up with a phone call

    • Ask for the password and other data

    • Listen to speech pattern


Fingerprinting a system

  • NMAP

  • ICMP (Ofir Arkin’s paper)

  • Telnet for banners

  • Domain records and job web sites

  • Portscanning
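The slide lists fingerprinting from the attacker's side. As an added example, not from the slides, the Python below shows the matching detection on the defender's side: a sliding-window count of distinct destination ports per source address over a firewall log, which is the footprint a port scan leaves regardless of which tool produced it. The log format, the addresses, the 60-second window and the threshold of 10 ports are all assumptions of the example, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall log (not from the slides). Format assumed for this
# example: "<ISO timestamp> <src ip> <dst ip> <dst port> <action>".
# 10.0.0.5 sweeps twelve ports in thirteen seconds; 10.0.0.7 and 10.0.0.9 are
# ordinary clients.
SAMPLE_LOG = """\
2008-05-01T10:00:00 10.0.0.7 192.168.1.10 80 ACCEPT
2008-05-01T10:00:01 10.0.0.5 192.168.1.10 21 DROP
2008-05-01T10:00:02 10.0.0.5 192.168.1.10 22 ACCEPT
2008-05-01T10:00:03 10.0.0.5 192.168.1.10 23 DROP
2008-05-01T10:00:04 10.0.0.5 192.168.1.10 25 DROP
2008-05-01T10:00:05 10.0.0.7 192.168.1.10 443 ACCEPT
2008-05-01T10:00:06 10.0.0.5 192.168.1.10 53 DROP
2008-05-01T10:00:07 10.0.0.5 192.168.1.10 80 ACCEPT
2008-05-01T10:00:08 10.0.0.5 192.168.1.10 110 DROP
2008-05-01T10:00:09 10.0.0.5 192.168.1.10 135 DROP
2008-05-01T10:00:10 10.0.0.5 192.168.1.10 139 DROP
2008-05-01T10:00:11 10.0.0.5 192.168.1.10 143 DROP
2008-05-01T10:00:12 10.0.0.5 192.168.1.10 443 ACCEPT
2008-05-01T10:00:13 10.0.0.5 192.168.1.10 445 DROP
2008-05-01T10:05:00 10.0.0.7 192.168.1.10 80 ACCEPT
2008-05-01T10:09:00 10.0.0.9 192.168.1.10 22 ACCEPT
2008-05-01T10:09:30 10.0.0.9 192.168.1.10 22 ACCEPT
"""


def parse_line(line: str):
    """Split one log line into (timestamp, src, dst, port, action)."""
    ts, src, dst, port, action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port), action


def find_port_scans(log_text: str,
                    window: timedelta = timedelta(seconds=60),
                    threshold: int = 10) -> dict:
    """Return {src_ip: sorted list of every port it touched} for each source
    that reached at least `threshold` distinct destination ports inside some
    `window`-long span. Dropped and accepted connections both count: a scan
    is about breadth of ports, not about whether they were open."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, _dst, port, _action = parse_line(line)
        events[src].append((ts, port))

    scanners = {}
    for src, evs in events.items():
        evs.sort()                      # sliding window needs time order
        start = 0
        for end in range(len(evs)):
            # advance the left edge until the window is at most `window` wide
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = {port for _, port in evs[start:end + 1]}
            if len(distinct) >= threshold:
                scanners[src] = sorted({port for _, port in evs})
                break
    return scanners


if __name__ == "__main__":
    for src, ports in find_port_scans(SAMPLE_LOG).items():
        print(f"possible port scan from {src}: {len(ports)} ports {ports}")
```

Tune the window and threshold to the network: a monitoring host that legitimately polls many ports will trip this rule, so an allow-list of known scanners belongs in front of any alert.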


Mounting the attack

  • You’ve got information on—

    • Your mark

    • The computer system

  • Call organization’s help desk

    • Feign inability to log on

    • Can pass verification checks with info you’ve gathered

    • Prey on lack of social skills 

    • “I’ve seen you at work…”

    • Be judicious—don’t ask for too much


Reverse social engineering

  • Sabotage

    • Cause a problem on target’s network

  • Advertising

    • Leave business card around

    • Incorporate contact info in error message

  • Assistance

    • Fix the problem while obtaining info

    • Don’t forget to leave a back door or two…


S.E. usually ignored

  • S.E. viewed as attack against intelligence

    • No one wants to admit they were duped

  • Technical people are proud of their knowledge

    • Often like to share

  • Everyone is susceptible, given a sufficiently persuasive social engineer


Don’t encourage bad behavior!


Don’t encourage bad behavior!


Test taking and cheating

Oh Yeah. Shred that TEST with all your info on it 


Test taking and cheating

Questions?

