1 / 37

The Art of Deception

The Art of Deception. Presented by Skye Hagen Asst Director Office of Information Technology Dr. Carol Taylor Associate Professor EWU Computer Science Department. The Art of Deception. - Or - No tech hacking. Ways to attack a system. Find and exploit a vulnerability

jeroen
Download Presentation

The Art of Deception

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. The Art of Deception • Presented by Skye Hagen Asst Director Office of Information Technology Dr. Carol Taylor Associate Professor EWU Computer Science Department

  2. The Art of Deception - Or - No tech hacking

  3. Ways to attack a system • Find and exploit a vulnerability • Rare, and requires a fair degree of knowledge • Download an exploit • Common, requires no special skills • Patched systems usually not vulnerable • High value targets well protected against this

  4. Ways to attack a system • Get someone to load bad software on their computer • Proliferate, requires no special skills • Anti-malware systems generally prevent • Get someone to reveal their password • Proliferate, requires no special skills • Only you can prevent this from working

  5. Ways to attack a system • The last two methods use social engineering, and are the areas we are focusing on today. • Can target any number of people, from a single individual up to large numbers of people at once • Can work in a number of non-computer settings

  6. The Art of Deception • Social engineering is a collection of techniques used to manipulate people into performing actions or divulging confidential information. • Usually applies to using trickery for information gathering, computer access, or access to restricted access areas.

  7. Other related terms • The following slides will cover some common terms you may see in the press. • Those terms marked new terms are less than a year old. • This shows just how rapidly these kinds of attacks change.

  8. Other related terms • Phishing • E-mail attack used to obtain access to financial systems • On line banking • Credit card numbers • Access to other financial systems • Technology related • Ultimate goal is to steal money • Secondary goal may be to ‘own’ your computer.

  9. Other related terms • Spear phishing (new term) • Phishing attacks directed against a specific, defined group of people • EWU has been subjected to a number of spear phishing attacks this last year • Specifically, several attempts to gain access to web mail accounts • Whaling (new term) • Spear phishing attacks directed against executives of an organization

  10. Other related terms • Pretexting (new term) • Used in the HP Board of Directors scandal • HP hired private investigators who used pretexting to gain call record information from the phone company to try to determine who was leaking information. • Usually used by legitimate companies, such as private investigators • Practice is of questionable legality

  11. Other related terms • Tabloid spam (new term) • Uses tabloid style headlines to attract your attention • May use the exact same e-mail format as various news services • CNN • ESPN • NBC

  12. Other related terms • Vishing (new term) • This is phishing via voice • Up and coming attack • Usually wants you to call a (toll free) number to validate your account • Uses a fairly convincing phone menu tree to get you to get you to divulge financial information

  13. Other related termins • Pharming • A computer attack that misdirects a user to a bogus web site • Often implemented as software downloaded from the Internet

  14. Not limited to computers • Tailgating • Following someone through a secure access point. • Shoulder surfing • Looking over someone’s shoulder to view a password.

  15. Not limited to computers • Cell Phone Camera Identity Theft • Using a cell phone camera to capture check or credit card numbers. • Dumpster Diving • Going through trash (or mailboxes) to obtain account numbers, credit card offers, etc.

  16. How the Internet makes it easy • Inherent trust in computers. • But this trust is misplaced. • No validation of identity. • Lack of knowledge and understanding of computers.

  17. Social Engineering Techniques • E-mail • We see this all the time. • Sometimes the spam filter catches them, sometimes it does not. • Generally sent to a large number of recipients. • Phone calls • Usually used as for directed attacks. • Person attempts to gain specific access.

  18. Social Engineering Techniques • In person • Used to gain physical access • May involve tailgating, pretending to belong, but just can’t get to their access card • Overwhelming the lowly receptionist • Great example in the movie Sneakers.

  19. How does phishing work? • Attack usually starts with an e-mail • User must respond to an event, such as an account suspension. • Must follow link in e-mail. • Does not usually have a phone contact. • Describes serious consequences if you do not take immediate action. • Tries to get you to make a quick decision. • Example of a phishing e-mail.

  20. Phishing attack • Once at the fake web site, they try to get you to enter your account and password information. • Sites are very realistic. • Refer back to example phishing attack. • EWU has been subjected to this attack, trying to obtain webmail accounts and passwords. • Used to send out more phishing and spam.

  21. What can you do about this? • Be careful in all transactions on the Internet. • Know the policies and procedures for the financial organizations that you deal with. • How will your bank contact you if they detect suspicious activity? • How will EWU contact you? • Where does this link really go to? • Look for institutions that use multiple factor authentication.

  22. What can you do about this? • Know what to look for • Analyze the content of the message • Analyze links • Follow security procedures • Verify identity

  23. Know what to look for (content) • Phishing usually falls into one of two types • Fear • Tries to get you to take immediate action • Has dire consequences in action is not taken • Greed • Advance fee programs • Lottery winner • Money launderer • Business agent

  24. Know what to look for (content) • Know the format for toll free numbers • Always begin with ‘8’ • Next two digits are identical • 833 is toll free (but not currently in use) • 800 is toll free • 522 is not toll free • EXCEPTION: 811 and 899 • Or begins with ‘88’ • 888 only one in use, all others reserved

  25. Know what to look for (URL) http://www.ewu.edu/securityawareness Protocol, may also be https:// Computer name, the clues are in this portion. May also look like a number, such as 146.187.3.190. Specific page, irrelevant for analysis http:// www.ewu.edu /securityawareness

  26. Know what to look for (URL) • Look at the link in the status bar, not the text in the message body • See Associated Bank example • If the computer name is a number in the form (146.187.3.190), this is ALWAYS suspect, NEVER click on this kind of link • http://198.43.28.24 is not valid • https://87.34.87.205/paypal/login is not valid

  27. Know what to look for (URL) • Look deeper into the computer name; the last two words (separated by periods) are the domain. Is this valid? (Use Google to check) • http://www.ewu.edu/securityawareness • ewu.edu is owned by EWU • https://paypal.redirect.ru/login • Not valid, PayPal is paypal.com, not redirect.ru • http://login.paypal-verify.com • Not valid, PayPal is paypal.com, not paypal-verify.com

  28. What can you do about this? • Consider using prepaid credit cards for purchases. • Exposure is limited. • Card not tied in any way to your banking accounts. • Card does not impact your credit rating. • Visa offers cards directly. • A number of companies offer branded Visa or MasterCard prepaid cards.

  29. What can you do about this? • Consider credit report monitoring. • Not a be all, end all solution. • Only identifies when your credit is impacted. • Will indirectly show credit card activity. • Does not protect against your accounts being drained. • Shred financial documents, including account statements and credit card offers.

  30. What can you do about this? • Use a different password for each financial account you have. • Yes, this can be a pain to remember. • Use a password manager to help manage your accounts and passwords.

  31. What can you do about this? • Check out the security arrangements before signing up for online banking? • What access controls do they use? • Look for multiple authenticators • Something you know (password, image) • Something you posses (token) • Something you are (fingerprint)

  32. What can you do about this? • Use anti-virus software, and keep it up to date. • Use anti-malware software, and likewise, keep it up to date. • Consider using an anti-phishing tool bar on your web browser. • Built-in in newer browsers. • Keep your system patched.

  33. What to do it you are a victim? • Contact your financial institutions. • Most have help services for identity theft. • Check your state’s web site. • Usually the Attorney General or the Secretary of State. • Check the web site for the Federal Trade Commission. • www.ftc.gov

  34. Test Your Knowledge • Various anti-phishing games • http://www.sonicwall.com/phishing/ • http://survey.mailfrontier.com/survey/quiztest.cgi?themailfrontierphishingiqtest • http://cups.cs.cmu.edu/antiphishing_phil • Google with a search of ‘phishing quiz’.

  35. References • Kevin Mitnick, The Art of Deception • Book about using social engineering techniques to gain access to facilities and systems. Available in Library! • Wikipedia • Search for ‘phishing’, ‘pharming’ and ‘phreaking’. • The Anti-Phishing Working Group • www.antiphishing.org

  36. References (cont’d) • Federal Trade Commission • www.ftc.gov • State Attorney’s General or state trade commissions. • Your bank’s web site • Usually contains privacy and security pages that explain your rights and how the institution safeguards access.

  37. Thanks for attending! • Copy of presentation will be available at… • www.ewu.edu/securityawareness • I have also sent a copy to the QSI people, in case they are assembling a web site.

More Related