PowerPoint Slideshow about 'Social Engineering Abuses' - ostinmannual

Social Engineering Abuses

CIS 5370 - Computer Security

Kasturi Pore

Ravi Vyas

What is it?

Public definition (wikipedia.org):

“Social engineering is the art of manipulating people into performing actions or divulging confidential information”

Gartner Research Group:

“the manipulation of people, rather than machines, to successfully breach the security systems.”

Does it Work?

Kevin Mitnick was arrested in February 1995 and faced more than 25 federal charges.

In his book The Art of Deception he states that he obtained passwords and secrets not with hacking tools or software exploits but through social engineering.

Does it Work?

Three blind Israeli brothers, Ramy, Muzher and Shadde Badir, faced 44 charges, including:

  • Telecommunications fraud
  • Theft of computer data
  • Impersonation of a police officer

Estimated damages: around $2 million

Does it Work?

On September 16, 2008, an intruder posting under the 'anonymous' banner gained access to Governor Sarah Palin's personal e-mail account, gov.palin@yahoo.com.

No password was guessed or cracked. The attacker walked through Yahoo's password-recovery form, whose "secret" questions were answerable from public records and news coverage:

  • Account: gov.palin@yahoo.com
  • Date of birth: 2/11/64
  • ZIP code: 99687
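What made this attack work was not a weak password but a recovery flow whose "secrets" were public facts. The Python sketch below is added here as an illustration and is not part of the original slides: it contrasts a knowledge-based reset (whoever knows the facts owns the account) with a reset gated on a random, single-use, time-limited token delivered out of band to a pre-registered contact, with a failure lockout and a constant-time comparison. The account, its facts (birth date, ZIP code, where the spouse was met) and the recovery contact are all constructed for the demo; nothing here is a real person's data.

```python
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class Account:
    username: str
    password: str
    birth_date: str        # "secret question" answers: all discoverable online
    zip_code: str
    spouse_met_at: str
    recovery_contact: str  # out-of-band channel registered in advance (phone/e-mail)


def weak_reset(accounts, username, birth_date, zip_code, spouse_met_at, new_password):
    """Knowledge-based reset: the public facts are the whole credential."""
    acct = accounts.get(username)
    if acct and (acct.birth_date, acct.zip_code, acct.spouse_met_at.lower()) == \
            (birth_date, zip_code, spouse_met_at.lower()):
        acct.password = new_password
        return True
    return False


class HardenedRecovery:
    """Reset gated on a random single-use token sent out of band, with lockout."""
    MAX_FAILURES = 3
    TOKEN_TTL = 600  # seconds a token stays valid

    def __init__(self, accounts, deliver, clock=time.time):
        self.accounts = accounts
        self.deliver = deliver   # callable(contact, token): the SMS / e-mail sender
        self.clock = clock       # injectable for testing expiry
        self.pending = {}        # username -> (token, expiry)
        self.failures = {}       # username -> wrong-token count

    def start(self, username):
        acct = self.accounts.get(username)
        if acct is None:
            return               # silent, same as success: no username enumeration
        token = secrets.token_urlsafe(16)
        self.pending[username] = (token, self.clock() + self.TOKEN_TTL)
        self.deliver(acct.recovery_contact, token)

    def finish(self, username, token, new_password):
        if self.failures.get(username, 0) >= self.MAX_FAILURES:
            return "locked"
        pending = self.pending.get(username)
        if pending is None:
            return "denied"
        expected, expiry = pending
        if self.clock() > expiry:
            del self.pending[username]
            return "expired"
        if not hmac.compare_digest(expected, token):   # constant-time compare
            self.failures[username] = self.failures.get(username, 0) + 1
            return "denied"
        del self.pending[username]                     # single use
        self.failures.pop(username, None)
        self.accounts[username].password = new_password
        return "ok"


def demo():
    """Replay the scenario: attacker knows only public facts, owner holds the phone."""
    accounts = {"gov.example": Account("gov.example", "original", "1971-03-04",
                                       "12345", "Springfield High", "+1-555-0100")}
    public_facts = ("1971-03-04", "12345", "springfield high")  # scraped from a bio
    results = {}
    # 1. Weak flow: the facts alone reset the password.
    results["weak_attacker"] = weak_reset(accounts, "gov.example", *public_facts, "pwned")
    accounts["gov.example"].password = "original"
    # 2. Hardened flow: attacker can start recovery but never sees the token.
    outbox = []  # stands in for the owner's phone
    rec = HardenedRecovery(accounts, lambda contact, tok: outbox.append((contact, tok)))
    rec.start("gov.example")
    results["hardened_attacker"] = rec.finish("gov.example", "guess", "pwned")
    # 3. Repeated guessing locks the flow, even if the token leaks later.
    for _ in range(2):
        rec.finish("gov.example", "guess", "pwned")
    results["hardened_locked"] = rec.finish("gov.example", outbox[-1][1], "pwned")
    # 4. The owner starts a fresh flow and reads the token from her own phone.
    rec2 = HardenedRecovery(accounts, lambda contact, tok: outbox.append((contact, tok)))
    rec2.start("gov.example")
    results["hardened_owner"] = rec2.finish("gov.example", outbox[-1][1], "new-strong-pw")
    results["password"] = accounts["gov.example"].password
    return results
```

`demo()` returns `weak_attacker=True` and `hardened_attacker="denied"`, `hardened_locked="locked"`, `hardened_owner="ok"`. The lockout counter lives on the service instance here; a real deployment persists it per account and per source address, and the token should be the only thing the recovery form accepts, never a fallback to the questions.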

Why Social Engineering?
  • It is easier to ask the user than to break into the system
  • As technical defenses improve, breaking into systems directly becomes harder, so attackers go after the people who already have access
Why does it work?
  • Humans
    • We are emotionally vulnerable and like to help
    • We easily succumb to pressure
    • We cannot reliably tell when someone is lying: we have a bias toward believing people and rely on stereotypes
  • Current defense mechanisms
    • Security policies that operate as a single loop: rules are applied, but never revised when they fail
    • Employee training
  • Security policies
    • Are written by humans and inherit their blind spots
    • Are not kept up to date
    • Are not followed
Why does it work?
  • Information about people and organizations is readily and publicly available
How does it work?
  • First gather data that is easy to obtain (public sources)
  • Use it to fake authority or familiarity
  • Obtain more confidential information
  • Feedback loop: the result of each step is fed back to make the next request more convincing
  • Once enough information has been gathered, launch the final attack
  • Design the attack to minimize the victim's reaction and to weaken security along the way
Types of Social Engineering
  • Pretexting
    • Creating a scenario that does not exist in order to pressure a victim into leaking information
    • Generating cues (names, jargon, insider details) that build the victim's trust
Types of Social Engineering
  • Phishing:

The attacker typically sends an e-mail that appears to come from a legitimate source, such as a bank or credit card company, asking the recipient to verify some information and warning of dire consequences if no action is taken.

Types of Social Engineering
  • IVR or phone phishing:

The attacker creates a convincing copy of an organization's IVR (interactive voice response) system and sends an e-mail urging people to call a toll-free number to verify their information. Callers, hearing a familiar-sounding menu, readily enter their account details.

Types of Social Engineering
  • Trojan horse:

These exploit people's greed and curiosity to propagate malware. They arrive as e-mail attachments with attractive subject lines which, when opened, install malware on the system.
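The three e-mail-borne variants above (phishing, IVR/phone phishing and Trojan attachments) share observable indicators: a display name or Reply-To that does not match the sending domain, link text that names one host while the href points at another, a toll-free call-back number, urgency language, and an attachment whose real extension is executable. The Python triage below is an added example, not code from the original deck. The three messages it scores are constructed with the standard library rather than captured from real mail, and the weights, keyword patterns and verdict thresholds are arbitrary choices for the demo, not a complete phishing grammar.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# Extensions that execute on double-click; "clip.mpg.exe" is the classic Trojan bait.
EXEC_EXT = {"exe", "scr", "pif", "com", "bat", "cmd", "js", "vbs", "hta", "jar"}
# "Act now or lose your account" pressure language and toll-free call-back numbers
# (the IVR-phishing lure). Illustrative patterns only.
URGENCY = re.compile(r"\b(verify your|suspend\w*|immediately|within 24 hours|"
                     r"will be (?:locked|closed|terminated))\b", re.I)
CALLBACK = re.compile(r"\b1[-. ]8(?:00|33|44|55|66|77|88)[-. ]\d{3}[-. ]\d{4}\b")
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(s):
    """Lower-cased hostname of a URL or bare host string ('' if it has none)."""
    try:
        return (urlparse(s if "://" in s else "http://" + s).hostname or "").lower()
    except ValueError:
        return ""


def triage(raw):
    """Score one RFC 5322 message; returns verdict, score and the indicators found."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []  # (weight, description)

    from_hdr = msg.get("From")
    sender = from_hdr.addresses[0] if from_hdr and from_hdr.addresses else None
    from_dom = sender.domain.lower() if sender else ""
    display = sender.display_name if sender else ""
    # Display name written to look like an address at the impersonated organization.
    if "@" in display and display.rpartition("@")[2].lower() != from_dom:
        findings.append((1, f"display name '{display}' but sender is {sender.addr_spec}"))
    reply = msg.get("Reply-To")
    if reply and reply.addresses and reply.addresses[0].domain.lower() != from_dom:
        findings.append((1, f"Reply-To {reply.addresses[0].addr_spec} is off-domain"))

    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body else ""
    if body is not None and body.get_content_subtype() == "html":
        lc = LinkCollector()
        lc.feed(content)
        for href, text in lc.links:
            h_host, t_host = host_of(href), host_of(text)
            if IPV4.match(h_host):
                findings.append((1, f"link to raw IP address {h_host}"))
            if "." in t_host and t_host != h_host:   # visible URL != real target
                findings.append((2, f"link text shows {t_host} but points to {h_host}"))
        content = re.sub(r"<[^>]+>", " ", content)  # crude tag strip for keyword scan
    text = f"{msg.get('Subject', '')} {content}"
    if URGENCY.search(text):
        findings.append((1, "urgency or threat language"))
    if CALLBACK.search(text):
        findings.append((1, "asks the reader to call a toll-free number"))

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        pieces = name.lower().split(".")
        if len(pieces) > 1 and pieces[-1] in EXEC_EXT:
            kind = "double-extension" if len(pieces) > 2 else "executable"
            findings.append((2, f"{kind} attachment {name}"))

    score = sum(w for w, _ in findings)
    verdict = "block" if score >= 2 else "review" if score else "clean"
    return {"verdict": verdict, "score": score, "findings": [d for _, d in findings]}


def build_samples():
    """Three constructed messages (not real captures): phishing, Trojan bait, benign."""
    phish = EmailMessage()
    phish["From"] = '"support@examplebank.com" <notice@verify-examplebank-login.net>'
    phish["Reply-To"] = "helpdesk@mailbox-relay.example"
    phish["To"] = "victim@example.org"
    phish["Subject"] = "Action required: verify your account within 24 hours"
    phish.set_content("Your account will be suspended unless you verify your details.")
    phish.add_alternative(
        "<p>Your account will be suspended unless you verify your details at "
        '<a href="http://198.51.100.7/login">https://www.examplebank.com/secure</a> '
        "or call 1-800-555-0199.</p>", subtype="html")
    trojan = EmailMessage()
    trojan["From"] = "CNN Alerts <alerts@cnn-breaking.example>"
    trojan["To"] = "victim@example.org"
    trojan["Subject"] = "You have to see this video!"
    trojan.set_content("Shocking footage, watch the attached clip.")
    trojan.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                          subtype="octet-stream", filename="breaking_news.mpg.exe")
    benign = EmailMessage()
    benign["From"] = "Alice Example <alice@example.org>"
    benign["To"] = "bob@example.org"
    benign["Subject"] = "Lunch on Thursday?"
    benign.set_content("Same place as last time, 12:30.")
    return {k: m.as_string() for k, m in
            {"phish": phish, "trojan": trojan, "benign": benign}.items()}
```

Running `triage()` over `build_samples()` gives "block" for the phishing message (off-domain Reply-To, link text naming the bank while the href points at a raw IP, urgency wording, call-back number) and for the Trojan bait (double-extension attachment), and "clean" for the lunch invitation. Real mail filters add sender authentication (SPF/DKIM/DMARC results) and sandbox detonation of attachments on top of heuristics like these.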

Types of Social Engineering
  • Baiting:

The physical counterpart of the Trojan horse. The attacker leaves malware-infected physical media, such as a CD-ROM or USB drive with a legitimate-looking but curiosity-provoking label, around the workplace; when any employee inserts it, the system is infected.

Types of Social Engineering
  • Online Social Engineering
    • Users reuse a single password for all their accounts
    • The attacker sends an e-mail inviting the victim to sign up for an interesting site or to receive an important update, asking for a username and password; the same credentials are then tried against the victim's other accounts
Types of Social Engineering
  • Reverse social engineering
    • Make the victims come to you instead of you going to them
    • The attacker sabotages a network, causing a problem
    • He then advertises himself as the appropriate person to fix it
    • When he comes to fix the problem, he asks employees for information (passwords, configurations) and they hand it over because he is "the expert"
Combat strategies
  • Physical protection
  • Security policies that separate documents into different levels or compartments, enforce separation of duty, and operate as a double loop (the policies themselves are revised when an incident shows they failed)
  • Employee training
  • Lie detectors
Bibliography:
  • Goodchild, J. (2008, Nov). Social Engineering: 8 Common Tactics. Retrieved Nov 2008, from NetworkWorld: http://www.networkworld.com/news/2008/110608-social-engineering-eight-common.html
  • Granger, S. (2001, Dec). Social Engineering Fundamentals, Part I: Hacker Tactics. Retrieved Nov 2008, from SecurityFocus: http://www.securityfocus.com/infocus/1527
  • Granger, S. (2002, Jan). Social Engineering Fundamentals, Part II: Combat Strategies. Retrieved Nov 2008, from SecurityFocus: http://www.securityfocus.com/infocus/1533
  • Gonzalez, J. J., et al. (2006). A Framework for Conceptualizing Social Engineering. CRITIS 2006, LNCS 4347, 79-90.
  • Wikipedia. (n.d.). Social engineering (security). Retrieved Nov 2008, from Wikipedia: http://en.wikipedia.org/wiki/Social_engineering_(security)
  • VP contender Sarah Palin hacked http://wikileaks.org/wiki/VP_contender_Sarah_Palin_hacked
  • Three Blind Phreaks http://www.wired.com/wired/archive/12.02/phreaks_pr.html
  • U.S. vs. Mitnick and DePayne http://www.cnn.com/SPECIALS/1999/mitnick.background/indictment/page01.html
  • New Trojan Bait: CNN Videos http://blog.trendmicro.com/new-trojan-bait-cnn-videos/