Social Engineering and Phishing
Erik Golen

Definitions
• “the art and science of getting people to comply to your wishes” – Bernz 2: “The complete Social Engineering FAQ!”
• “an outside hacker’s use of psychological tricks on legitimate users of a computer system, in order to obtain information he needs to gain access to the system” – Palumbo, John: “Social Engineering: What is it, why is so little said about it and what can be done?”, SANS Institute, July 26, 2000
• “getting needed information (for example, a password) from a person rather than breaking into a system” – Berg, Al: “Cracking a Social Engineer,” LAN Times, Nov. 6, 1995

Why do it?
• commit fraud
• network intrusion
• industrial espionage
• identity theft
• simply disrupt the system or network

Targets
• telephone companies
• answering services
• big-name corporations
• financial institutions
• military and government agencies
• hospitals

Publicity?
• Embarrassing
• Financial repercussion
• Organization’s reputation
• Can they really be sure there was a social engineering attack or not?

Why start with social engineering?
• It’s easy!!!!

The Cycle
http://www.sans.org/reading_room/whitepapers/engineering/529.php?portal=1aa8fee2084cf87f96967291f5195ebf
1. Information Gathering: a variety of techniques can be used by an aggressor to gather information about the target(s). Once gathered, this information can then be used to build a relationship with either the target or someone important to the success of the attack. Information that might be gathered includes, but is not limited to:
   1. a phone list;
   2. birth dates;
   3. an organization’s organizational chart.
2. Developing Relationship: an aggressor may freely exploit the willingness of a target to be trusting in order to develop rapport with them. While developing this relationship, the aggressor will position himself into a position of trust which he will then exploit.
3. Exploitation: the target may then be manipulated by the ‘trusted’ aggressor to reveal information (e.g. passwords) or perform an action (e.g. creating an account or reversing telephone charges) that would not normally occur. This action could be the end of the attack or the beginning of the next stage.
4. Execution: once the target has completed the task requested by the aggressor, the cycle is complete.

The Human Factor
• Manipulating trust
• Goal: gain unauthorized access to something of value

Two Methods
• workplace, phone, trash, online
• Psychological/Persuasion: impersonation, ingratiation, conformity, diffusion of responsibility, plain old friendliness

Prevention
• “One of the advantages of policies is that they remove the responsibility of employees to make judgment calls regarding a hacker's requests. If the requested action is prohibited by policy, the employee has no choice but to deny the hacker's request.”

Policies
• Specific or general?
• Include:
  – information access controls
  – setting up accounts
  – access approval
  – password changes
  – locks
  – IDs
  – shredding
  – violations – enforced?

Physical Protection
• Passwords
• Door locks
• Filing cabinets (locked?!)
• Server rooms (locked?!)
• Shredding
• PINs
• Access control lists

Training
• Personnel must know policies
• Ongoing awareness
• Spotting an attack
  – Refusal to give contact information
  – Rushing
  – Name-dropping
  – Intimidation
  – Small mistakes (misspellings, misnomers, odd questions)
  – Requesting forbidden information

Area of Risk | Hacker Tactic | Combat Strategy
--- | --- | ---
Phone (Help Desk) | Impersonation and persuasion | Train employees/help desk to never give out passwords or other confidential info by phone
Building entrance | Unauthorized physical access | Tight badge security, employee training, and security officers present
Office | Shoulder surfing | Don’t type in passwords with anyone else present (or if you must, do it quickly!)
Phone (Help Desk) | Impersonation on help desk calls | All employees should be assigned a PIN specific to help desk support
Office | Wandering through halls looking for open offices | Require all guests to be escorted
Mail room | Insertion of forged memos | Lock & monitor mail room
Machine room/Phone closet | Attempting to gain access, remove equipment, and/or attach a protocol analyzer to grab confidential data | Keep phone closets, server rooms locked at all times and keep updated inventory on equipment
Phone & PBX | Stealing phone toll access | Control overseas & long-distance calls, trace calls, refuse transfers
Dumpsters | Dumpster diving | Keep all trash in secured, monitored areas, shred important data, erase magnetic media
Intranet/Internet | Creation & insertion of mock software on intranet or internet to steal passwords | Continual awareness of system and network changes, training on password use
Office | Stealing sensitive documents | Mark documents as confidential & require those documents to be locked, penalties for not doing so
General/Psychological | Impersonation & persuasion | Keep employees on their toes through continued awareness and training programs

Kevin Mitnick Quote
• “You could spend a fortune purchasing technology and services...and your network infrastructure could still remain vulnerable to old-fashioned manipulation.”

Phishing
• Phishing is a type of social engineering attack that attempts to trick the potential victim into revealing private information that can be used for identity theft.
• Phishing usually occurs when an attacker sends spoofed messages through email or instant messaging that appear to be from a legitimate financial institution or retailer. The victim clicks on a link in the message and is taken to a website that purports to be the website of the legitimate financial institution or retailer. The victim is prompted to enter personal identity information. The attacker then captures this information and either uses it himself to impersonate the user, or more commonly sells the identity information collected through a broker to criminals who then use it for identity theft.
• Phishing emails are sent out in the thousands and normally are not targeted at specific individuals.

Phishing Variants
• Pharming
  – A phishing variant where an attacker hacks into a DNS server and changes the IP address of targeted sites such as financial institutions. Users attempting to access the targeted sites are redirected to spoofed web sites that capture their account names and passwords, enabling the attacker access to the victims’ financial accounts.
• Vishing
  – Spoofing phone numbers using VoIP and posing as a legitimate business in order to extract account numbers and other information from victims. The user is told to call a different number and enter their information at that point.

History
• The first reported phishing occurred to AOL users back in 1995-96 (James, 11). Hackers would pose as AOL administrators and trick AOL users into revealing their credit card information by telling them that there was a problem with their billing.
• Phishing attacks against financial institutions were first reported in 2003 (A Brief History of Phishing). Until 2003, phishing emails were easily recognizable because of their poor grammar and spelling errors. Beginning in 2003, phishing became more sophisticated as attackers created more legitimate-looking emails and began using other techniques.

Techniques
• The use of similar URLs. (For example, they would register a domain name of “eday” instead of “ebay.”)
• Use of the @ symbol in URLs. Internet browsers ignore everything to the left of the @ symbol, so www.visa.com@awconfirm.us links to awconfirm.us, not www.visa.com.
• Masking URLs (Although the email message may display what appears to be the correct URL in the hyperlink, the hyperlink actually links to a different web site.)
• Other techniques took advantage of vulnerabilities in Internet browsers or actual compromises of the financial institutions’ web sites.

Growth and Impacts
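The three URL tricks listed above can all be checked mechanically by a mail filter or a user-side link checker. The following Python is an added example written for this page, not code from the slides or from any product named on them. It uses the standard library's `urllib.parse` to recover the host a browser actually connects to (everything after the `@`), a Levenshtein distance plus a small digit-for-letter map to catch look-alike domains such as "eday"/"ebay", and an HTML anchor walk to spot links whose visible text names a different host than the `href`. The brand list, the confusable map and every sample URL or HTML fragment are constructed for the example.

```python
"""Phishing URL indicator checks.

Added example (not from the original slides): checks, from the defender's
side, the three URL tricks the slides name:
  1. look-alike domains ("eday" for "ebay", digit-for-letter swaps),
  2. the userinfo '@' trick (the browser connects to what follows '@'),
  3. masked links (visible text names one site, href goes to another).
The brand list and all sample inputs are constructed for this example.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed watch-list; a real deployment would load this from config.
PROTECTED_BRANDS = ["ebay", "visa", "paypal", "citibank"]
# Digits commonly substituted for letters in look-alike names (assumption).
CONFUSABLES = str.maketrans("0135", "oles")
# Anchor text that itself looks like a URL or hostname.
_LOOKS_LIKE_URL = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)


def _split(url: str):
    # Treat a bare "www.host/path" as http so urlsplit sees an authority part.
    return urlsplit(url if "://" in url else "http://" + url)


def effective_host(url: str) -> str:
    """Host the browser actually connects to. urlsplit treats anything before
    '@' in the authority as userinfo, so 'http://www.visa.com@awconfirm.us/'
    yields 'awconfirm.us'."""
    return (_split(url).hostname or "").lower()


def has_userinfo_trick(url: str) -> bool:
    """True when the URL carries userinfo that itself looks like a hostname."""
    user = _split(url).username
    return user is not None and "." in user


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character look-alikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(host: str) -> str:
    """Second-level label ('login.eday.com' -> 'eday'). Simplification: assumes
    a single-label public suffix such as .com or .us."""
    labels = host.split(".")
    return labels[-2] if len(labels) >= 2 else host


def lookalike_brand(host: str):
    """Return the protected brand a host imitates, or None for the brand's own
    domain and for unrelated hosts."""
    label = registrable_label(host)
    if label in PROTECTED_BRANDS:
        return None
    normalised = label.translate(CONFUSABLES)
    for brand in PROTECTED_BRANDS:
        if normalised == brand or edit_distance(normalised, brand) == 1 or brand in normalised:
            return brand
    return None


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) for every <a> in an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def masked_links(html: str):
    """Anchors whose visible text names a different host than the href does."""
    parser = _AnchorCollector()
    parser.feed(html)
    return [(href, text) for href, text in parser.links
            if _LOOKS_LIKE_URL.match(text) and effective_host(text) != effective_host(href)]


def assess_url(url: str) -> list:
    """Human-readable findings for one URL; an empty list means no indicator."""
    findings = []
    host = effective_host(url)
    if has_userinfo_trick(url):
        findings.append(f"userinfo before '@': browser goes to {host}")
    brand = lookalike_brand(host)
    if brand:
        findings.append(f"look-alike of {brand}: {host}")
    return findings
```

`assess_url("http://www.visa.com@awconfirm.us/login")` reports the userinfo trick with `awconfirm.us` as the real destination, and `masked_links('<a href="http://awconfirm.us/x">www.visa.com</a>')` returns that anchor. The look-alike check is deliberately conservative (single-label suffix, a fixed brand list); a production filter would use a public-suffix list and a much larger brand set.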
• The growth of phishing has been dramatic.
  – MessageLabs (Intelligence, 1) estimates that by September 2007, one of every 87.2 emails was a phishing attack. Phishing has reached these numbers through the use of botnets, compromised computers under the control of an attacker, that send out millions of spam and phishing emails each day.
  – APWG, the Anti-Phishing Working Group (June 2007), received 28,888 unique phishing reports and identified 31,709 unique phishing sites, most of which are in the United States (~32%). They also report that 80% of phishing is conducted against 14 different brands, all financial institutions.
  – Estimates of annual consumer losses from phishing range as high as $2.8 billion (Gartner 2006).

Solutions
• Legislation
  – Although legislation has lagged behind advances in technology, the following laws are being used to reduce phishing:
    • CAN-SPAM Act of 2003
    • Anti-Phishing Act of 2005 (proposed)
    • Various state laws (NCSL)

Solutions
• Education and awareness
  – Because social engineering such as phishing relies on tricking consumers, awareness education is a key component in reducing consumer losses to phishing.
  – A number of government and private entities have created web sites designed to educate consumers about the threats of phishing. These sites include:
    • FTC OnGuard Online
    • Anti-Phishing Working Group
    • MillerSmiles

Solutions
• Safe computing practices provide a strong defense against phishing:
  – Never click on links directly from an email.
  – Use File/Properties to find out which website you are really on.
  – Look for the proper symbol to indicate you’re on a secure web site.
    • Secure web sites use a technique called SSL (Secure Socket Layer) that ensures the connection between you and the web site is private.
    • This is indicated by “https://” instead of “http://” at the beginning of the address AND by a padlock icon, which must be found either at the right end of the address bar or in the bottom right-hand corner of your browser window.
    • A padlock appearing anywhere else on the page does not represent a secure site.

Solutions
• Browser helpers
  – Although avoiding phishing attempts is typically a matter of following safe practices, there are a number of browser helpers available to help warn you of suspicious web sites.
  – Browser helpers normally work as another toolbar in your browser. Use one or more for your protection.
  – Internet Explorer 7 and Firefox 2 also provide limited protection by denying access to many known phishing sites.
  – Spam filters may also intercept many phishing attempts.

What can I do?
• Company
  – SpamAssassin
  – Brightmail
  – Spam filters
• Individual
  – Caution!!
  – Be observant!!
• 97% of all email to RIT is spam
• >100 pieces of spam per mailbox per day

RIT and Spam
[Chart: Average Spam to RIT (per Day). Y axis: Volume (Millions), 0.00 to 3.50. X axis: Month, 04/2001 through 10/2007 (est.). Series: Rejected E-mail, Spam Identified, Delivered E-mail, Total.]

Browser extensions
• Netcraft Anti-Phishing toolbar (for IE & FF)
• Other toolbars
  – eBay
  – EarthLink
  – Etc.
• Firefox extensions
  – Adblock
  – Noscript (only trusted domains)
• Move address bar to the top

Netcraft
http://toolbar.netcraft.com/
• Giant neighborhood watch scheme
• The Toolbar also:
  – Blocks reported URLs: once a URL is reported, it is blocked for community members as they subsequently access the URL.
  – Widely disseminated attacks (people constructing phishing attacks send literally millions of electronic mails in the expectation that some will reach customers of the bank) simply mean that the phishing attack will be reported and blocked sooner.
  – Traps suspicious URLs containing characters which have no common purpose other than to deceive.
  – Enforces display of browser navigational controls (toolbar & address bar) in all windows, to defend against pop-up windows which attempt to hide the navigational controls.
  – Clearly displays sites’ hosting location, including country, helping you to evaluate fraudulent URLs (e.g. the real citibank.com or barclays.co.uk sites are unlikely to be hosted in the former Soviet Union).

Other Phishing-like Scams
• Disaster Relief
  – There were more than 170 tsunami-related phishing sites
  – More than 4000 Katrina-related domain names were registered. The FBI estimated 60% were fraudulent
  – There were reports of fraudulent sites related to the Va. Tech shootings
• Nigerian 419 Schemes (Advance Fee Fraud)
  – Mutually beneficial business transactions
  – Unclaimed funds from plane crash victims

Urban Legends and Myths Debunked
• http://vil.nai.com/vil/hoaxes.aspx
• Symantec – http://www.symantec.com/avcenter/hoax.html
• ScamBusters – http://www.scambusters.com/

Online Phishing Quiz
• http://www.sonicwall.com/phishing/

SpamAssassin
http://spamassassin.apache.org/
• Wide-spectrum: SpamAssassin uses a wide variety of local and network tests to identify spam signatures. This makes it harder for spammers to identify one aspect which they can craft their messages to work around.
• Free software: it is distributed under the same terms and conditions as other popular open-source software packages such as the Apache web server.
• Easy to extend: Anti-spam tests and configuration are stored in plain text, making it easy to configure and add new rules.
• Flexible: SpamAssassin encapsulates its logic in a well-designed, abstract API so it can be integrated anywhere in the email stream. The Mail::SpamAssassin classes can be used on a wide variety of email systems including procmail, sendmail, Postfix, qmail, and many others.
• Easy Configuration: SpamAssassin requires very little configuration; you do not need to continually update it with details of your mail accounts, mailing list memberships, etc. Once classified, site- and user-specific policies can then be applied against spam. Policies can be applied on both mail servers and later using the user's own mail user agent application.

Brightmail
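The "easy to extend" point above rests on SpamAssassin's plain-text rule files: a rule is a name, a regular expression against a header or the body, and a score, and a message is spam when its summed score crosses a threshold. The following Python is an added example written for this page to show that scoring model end to end; it is not SpamAssassin's engine, and it implements only a small subset of the real syntax (`header`, `body`, `score`, `required_score`). Real SpamAssassin has many more rule types (`uri`, `rawbody`, `meta`, network tests) and normalises the body before matching; multipart messages are not handled here. The rule set and both sample messages are constructed for the example, and the rule names and scores are this example's, not SpamAssassin's defaults.

```python
"""Minimal SpamAssassin-style rule engine.

Added example, not SpamAssassin's own code: reads a small subset of the
plain-text rule syntax ('header NAME Field =~ /re/flags', 'body NAME /re/flags',
'score NAME n', 'required_score n'), scores RFC 822 messages and reports which
rules fired.  Multipart bodies and the other SpamAssassin rule types are omitted.
"""
import re
from email import message_from_string

# Constructed rule set; names and scores are this example's, not SA's defaults.
RULES_CF = r"""
# header rules match one header field, body rules match the message body
header  SUBJ_URGENT        Subject =~ /urgent|suspended|verify/i
header  FROM_FREEMAIL_BANK From =~ /bank.*@(hotmail|yahoo|gmail)\./i
body    ASKS_FOR_PASSWORD  /(enter|confirm) your (password|pin|account number)/i
body    USERINFO_URL       /https?://[^\s/]+@[^\s/]+/
score   SUBJ_URGENT        1.5
score   FROM_FREEMAIL_BANK 2.0
score   ASKS_FOR_PASSWORD  2.5
score   USERINFO_URL       3.0
required_score 5.0
"""

HEADER_RE = re.compile(r"^header\s+(\w+)\s+(\S+)\s+=~\s+/(.*)/([a-z]*)$")
BODY_RE = re.compile(r"^body\s+(\w+)\s+/(.*)/([a-z]*)$")
SCORE_RE = re.compile(r"^score\s+(\w+)\s+(-?\d+(?:\.\d+)?)$")
REQUIRED_RE = re.compile(r"^required_score\s+(\d+(?:\.\d+)?)$")
FLAG_MAP = {"i": re.I, "m": re.M, "s": re.S}


def _compile(pattern, flags):
    value = 0
    for ch in flags:
        value |= FLAG_MAP.get(ch, 0)
    return re.compile(pattern, value)


def parse_rules(text):
    """Return (rules, required_score). rules maps name -> (kind, field, regex, score)
    where kind is 'header' or 'body' and field is the header name or None."""
    defs, scores, required = {}, {}, 5.0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = HEADER_RE.match(line)
        if m:
            defs[m.group(1)] = ("header", m.group(2), _compile(m.group(3), m.group(4)))
            continue
        m = BODY_RE.match(line)
        if m:
            defs[m.group(1)] = ("body", None, _compile(m.group(2), m.group(3)))
            continue
        m = SCORE_RE.match(line)
        if m:
            scores[m.group(1)] = float(m.group(2))
            continue
        m = REQUIRED_RE.match(line)
        if m:
            required = float(m.group(1))
            continue
        raise ValueError(f"unsupported rule line: {line}")
    # A rule with no explicit score defaults to 1.0, as in SpamAssassin.
    rules = {n: (k, f, rx, scores.get(n, 1.0)) for n, (k, f, rx) in defs.items()}
    return rules, required


def score_message(raw_message, rules, required):
    """Return (total_score, names_of_rules_hit, is_spam) for one message."""
    msg = message_from_string(raw_message)
    body = msg.get_payload() if not msg.is_multipart() else ""
    total, hits = 0.0, []
    for name, (kind, field, regex, score) in rules.items():
        target = msg.get(field, "") if kind == "header" else body
        if regex.search(target):
            hits.append(name)
            total += score
    return total, hits, total >= required


# Constructed sample messages: one phishing-style lure, one ordinary mail.
PHISH = """From: Security Team <bank-security@yahoo.com>
To: customer@example.org
Subject: URGENT: your account has been suspended

Please confirm your password at http://www.visa.com@awconfirm.us/login
within 24 hours or access will be removed.
"""

HAM = """From: Alice <alice@example.org>
To: bob@example.org
Subject: lunch tomorrow?

Want to grab lunch at noon?
"""
```

Running `score_message(PHISH, *parse_rules(RULES_CF))` fires all four rules for a total of 9.0 against the 5.0 threshold, while `HAM` scores 0.0. Because every rule is a plain-text line, adding a new signature (the "easy to extend" property) is a one-line edit to the rule file rather than a code change.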
http://www.brightmail.com/
• Symantec Brightmail AntiSpam Version 6.0
• Symantec Brightmail AntiSpam™ Version 6.0 is a high-performance software solution that blocks spam at the Internet gateway. Combining several patented techniques, Symantec Brightmail AntiSpam offers the best accuracy rate available in spam filtering technology, with an industry-leading false positive rate of fewer than 1 false positive in every 1 million messages identified as spam ...
This note was uploaded on 05/27/2009 for the course NSSA 4050-220 taught by Professor Golen during the Fall '08 term at RIT.