Microsoft PowerPoint 2007 (pptx @ 1574kb)

January 25, 2018 | Author: Anonymous | Category: Social Science, Psychology, Conformity

Social Engineering 101 August 31st, 2010

www.iac.iastate.edu/iasg | facebook.com/infasgroup

Social Engineering

- The end user is usually the weakest link of a system
- People are often lazy, ignorant of security, or simply gullible
- Social engineering is a journey into social psychology!
- Yes I know, that probably doesn’t sound very fun
- Well guess what… it is, so deal with it!

Social Psychology: Persuasion

- A number of variables influence the persuasion process:
  - The Communicator (Who?)
  - The Message (What?)
  - The Audience (Whom?)
  - The Channel (How?)
- We’ll be discussing “The Communicator” in particular.

Source: http://en.wikipedia.org/wiki/Social_psychology_(psychology)

Social Psychology: Persuasion

- The Communicator (Who?):
  - Credibility
  - Expertise
  - Trustworthiness
  - Attractiveness

Source: http://en.wikipedia.org/wiki/Social_psychology_(psychology)

Social Psychology: Persuasion 

Credibility: “The Milgram Experiment”

[Image: the experimenter’s white lab coat]

Source: http://www.nytimes.com/slideshow/2008/06/30/science/070108-MIND_2.html

Social Psychology: Persuasion 

Credibility: “The Milgram Experiment”  The

“assistant” will give electric shocks in increasing voltages to the “test subject” they can hear via a covered window, but can not see  The “test subject” is actually an actor and is not really getting shocked

Social Psychology: Persuasion 

Credibility: “The Milgram Experiment”  After

a few shocks, “test subject” actor begins yelling in pain, banging on wall, begging for the shocks to stop  “assistant” members would ask the man in the white coat what to do, upon being told to continue, 65% of “assistants” would go on to administer 450-volt shocks from the switch labeled “dangerous”  By

the time the 450-volt switch is reached, the actor has already been dead silent for many minutes

Social Psychology: Persuasion 

So what’s the moral of the story?

- Most people will obey the man in the white coat
- In our social engineering experiment, I was temporarily an authority figure and was able to persuade easily, because I had established credibility

Social Psychology: Persuasion 

- The Communicator (Who?):
  - Credibility
  - Expertise
  - Trustworthiness
  - Attractiveness

Source: http://en.wikipedia.org/wiki/Social_psychology_(psychology)

Social Psychology: Persuasion

Would my social engineering attack have been more successful if this… …looked like this instead?

The answer is YES! (and that’s true regardless of sex)

Side note: women are more likely to trust women, and men are more likely to trust men

Source: “Gender pairing bias in trustworthiness”, Journal of Socio-Economics, Volume 38, Issue 5, October 2009, Pages 779-789

Social Psychology: Illusory Superiority

- I bet you are thinking, “That wouldn’t happen to me, I know better!”
- Oh really? Don’t be so sure! We had a nearly 50% success rate with minimal effort
- It’s easy for you to say you wouldn’t be fooled, because you are currently suffering from bias!
- This bias is called illusory superiority
- It causes people to overestimate their positive qualities and abilities and to underestimate their negative qualities, relative to others

Source: http://en.wikipedia.org/wiki/Illusory_superiority

Back to the Video

Let’s hear from you:

- What made my social engineering attack successful?
- What could I have done better?

So… people are dumb

Amazing statistics, for your enjoyment:

- In a 2003 information security survey, 90% of office workers gave researchers what they claimed was their password in answer to a survey question, in exchange for a cheap pen*
- In another study, 70% of people claimed they would reveal their computer password in exchange for a bar of chocolate*
- 34% of respondents volunteered their password when asked, without even needing to be bribed*

* Researchers made no attempt to validate the passwords

Source: http://news.bbc.co.uk/1/hi/technology/3639679.stm

Phishing

Remember we talked about the need for credibility? A good phishing attempt will look like one of these examples (which, if you were here last year, I used in my Ettercap lecture):

http://129.186.201.46/service/

Spear Phishing

- Simply put, spear phishing is targeted phishing
- Spear phishing terrifies the government, large corporations, small businesses, and the average individual
- It does not always occur via e-mail; it works over the phone quite well too!
- Dumpster diving can make it easy to find useful information

Carnegie Mellon SSL Certificate Study

In an online study conducted among 409 participants, researchers found that the majority of respondents would ignore warnings about an expired Secure Sockets Layer (SSL) certificate. The more tech-savvy the user, the more likely they would be to ignore it, the study found.

Of the 50 percent of Firefox 2 users polled who could identify the term “expired security certificate,” 71 percent said they would ignore the warning. Of the 59 percent of Firefox 2 users who understood the significance of a “domain mismatch” warning, 19 percent said they would ignore the hazard.

The Carnegie Mellon team conducted a second study, with 100 participants and under lab conditions. The participants were shown an invalid certificate warning when they navigated to their bank’s website. 69% of technologically savvy Firefox 2 users ignored an expired certificate warning from their own bank.

Source: http://news.cnet.com/8301-1009_3-10297264-83.html

ISU WebCT SSL Certificate Invalidation

- Two years ago, the certificate for WebCT was not renewed before its expiration
- ITS was immediately inundated with calls and requests for support; employees walked users through how to ignore the certificate error
- The certificate remained invalid for two days
- Such problems train the average user to simply ignore these types of warnings: “I’ve seen this before, and they just told me to click ignore last time.”
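The WebCT incident above is the defender’s side of the certificate-warning problem: a certificate that lapses unnoticed forces support staff to teach users to click through warnings. The simplest mitigation is to alert on expiry well before it happens. The following is an added example, not code from the lecture or from IASG; it uses only the Python standard library, and the 30-day warning threshold, the hostname, and the sample certificate dict are assumptions constructed for illustration.

```python
import socket
import ssl
from datetime import datetime, timezone

# Assumption for this example: warn when fewer than 30 days remain.
WARN_DAYS = 30


def at(cert_time):
    """Turn a certificate-style timestamp ('Sep  1 00:00:00 2010 GMT')
    into an aware datetime, so a caller can simulate 'now'."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), timezone.utc)


def days_until_expiry(cert, now=None):
    """Whole days left on a certificate given in the dict shape that
    ssl.SSLSocket.getpeercert() returns; negative once it has expired."""
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    now_ts = (now or datetime.now(timezone.utc)).timestamp()
    return int((not_after - now_ts) // 86400)


def classify(cert, now=None, warn_days=WARN_DAYS):
    """EXPIRED: users are already seeing the warning the lecture describes.
    RENEW-SOON: still time to renew before anyone is trained to click through.
    OK: nothing to do yet."""
    days = days_until_expiry(cert, now)
    if days < 0:
        return "EXPIRED"
    if days <= warn_days:
        return "RENEW-SOON"
    return "OK"


def check_host(hostname, port=443, timeout=5.0):
    """Fetch a live host's leaf certificate and classify it.
    Needs network access, so the offline demo below does not call it."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    return classify(cert)


# Constructed sample shaped like getpeercert() output; not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "webct.example.edu"),),),
    "notBefore": "Aug  1 00:00:00 2010 GMT",
    "notAfter": "Sep  1 00:00:00 2010 GMT",
}

if __name__ == "__main__":
    # Walk the sample certificate through the three states a monitor would report.
    for when in ("Aug  1 00:00:00 2010 GMT", "Aug 20 00:00:00 2010 GMT", "Sep  3 00:00:00 2010 GMT"):
        print(when, "->", classify(SAMPLE_CERT, at(when)))
```

Run from a scheduled job against each public-facing hostname (`check_host("webct.example.edu")` in this example), the RENEW-SOON state gives the operations team its renewal reminder before a single user sees a browser warning, which is the point the two-day outage above illustrates.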

Reverse Social Engineering: A New Spin on S.E.

- An attacker makes the victim come to him directly!
- Example: a hacker sabotages a network, causing a problem to arise. That hacker then advertises that he is the appropriate contact to fix the problem, and when he comes to fix the network problem, he requests certain bits of information from the employees and gets the data or credentials that he really came for. The victims may never know an attack took place, because the network problem goes away, leaving everyone happy in the end.
- This also builds future credibility for the hacker

Who is this?

Hint: possibly the greatest social engineer ever born… …and the worst person to have walked the earth in the 20th century

Sources: http://img.thesun.co.uk/multimedia/archive/00039/F_200705_May07ed_img_39143a.jpg and http://blog.verdylives.com/wp-content/uploads/2009/10/2865398363_ba996e4e0d.jpg

Adolf Hitler

- In Hitler’s early writings, the future dictator discusses Jews as the perfect scapegoats for Germany’s post-WWI problems; he does show disdain for the race at this time, but does not propose violence against them
- By the mid 1930s, Adolf had already quickly gained support via social engineering the people of Germany
  - Specifically, he rode on anti-communist hysteria and published extreme propaganda
- In Hitler’s later writings (circa 1940s), it becomes clear that Adolf has come to believe in his own party’s propaganda

Source: http://www.takedown.com/bio/mitnick.html

Who is this?

Source: http://ils.unc.edu/~neubanks/inls187/home/fugitive.html

Kevin Mitnick

- In 1981, at the age of 17, Mitnick and his gang of hackers decided to physically break into COSMOS, a database used for controlling the phone system’s basic recordkeeping functions
- In broad daylight on a Saturday, the group talked their way past security and into the room where the database system was located
- From that room, the gang lifted combination lock codes for nine Pacific Bell offices and the COSMOS system’s operating manuals

Source: http://www.takedown.com/bio/mitnick.html

Kevin Mitnick

- To ensure continued access, they placed fake names and phone numbers into a company rolodex, which would have allowed them to call in and further social engineer, if needed
  - Take-home point: hackers always leave a way back in
- A manager soon realized the names were fraudulent and contacted police; Mitnick was later tied to the theft by a conspirator’s former girlfriend
  - Take-home point: don’t tell your girlfriend about your crime attempts, especially when they constitute a felony

Source: http://www.takedown.com/bio/mitnick.html

Next Meeting: September 7, 2010

ISU Cyber Defense Competition: Saturday, October 9th, 8:00am – 5:00pm, Howe Hall Atrium (more information at next meeting)

Still Have Questions?

- General Inquiries: IASG Cabinet
- Specific To This Lecture: Matthew Sullivan

Lectures are usually video recorded and are made available via our website within 48 hours.

www.iac.iastate.edu/iasg | facebook.com/infasgroup
