
Ethical Hacking and Countermeasures v6 module 11 social engineering


DOCUMENT INFORMATION

Basic information

Title: Social Engineering
Author: EC-Council
School: EC-Council University
Field: Ethical Hacking
Type: Module
Year published: 2004
City: Walnut Creek
Pages: 82
Size: 5.8 MB


Content



Social Engineering

Module XI Page 1471 Ethical Hacking and Countermeasures v6 Copyright © by EC-Council

All Rights Reserved Reproduction is Strictly Prohibited.

Module XI: Social Engineering

Ethical Hacking and Countermeasures, Version 6

Exam 312-50

EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited. Copyright © by EC-Council

In recent years, the IRS has successfully completed significant efforts in securing its computer network perimeters from external cyber threats. Because hackers are unable to gain access through these Internet gateways into the IRS, they are likely to seek other ways to gain access to IRS systems and, ultimately, taxpayer data. One such method is social engineering, which involves exploiting the human aspect of computer security for the purpose of gaining insider information about an organization’s computer resources. One of the most common tactics is to convince an organization’s employees to reveal their passwords. Along with user account names, passwords are needed to identify and authenticate employees before allowing them access to systems and data.

In August 2001, with the assistance of a contractor, we conducted social engineering tests on IRS employees as part of our penetration testing efforts. We placed calls to 100 IRS employees, asking them to change their password to one we suggested, and found 71 employees were willing to accommodate our requests.

This review was conducted from our office in Walnut Creek, California, in December 2004. The audit was conducted in accordance with Government Auditing Standards.



Module Objective

If you have seen the movie “War Games,” you have already seen social engineering in action. The story of Kevin Mitnick, arguably one of the best social engineers around, captured on celluloid, shows the art of deception.

This module will familiarize you with:

• Social Engineering
• Types of Social Engineering
• Behaviors vulnerable to attacks
• Social Engineering Threats and Defenses
• Countermeasures for Social Engineering
• Policies and Procedures
• Impersonating Orkut, Facebook, and MySpace
• Identity Theft
• Countermeasures for Identity Theft

It must be noted that the information contained in this chapter is for the purpose of presenting an overview. While this module points out fallacies and advocates effective countermeasures, the possible ways to extract information from another human being are restricted only by the ingenuity of the attacker’s mind. While this aspect makes it an art, and the psychological nature of some of these techniques makes it a science, the bottom line is that there is no one defense against social engineering; only constant vigilance can circumvent some of the social engineering techniques that attackers use.


Module Flow

• Social Engineering Threats and Defenses
• Countermeasures for Social Engineering
• Policies and Procedures
• Impersonating Orkut, Facebook, and MySpace
• Identity Theft
• Countermeasures for Identity Theft


There is No Patch to Human Stupidity


What is Social Engineering

Social engineering is the human side of breaking into a corporate network.

Companies with authentication processes, firewalls, virtual private networks, and network monitoring software are still open to attacks.

An employee may unwittingly give away key information in an email, by answering questions over the phone with someone they do not know, or even by talking about a project with coworkers at a local pub after hours.

What is Social Engineering

Social engineering is the use of influence and persuasion to deceive people in order to obtain sensitive information and then perform some malicious action. It is used to gather confidential information, authorization details, and access details.

All the security measures that the organization adopts are in vain when employees get “social engineered” by strangers. Some examples of social engineering include unwittingly answering the questions of strangers, replying to spam email, and bragging to co-workers.

Most often, people are not even aware of a security lapse on their part. Chances are that they divulge information to a potential hacker inadvertently. Attackers take special interest in developing social engineering skills, and can be so proficient that their victims might not even realize that they have been scammed. Despite having security policies in place, an organization can be compromised because social engineering attacks prey on the human tendency to be helpful. Attackers are always looking for new ways to gather information; they make sure that they know the perimeter and the people on the perimeter (security guards, receptionists, and help desk workers) in order to exploit human oversight. People have been conditioned not to be overly suspicious; they associate certain behavior and appearances with known entities. For instance, upon seeing a man dressed in a uniform and carrying a stack of packages for delivery, any individual would take him to be a delivery person.

Companies list their employee IDs, names, and email addresses on their official websites. Alternatively, a corporation may put advertisements in the paper for high-tech workers trained on Oracle databases or UNIX servers. These bits of information help attackers know what kind of system they are tackling. This overlaps with the reconnaissance phase.


Social engineering is the hardest form of attack to defend against because it cannot be defended against with hardware or software alone.

Human Weakness

People are usually the weakest link in the security chain. Every individual with access to systems and other information resources is susceptible to social engineering attacks. Access to critical security and financial information is the main motive behind almost all social engineering attempts. Attackers target individuals rather than secured information to gain network access.

Detecting a social engineering attack is difficult, as there is no software or hardware to detect such attempts. In many cases the victims themselves are not aware that they have divulged some critical information.

The only countermeasures for social engineering attacks are awareness and education. Employees of the organization need to be educated to defend against social engineering attacks. They should be sensitized to social engineering attacks and trained to respond to such attacks. Social engineering awareness sessions should be conducted regularly to update employees on the different tricks used for extracting information. Customer support executives and front office staff should be told clearly which types of information they can give out.


“Rebecca” and “Jessica”

Hackers use the terms “Rebecca” and “Jessica” to denote social engineering attacks, and commonly use these terms in their attempts to “social engineer” victims. “Rebecca” or “Jessica” means a person who is an easy target for social engineering, such as the receptionist of a company.

Examples:

• “There is this Rebecca at this bank, and I am going to call her to extract privileged information.”
• “I met Ms. Jessica; she was an easy target for social engineering.”
• “Do you have any Rebeccas in your company?”


Office Workers

Despite having the best firewall, intrusion-detection, and antivirus systems that technology has to offer, you are still hit with security breaches. One reason for this may be a lack of motivation among workers.

Hackers might attempt social engineering attacks on office workers to extract sensitive data such as:

• Security policies
• Sensitive documents
• Office network infrastructure
• Passwords


Types of Social Engineering

Social engineering can be divided into two categories:

• Human-based: gathers sensitive information by interaction. Attacks of this category exploit trust, fear, and the helping nature of humans.
• Computer-based: social engineering carried out with the aid of computers.

Social engineering can be broadly divided into two types: human-based and computer-based. Human-based social engineering involves human interaction in one manner or another, whereas computer-based social engineering depends on computers and Internet systems to carry out the targeted action.

The Gartner Group notes six human behaviors that produce a positive response to social engineering. Corroborate this with the traits discussed in Module I of this course.

• Reciprocation: Someone is given a token and feels compelled to take action. Example: you buy the wheel of cheese when given a free sample.
• Consistency: Certain behavior patterns are consistent from person to person. Example: if you ask a question and wait, people will be compelled to fill the pause.
• Social Validation: Someone is compelled to do what everyone else is doing. Example: stop in the middle of a busy street and look up; people will eventually stop and do the same.
• Liking: People tend to say yes to those they like, and also to attractive people. Example: attractive models are used in advertising.
• Authority: People tend to listen to and heed the advice of those in a position of authority. Example: “Four out of five doctors recommend ...”
• Scarcity: If something is in low supply it becomes more “precious” and, therefore, more appealing. Example: Furbies or the Sony PlayStation 2.

Source: Gartner Research

The social engineering cycle comprises four distinct phases:

• Information gathering
• Development of relationship
• Exploitation of relationship
• Execution to achieve objective


Human-Based Social Engineering

Posing as a Legitimate End User

• Gives an identity and asks for the sensitive information.
• “Hi! This is John, from Department X. I have forgotten my password. Can I get it?”

Posing as an Important User

• Posing as a VIP of a target company, a valuable customer, etc.
• “Hi! This is Kevin, CFO Secretary. I’m working on an urgent project and lost my system password. Can you help me out?”

Posing as Technical Support

• Calls as technical support staff and requests IDs and passwords to retrieve data.
• “Sir, this is Mathew, Technical Support, X company. Last night we had a system crash here, and we are checking for the lost data. Can you give me your ID and password?”

Human-Based Social Engineering

Posing as a Legitimate End User:

An attacker might use the technique of impersonating an employee, and then resort to unusual methods to gain access to privileged data. He may give a fake identity and ask for sensitive information. Another example of this is that a “friend” of an employee might ask to retrieve information that a bedridden employee supposedly needs. There is a well-recognized rule in social interaction that a favor begets a favor, even if the original “favor” is offered without a request from the recipient. This is known as reciprocation. Corporate environments deal with reciprocation on a daily basis. Employees help one another, expecting a favor in return. Social engineers try to take advantage of this social trait via impersonation.

Example:

“Hi! This is John, from Department X. I have forgotten my password. Can I get it?”

Posing as an Important User:

Impersonation is taken to a higher level by assuming the identity of an important employee in order to add an element of intimidation. The reciprocation factor also plays a role in this scenario, where lower-level employees might go out of their way to help a higher-level employee, so that their favor gets the positive attention needed to help them in the corporate environment. Another behavioral tendency that aids a social engineer is people’s inclination not to question authority. Often people will do something outside their routine for someone they perceive to be in authority.

An attacker posing as an important individual, such as a vice president or director, can often manipulate an unprepared employee. This technique assumes greater significance when considering that the attacker may consider it a challenge to get away with impersonating an authority figure. For example, a help desk employee is less likely to turn down a request from a vice president who says he/she is pressed for time and needs to get some important information needed for a meeting. A social engineer may use authority to intimidate, or may even threaten to report employees to their supervisor if they do not provide the requested information.

Example:

“Hi! This is Kevin, CFO Secretary. I’m working on an urgent project, and lost the system password. Can you help me out?”

Posing as Technical Support:

Another technique involves an attacker masquerading as a technical support person, particularly when the victim is not proficient in technical areas. The attacker may pose as a hardware vendor, a technician, or a computer-accessories supplier when approaching the victim. One demonstration at a hacker meeting had the speaker calling up Starbucks and asking the employee if his broadband connection was working fine. The perplexed employee replied that it was the modem that was giving them trouble. The hacker, without giving any credentials, went on to make him read out the credit card number of the last transaction. In a corporate scenario, the attacker may ask employees to reveal their login information, including a password, in order to sort out a non-existent problem.


Technical Support Example

A man calls a company’s help desk and says he’s forgotten his password. In a panic, he adds that if he misses the deadline on a big advertising project, his boss might fire him. The help desk worker feels sorry for him and quickly resets the password, unwittingly giving the hacker clear entrance into the corporate network.


More Social Engineering Examples

"Hi, I'm John Brown. I'm with the external auditors Arthur Sanderson. We've been told by corporate to do a surprise inspection of your disaster recovery procedures. Your department has 10 minutes to show me how you would recover from a Website crash."


More Social Engineering Examples

"Hi, I'm Sharon, a sales rep out of the New York office. I know this is short notice, but I have a group of prospective clients out in the car that I've been trying for months to get to outsource their security training needs to us. They're located just a few miles away and I think that if I can give them a quick tour of our facilities, it should be enough to push them over the edge and get them to sign up. Oh yeah, they are particularly interested in what security precautions we've adopted. Seems someone hacked into their Website a while back, which is one of the reasons they're considering our company."


More Social Engineering Examples

"Hi, I'm with Aircon Express Services. We received a call that the computer room was getting too warm and need to check your HVAC system." Using professional-sounding terms like HVAC (Heating, Ventilation, and Air Conditioning) may add just enough credibility to an intruder's masquerade to allow him or her to gain access to the targeted secured resource.


Human-Based Social Engineering: Eavesdropping

Eavesdropping is the unauthorized listening to conversations or reading of messages. It is interception in any form, such as audio, video, or written.


Human-Based Social Engineering: Shoulder Surfing

Shoulder surfing is looking over your shoulder as you enter a password. It is the name given to the procedure that identity thieves use to find out passwords, personal identification numbers, account numbers, and more. Simply put, they look over your shoulder, or even watch from a distance using binoculars, in order to get those pieces of information.

Human-Based Social Engineering: Dumpster Diving

Search for sensitive information at the target company’s:

• Trash bins
• Printer trash bins
• User desks, for sticky notes, etc.


Dumpster Diving Example

A man behind the building is loading the company’s paper recycling bins into the back of a truck. Inside the bins are lists of employee titles and phone numbers, marketing plans, and the latest company financials. This information is sufficient to launch a social engineering attack on the company.


For example, if the hacker appears to have a good working knowledge of the staff in a company department, he or she will probably be more successful while making an approach; most staff will assume that someone who knows a lot about the company must be a valid employee.


Oracle Snoops Microsoft’s Trash Bins

Source: news.com.com/Oracle+chief+defends+Microsoft+snooping/2100-1001_3-242560.html

According to news reports, Oracle chief executive Larry Ellison defended his company's decision to hire detectives to investigate two research groups that supported Microsoft during the antitrust trial. Oracle hired Investigative Group International to probe two research organizations, the Independence Institute and the National Taxpayers Union. The company sought to verify links between Microsoft and the organizations during its antitrust trial, and even tried to buy trash from another research group having close ties with Microsoft.

Oracle told Bloomberg News it discovered that the two organizations were misrepresenting themselves as independent advocacy groups when they were, in fact, funded by Microsoft. Oracle said the company hired the detective agency because the organizations were releasing studies supporting Microsoft during the antitrust trial. The financial ties between the organizations were reported by The Wall Street Journal and the Washington Post.

"It's absolutely true we set out to expose Microsoft's covert activities," Oracle chief executive Ellison said today during a press conference at Oracle's headquarters in Redwood Shores, California, in which the company announced new software products. "I feel very good about what we did."

Ellison said the two research organizations made it appear that it would be best for American taxpayers if Microsoft won the antitrust trial. The judge in the case has since ruled that Microsoft be split into two, a decision being appealed by Microsoft.

"They were bogus polls that said, 'If anything hurts Microsoft, our country will really suffer.' These experts were bought and paid for by Microsoft, by two taxpayers, Bill Gates and Steve Ballmer," Ellison said, referring to Microsoft's top executives. "They said what Microsoft wanted them to say."

Ellison said he was not aware that Oracle had hired the detective agency to snoop on Microsoft and its relationship with the two organizations.

"We weren't spying. We were trying to expose what Microsoft was doing," said a fiery Ellison when reporters asked repeatedly about the detective agency's attempts at buying garbage. "Maybe our investigation organization may have done things unsavory, but it's not illegal. We got the truth out."


Human-Based Social Engineering (cont’d)

In Person

Attackers might try to visit a target site and physically survey the organization for information. A great deal of information can be gleaned from the tops of desks, the trash, or even phone directories and nameplates. Hackers may disguise themselves as a courier or delivery person, a janitor, or they may hang out as a visitor in the lobby. Hackers can pose as a businessperson, client, or technician. Once inside, attackers can look for passwords on terminals, important papers lying on desks, or they may even try to overhear confidential conversations.

Social engineering in person includes a survey of a target company to collect information on:

• Current technologies implemented in the company
• Contact information of employees, etc.

Third-Party Authorization

Another popular technique for attackers is to represent themselves as agents authorized by some authority figure to obtain information on their behalf. For instance, knowing who is responsible for granting access to desired information, an attacker might keep tabs on him/her and use the individual’s absence to leverage access to the needed data. The attacker might approach the help desk or other personnel claiming he/she has approval to access this information. This can be particularly effective if the person is on vacation or out of town, and verification is not instantly possible.

Even though there might be a hint of suspicion about the authenticity of the request, people tend to err on the side of being helpful in the workplace. People tend to believe that others are expressing their true attitudes when they make a statement.

The attacker refers to an important person in the organization to try to collect data:

“Mr. George, our Finance Manager, asked that I pick up the audit reports he needs for his report. Will you please provide them to me?”


Human-Based Social Engineering (cont’d)

• “I forgot my ID badge at home. Please help me.”
• An authorized person provides access to an unauthorized person by keeping the secured door open.


Human-Based Social Engineering (cont’d)

Reverse Social Engineering

• This is when the hacker creates a persona that appears to be in a position of authority so that employees will ask him for information, rather than the other way around.
• A reverse social engineering attack involves:
o Sabotage
o Marketing
o Providing support

In reverse social engineering, a perpetrator assumes the role of a person in authority and has employees asking him/her for information. The attacker usually manipulates the types of questions asked to get the required information. The social engineer will first create a problem, and then present himself/herself as the expert on such a problem through general conversation, encouraging employees to ask for solutions. For example, an employee may ask about how this problem has affected particular files, servers, or equipment. This provides pertinent information to the social engineer. Many different skills and experiences are required to carry out this tactic successfully.

Sabotage: Once the attacker gains access, the workstation will be corrupted or will appear to be corrupted. Under such circumstances, users seek help as they face problems.

Marketing: In order to ensure that the user calls the attacker, the attacker must advertise. The attacker can do this by either leaving his/her business cards around the target's office and/or by placing his/her contact number on the error message itself.

Support: Although the attacker has already acquired the needed information, he or she may continue to provide assistance to users so that they remain ignorant about the hacker’s identity.

A good example of a reverse social engineering virus is the “My Party” worm. As stated on the website www.internetnews.com/dev-news/article.php/962741, “My Party” is a reverse social engineering virus that doesn’t rely on sensational or catchy subject lines, but makes use of harmless, inoffensive, and realistic names for its attachments. Phrases such as “naked wife” are not used to attract users’ attention. By using more realistic words, the attacker gains the user’s trust, confirms the user’s ignorance, and completes the task of information gathering.


Movies to Watch for Reverse Engineering Examples: The Italian Job and Catch Me If You Can


Computer-Based Social Engineering

Fortunately, the employee was sophisticated enough to understand the danger of a Trojan horse being enclosed, and immediately alerted the IT department, who terminated the Internet connection. Later investigations revealed that the computer was infected with SubSeven, the most powerful backdoor at the time. Eventually, the company reloaded the computer, rolled back to the day before with a backup tape (losing a full day of online orders), and stayed offline for three full days overall.

Computer-based social engineering uses software to retrieve information.

Pop-up Windows

In this type of social engineering, a window appears on the screen informing the user that he/she has lost his/her network connection and needs to reenter his/her username and password. A program that the intruder had previously installed will then email the information to a remote site.

Mail Attachments

This ploy involves using attachments bearing a title suggestive of a current love affair. There are two common forms that may be used. The first involves malicious code. This code is usually hidden within a file attached to an email message. Here the expectation is that an unsuspecting user opens the file, allowing the virus code to replicate itself. Examples are the “I Love You” and “Anna Kournikova” worms. The latter is also an example of how social engineers try to hide the file extension by giving the attachment a long file name. In this case, the attachment is named AnnaKournikova.jpg.vbs. If the name is truncated, it will look like a JPEG file and the user may not notice the .vbs extension. Another more recent example is the “Vote-A” email worm.

The second, equally effective approach involves sending a hoax email asking users to delete legitimate files (usually system files such as jdbgmr.exe). Another method is clogging email systems by sending false warning email regarding a virus and asking targeted users to forward the mail messages to friends and acquaintances. Such an attempt can be dangerous to the email system of an organization.
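The double-extension trick described above is mechanical enough for a mail gateway to check for directly: split off every extension, look at the one that actually decides how the file is opened, and compare it with the decoy in front of it. The Python below is an added example written for this page, not code from the EC-Council module. Only AnnaKournikova.jpg.vbs comes from the text; the other attachment names are constructed, and the 20-character display width is an assumed stand-in for whatever a given mail client truncates to.

```python
"""Flag attachment names that hide an executable extension behind a decoy.

Added example for this page (not EC-Council code). Only
"AnnaKournikova.jpg.vbs" comes from the text; every other name here is
constructed, and DISPLAY_WIDTH is an assumed client truncation limit.
"""
import os
import re

# Extensions Windows runs or interprets when the attachment is opened.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd",
                   ".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta"}
# Extensions that suggest harmless content and therefore serve as decoys.
DECOY_EXTS = {".jpg", ".jpeg", ".gif", ".png", ".txt", ".doc", ".pdf", ".mp3"}
DISPLAY_WIDTH = 20  # assumed: characters a client shows before truncating


def split_extensions(name):
    """Return every dotted extension in order, e.g. ['.jpg', '.vbs']."""
    exts = []
    base = name
    while True:
        base, ext = os.path.splitext(base)
        if not ext:
            return exts
        exts.insert(0, ext.lower())


def displayed_name(name, width=DISPLAY_WIDTH):
    """How a client that truncates long names would render this one."""
    if len(name) <= width:
        return name
    return name[:width - 3] + "..."


def analyze_attachment(name, width=DISPLAY_WIDTH):
    """Classify an attachment name; returns a dict with the evidence.

    Whitespace is removed before the extension check because runs of
    spaces are another way to push the real extension out of view.
    """
    exts = split_extensions(re.sub(r"\s+", "", name))
    real_ext = exts[-1] if exts else ""
    executable = real_ext in EXECUTABLE_EXTS
    decoy = len(exts) >= 2 and exts[-2] in DECOY_EXTS
    shown = displayed_name(name, width)
    if executable and decoy:
        verdict = "block"       # media-looking name that actually runs code
    elif executable:
        verdict = "quarantine"  # executable, but not disguised
    else:
        verdict = "allow"
    return {"name": name, "extensions": exts, "real_ext": real_ext,
            "executable": executable, "decoy": decoy,
            "shown_as": shown, "verdict": verdict}


def scan_attachments(names):
    """Map each attachment name to its verdict."""
    return {n: analyze_attachment(n)["verdict"] for n in names}


# Constructed sample set; the first name is the one the module discusses.
SAMPLE_ATTACHMENTS = [
    "AnnaKournikova.jpg.vbs",
    "quarterly_report.pdf",
    "setup.exe",
    "holiday photo          .jpg.scr",
]

if __name__ == "__main__":
    for n in SAMPLE_ATTACHMENTS:
        r = analyze_attachment(n)
        print(f"{r['shown_as']:<22} real={r['real_ext']:<5} -> {r['verdict']}")
```

Running the block shows AnnaKournikova.jpg.vbs rendered as "AnnaKournikova.jp..." at the assumed width, which is exactly why the name fooled users, while the verdict is decided on the last extension regardless of what the client displays. The extension lists are deliberately short; a production filter would also inspect the file's content type rather than trusting the name at all.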

Websites

This involves a ruse to get an unwitting user to disclose potentially sensitive data, such as the password used at work. Some methods include using advertisements that promote and display messages offering free gifts and holiday trips, then asking for a respondent’s contact email address, as well as asking the person to create a password. This password may be similar to, if not the same as, the one that the target user uses at work. Many employees enter the same password that they use at work, so the social engineer now has a valid username and password to enter an organization’s network.


Computer-based Social Engineering (cont’d)

Pop-up Windows

• Windows that suddenly pop up while surfing the Internet and ask for users’ information to log in or sign in

Hoaxes and Chain Letters

• Hoax letters are emails that issue warnings to users about new viruses, Trojans, or worms that may harm the user’s system

• Chain letters are emails that offer free gifts such as money and software on the condition that the user forwards the mail to a stated number of persons

Table: Online Pop-Up Attacks and Costs


Computer-Based Social Engineering (cont’d)

Instant Chat Messenger

• Gathering of personal information by chatting with a selected online user to attempt to get information such as birth dates and maiden names

• Acquired data is later used for cracking the user’s accounts

Computer-Based Social Engineering (cont’d)

Phishing

• An illegitimate email falsely claiming to be from a legitimate site attempts to acquire the user’s personal or account information

• Lures online users with statements such as:

• Verify your account

• Update your information

• Your account will be closed or suspended

• Spam filters and anti-phishing tools integrated with web browsers can be used to protect against phishers


Insider Attack

If a competitor wants to cause damage to your organization, steal critical secrets, or put you out of business, they just have to find a job opening, prepare someone to pass the interview, have that person hired, and they will be in the organization

• 60% of attacks occur behind the firewall

• An inside attack is easy to launch

• Prevention is difficult

• The inside attacker can easily succeed

• Difficult to catch the perpetrator

It takes only one disgruntled person to take revenge and your company is compromised

Insider Attack

A competitor can inflict damage on an organization by stealing sensitive data, and may eventually bring down an organization by gaining access to the company through a job opening, sending a malicious person as a candidate to be interviewed and, with luck, hired.

Other attacks may come from unhappy employees or contract workers. It takes just one disgruntled person to take revenge on a company by compromising its computer system.

• 60% of attacks occur from behind the firewall

• An inside attack is easy to launch

• Prevention is difficult

• An inside attacker can easily succeed

• It can be difficult to identify the perpetrator


Disgruntled Employee

Figure: A disgruntled employee sends company secrets from the company network to a competitor using steganography

Most cases of insider abuse can be traced to individuals who are introverted, incapable of dealing with stress or conflict, and frustrated with their job, office politics, no respect, no promotions, etc.


Preventing Insider Threat

There is no single solution to prevent an insider threat.

Recommendations to overcome insider threat:

• Logging and auditing: Logging and auditing must be performed periodically to check whether any company resources are being misused.

• Legal policies: Legal policies must be enforced to prevent employees from misusing the resources of an organization, and to prevent the theft of sensitive data.

• Archive critical data: A record of an organization’s critical data must be maintained in the form of archives to be used as back-up resources, if needed.


Common Targets of Social Engineering

Receptionists and help desk personnel

Technical support executives

Vendors of target organization

System administrators and users


Social Engineering Threats and Defenses

Major attack vectors that a social engineering hacker uses:

• Online

• Telephone

• Personal approaches

• Reverse social engineering

Social engineers exploit employees’ behavior (manners, enthusiasm towards work, laziness, innocence, etc.) to carry out attacks on an organization. Social engineering attacks are difficult to guard against, as the victim might not be aware that he/she has been duped. They are very similar to other kinds of attacks in their aim of extracting a company’s money, information, or IT resources.

A company needs to evaluate the kinds of attacks, estimate the loss, and spread awareness among the employees to guard against social engineering attacks. Some of the methods used for social engineering attacks are as follows:

Online Threats

• An attack may provide information that enables the hacker to make a subsequent malware attack

• Solution: Advise staff on how to identify and avoid online social engineering attacks

Source: http://www.microsoft.com/technet/security/midsizebusiness/topics/complianceandpolicies/socialengineeringthreats.mspx

In today's connected business world, employees often respond to requests and use information that arrives electronically from both inside and outside the company. This connectivity enables hackers to approach staff from the Internet. Online attacks take the form of email, pop-up applications, and instant messages carrying Trojan horses, worms, or viruses, collectively called malware. This malware damages or subverts computer resources. With antivirus defenses in place, these malware attacks can be addressed and prevented.

Social engineering hackers persuade a staff member to provide information through a believable ruse, rather than infecting a computer with malware through a direct attack. An attack may provide information that enables the hacker to make a subsequent malware attack, but this result is not a function of social engineering. Therefore, advise staff on how best to identify and avoid online social engineering attacks.

Telephone-Based Threats

• The telephone offers a unique attack vector for social engineering hackers

• It is a familiar medium, but it is also impersonal, because the target cannot see the hacker

• Communication options for most computer systems can also make the Private Branch Exchange (PBX) an attractive target

• Stealing either credit card or telephone card PINs at telephone booths is another kind of attack

Telephone-Based Threats (cont’d)

There are three major goals for a hacker who attacks a PBX:

• Request information, usually through the imitation of a legitimate user, either to access the telephone system itself or to gain remote access to computer systems

• Gain access to “free” telephone usage

• Gain access to the communications network

Figure: Telephony PBX attack

Telephone-Based Threats

Source: http://www.microsoft.com/technet/security/midsizebusiness/topics/complianceandpolicies/socialengineeringthreats.mspx

The telephone offers a unique attack method for social engineering hackers. It is a familiar medium, but it is also impersonal, because the target cannot see the hacker. The communications options for most computer systems can also make the Private Branch Exchange (PBX) an attractive target. These attacks include stealing either credit card or telephone card PINs at telephone booths. Most people are aware that they should be wary of prying eyes when using an ATM, but most people are less cautious when entering a PIN in a telephone booth.

VoIP is a developing market that offers cost benefits to companies. Currently, due to the relatively restricted number of installations, VoIP hacking is not considered to be a major threat. However, as more businesses embrace this technology, VoIP spoofing is set to become as widespread as email and IM spoofing are now.

Private Branch Exchange (PBX)


There are three major goals for a hacker who attacks a PBX:

• Request information, usually through the imitation of a legitimate user, either to access the telephone system itself or to gain remote access to the computer system

• Gain access to “free” telephone usage

• Gain access to the communications network

Each of these goals is a variation on a theme, with the hacker calling the company and attempting to get telephone numbers that provide access directly to a PBX, or through a PBX to the public telephone network. This is called phreaking. The most common approach is where the hacker pretends to be a telephone engineer, requesting either an outside line or a password to analyze and resolve problems reported on the internal telephone system, as shown below:

Figure: Telephony PBX attacks

Requests for information or access over the telephone are relatively risk-free forms of attack. If the target becomes suspicious or refuses to comply with a request, the hacker can simply hang up. But, realizing that such attacks are more complicated, a hacker simply calls a company and asks for the user ID and password. The hacker usually presents a scenario, asking for or offering help, before making the request for personal or business information, almost as an afterthought.

Table: Private Branch Exchange Attacks and Costs

Attack goal | Description | Cost
Request for company’s information | Hacker impersonates a legitimate user to gain confidential information | Confidential information; business credibility
Request for telephone information | Hacker impersonates a telephone engineer to gain access to the PBX in order to make external calls | Resources; money
Use PBX to access computer systems | Hacker breaks into computer systems through the PBX to steal or manipulate information, infect them with malware, or use resources | 

Service Desk

The service desk or help desk is one of the mainstay defenses against hackers, but it is, conversely, a target for social engineering hackers. Although support staff are often aware of the threat of hacking, they are also trained to help and support callers, offering them advice and solving their problems. Sometimes the enthusiasm demonstrated by technical support staff in providing a solution overrides their commitment to security procedures. This presents service desk staff with a dilemma: if they enforce strict security standards, asking for proof that the request or question comes from an authorized user, they may appear unhelpful or even obstructive.

Table: Service Desk Telephony Attacks and Costs

Attack goal | Description | Cost
Request for information | Hacker impersonates a legitimate user to get business information | Confidential information
Request for access | Hacker impersonates a legitimate user to get security access to business systems | Confidential information; business credibility; business availability; resources; money

It is more difficult to defend the service desk analyst against an internal or contract-worker hacker. Such a hacker will have a good working knowledge of internal procedures and will have time to make sure that they have all the information required before they make a service desk call. The security procedures must serve a dual role in this situation:

• The service desk analyst must ensure that there is an audit trail of all actions. If a hacker succeeds in gaining unauthorized access to information or resources through a service desk call, the service desk must have recorded all activities so that the damage or loss can quickly be rectified or limited. If each call triggers an automated or manual e-mail message stating the problem or request, it will also be easier for an employee who has suffered identity theft to realize what has happened and call the service desk.

• The service desk analyst must have a well-structured procedure for handling calls. For example, if the employee’s manager must make access change requests by email, there can be no unauthorized or informal changes to security levels.


Personal Approaches

• The simplest and cheapest way for a hacker to get information is to ask for it directly

• This approach may seem crude and obvious, but it has been the bedrock of confidence tricks since time began

The simplest and cheapest way for a hacker to get information is to ask the victim directly. This approach may seem crude and obvious, but it has been the bedrock of confidence tricks. The four main successful approaches for social engineers are:

• Intimidation: This approach may involve the impersonation of an authority figure to coerce a target to comply with a request.

• Persuasion: The most common forms of persuasion include flattery or name dropping.

• Ingratiation: This approach is usually a more long-term ploy, in which a subordinate or peer coworker builds a relationship to gain trust and, eventually, information from a target.

• Assistance: In this approach, the hacker offers to help the target. The assistance will ultimately require the target to divulge personal information that will enable the hacker to steal the target’s identity.

Defending users against these types of personal approach is very difficult. Some users are naturally susceptible to one or more of these four attacks. The defense against an intimidation attack is the development of a “no fear” culture within a business. If normal behavior is politeness, then the success of intimidation is reduced, because individual staff members are more likely to escalate confrontational situations. A supportive attitude within management and supervisory roles toward the escalation of problems and decision-making is the worst thing that can happen to a social engineering hacker. Their goal is to encourage a target to make a quick decision; with the problem escalated to a higher authority, they are less likely to achieve this goal.

Persuasion has always been an important human method of achieving personal goals. The hacker will always ask for, or manufacture, a scenario in which a user volunteers the restricted information. Ongoing awareness campaigns and basic guidance covering security devices such as passwords are the best defense.

Hackers need time to ingratiate themselves with users. The hacker will need to be in regular contact, probably by taking the role of a coworker. For most midsized companies, the main coworker threat comes from regular service or contract personnel. Finally, assistance attacks can be minimized if there is an effective service desk. The in-house assistant is often a result of disaffection with existing company support services. Enforce two elements in order to make sure that staff contact the service desk rather than an unauthorized in-house expert or an expert from outside the company:

• Specify in the security policy that the service desk is the only point to which users should report issues.

• Ensure that the service desk has an agreed response process within the departmental service-level agreement. Audit the service desk performance regularly to make sure that users receive the right level of response and solution.

Posted: 26/12/2013, 20:22