Social Engineering
December 4, 2006
Copyright 2005 Lighthouse Computer Services, Inc. All rights reserved.
Jerry Hughes - Biography
Heads Lighthouse's IT Governance, Auditing & Compliance practice
Over 20 years of experience
Sarbanes-Oxley, HIPAA, GLBA and Guidance from the FFIEC and related agencies
Certified Information Systems Auditor (CISA)
Certified Project Manager
Certified in COBIT 4.0
Extensive IT audit experience in financial industry
Participated in customer, corporate, federal and state audits
Member of: ISACA.org, TheIIA.org, and PMI.org
Indemnity Agreement
Due to the nature of the information in this presentation, the listener must use this information in a responsible manner
The information presented here is intended to educate and provide information so that the listener can protect against these types of fraud attacks, not launch such an attack
Lighthouse Computer Services, Inc. is not responsible for any use or misuse of the information presented in this presentation
What is Social Engineering?
Questions
PART 1: Background
Fraud Definitions
What is fraud?
Intentional misrepresentation or concealment of information in order to deceive or mislead. It is illegal.
A deception deliberately practiced in order to secure unfair or unlawful gain.
A piece of trickery; a trick.
One that defrauds; a cheat.
One who assumes a false pose; an impostor.
Ingredients of Fraud
In his book 'Small Change, Big Problems', Herbert Snyder defines the elements that are common to fraud.
Snyder says 'Fraud requires three conditions: financial need, rationalization, and opportunity. Lax or nonexistent financial management, along with an 'it can’t happen here' attitude, create the quintessential fraud opportunity waiting to happen' http://alastore.ala.org/SiteSolution.taf?_sn=catalog2&_pn=product_detail&_op=1993
Financial Need
Poverty – Overview (US Census Bureau)
There were 37 million people in poverty (12.6 percent) in 2005. Both the number and rate were statistically unchanged from 2004.
There were 7.7 million families in poverty in 2005, statistically unchanged from 2004.
US Uniform Crime Report
Crime in the United States accounts for more deaths, injuries and loss of property than all natural disasters combined.
Federal Trade Commission – Consumer Fraud & Identity Theft
Consumers reported fraud losses of over $680 million; the median monetary loss was $350.
Rationalization
Perpetrators often rationalize that because it is indirect, it is victimless and therefore 'acceptable'.
The company is so big, 'they can afford it'
'They won’t miss it'
Disgruntled employees – Get Even
Opportunity
Poor Controls
Lack of education on the types of Fraud that exist
Lack of employee education on privacy and security
Impact of Fraud
Actual loss of money
Loss of consumer confidence
Loss of trust
Not only measured in dollars and cents…
Loss of market-share / business
Loss of employees
PART 2: What is Social Engineering?
Definitions
According to Merriam-Webster's dictionary, social engineering is the 'management of human beings in accordance with their place and function in society, applied social science.' 1
'It is the practical application of sociological principles to particular social problems.' 2
'the art and science of getting people to comply with your wishes' 3
'an outside hacker’s use of psychological tricks on legitimate users of a computer system, in order to obtain information he needs to gain access to a system' 4
'getting needed information (for example, a password) from a person rather than breaking into a system' 5
'Social Engineering involves gaining sensitive information or unauthorized access privileges by building inappropriate trust relationships with insiders'
Notable Quotes
Notorious hacker Kevin Mitnick said, 'The weakest link in the security chain is the human element,' according to a March 2000 article in the Washington Post. 6
He went on to say that in more than half of his successful network exploits he gained information about the network, sometimes including access to the network, through social engineering. 6
'You could spend a fortune purchasing technology and services...and your network infrastructure could still remain vulnerable to old-fashioned manipulation.' 6
Kevin Mitnick, renowned and reformed hacker, explains further in his book The Art of Deception that 'people inherently want to be helpful and therefore are easily duped.'
'They assume a level of trust in order to avoid conflict.'
'It's all about, gaining access to information that people think is innocuous when it isn't.'
Approach
Social engineers use tactics that leverage trust, helpfulness, easily attainable information, knowledge of internal processes, authority, technology, and any combination thereof
They often use several small attacks to put them in the position to reach their final goal
Social engineering is all about taking advantage of others to gather information and carry out an attack
The information gained from a phone book may lead to a phone call. The information gained in that phone call may lead to another phone call
A social engineer builds on each tidbit of information he or she gains to eventually stage a final, deadly attack
A successful social engineering attempt could result in great financial loss for the target company. A motivated attacker will be willing to gain information in any way possible
Social Engineering Examples in Movies
Independence Day: Using an old space ship as cover for two humans to infiltrate the alien mother ship and upload a virus to destroy it.
Hackers: Dumpster diving in the target company's trash in order to obtain financial data from printouts.
War Games: Password cracking the military computer system by studying its creator.
Ferris Bueller's Day Off: Faking a grandmother's death to get Ferris's girlfriend excused from school through multiple phone calls and answering machine recordings.
Star Wars: R2-D2 gaining access to the Death Star main computer and shutting down the garbage dispensers.
Beverly Hills Cop 2
Approach Summary
Small bits of info
Seemingly meaningless info
Attackers don’t need to compromise all employees, only one
Employ use of Authority
Driving Factors
Typical Order of Events: Demand, Technology, Implementation, Fraud Controls
Ideal Order of Events: Demand, Technology, Implementation, Fraud Controls
PART 3: Techniques
Techniques
The Web
Phone System - PBX
E-mail Spoofing
Keyboard Logging or Ghost
Caller ID Spoofing
Wireless Access Point
Piggy-Back door entry
Dumpster Diving
USB Jump Drive
Combinations of all of the above
Payroll
PART 4: Prevention
Prevention
Ongoing Education of Staff
Update of Security Policies
Enforcement of Policies
IT Risk Assessments
Data Classification
Network Vulnerability Assessments
Intrusion Detection Systems
Unannounced Social Engineering Audits
Filter e-mail to stop spoofing
Background Checks & References
Stay Informed/Educated on current technology, threats & fraud schemes
Conclusion
The weakest point is the people, not the systems
Train Employees regularly
Set/Update & Enforce Security Policies
Unannounced spot checks
IT Risk Assessments are critical
Questions
Resources
1 http://www.m-w.com/cgi-bin/dictionary?book=Dictionary&va=social+engineering
2 The American Heritage® Dictionary of the English Language, Fourth Edition
3 (Bernz 2) http://packetstorm.decepticons.org/docs/social-engineering/socialen.txt
4 (Palumbo) http://www.sans.org/infosecFAQ/social/social.htm
5 (Berg) http://packetstorm.decepticons.org/docs/social-engineering/soc_eng2.html
6 Otis, Brig, 'Physical Security/Social Engineering'
Sarah Granger, 'Social Engineering Fundamentals, Part I: Hacker Tactics', 2001-12-18
Information Systems Control Journal, Volume 2, 2002
Lighthouse Computer Services, Inc
If you have additional questions or would like more information, please contact me at:
Jerry Hughes, CISA
Case Studies – HP – Pretexting
Fuzzy Laws Come Into Play in the H.P. Pretexting Case
By DAMON DARLIN and MATT RICHTEL
Published: September 19, 2006
SAN FRANCISCO, Sept. 18 — Despite the California attorney general’s assertion that he has enough evidence to press charges against people inside and outside Hewlett-Packard, a criminal case may be hard to prosecute, legal specialists say.
Hewlett-Packard fraudulently obtained private phone records of its own board members while trying to trace a media leak, according to a former trustee who resigned when he learned of the action.
Tom Perkins, one of the founders of Silicon Valley venture capital giant Kleiner Perkins Caufield and Byers and an HP board member until May, resigned after learning that HP consultants posed as Perkins and other board members to obtain their confidential telecommunications records -- a tactic known as pretexting.
Case Studies – HP – Pretexting (Cont.)
The California prosecutors are still collecting evidence and have filed no charges. But they think people hired by Hewlett-Packard or a string of subcontractors used fraudulent means to gain access to phone records, thereby violating some or all of four state statutes, Tom Dresslar, a spokesman for Attorney General Bill Lockyer, said Monday.
Those laws are being used to go after people who the prosecutors believe pretended to be someone else to get private phone records, a practice known as pretexting. Hewlett-Packard has acknowledged that the method was used in an investigation of news leaks from its board. Records of directors, employees and reporters were obtained.
Case Study – Paris Hilton – Phone Scam
Paris Hilton Hack Started With Old-Fashioned Con
Source Says Hacker Posed as T-Mobile Employee to Get Access to Information
By Brian Krebs, washingtonpost.com Staff Writer
Thursday, May 19, 2005; 3:24 PM
The caper had all the necessary ingredients to spark a media firestorm -- a beautiful socialite-turned-reality TV star, embarrassing photographs and messages, and the personal contact information of several young music and Hollywood celebrities.
When hotel heiress Paris Hilton found out in February that her high-tech wireless phone had been taken over by hackers, many assumed that only a technical mastermind could have pulled off such a feat. But as it turns out, a hacker involved in the privacy breach said, the Hilton saga began on a decidedly low-tech note -- with a simple phone call.
Computer security flaws played a role in the attack, which exploited a programming glitch in the Web site of Hilton's cell phone provider, Bellevue, Wash.-based T-Mobile International. But one young hacker who claimed to have been involved in the data theft said the crime only succeeded after one member of a small group of hackers tricked a T-Mobile employee into divulging information that only employees are supposed to know.
T-Mobile declined to comment on the details of the hacker's account of the Paris Hilton incident, saying through a spokesman that the company cannot discuss an ongoing investigation. The spokesman said the company 'will work with federal law enforcement agencies to investigate and prosecute anyone that attempts to gain unauthorized access to T-Mobile systems.'
Getting Access
In the months leading up to the Hilton incident, the hacker group freely exploited a security glitch in the Web site of wireless phone giant T-Mobile, according to the hacker, who described himself as the youngest member of the group. The group had found that a tool on the T-Mobile site that allowed users to reset their account passwords contained a key programming flaw.
By exploiting the flaw, the group's members were able to gain access to the account of any T-Mobile subscriber who used a 'Sidekick,' a pricey phone-organizer-camera combination device that stores videos, photos and other data on T-Mobile's central computer servers.
The hackers could only exploit the Web site vulnerability if they actually knew a Sidekick user's phone number. The loose-knit group had grown bored of using the flaw to toy with friends and acquaintances who owned Sidekicks and decided to find a high-profile target, one that would ensure their exploits were reported in the press, the young hacker said. They ultimately settled on Hilton, in part because they knew she owned a Sidekick; Hilton had previously starred in a commercial advertising the device.
Case Study
Social Engineering Fundamentals, Part I: Hacker Tactics, by Sarah Granger, last updated December 18, 2001
A True Story
One morning a few years back, a group of strangers walked into a large shipping firm and walked out with access to the firm’s entire corporate network. How did they do it? By obtaining small amounts of access, bit by bit, from a number of different employees in that firm. First, they did research about the company for two days before even attempting to set foot on the premises. For example, they learned key employees’ names by calling HR. Next, they pretended to lose their key to the front door, and a man let them in. Then they 'lost' their identity badges when entering the third floor secured area, smiled, and a friendly employee opened the door for them. The strangers knew the CFO was out of town, so they were able to enter his office and obtain financial data off his unlocked computer.
They dug through the corporate trash, finding all kinds of useful documents. They asked a janitor for a garbage pail in which to place their contents and carried all of this data out of the building in their hands. The strangers had studied the CFO's voice, so they were able to phone, pretending to be the CFO, in a rush, desperately in need of his network password. From there, they used regular technical hacking tools to gain super-user access into the system. In this case, the strangers were network consultants performing a security audit for the CFO without any other employees' knowledge. They were never given any privileged information from the CFO but were able to obtain all the access they wanted through social engineering. (This story was recounted by Kapil Raina, currently a security expert at Verisign and co-author of mCommerce Security: A Beginner's Guide, based on an actual workplace experience with a previous employer.)