Social Engineering

1
Social Engineering

• CS4235 Final Project
• Kenny St. Clair, David Mercer,
• Allen Brewer, Laura Bungenstock

2
Outline

• What is it?
• How is it done?
• Who is at risk?
• CoC Security Audit

3
What is it?

• Social engineering is the oldest form of hacking.
• Social engineers focus on the users of the
  system. By gaining the trust of the user, a
  social engineer can simply ask for whatever
  information he or she wantsand usually get it.

4
The Weakest Link

• As software and hardware becomes increasingly
  secure, the weakest element continues to persist.
• The people that use the network are the weakest
  link!

5
A social engineers mantra

• There is no patch for human stupidity.

6
Definitions

• Social engineering is a use of psychological
  knowledge to trick a target into trusting the
  engineer, and ultimately revealing information
• -Ross Bearman
• involving the use of social skills and personal
  interaction to get someone to reveal
  security-relevant information and perhaps even to
  do something that permits an attack
• -Charles and Shari Pfleeger

7
Definitions

• A hackers clever manipulation of the natural
  human tendency to trust. The hackers goal is to
  obtain information that will allow him to gain
  unauthorized access to a valued system and the
  information that resides on that system
• -Sarah Granger
• uses deception, influence, and persuasion
  against businesses, usually targeting
  information
• -Kevin Mitnick

8
Our Definition

• Social engineering is a psycho-social attack that
  subverts human trust and helpfulness in order to
  attain the attackers goals.

9
Outline

• What is it?
• How is it done?
• Who is at risk?
• CoC Security Audit

10
How is it done?

• Attacks come in various forms
• On the phone, over e-mail, in person
  impersonation

11
Impersonation

• Play the part!
• Social Engineers must
• Anticipate problems
• Know jargon and procedures of the role

12
Impersonation

• And most importantly, knowledge of how to build
  trust with whomever they need information from.
• Social engineers most often impersonate authority
  figures, assistants to authority figure, and new
  employees.

13
More techniques

• Dummy Mode
• Bury the key question
• Research (Google)

14
Over the phone

• The phone is the most popular method of social
  engineering because it is difficult to verify or
  deny someones identity.

15
Over e-mail and IM

• E-mail attacks are very common (phishing).
• E-mail is also used for impersonation.
• Obtaining password for an IM account could lead
  to access to a bank account, other personal data.

16
Dumpster diving

• Digging through trash at corporations in search
  of sensitive data.

17
Outline

• What is it?
• How is it done?
• Who is at risk?
• CoC Security Audit

18
Who is at risk?

• Everyone.
• Everyone with information is a potential target!

19
Real World Examples

• 90 of office workers gave away their password
  for a pen.
• 70 of people who trade their password for a bar
  of chocolate.

20
Real World Examples

• 1/3 of the IRS employees provided their user name
  and changed their password in a 2005 security
  audit.
• USC vs. Cal basketball game

21
Outline

• What is it?
• How is it done?
• Who is at risk?
• CoC Security Audit

22
CoC Security Audit

• Hands-on experience
• Test the weakest link
• Cleared to target CoC faculty, staff, and
  students

23
CoC Security Audit

• GOAL Collect as much data as possible that was
  either sensitive or gave access to sensitive
  data.

24
CoC Security Audit

• Our plan for collecting data
• E-mail impersonation
• Phone impersonation
• Dumpster diving

25
E-mail Impersonation

• Abuse the Georgia Tech alias system
• tso-security_at_gatech.edu
• Eniola.Okeowo_at_gatech.edu

26
E-mail Impersonation

• By using the tso-security alias we could target
  faculty, using Keith Watsons name as the
  signature.
• By using eniola.okeowo we could target our fellow
  students.

27
E-mail Impersonation

• 12 hours later, OIT had revoked our aliases,
  according to
• Section of Policy Violation 2.3.1. User
  Impersonation/False Identity.

28
Plan B

• Change the outgoing address on our e-mail to
  Eniola Okeowo, and use the advantage of the
  random gtg e-mails as the reply-to.
• In total we received 11 replies with GTID
  information.
• 2 replies were sent directly to Eniola.

29
Dumpster Diving

• Professors often put their trashcans outside
  their offices before leaving for the day to allow
  janitors to take away their trash.
• The CoC is rarely (if ever) empty, and searching
  these bins before the janitors arrive is
  difficult.

30
Dumpster Diving

• No sensitive data was found.
• The trash removal policy at the CoC made it
  difficult for us to effectively dumpster dive.

31
Phone impersonations

• Of the professors we reached over the phone, none
  released their passwords to us.
• Common responses were
• I do not give passwords out over the phone.
  click
• Let me check on this and get back to you.

32
Audit Conclusions

• Faculty and staff of the CoC are clearly trained
  how to handle and protect sensitive information.
• Althoughwe are concerned with the students
  understanding of the semi-sensitive nature of the
  GTID, especially if combined with data
  aggregation.

33
Outline

• What is it?
• How is it done?
• Who is at risk?
• CoC Security Audit

34
Questions?

• Any questions?