Social Engineering
Agenda
What is it?
Real life cases
Traits Exploited
Phishing
Methodology
Scenarios
Tricks of the Trade
Physical Pen testing?
Defenses
Demo!
Watch it!
Human Link is the weakest in the Security Chain
Perception
Authority, Slow Response, Fear & Anxiety
http://www.youtube.com/watch?v=q7V4U2RUaeg&feature=related


Hackers
Mentalist
Rockford Files
James Bond!
Engineering the Socials & The Rest
Manipulation of Human Trust (and Traits) to elicit information. This
could be further used to directly/indirectly steal data, identity,
money, etc., get access to systems, further manipulate others, for
financial gain or otherwise.


A combination of the standard security checks was identified by
engineering and ethically manipulating the processes, trust levels
and human aspects of day-to-day operations in the company.


Modes:
• Human Based
• Computer Based
Traits Exploited [Generally.. ;P]
Traits:
• Helplessness
• Guilt
• Anxiety
• Fear [Authority]
• Trust
• Moral Duty
• Helpfulness
• Cooperation
• Delegated Responsibility
Through:
• Situations
• Urgency
• Impersonation - Partially Known Factors
• Persuasion
• Request
• Orders/Demand
• ..
• Technology [Modems, Malware, OSINT, Exploits, Phishing, Spoofing, Websites, other computer based techniques and Help Desk ;)]
Phishing - Vishing
2003 saw the proliferation of a phishing scam in which users received e-mails
supposedly from eBay claiming that the user's account was about to be
suspended unless a link provided was clicked to update a credit card
(information that the genuine eBay already had). Because it is relatively
simple to make a Web site resemble a legitimate organization's site by
mimicking the HTML code, the scam counted on people being tricked into
thinking they were being contacted by eBay and subsequently, were going
to eBay's site to update their account information. By spamming large
groups of people, the "phisher" counted on the e-mail being read by a
percentage of people who already had listed credit card numbers with eBay
legitimately, who might respond.


Phone Phishing (IVRs)
A typical system will reject log-ins continually, ensuring the victim enters
PINs or passwords multiple times, often disclosing several different
passwords.
(courtesy – Wikipedia)
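The eBay scam above rests on two tells a mail filter can check: the visible link text names one site while the href points somewhere else, and the message pressures the reader with suspension language. The following detector is an added example written for this page, not code from the deck or its author; the sample e-mail, the assumed list of legitimate sender domains and the urgency word list are all constructed for the example.

```python
"""Flag phishing-style links in an HTML e-mail body (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the claimed sender legitimately uses (assumed list for this example).
CLAIMED_SENDER_DOMAINS = {"ebay.com"}

# Pressure phrases typical of "your account will be suspended" lures (constructed list).
URGENCY_PATTERNS = re.compile(
    r"\b(suspend(ed|ing)?|within \d+ hours?|immediately|verify your (account|card))\b",
    re.IGNORECASE,
)

# A bare domain name mentioned inside visible link text, e.g. "www.ebay.com".
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")


class _LinkCollector(HTMLParser):
    """Collects (visible text, href) pairs for every <a> element plus all body text."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.text_chunks = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        self.text_chunks.append(data)
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def registrable_domain(host):
    """Crude 'last two labels' domain; good enough for .com style hosts."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def domain_in_text(text):
    """Return the first domain name the link text shows the reader, or None."""
    match = DOMAIN_RE.search(text.lower())
    return match.group(0) if match else None


def href_host(href):
    """Hostname the href really resolves to; None for mailto:, javascript:, relative or malformed."""
    try:
        parsed = urlparse(href.strip())
    except ValueError:
        return None
    if parsed.scheme in ("http", "https") and parsed.hostname:
        return parsed.hostname
    return None


def analyse_email(html, claimed_domains=CLAIMED_SENDER_DOMAINS):
    """Return human-readable findings; an empty list means nothing suspicious was seen."""
    parser = _LinkCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for text, href in parser.links:
        real = href_host(href)
        if real is None:
            continue
        real_dom = registrable_domain(real)
        shown = domain_in_text(text)
        if shown and registrable_domain(shown) != real_dom:
            findings.append(f"link text says {shown!r} but href goes to {real!r}")
        elif real_dom not in claimed_domains:
            findings.append(f"link {text!r} points off-brand to {real!r}")
    body = " ".join(parser.text_chunks)
    if findings and URGENCY_PATTERNS.search(body):
        findings.append("urgency language combined with suspicious links")
    return findings


# Constructed sample modelled on the 2003 eBay lure: the shown URL is ebay.com,
# the real host is a look-alike whose registrable domain is not ebay.com.
SAMPLE_EMAIL = """
<html><body>
<p>Dear eBay member,</p>
<p>Your account will be <b>suspended</b> within 24 hours unless you update
your credit card details.</p>
<p>Click <a href="http://ebay.com.account-update.example/cgi-bin/verify">
https://www.ebay.com/update</a> to verify your account.</p>
<p>Need help? Visit <a href="https://www.ebay.com/help">eBay Help</a>.</p>
</body></html>
"""

if __name__ == "__main__":
    for finding in analyse_email(SAMPLE_EMAIL):
        print("SUSPICIOUS:", finding)
```

The genuine help link in the sample passes because its host resolves to the claimed sender domain; only the look-alike host and the pressure wording are reported.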
Barge In!
Fake ID
Fake Authorization Letter
Uniform?
Recorder
Videos
Bag?
Suit Up!
Target
Asset Identification – Information?
No I don’t have a Gun




Diversion theft - "going straight out" or "urgently required somewhere else".
Passive - Tailgating, Eavesdropping, Shoulder surfing
Baiting
Cold Calling
Backdoors, Rootkits, Keyloggers
Device!
Catch Me if you can
Frank Abagnale
Victor Lustig
Kevin Mitnick
Badir Brothers – Again
Mike Ridpath
Frank William Abagnale
Notorious in the 1960s for passing $2.5 million worth of meticulously forged
checks across 26 countries over the course of five years, beginning when he
was 16 years old.
He attained eight separate identities as an airline pilot, a doctor, a U.S.
Bureau of Prisons agent, and a lawyer. He escaped from police custody twice
(once from a taxiing airliner and once from a U.S. federal penitentiary).
Cases
Lustig had a forger produce fake government stationery for him.
Invited six scrap metal dealers to a confidential
There, Lustig introduced himself as the deputy director-general of the
Ministry of Posts and Telegraphs.
Lustig told the group that the upkeep on the Eiffel Tower was so outrageous
that the city could not maintain it any longer, and wanted to sell it for scrap.
Due to the certain public outcry, he went on, the matter was to be kept
secret until all the details were thought out. Lustig said that he had been
given the responsibility to select the dealer to carry out the task. The idea
was not as implausible in 1925 as it would be today.
Later, Lustig convinced Al Capone to invest $50,000 in a stock deal. Lustig
kept Capone's money in a safe deposit box for two months, then returned it
to him, claiming that the deal had fallen through. Impressed with Lustig's
integrity, Capone gave him $5,000. It was, of course, all that Lustig was after.
Cases Contd..
1st Source Information Specialists
Illinois became the first state to sue an online records broker when Attorney
General Lisa Madigan sued 1st Source Information Specialists, Inc., on 20
January, a spokeswoman for Madigan's office said. The Florida-based
company operates several Web sites that sell mobile telephone records,
according to a copy of the suit. The attorneys general of Florida
and Missouri quickly followed Madigan's lead, filing suit on 24 and 30
January, respectively, against 1st Source Information Specialists and, in
Missouri's case, one other records broker – First Data Solutions, Inc.
Involves - C*****S****
Physical Security [Dumpster Diving, Shoulder surfing, Eavesdropping,
stealing in Remote Devices, covert entry/exits, impersonation, dressing, IDs,
badges, etc.]
Perimeter Security
General Intelligence
Emails, Phishing, Websites,
OSINT[social networks, forums, portals, public knowledge]
Research
Social Engineering ;)
..
TRUST
Scenarios - 1
Social Engineering: “They asked a janitor for a garbage pail in which to place their contents and carried all of this data out of the building in their hands.”
LUCK: You have won “100000$”!
what I call a chain reaction
Mr. Smith: Hello?
Caller: Hello, Mr. Smith. This is Fred Jones in tech support. Due to some disk space constraints, we’re going to be moving some users’ home directories to another disk at 8:00 this evening. Your account will be part of this move, and will be unavailable temporarily.
Mr. Smith: Uh, okay. I’ll be home by then, anyway.
Caller: Good. Be sure to log off before you leave. I just need to check a couple of things. What was your username again, smith?
Mr. Smith: Yes. It’s smith. None of my files will be lost in the move, will they?
Caller: No sir. But I’ll check your account just to make sure. What was the password on that account, so I can get in to check your files?
Mr. Smith: My password is tuesday, in lower case letters.
Caller: Okay, Mr. Smith, thank you for your help. I’ll make sure to check your account and verify all the files are there.
Mr. Smith: Thank you. Bye.
[- Taken from Melissa Guenther]
Defenses
Layered Security: Physical, Process, Tech
• Least Privileges
• Password Policy
• Access Controls
• Safe Disposal
• Removable Device Policy
• Latest Set Up
• Content Management and filtering
• Change Management
• Monitoring
• Awareness
References
http://www.symantec.com/connect/articles/social-engineering-fundamentals-part-i-hacker-tactics
https://www.trustedsec.com/
http://en.wikipedia.org/wiki/Social_engineering_(security)
http://www.social-engineer.org/se-resources/
