Exploiting the human weakness
www.niiconsulting.com

Presentation by: Wasim ‘washal’ Halani
Network Intelligence India Pvt. Ltd.
Network Intelligence, incorporated in 2001, is a committed and well-recognized provider of services, solutions and products in the IT Governance, Risk Management, and Compliance space. Our professionals have made a mark for themselves with highly satisfied clients all across the globe, supported by our offices in India and the Middle East. As an ISO 27001-certified company ourselves, we are strongly positioned to understand your needs and deliver the right answers to your security and compliance requirements. We have won accolades at numerous national and international forums and conferences. Our work truly speaks for itself, and our clients are the strongest testimony to the quality of our services!

• Information security at every organization is one of the most important aspects!
• It is people who handle this information.
• Social Engineering is exploiting the weakest link – the employees.

“Social Engineering is the act of manipulating people into performing actions or divulging confidential information, rather than by breaking in or using technical hacking techniques; essentially a fancier, more technical way of lying.”

[Source: Wikipedia]




Wordpress vulnerability on the blogs of their websites

Kevin ‘don’t call me a security expert’ Mitnick

Dan ‘I smile when I am hacked’ Kaminsky

• Phishing
• Baiting
• Identity Theft
• Dumpster Diving
• Email Scams
• Use of Authority
• Request for Help
• Indulging Curiosity
• Exploiting Greed
= Abuse of Trust

• IT/ITES Company
• Two offices
• About 400 – 500 employees
• We had previously conducted other security projects for them
• Guards were familiar with us
• We also knew a few people from our previous projects

• Only 3 people in the organization aware of the exercise
• Obtain ‘get-out-of-jail-free’ card!
• Bought a spy pen-cam
• Create fake authorization letters
  ◦ Fake letterhead (thank-you Photoshop)
  ◦ Fake signatures
  ◦ Fake content
• Understand the organization’s process flow
• Obtain employee list
• Define ‘targets’

• Security Auditor
  ◦ Surprise audit on behalf of Government Agency
  ◦ Chinese attacks on Indian institution (same-day newspaper headlines)
• College Student
  ◦ Research project
• Customer
  ◦ Call-center
• Phishing
• Social Networking

• Visit the office
• Convince the guard to let me in for the surprise security audit
  ◦ “It won’t be a surprise if you tell anyone”
• Once again we interviewed people
  ◦ Some suspicious
  ◦ Reading is not verifying
• Dumpster diving

• Gain unauthorized access
• Stay back late, after almost all employees have left
  ◦ Photograph the office
• ‘Steal’ sensitive documents
  ◦ From open drawers
• Check personal folders kept on desks

• Sensitive information on technologies used
• Network architecture revealed
• A lot of technical information revealed to the “college student” doing a project, as well as to the journalist
• Found a bundle of official letterheads in the store-room
• Gained access to the Server Rooms

• We registered a domain with a single-letter difference
  ◦ Registered email accounts
• Prepared an ‘Employee Complaint/Feedback Form’
  ◦ Company header, styling etc.
• Sent out mails on behalf of an HR person
• Employees are asked to enter their ‘credentials’ to log in to the system
• The final page has a PDF that is to be downloaded as a ‘unique token number’
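The defender's side of the phishing step above, as an added example that is not part of the original deck: the attackers registered a domain one letter away from the client's real domain and mailed staff as "HR". A mail gateway or SIEM rule can catch that class of sender by measuring the edit distance between each sender's domain and the organisation's own domains, folding digit-for-letter look-alikes (1 for l, 0 for o) first, and flagging anything close but not identical. The trusted domains, the threshold of two edits and the sample From: headers are constructed for the example, not taken from the case study.

```python
"""Flag inbound mail whose sender domain is a near-miss of a trusted domain.

Added example, not from the slide deck: the case study used a domain one
letter away from the real one. This shows the gateway-side check that
catches substitutions, insertions, deletions, adjacent transpositions and
common digit/letter look-alikes. All domains and headers are constructed.
"""

import re

# Constructed example: the organisation's legitimate mail domains (assumption).
TRUSTED_DOMAINS = {"example-corp.com", "example-corp.co.in"}

# Digits attackers commonly swap for the letters they resemble.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute or
    swap two adjacent characters, each at cost 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def normalise(domain: str) -> str:
    """Lower-case and fold digit look-alikes so 'examp1e' compares as 'example'."""
    return domain.lower().strip().translate(HOMOGLYPHS)


def closest_trusted(domain: str, trusted=TRUSTED_DOMAINS):
    """Return (trusted_domain, distance) for the nearest trusted domain."""
    norm = normalise(domain)
    best = min(trusted, key=lambda t: osa_distance(norm, normalise(t)))
    return best, osa_distance(norm, normalise(best))


def classify_sender(address: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2) -> str:
    """Return 'trusted', 'lookalike' or 'external' for one sender address.
    A domain that is not exactly trusted but within max_distance edits of a
    trusted one is the impersonation pattern we want to surface."""
    domain = address.rsplit("@", 1)[-1].lower()
    if domain in trusted:
        return "trusted"
    _, dist = closest_trusted(domain, trusted)
    return "lookalike" if dist <= max_distance else "external"


FROM_RE = re.compile(r"^From:.*?<([^>]+)>", re.IGNORECASE)


def flag_headers(header_lines):
    """Scan From: header lines; return (address, verdict) for every sender
    that is not from a trusted domain, in input order."""
    results = []
    for line in header_lines:
        m = FROM_RE.match(line)
        if not m:
            continue
        addr = m.group(1)
        verdict = classify_sender(addr)
        if verdict != "trusted":
            results.append((addr, verdict))
    return results


# Constructed sample From: headers, including one-letter-off HR impersonations.
SAMPLE_HEADERS = [
    'From: "HR Department" <hr@example-corp.com>',    # genuine
    'From: "HR Department" <hr@exampel-corp.com>',    # transposed letters
    'From: "HR Department" <hr@examp1e-corp.com>',    # digit 1 for letter l
    'From: "HR Department" <hr@example-crop.com>',    # transposed letters
    'From: "Newsletter" <news@some-vendor.net>',      # ordinary external sender
]

if __name__ == "__main__":
    for addr, verdict in flag_headers(SAMPLE_HEADERS):
        print(f"{verdict:10s} {addr}")
```

The threshold is deliberately small: at two edits the rule stays quiet for ordinary external senders while still catching the single-letter registrations the deck describes. In production the same comparison would also be run over the domains of links in the message body, since the deck's form was hosted on the look-alike domain as well.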

• About 10 users entered their credentials, which we captured
• No one downloaded the PDF
• Took about 10-15 minutes for the HR dept. to be alerted
  ◦ They sent out an email denying the fake email
• One employee had a discussion with HR and responded back to our email address

• LinkedIn
  ◦ Fake employee profile
    ▪ Searched for people not listed in the network
  ◦ Joined the company ‘network’
  ◦ Sent out invites
• Facebook
  ◦ Multiple fake profiles
    ▪ Added each other as friends

• Turns out they had a new employee
• Everyone thought his profile was the ‘fake’ one
• Very difficult to identify the real profile
• ‘Attractive’ profiles receive friend requests

Confidential…

Contact:
wasim.halani@niiconsulting.com
http://www.niiconsulting.com
@washalsec
