Computer Security Management
(ISYS20261)
Lecture 10 - Social Engineering

Module Leader: Dr Xiaoqi Ma
School of Science and Technology
Today ...

… we will discuss:
• Pretexting
• Phishing
• IVR or phone phishing
• Baiting
• Quid pro quo

Computer Security Management
Page 2
Social Engineering

• Manipulating people into performing actions or providing confidential
  information
• Social engineering techniques are based on specific attributes of
  human decision-making known as cognitive biases
• These biases are exploited in various combinations to create
  criminal attack techniques
• Examples of social engineering:
  – Pretexting
  – Phishing
  – IVR or phone phishing
  – Baiting
  – Quid pro quo
  – Etc.

Social Engineering Attacks

• Attacker might pose as:
  – A fellow employee
  – An employee of a vendor, partner company, or law enforcement
  – Someone with authority
  – A systems manufacturer offering a system patch or update
  – Someone offering help if a problem occurs, then causing the problem to occur

• Attacker might use software:
  – Sending free software or a patch for the victim to install (Trojan)
  – Sending viruses or Trojans as an e-mail attachment
  – Using a fake pop-up window asking the user to log in
  – Leaving a CD with malicious software lying around

• Others:
  – Offering a prize for registering on a Web site
  – Dropping a document in the mail room for intra-office delivery

Pretexting (1)

• Creating and using an invented scenario (pretext) to persuade a
  targeted victim to release information or perform an action; it is
  typically done over the telephone
• Often involves some prior research or set-up and the use of pieces
  of known information (e.g. for impersonation: name, date of birth,
  last bill amount) to establish legitimacy in the mind of the target
• Used, for example, to trick a business into disclosing customer
  information; also used by private investigators to obtain telephone
  records, utility records, banking records and other information
  directly from junior company service representatives
• As most companies authenticate clients by asking only for a name,
  date of birth, or mother's maiden name, the method is effective in
  many situations

Pretexting (2)

• Can also be used to impersonate co-workers, police, bank, tax
  authorities, or insurance investigators — or any other individual who
  could have perceived authority or right-to-know in the mind of the
  targeted victim
• The pretexter must simply prepare answers to questions that might
  be asked by the victim. In some cases all that is needed is a voice
  that sounds authoritative, an earnest tone, and an ability to think
  on one's feet

Example (1)

• Mary arrived early to get a head start on what she expected to be a
  long day and was surprised to find her phone ringing. She picked it
  up and gave her name:
  “Hi, this is Peter Sheppard. I’m with Arbuckle Support, the company
  that does tech support for your firm. We logged a couple of
  complaints over the weekend from people having problems with the
  computers there. I thought I could troubleshoot before everybody
  comes into work this morning. Are you having any problems with
  your computer connecting to the network?”

Example (2)

• She told him she didn’t know yet. She turned her computer on and
  while it was booting he explained what he wanted to do:
  “I’d like to run a couple of tests with you. I’m able to see on my
  screen the keystrokes you type and I want to make sure they’re
  going across the network correctly. So every time you type a stroke
  I want you to tell me what it is and I’ll see if the same letter or
  number is appearing here. Okay?”

Example (3)

• With nightmare visions of her computer not working and a
  frustrating day of not being able to get any work done, she was
  more than happy to have this man help her. After a few moments,
  she told him: “I have the login screen and I’m going to type in my
  ID. I’m typing it in: M A R Y”
  “Great so far. I’m seeing that here. Now go ahead and type your
  password but don’t tell me what it is. You should never tell anybody
  your password, not even tech support. I’ll just see asterisks here –
  your password is protected so I can’t see it.”

Example (4)

• None of this was true but it made sense to Mary. And then he said:
  “Let me know once your computer has started up.”
• When she said it was running he had her open two of her
  applications and she reported that they launched just fine
• Mary was relieved to see that everything seemed to be working.
  Peter said:
  “I’m glad I could make sure you’ll be able to use your computer OK.
  And listen, we just installed an update that allows people to change
  their passwords. Would you be willing to take a couple of minutes
  with me so I can see if we got it working right?”

Example (5)
• She was grateful for the help he had given her and readily agreed.
  Peter walked her through the steps of launching the application that
  allows a user to change passwords (a standard element of the Windows
  operating system)
• Peter said: “Go ahead and enter your password, but remember not
  to say it out loud.”
• When she had done so, Peter said: “Just for this quick test, when it
  asks for your new password enter ‘test123’. Then type it again in
  the verification box and click Enter.”
• He talked her through the process of disconnecting from the server.
  He told her to wait a couple of minutes, then connect again, this
  time trying to log on with her new password. It worked fine and
  Peter seemed pleased. He talked her through changing it back to
  her original password, once more cautioning her not to say it out
  loud.

Example (6)

• “Well, Mary,” Peter said, “we didn’t find any trouble, and that’s great. If
  any problems come up, just ring us at Arbuckle. I’m usually on a
  special project, but anyone here can help you.”
• Analysing the con:
  – Ringing reception at 7:30 – an emergency, he needs to talk to anyone in accounting
  – Call Mary, say there are problems, give her the jitters so she is keen for help
  – After giving ‘help’, ask for a favour
  – Quickly logged on with the temporary password, installed his own program and
    cleared his access from the logs

• Common features of such cons:
  – The con is embedded in a long palaver
  – If the con came at the end of the day, Mary would remember it as the last thing;
    after a busy working day she will have forgotten it
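An added detection example, not part of the lecture slides: the trace the con above leaves in account-audit logs is a password change, a logon from a host that is not the user's own while the temporary password is in force, and a second password change shortly after. The event format, host names, user names and timestamps below are constructed for this example.

```python
"""Flag the 'temporary password' pattern in account-audit events.

Pattern looked for, per user, inside a short window:
  PASSWORD_CHANGE -> LOGON from a host other than the one that changed it
                  -> PASSWORD_CHANGE again (the change back).
The pipe-separated event format is constructed for this example and is
not a real product's log format.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log, one event per line: time|event|user|host
SAMPLE_LOG = """\
2011-03-07T07:31:02|LOGON|mary|WS-MARY
2011-03-07T07:41:10|PASSWORD_CHANGE|mary|WS-MARY
2011-03-07T07:42:05|LOGOFF|mary|WS-MARY
2011-03-07T07:43:30|LOGON|mary|10.0.5.77
2011-03-07T07:44:12|LOGOFF|mary|10.0.5.77
2011-03-07T07:45:00|LOGON|mary|WS-MARY
2011-03-07T07:49:40|PASSWORD_CHANGE|mary|WS-MARY
2011-03-07T08:05:00|LOGON|bob|WS-BOB
2011-03-07T08:06:00|PASSWORD_CHANGE|bob|WS-BOB
2011-03-07T09:00:00|PASSWORD_CHANGE|alice|WS-ALICE
2011-03-07T09:02:00|LOGON|alice|WS-ALICE
2011-03-07T09:05:00|PASSWORD_CHANGE|alice|WS-ALICE
"""


@dataclass
class Event:
    time: datetime
    kind: str
    user: str
    host: str


def parse_log(text):
    """Parse the constructed format into Event objects, skipping blank lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, kind, user, host = line.split("|")
        events.append(Event(datetime.fromisoformat(ts), kind, user, host))
    return events


def find_temp_password_cons(events, window=timedelta(minutes=30)):
    """Return alerts as (user, first_change, foreign_logon_hosts, second_change).

    An alert needs two PASSWORD_CHANGE events for the same user within
    `window`, with at least one LOGON between them from a host different
    from the one that made the first change (the attacker's machine).
    """
    alerts = []
    by_user = {}
    for ev in sorted(events, key=lambda e: e.time):
        by_user.setdefault(ev.user, []).append(ev)
    for user, evs in by_user.items():
        changes = [e for e in evs if e.kind == "PASSWORD_CHANGE"]
        for first, second in zip(changes, changes[1:]):
            if second.time - first.time > window:
                continue
            foreign = sorted({
                e.host for e in evs
                if e.kind == "LOGON"
                and first.time < e.time < second.time
                and e.host != first.host
            })
            if foreign:
                alerts.append((user, first.time, foreign, second.time))
    return alerts


if __name__ == "__main__":
    for user, t1, hosts, t2 in find_temp_password_cons(parse_log(SAMPLE_LOG)):
        print(f"{user}: password changed {t1:%H:%M:%S}, logon from {hosts}, "
              f"changed back {t2:%H:%M:%S}")
```

Only mary is flagged: bob changes his password once, and alice changes hers twice but every logon in between comes from her own workstation.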


Phishing

• A criminal technique of fraudulently obtaining private information
• Typically, the phisher sends an e-mail that appears to come from a
  legitimate business (e.g. a bank or credit card company) requesting
  "verification" of information and warning of some dire consequence
  if it is not provided
• The e-mail usually contains a link to a fraudulent web page that seems
  legitimate (i.e. with company logos and content) and has a form
  requesting everything from a home address to an ATM card's PIN
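An added example, not from the lecture: a small checker for the indicators just listed, run over a constructed e-mail (fictional domains under .test and .example). It flags a link whose visible text names the bank's site while its href goes elsewhere, links outside the sender's domain, and "verify or else" wording.

```python
"""Score an e-mail for the phishing indicators described on the slide.

Both sample messages and all domains are constructed for this example.
"""
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlsplit

SAMPLE_EMAIL = """\
From: "Example Bank Security" <security@examplebank.test>
To: mary@victim.test
Subject: Urgent: verify your account within 24 hours
Content-Type: text/html

<html><body>
<p>Dear customer, unusual activity was detected. You must verify your
details within 24 hours or your account will be suspended.</p>
<p><a href="http://examplebank.test.login-check.example/verify">
https://www.examplebank.test/secure</a></p>
</body></html>
"""

BENIGN_EMAIL = """\
From: "Example Bank" <news@examplebank.test>
To: mary@victim.test
Subject: Your March statement is ready
Content-Type: text/html

<html><body><p>Your statement is available at
<a href="https://www.examplebank.test/statements">our website</a>.</p></body></html>
"""

# Wording the slide associates with phishing: a demand plus a threat.
URGENCY_PHRASES = ("verify", "suspended", "within 24 hours", "immediately")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude 'last two labels' approximation; production code should use a
    public-suffix list so that e.g. co.uk is handled correctly."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def analyse_email(raw):
    """Return a list of human-readable findings; an empty list means clean."""
    msg = message_from_string(raw)
    sender_dom = registered_domain(msg["From"].split("@")[-1].strip("> "))
    body = msg.get_payload()
    findings = []
    parser = LinkExtractor()
    parser.feed(body)
    for href, text in parser.links:
        href_dom = registered_domain(urlsplit(href).hostname or "")
        if href_dom != sender_dom:
            findings.append(f"link host {href_dom!r} is not the sender domain {sender_dom!r}")
        # Visible text that is itself a URL must agree with where the href goes.
        text_host = urlsplit(text).hostname if "://" in text else None
        if text_host and registered_domain(text_host) != href_dom:
            findings.append(f"visible link {text!r} actually points to {href_dom!r}")
    text_all = (msg["Subject"] + " " + re.sub(r"<[^>]+>", " ", body)).lower()
    hits = [p for p in URGENCY_PHRASES if p in text_all]
    if hits:
        findings.append("urgency/threat wording: " + ", ".join(hits))
    return findings


if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_EMAIL), ("benign", BENIGN_EMAIL)):
        print(name, analyse_email(raw) or ["no findings"])
```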




Phone Phishing (IVR phishing)

• Uses a fake Interactive Voice Response (IVR) system to recreate a
  legitimate-sounding copy of a bank's or other institution's IVR system
• Typically the victim receives an e-mail asking them to call the "bank" via
  an (ideally toll-free) number provided in order to "verify" information
• A typical system will reject log-ins continually, ensuring the victim
  enters PINs or passwords multiple times, often disclosing several
  different passwords
• More advanced systems transfer the victim to the attacker posing as
  a customer service agent for further questioning

Baiting

• A Trojan horse that uses physical media and relies on the curiosity or
  greed of the victim
• The attacker leaves a malware-infected floppy disc, CD-ROM, or USB
  flash drive in a location sure to be found (bathroom, elevator,
  sidewalk, parking lot), gives it a legitimate-looking and
  curiosity-piquing label, and simply waits for the victim to use the device
• Examples could be:
  – Installation disks for expensive Office software
  – Fake electronic executive reports (infected spreadsheets)
  – Fake demo programs

Quid pro quo

• “Something for something”
• An attacker calls random numbers at a company, claiming to be
  calling back from technical support
• Eventually they will hit someone with a legitimate problem, grateful
  that someone is calling back to help them
• The attacker will "help" solve the problem and in the process have
  the user type commands that give the attacker access or launch
  malware (see the pretexting example!)

Summary

Today we learned:
• Social engineering exploits human cognitive biases
• Manipulating people into performing actions or providing confidential
  information
• Social engineering techniques include:
  – Pretexting
  – Phishing
  – IVR or phone phishing
  – Baiting
  – Quid pro quo



