Social Engineering (II909) Kaido Kikkasakadeemia.kakupesa.net/arhiiv/SE2018S/lectures/lecture8.pdfExamples The stories come from various sources, ranging from the beginning (sort of)

Topic 8: some examples and stories

2018 Kaido Kikkas. This document is dual-licensed under the GNU Free Documentation License (v l.2 or newer) and the Creative Commons Attribution-ShareAlike (BY-SA) 3.0 Estonia or newer license

Social Engineering (II909)

Kaido Kikkas

Examples

● The stories come from various sources, ranging from the beginning (sort of) to today (pictures come from Wikimedia Commons)

● Revisiting some topic 1 material too, with some additional depth gathered from subsequent topics

● In all cases, SE relies of people being too– clueless– nice

It all started in the Garden of Eden● Social engineers are from Hell (apparently) –

the first of them being the Devil himself, deceiving Adam

● Methods used:● Pretexting/masquerading (serpent)● Persuasion (“You will not die”)● Baiting (“You will get to know good and evil, just like

God”)● Woman-in-the-Middle attack (Eve)

https://en.wikipedia.org/wiki/Fall_of_man#/media/File:Michelangelo_S%C3%BCndenfall.jpg

Beware of the Greeks bearing gifts

● The original Trojan Horse (supposedly conceived by Ulysses)

● Methods:● Baiting● Persuasion (Sinon “left behind”)● Ignorance/disbelief (Cassandra)● Assassination (Laocoön killed after

trying to warn Trojans)● Escalation (30-50 men let the army

in)https://en.wikipedia.org/wiki/Trojan_Horse#/media/File:Replica_of_Trojan_Horse_-_Canakkale_Waterfront_-_Dardanelles_-_Turkey_(5747677790).jpg

The promised land in Nowhere

● Gregor MacGregor of Scotland● Fought in Latin America early

18th c.● The Poyais scheme 1821-37● Convinced 250 people to move to

a fictional colony in Venezuela, half of them died; many others lost their ‘investments’

● Was welcomed as a hero back in Venezuela in 1838, after death in 1845 received full military burial

https://en.wikipedia.org/wiki/Gregor_MacGregor#/media/File:General_Gregor_MacGregor_retouched.jpg

A lot of scrap metal in Paris

● Victor Lustig 1925● Sold Eiffel Tower to scrap.

Twice.● Second take backfired, was

forced to flee to the U.S.● Method: brilliant use of an

actual long-time controversy● Ended up in Alcatraz, died in

1947● “Apprentice salesman” listed

as occupation on death certificate

https://en.wikipedia.org/wiki/Victor_Lustig#/media/File:Victor_Lustig.jpg

Lustig’s Commandments● Be a patient listener (it is this, not fast talking, that gets a con man

his coups)

● Never look bored

● Wait for the other person to reveal any political opinions, then agree with them

● Let the other person reveal religious views, then have the same ones

● Hint at sex talk, but don't follow it up unless the other person shows a strong interest

● Never discuss illness, unless some special concern is shown

● Never pry into a person's personal circumstances (they'll tell you all eventually)

● Never boast - just let your importance be quietly obvious

● Never be untidy

● Never get drunk

Collect some toll in NYC

● Charles C. Parker● “And if you believe that, I have a

bridge to sell you”● Sold various NY landmarks to

immigrants, including the Brooklyn bridge (“start collecting toll”)

● Methods: persuasion, pretexting, document forgery

● Died in Sing Sing in 1936

https://en.wikipedia.org/wiki/George_C._Parker#/media/File:Parker_02.png

The Pyramid

● Carlo (Charles) Ponzi 1920● Postal coupon business financed

by expansion (the pyramid or Ponzi scheme)

● Collapse cost: ~20 MUSD● Died as a poor man in Brazil in

1949

https://en.wikipedia.org/wiki/Charles_Ponzi#/media/File:Ponzi1920.jpg

Kevin

● THE social engineer● Greater LA bus hack at school● Looped background ad tape to get into Pacific

Telephone● Donuts left for FBI (after an early warning alarm

started to work)● Employed by Holme, Roberts & Owen law firm

in Denver as Erik Weisz● … (seek and read by yourself)

Three blind mice

● Muzher, Shadde and Munther (Ramy) Badir, three Israeli Arab brothers born blind

● Extensive phreaking and social engineering spree in the 90s

● 44 charges in 1999, ~2M USD● No legislation in Israel that time● Ramy got 47 month, Muzher 6

months of community service

https://www.wired.com/wp-content/uploads/archive/wired/archive/12.02/images/FF_84_phreaks_1.jpg

Viva Las Vegas

● Alex Mayfield and his friends, 1990s (as described by Mitnick’s The Art of Intrusion)

● Reverse-engineered the ROM of gambling machines and managed to swap it in

● Two interesting steps:● Part of the object code was listed in the related patent

application (in a Washington DC library)● Managed to purchase a similar Japanese design in Vegas,

engineered the limitations)

The three (back)doors

● Back Orifice, Sub7 and NetBus (around the turn of the century)

● Classic trojan horses, no self-propagation – spread by social engineering only

● The case in Sweden

Scambaiting

● a.k.a. mugu-baiting, turning the table on (mostly African) scammers

● Some really hilarious stories, e.g. http://scamorama.com/smurf.html

● Morally ambiguous – scamming a scammer is still a scam, OTOH wasting his efforts is essentially good

Conclusion

● The main point to learn from stories – people are good, lazy and try to avoid conflicts

● In the land of the blind, the one-eyed man is king. So is a half-compentent person in the land of ignorants…

● SE is a dark art – it destroys faith in people :)

For further reading

● The Best of 2600: A Hacker Odyssey by Emmanuel Goldstein

● The Art of Deception, The Art of Intrusion and Ghost in the Wires by Kevin Mitnick (also The Art of Invisibility, but it is not about SE)

● Scamorama.com, 419eater.com, whatsthebloodypoint.com