Good morning
- Matthias Vermeiren
- Joachim Seminck
Hackers... Or not?
Stereotype of a hacker
Uses computers, viruses, trojans, bugs
Steals confidential information through a computer
Social Engineering...what?
Breaching network using people skills
Powers of observation
Psychologically manipulating people
People are often the weakest link
Social Engineering...how?
Impersonating IT staff
“Your account is disabled, I need your password”
Employee gives password
Social Engineering...how?
Playing on users’ sympathy
Pretending to be a worker from the outside (phone company, ISP, ...)
“New on the job, have to check out some wiring, or else I get fired....”
Gaining physical access to computers and servers
In any case: the social engineer appears to be worried, afraid or upset about some dire consequence
Social Engineering...how?
Wooing them with words
When the stakes are high (e.g. a big financial reward for getting into the network)
Slowly becoming close friends with target victims
Elaborate, long-term schemes
Initiating and developing a romantic relationship
Victim trusts S.E. enough to reveal confidential information (and smartcards, ...)
Social Engineering...how?
Intimidation tactics
S.E. pretends to be someone important
Big boss from HQ
Government inspector
Someone who strikes fear in the employee’s heart
- Angry and yelling
- Threatens to fire the employee if they don’t get the information
Very few people would say no out of fear of losing their job
Social Engineering...how?
The greed factor
S.E. offers money or goods in exchange for the information
Usually more subtle
In general: S.E. promises some benefit
(better-paying job at a competing company, ...)
Social Engineering...how?
Creating confusion
Creating a problem
Taking advantage of it
Social Engineering...how?
Shoulder surfing
“Passive” form of social engineering
Observe victim whilst typing passwords
Without their knowledge
Gaining trust so they don’t mind the S.E. being there
Social Engineering...how?
Dumpster diving
Predates computers
Looking for hard copies of information to breach the network
S.E. could pose as a janitor
Access to discarded papers, CDs, discs, etc.
Social Engineering...how?
Gone phishing
Well-publicised internet scam
Fake e-mails
Sites that are identical to the originals
Users enter confidential information (passwords, IDs, ...)
Information gets forwarded to the S.E.
Social Engineering...how?
Reverse social engineering
S.E. gets others to ask him/her the questions
Creating a problem with the network or software
S.E. is the expert coming to fix the problem
Gets full access to the systems
Requires a lot of planning
Social Engineering...Protection
Number one line of defence:
User Education
Backed up by
Clear (written) policies
Who can enter server room?
To whom can users give their password?
...
Social Engineering = Not a technological problem
It does have a technological solution
Multifactor authentication
Social Engineering...Case study
Sources
- Ten common social engineering ploys, by Debra Shinder, TechRepublic
- Social Engineering – An attack vector most intricate to tackle!, by Ashish Thapar
- Malware campaign at YouTube uses social engineering tricks, by Dancho Danchev
- Junk mailers get the human touch, by BBC news
Questions?
Thank you!