DEFCON 23, Las Vegas August, 2015 Heng Guan Classify Targets To Make Social Engineering Easier To Achieve

Upload: heng-guan

Post on 18-Feb-2017


TRANSCRIPT

Page 1: Defcon23 Talk Classify Targets To Make Social Engineering Easier To Achieve

DEFCON 23, Las Vegas, August 2015

Heng Guan

Classify Targets To Make Social Engineering Easier To Achieve

Page 2

Agenda
00. Overview
01. Information leakage
02. The best time to commit
03. Always choose the weaker
04. According to the physiological characteristics of women's special
05. Younger people and older people
06. Big Data involved
07. Based on the event
08. Give limited time
09. The arts of force
10. SRC and whitehats
11. Senior worker & HRs
12. Mitigation & Conclusion
13. Q & A

Page 3

BIO and Disclaimer

This is a discussion about how to bypass the human WAF according to different characteristics, as a complement to existing research. Though my talk aims to prevent and warn people, it stands mainly on an attacker's side. It CANNOT be used to launch attacks. No one was tested during this research. I was/am/will not be responsible for what you did/do/will do according to this talk. You have been warned... and will be warned again and again...

One of the few Chinese women security researchers & engineers. Bachelor of Computer Science and Technology; liked genetics much more, but for some reason ended up majoring in software engineering. Constructed part of the Attack-With-Defence platform used by XCTF.

Page 4

Overview
- As you know, in some countries, research on Social Engineering only means dumping databases and searching items. This talk will not include that. Despite different cultures and social environments, human beings have something in common.
- Many factors (culture, age, gender, level of vigilance, the time we choose, the current psychological/physical state...) affect the success of each Social Engineering action.
- This talk is mainly about how to execute Big Data-based, highly accurate, massive social engineering attacks by using the different characteristics of different groups.
- Social engineering strategies in China do not just rely on who launches the attack.
- Regardless of the method, in an attacker's view, it's all about earning money and destroying the company.

Page 5

Information leakage

Attacking a highly secured company without collecting the necessary information is very time consuming. The first thing an attacker will do is find the weakest link, the points people ignore. Some examples:
- fingerprint
- express box
- official files
- personal info
- sharing
- flyers
- drivers
- card
- take-away service
- same mobile phone number, company, house
- twitter/facebook
- search engine
- GPS

Page 6

Example: Lucky Money

This is an example of how to take time, age, event and emotion factors into consideration: in mid-February 2015, Chinese people had a long Happy New Year holiday, and the majority of young people happily collected "Lucky Money" by simply clicking a picture (or link) shown on their mobile phone. ("Lucky Money" is money people give to kids in the new year.) Though the amount of money they could get per click may be only 0.01~1.00 RMB or 0.

News report: people scrambling for Lucky Money (* audio is in Chinese, hope you don't mind)

Page 7

The best time to commit
- People cannot stay clear-headed 7*24 hours. In every country, human beings need to work and relax; we will feel tired, get sick, make mistakes, hurry, and be in need.
- Many social engineering frauds failed because they were committed at the wrong time.
- To facilitate intrusion, what attackers care about is how often the protection systems become unstable and when the emergency team will be absent.
- After a big company's career talk.
- When people are too tired or hurrying to do something else.

Page 8

Always choose the weaker

Some people are born with the capability to defend against being cheated, some are not.
- The groups that often complain about being cheated
- Use asymmetric information
- People in need
- People around the target
- The more a guy dreams of, the more vulnerable he will be

Page 9

According to the physiological characteristics of women's special
- Women are more kindhearted, show more mercy, believe things more easily, and are closer to important targets.
- They have played the receiving role in the long-term polygamous evolution of the species. Two main evolutionary strategies are used: one is to choose the best and bear the best child she can have, sacrificing quantity for quality; the other is to bear multiple children with a large number of males, sacrificing quality for quantity. Both methods have their advantages, and it's hard to say which is better. But if not limited, quantitative change leads to qualitative change.
- In my opinion, males are not so clear about how to choose females, making a vicious circle.
- After committing crimes for a long time, attackers will feel bored, and their aim will become causing some severe problem.
- But cyber experts and guards are mostly male; they cannot prevent the attacks that come from female nature.

Page 10

Younger people and older people

Older people:
- Use electronic devices less
- Biologically hard to learn new things and easy to forget
- Need more company
- Give more understanding and forgiveness

Younger people:
- Like cool things
- Adolescents are impulsive, pure, easily excited and can be used by love
- Children are new to this world, full of curiosity; it just costs a lollipop

The worst thing is: you can't manage them every minute and second.

Page 11

Big Data involved
- These two pictures show a Big Data based automatic risk control system. It helps judge whether a user is really himself in these aspects: account, device, location, behavior, relationship and preference, to prevent malicious transactions. In this way, even if other people have your password, because they may not use the same device that is in your hand, they live in another city, they log in at a time you never log in, they try to buy something you never care about, and the total amount is abnormal, the risk control system will refuse the transaction.
- When a programmer leaves, he will take away the part of the project he was involved in.
- Imagine this scenario: one day, high-level artificial intelligence based on Big Data is achieved. Artificial intelligence can simulate the words, the voice and everything of your trusted family member just as if they were really talking to you, and ask for your credentials. How do you verify your mother is your mother? What if millions of computers call millions of people automatically? In my eyes, a little optimizing can make the RISK CONTROL model do this.
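The risk control system described above, as an added example that is not part of the original slides: a small Python scorer that learns an account's baseline from its history (constructed sample data for a hypothetical account) and scores a new transaction across the device, location, time, preference and amount dimensions the slide names; the weights and the refusal threshold are assumptions.

```python
from dataclasses import dataclass

# Constructed sample history for one hypothetical account ("u1"); not real data.
HISTORY = [
    {"device": "phone-A", "city": "Shanghai", "hour": 20, "category": "books", "amount": 80.0},
    {"device": "phone-A", "city": "Shanghai", "hour": 21, "category": "books", "amount": 120.0},
    {"device": "laptop-B", "city": "Shanghai", "hour": 19, "category": "groceries", "amount": 60.0},
    {"device": "phone-A", "city": "Shanghai", "hour": 22, "category": "books", "amount": 95.0},
]

@dataclass
class Baseline:
    devices: set
    cities: set
    hours: set
    categories: set
    max_amount: float

def build_baseline(history):
    """What 'being yourself' looks like for this account, learned from its history."""
    return Baseline(
        devices={h["device"] for h in history},
        cities={h["city"] for h in history},
        hours={h["hour"] for h in history},
        categories={h["category"] for h in history},
        max_amount=max(h["amount"] for h in history),
    )

def score_transaction(baseline, tx):
    """Add risk for every dimension that deviates from the account's own history.
    A correct password alone contributes nothing: someone who knows it but uses a
    new device in another city at an odd hour still scores high (weights assumed)."""
    score, reasons = 0, []
    if tx["device"] not in baseline.devices:
        score += 2; reasons.append("unknown device")
    if tx["city"] not in baseline.cities:
        score += 2; reasons.append("unusual location")
    if min(abs(tx["hour"] - h) for h in baseline.hours) > 1:
        score += 1; reasons.append("unusual login time")
    if tx["category"] not in baseline.categories:
        score += 1; reasons.append("unusual purchase category")
    if tx["amount"] > 3 * baseline.max_amount:
        score += 3; reasons.append("abnormal amount")
    return score, reasons

def decide(baseline, tx, refuse_at=4):
    """ALLOW, STEP_UP (ask for a second factor) or REFUSE; threshold is an assumption."""
    score, reasons = score_transaction(baseline, tx)
    if score >= refuse_at:
        return "REFUSE", reasons
    return ("STEP_UP" if score else "ALLOW"), reasons
```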

Page 12

Based on the event
- As mentioned in the former chapter:
  Annual festival
  Important examination
  After a meeting ended
  Graduation season and new staff coming in
  Employment state change
- Events in a hacker's eye are always different: gay marriage maybe means "Hi guys, another way to get an American Green Card!"
- Attackers care about what is happening and what will happen. If they go further, collect and analyze current information, prepare for all the scenarios they think will happen, and at the correct time do something, like: let the press publish fake news, or let a busy working politician read a wrong paper handed over by a temporary worker's mistake, it will be much easier than through technical methods.

Page 13

Give limited time

If people have no time to think twice or are in a hurry, no matter what your malicious link looks like, they will shut down their anti-virus software and click on it.

How to commit still depends on the target the attacker chooses.

To attack normal people and pursue quantity, according to what the specific group cares about, give them what they want, like Lucky Money or a coupon: let a big picture show "12 remaining out of 100000" with a transparent picture link covering the top. Give a job seeker a fake offer saying "you should submit in 5 minutes", and let them log in.

To attack specific people, give a fake link and fake picture:
- Sell his house on Amazon or eBay
- Sell the night of his daughter

If the picture shows only 1 or 2 minutes left, most people will click, because people think these two things are much more important than cyber security.

Page 14

The arts of force

Just threatening people with what will happen has little use for forcing.

In many places in the world, attackers wait for people who have done wrong, or give some seemingly easy work to newcomers but let them modify and modify and modify; at last, out of fear of being fired, some bad contracts get signed.

As said in the former chapter, the goal is not always the database; maybe it is to cause some trouble.

Live online is another way to force: when a betrayal happens, victims can't refute it on the spot.

If you want to force someone to tell you the truth, asking directly may not work, but if you come across him appealingly near his house, seem by chance to know some important guys who will affect his life, wait until the target has a meal alone, go straight and sit beside him, no need to tell him anything, he will feel it's time to talk to you.

Page 15

SRC and whitehats
- Some findings are ignored by the SRC
- But not every SRC staff member knows how to deal with all types of vulnerabilities
- Some SRCs ask for so much but give little
- Some SRCs tell hackers how to launch attacks

Page 16

Senior worker & HRs

Hackers can easily be annoyed by HRs: they are not CTOs, maybe don't know how to hire security guys, and some judge by obsolete rules, refusing people with character, not only hackers. What's more, some HRs like sharing.
- Some senior workers in your company set obstacles for useful people.
- New workers' security settings.
- How female HRs treat beautiful female candidates.

Page 17

Mitigation & Conclusion

After discussing the characteristics that need to be classified, let's see two mitigation methods.

One is to train people. It's a long campaign, but this is what we need now. If we do not start training and practicing and building models, other countries will.

Another is to bear children with defensive capability and good character by nature. In this hypothesis, males can choose the best eggs to have descendants, and females can choose the best cell to have descendants too, then choose the partner best fit to live with. I mention the second method because what we lack is not people but a talented workforce. Maybe someone will think that we shouldn't let a minority of elites have more children than others, to ensure equality, but the reality is that bad or irresponsible guys have more children instead of the elites, and human beings' average quality keeps descending. You can see in some 3rd party countries overpopulation and reverse evolution promoting each other.

In conclusion: with the evolution of databases, rights limited, download speed limited, it is harder to execute add, delete, modify and search actions; with the leakage of databases containing petabytes or terabytes of information, most confidential archives are physically not connected to the Internet. The future will be the social engineers'. It's time to do it.

Page 18

Q & A

Because of the visa, I can't attend the conference, so it's hard to answer your questions immediately. If you have questions, please send an email to: [email protected] or [email protected]. I will reply to each email, if not hacked.

Thank you for your time.