
Social Engineering

SBA Research & Vienna University of Technology

Edgar R. Weippl

Human Factor

Estimation for Risk Analysis

Social Engineering

Digital Natives

(Diagram: a digital native's accounts and what each one is used for)

Cool handle: Twitter
iPad, iPhone, Mac: Apple
Email: Google
To buy stuff: Amazon

Attack chain drawn on the diagram:

1: Backup email unknown
2: Google [email protected]
3: Backup: m…[email protected]
4: Forgot PW? Support asks for: billing address, last 4 digits of CC
5: Whois: address -> billing address
6: Add new CC: email, CC (fake), billing address
7: Forgot PW? You need: email, CC info, billing address -> last 4 digits of other CCs are visible -> last 4 digits of CC
8: Devices: iPhone, iPad, Mac
9: Post nonsense to Twitter
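The chain above works because each provider's recovery procedure accepts as proof of identity exactly what another provider hands out. That property can be checked mechanically. The following Python is an added example, not part of the slides: it encodes the nine steps as recovery rules (the shop, device vendor, mail provider and Twitter stand for the Amazon, Apple, Google and Twitter boxes on the diagram; the policies are assumptions for illustration, not any provider's actual procedure), forward-chains from the attacker's public starting knowledge, and then shows which single policy change breaks the chain.

```python
"""Forward-chaining model of an account-recovery chain.

Each provider's password-recovery policy is a rule: the facts an attacker
must already hold, and the facts (or accounts) gained by completing the
step. Chaining the rules to a fixed point shows whether a small public
starting set reaches the target account and which policy change stops it.
"""

# (rule id, facts required, facts gained). The rules paraphrase the nine
# numbered steps on the slide; the exact policies are assumptions for
# illustration, not any provider's current recovery procedure.
RULES = [
    # Step 5: the victim's domain registration shows a postal address,
    # which is also the billing address on file elsewhere.
    ("whois", frozenset({"name"}), frozenset({"billing_address"})),
    # Step 6: a new (fake) card can be added to the shop account with only
    # the account email and the billing address.
    ("shop_add_card", frozenset({"email", "billing_address"}),
     frozenset({"shop_card_on_file"})),
    # Step 7: a reset with email, a card on file and the billing address
    # grants the shop account, which displays the last 4 digits of the
    # victim's other cards.
    ("shop_reset", frozenset({"email", "shop_card_on_file", "billing_address"}),
     frozenset({"shop_account", "cc_last4"})),
    # Steps 4 and 8: device-vendor support resets the account given billing
    # address and last 4 digits; that account controls the devices and the
    # victim's second email address.
    ("vendor_reset", frozenset({"billing_address", "cc_last4"}),
     frozenset({"vendor_account", "vendor_email", "devices"})),
    # Step 3: the vendor address is the backup address of the mail account.
    ("mail_reset", frozenset({"vendor_email"}),
     frozenset({"mail_account", "mail_email"})),
    # Steps 1, 2 and 9: the mail account is the backup address of Twitter.
    ("twitter_reset", frozenset({"mail_email"}), frozenset({"twitter_account"})),
]

# Assumed public knowledge the attacker starts with.
ATTACKER_START = frozenset({"name", "email", "twitter_handle"})


def derive(start, rules):
    """Fire every rule whose requirements are met until nothing new is learned.
    Returns the facts reached and the rules fired, in firing order."""
    known = set(start)
    fired, fired_ids = [], set()
    progress = True
    while progress:
        progress = False
        for rule in rules:
            rid, needs, gains = rule
            if rid not in fired_ids and needs <= known and not gains <= known:
                known |= gains
                fired.append(rule)
                fired_ids.add(rid)
                progress = True
    return known, fired


def attack_path(start, target, rules):
    """Ordered rule ids leading from `start` to `target`, or None if unreachable."""
    known, fired = derive(start, rules)
    if target not in known:
        return None
    # Walk the fired rules backwards, keeping only those that supplied a
    # fact a later step actually needed.
    needed = {target}
    path = []
    for rid, needs, gains in reversed(fired):
        if gains & needed:
            path.append(rid)
            needed = (needed - gains) | (needs - start)
    return list(reversed(path))


def harden(rules, rule_id, drop_gain=None, add_need=None):
    """Copy of `rules` with one policy changed: stop revealing `drop_gain`
    and/or additionally require `add_need` for that step."""
    out = []
    for rid, needs, gains in rules:
        if rid == rule_id:
            if drop_gain:
                gains = gains - {drop_gain}
            if add_need:
                needs = needs | {add_need}
        out.append((rid, needs, gains))
    return out


if __name__ == "__main__":
    print("as on the slide:", attack_path(ATTACKER_START, "twitter_account", RULES))
    # Shop hides the last 4 digits of other cards: vendor support can no
    # longer be satisfied, so the chain stops at the shop account.
    fixed = harden(RULES, "shop_reset", drop_gain="cc_last4")
    print("shop hides last 4:", attack_path(ATTACKER_START, "twitter_account", fixed))
    # Vendor support demands a factor the attacker cannot obtain remotely.
    fixed = harden(RULES, "vendor_reset", add_need="device_possession")
    print("vendor needs device:", attack_path(ATTACKER_START, "twitter_account", fixed))
```

The useful output is not the attack path itself but the hardened variants: removing one disclosure (the shop no longer echoing partial card numbers) or adding one out-of-band requirement at the vendor is enough to cut the chain, while each provider's own recovery flow still works. The same fixed-point check scales to a larger inventory of providers and recovery questions.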

Knowledge Worker

• “It demands that we impose the responsibility for their productivity on the individual knowledge workers themselves. Knowledge workers have to manage themselves. They have to have autonomy.

• Continuous innovation has to be part of the work, the task and the responsibility of knowledge workers.

• Knowledge worker productivity requires that the knowledge worker is both seen and treated as an 'asset' rather than a 'cost'. It requires that knowledge workers want to work for the organization in preference to all other opportunities.”

Source: http://www.knowledgeworkerperformance.com/Peter-Drucker-Knowledge-Worker-Productivity.aspx

Experts

• „But in all my experience, I have never been in any accident … of any sort worth speaking about. I have but one vessel in distress in all my years at sea. I never saw a wreck and never have been wrecked nor was I ever in any predicament that threatened to end in disaster of any sort.“

E.J. Smith, 1907, Captain, RMS Titanic

Source: New York Times, April 16, 1912

Experts

• Reliable data is often not available – Example: botnets

Richard A. Kemmerer. How to steal a botnet and what can happen when you do. In Proceedings of the 11th International Conference on Information and Communications Security (ICICS'09), Sihan Qing, Chris J. Mitchell, and Guilin Wang (Eds.). Springer-Verlag, Berlin, Heidelberg, 2009. DOI: 10.1007/978-3-642-11145-7_1 http://dx.doi.org/10.1007/978-3-642-11145-7_1

Talk: How to steal a botnet, Richard Kemmerer, https://www.youtube.com/watch?v=2GdqoQJa6r4

• Alternate sources:
– Models, prediction
– Estimates, experience, guesses

It is not bad to use these methods if one is aware of the drawbacks.

Prediction

• People overestimate their knowledge – „Unknown Unknowns“ (D. Rumsfeld)

• People are bad at evaluating the quality of their knowledge – Example: anchoring

• People are bad at judging how good their judgment is – Example: 2% confidence studies, effective error rate 15 - 30%

Social Engineering

• Anatomy of an attack. http://blogs.rsa.com/anatomy-of-an-attack/

• Google hack attack was ultra sophisticated, new details show. http://www.wired.com/threatlevel/2010/01/operation-aurora/

• Microsoft hacked: joins Apple, Facebook, Twitter. InformationWeek. http://www.informationweek.com/security/attacks/microsoft-hacked-joins-apple-facebook-tw/240149323

• N. Perlroth. Chinese hackers infiltrate New York Times computers. The New York Times, Jan. 2013.

Types of S.E. Attacks

• Physical approaches – dumpster diving, stealing, …

• Social approaches – relationships, inside knowledge

• Reverse social engineering – victim contacts attacker

• Technical approaches – freely available information, guessing and targeted attacks

• Socio-technical approaches – USB sticks, …

SOCIAL APPROACHES

https://www.youtube.com/watch?v=vBPG_OBgTWg

(0:39)

Perception

https://www.youtube.com/watch?v=ubNF9QNEQLA

Perception

https://www.youtube.com/watch?v=IGQmdoK_ZfY

A well-known video…

Human Factors

On Pseudologia phantastica [with regard to] the example of the character Felix Krull from the homonymous novel by Thomas Mann and cognitively induced biases in stereotypical judgment

Emotions and Feelings

• Authority

• Strong Emotion

• Overloading

• Reciprocation

• Deceptive Relationships

• Reverse Social Engineering

TECHNICAL APPROACHES

AppInspect: Large-scale Evaluation of Social Networking Apps

• Social networks act as proxies between user and third-party providers

• Personal information is transferred to providers

• App providers themselves rely on third-parties (analytics, advertising products)

• Custom hosting infrastructures

• Approval of apps with authentication dialog

System Architecture for Data Collection


Enumeration

• Exhaustive search in June 2012 with character trigrams

• 434,687 unique applications in two weeks

• Main obstacle: Facebook account rate limits

Most Popular Apps

• 10,624 most popular apps, covering 94.07% of the samples' cumulative application usage

• Language: English (64.72%); 69 different languages in total

Permissions per Provider

• 4,747 applications belonged to 1,646 distinct providers

• 60.24% of all providers requested the personal email address


Suspicious Apps

• 40 providers requested more than 10 permissions

• 139 web tracking / advertising providers used

• Manually verified requested permissions vs. app functionality

• Legitimate uses
– Dating and job hunting applications
– XBOX application (not available anymore)

• Malpractices
– Horoscopo Diario, 2.5 million monthly users: would only require the birthdate, requests 25 different permissions
– Wisdom of the Buddha etc.

Vulnerability

• Web servers: Apache httpd (55%), nginx (15.63%), Microsoft IIS (9.4%)

• 2 hosts with a source code disclosure vulnerability (CVE-2010-2263)

• 8 hosts with ProFTPD buffer overflows (CVE-2006-5815, CVE-2010-4221)

• One host with 1.2 million monthly users and sensitive information

Web Bugs

Information Leaks

• 315 apps directly transferred sensitive information to third parties (via HTTP parameter)

• 51 applications leaked unique user identifiers through the HTTP Referer header

• 14 out of these 51 applications also leaked API authorization tokens
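Both leak types on the slide (sensitive values placed directly in a third-party request URL, and values that ride along in the Referer header because the app's own page URL contains them) can be found in a request log with a simple classifier. The following Python is an added example, not the AppInspect tooling or any code from the paper; the hostnames, the log format (METHOD URL REFERER, one request per line, "-" for a missing Referer) and the sample traffic are constructed for illustration.

```python
"""Classify third-party requests that carry user data or API tokens.

kind == "parameter": the app itself put the data in the request URL.
kind == "referer":   the data travelled in the Referer header, i.e. it was
                     part of the URL of the page that embedded the resource
                     (web bug, ad script, analytics pixel).
"""
from urllib.parse import urlsplit, parse_qs

# Parameter names that identify the user or grant API access.
SENSITIVE = {"access_token", "signed_request", "uid", "user_id", "fb_user_id", "email"}

# Hosts operated by the app provider itself; anything else is a third party.
# Hypothetical domain for illustration.
FIRST_PARTY = {"example-app.test"}

# Constructed sample traffic, not real captured data.
SAMPLE_LOG = """\
# the app's own canvas page, loaded with the platform access token in the URL
GET https://apps.example-app.test/canvas?access_token=AAAB.demo&uid=100012345 -
# a tracking pixel that the app parameterises with user data itself
GET https://pixel.tracker.test/i.gif?uid=100012345&email=alice%40example.test https://apps.example-app.test/canvas
# an ad script fetched from the canvas page: the browser attaches the page URL as Referer
GET https://ads.tracker.test/collect?v=1 https://apps.example-app.test/canvas?access_token=AAAB.demo&uid=100012345
# first-party stylesheet: same Referer, but the recipient is the provider itself
GET https://cdn.example-app.test/style.css https://apps.example-app.test/canvas?access_token=AAAB.demo&uid=100012345
# third-party script fetched from a page whose URL carries no user data
GET https://ads.tracker.test/script.js https://apps.example-app.test/about
"""


def sensitive_params(url):
    """Names of sensitive parameters present in the query string of `url`."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return sorted(name for name in query if name.lower() in SENSITIVE)


def is_first_party(host):
    """True if `host` is one of the provider's own domains or a subdomain."""
    return any(host == d or host.endswith("." + d) for d in FIRST_PARTY)


def analyze(log_text):
    """One finding per third-party request that carries sensitive data."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        method, url, referer = line.split(maxsplit=2)
        host = urlsplit(url).hostname or ""
        if is_first_party(host):
            continue
        for kind, carrier in (("parameter", url), ("referer", referer)):
            if carrier == "-":
                continue
            leaked = sensitive_params(carrier)
            if leaked:
                findings.append({"kind": kind, "third_party": host,
                                 "params": leaked,
                                 "token": "access_token" in leaked})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

The "referer" class is the one developers tend to miss: nothing in the app explicitly sends the token, the browser does it for every embedded third-party resource. The fix on the app side is to keep tokens and identifiers out of page URLs (POST body, Authorization header, or the URL fragment, which browsers never send in Referer) and to set a restrictive Referrer-Policy on the page.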

Facebook Summary

• Reported our findings to Facebook in November 2012
– Facebook responded within one week
– Skype meetings with Facebook
– Facebook acknowledged problems and contacted developers
– Fixed in May 2013

• Security and privacy implications
– Since January 2010 unproxied access to the email address
– 60% of application developers request the email address
– Social phishing, context-aware spam
– Users trackable by real name

• Hosting
– A number of hosts possibly vulnerable
– FTP/SSH bruteforce
– Amazon EC2 community images

Techniques

• Shoulder surfing

• Phishing
– Spear phishing

• Google (e.g. intitle:"Live View / - AXIS 210")

• Waterholing

• Baiting
– USB stick

• Social networking sites
– freddi staur
– Robin Sage

• IM

• Spying, pretending justified interest

• Telephone, face-to-face

Is it the users’ fault?

http://www.emarsys.net/u/reg.php?par=sliBLsUjox_194008_111_2_t_119422470_23396

Hagai Hartman
emarsys eMarketing Systems AG
[email protected]
Maerzstrasse 1/5 OG 1/5
Wien, 1150, AT

Why do Nigerian Scammers Say They are from Nigeria? (Cormac Herley, Microsoft Research) https://research.microsoft.com/pubs/167719/WhyFromNigeria.pdf

Are phishers really stupid?

Lessons learned

• Secure passwords do not solve all problems – alternate attack vectors
– Phishing
– Social engineering, etc.

• Backup passwords and recovery options are dangerous
– Security questions
– Backup email accounts
– Support calls

• How can you identify a person?
– Credit card?
– Social security number?
– Fingerprint?
– Login / password?

Cloud Services in Mobile Networks

Christian Platzer

Further reading

Fraud and Abuse: A Survey of Life on the Internet Today. Ellen Cram Kowalczyk, Principal Security Program Manager Lead, Microsoft. http://channel9.msdn.com/Events/Blue-Hat-Security-Briefings/BlueHat-Security-Briefings-Fall-2012-Sessions/BH1201

Social Authentication. Alex Rice, Product Security, Facebook. http://channel9.msdn.com/Events/Blue-Hat-Security-Briefings/BlueHat-Security-Briefings-Fall-2012-Sessions/BH1202

Psychological Background

• Authority

• Strong Emotion

• Overloading

• Reciprocation

• Deceptive Relationships

• Integrity and Consistency

• Social Proof

Outline

Information Gathering

Elicitation & Pretexting

APT

Observation & Empirical Research

Observation of complex systems

Empirical Research

• Dropbox: Martin Mulazzani, Sebastian Schrittwieser, Manuel Leithner, Markus Huber, and Edgar R. Weippl. Dark clouds on the horizon: Using cloud storage as attack vector and online slack space. USENIX Security Symposium, August 2011.

• WhatsApp: Sebastian Schrittwieser, Peter Fruehwirt, Peter Kieseberg, Manuel Leithner, Martin Mulazzani, Markus Huber, and Edgar R. Weippl. Guess who is texting you? Evaluating the security of smartphone messaging applications. Network and Distributed System Security Symposium (NDSS 2012), February 2012.

• Facebook: Markus Huber, Sebastian Schrittwieser, Martin Mulazzani, and Edgar Weippl. AppInspect: Large-scale evaluation of social networking apps. ACM Conference on Online Social Networks (COSN 2013), 2013.

• Amazon: Amir Herzberg, Haya Shulman, Johanna Ullrich, and Edgar R. Weippl. Cloudoscopy: Services discovery and topology mapping. Proceedings of the ACM Cloud Computing Security Workshop (CCSW) at ACM CCS 2013, 2013.

Attack scenario

(Diagram: social phishing spreading through a friendship graph. An attack seed phishes a friend; the phished friend's account is used to spam that friend's own friends; some of the spammed friends are phished in turn and spam their friends. Labelled 1st iteration, 2nd iteration, 3rd iteration, ...)

Fast Access to Data: Collection of digital evidence through our social snapshot application

Access to Data

Anonymized Social Interconnection Graph

Anonymized Social Interaction Graph using Picture Tags

Social interaction graph using direct messages

Example timeline

Putting it all together …

Information Gathering

Elicitation & Pretexting

APT

Hardware Malware