social engineering via social media
DESCRIPTION
How social media can be used as a social engineering tool to gather information and compromise information systems. Intercepting social media communications using connected service enumeration, and the kill chain (presented in 2011).
TRANSCRIPT
![Page 1: Social engineering via social media](https://reader033.vdocuments.us/reader033/viewer/2022051610/549c3aa2b47959bd318b46b4/html5/thumbnails/1.jpg)
The truth shall set you free: exploiting trust within social media
1
Barry Coatesworth
![Page 2: Social engineering via social media](https://reader033.vdocuments.us/reader033/viewer/2022051610/549c3aa2b47959bd318b46b4/html5/thumbnails/2.jpg)
Defense and Offense
2
1. Defending against Anonymous (Real world example - 2011)
2. The taxonomy of an attack using Social media.
![Page 3: Social engineering via social media](https://reader033.vdocuments.us/reader033/viewer/2022051610/549c3aa2b47959bd318b46b4/html5/thumbnails/3.jpg)
Attacks in 2012
3
![Page 4: Social engineering via social media](https://reader033.vdocuments.us/reader033/viewer/2022051610/549c3aa2b47959bd318b46b4/html5/thumbnails/4.jpg)
Attacks in August (15th - 31st) 2012
4
![Page 5: Social engineering via social media](https://reader033.vdocuments.us/reader033/viewer/2022051610/549c3aa2b47959bd318b46b4/html5/thumbnails/5.jpg)
Attacks in August 2012
5
![Page 6: Social engineering via social media](https://reader033.vdocuments.us/reader033/viewer/2022051610/549c3aa2b47959bd318b46b4/html5/thumbnails/6.jpg)
Attacks in August 2012
6
![Page 7: Social engineering via social media](https://reader033.vdocuments.us/reader033/viewer/2022051610/549c3aa2b47959bd318b46b4/html5/thumbnails/7.jpg)
Attacks in 2011
7
![Page 8: Social engineering via social media](https://reader033.vdocuments.us/reader033/viewer/2022051610/549c3aa2b47959bd318b46b4/html5/thumbnails/8.jpg)
Anonymous - LulzSec and #Anti-Sec
8
#AntiSec
“Welcome to Operation Anti-Security (#AntiSec) - we encourage any vessel, large or small, to open fire on any government or agency that crosses their path.”
“Anonymous was never an advanced persistent threat. Their hacktivist ideology (#Anti-Sec) is a persistent threat and will be for some time yet.”
![Page 9: Social engineering via social media](https://reader033.vdocuments.us/reader033/viewer/2022051610/549c3aa2b47959bd318b46b4/html5/thumbnails/9.jpg)
Anonymous Attacks
9
| Anonymous attack (IPS signature) | Count |
| --- | --- |
| HTTP: SQL Injection (Benchmark) | 1 |
| HTTP: SQL Injection (Benchmark) | 1 |
| HTTP: SQL Injection (SELECT) | 2 |
| HTTP: SQL Injection (SELECT) | 1 |
| HTTP: SQL Injection Evasion SQL Comment Terminator | 1 |
| HTTP: SQL Injection (UNION) | 1 |
| HTTP: SQL Injection Evasion SQL Comment Terminator | 1 |
| HTTP: SQL Injection (Boolean Identity) | 2 |
| HTTP: SQL Injection Evasion Inline SQL Comment | 1 |
| HTTP: SQL Injection (Boolean Identity) | 1 |
| HTTP: SQL Injection (Boolean Identity) | 1 |
| HTTP: SQL Injection (Boolean Identity) | 2 |
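The table above is a tally of IPS signature hits. As an added example, not part of the deck and not the vendor's signature logic, the block below shows what such a tally looks like from the detection side: a handful of constructed access-log request lines (not the deck's sensor data) are URL-decoded and matched against toy regular expressions named after the signatures in the table, then counted per signature. Decoding the query-string values before matching is the point that matters in practice, because `%27`/`%20` encoding and `/**/` inline comments are exactly the evasions the "Evasion" rows in the table refer to.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access-log request lines (not the deck's sensor data).
SAMPLE_REQUESTS = [
    "GET /news.php?id=7 HTTP/1.1",
    "GET /news.php?id=7%27%20OR%20%271%27%3D%271 HTTP/1.1",
    "GET /news.php?id=7%20UNION%20SELECT%20user,pass%20FROM%20users-- HTTP/1.1",
    "GET /news.php?id=7/**/AND/**/1=1 HTTP/1.1",
    "GET /news.php?id=7%20AND%20BENCHMARK(5000000,MD5(1))%23 HTTP/1.1",
    "GET /search.php?q=lemons&page=2 HTTP/1.1",
]

# Toy equivalents of the signature names in the deck's attack table. Each
# pattern is applied to a URL-decoded query-string value, not the raw URL,
# so %27/%20 encoding and the "id=" prefix can neither hide nor fake a match.
SIGNATURES = [
    ("HTTP: SQL Injection (Benchmark)",
     re.compile(r"\bbenchmark\s*\(", re.I)),
    ("HTTP: SQL Injection (UNION)",
     re.compile(r"\bunion\b[\s/*]+(all[\s/*]+)?select\b", re.I)),
    ("HTTP: SQL Injection (SELECT)",
     re.compile(r"\bselect\b.+\bfrom\b", re.I | re.S)),
    ("HTTP: SQL Injection (Boolean Identity)",              # 1=1 or '1'='1
     re.compile(r"\b(\w+)'?\s*=\s*'?\1\b")),
    ("HTTP: SQL Injection Evasion Inline SQL Comment",      # /**/ as whitespace
     re.compile(r"/\*.*?\*/")),
    ("HTTP: SQL Injection Evasion SQL Comment Terminator",  # trailing -- or #
     re.compile(r"(--|#)\s*$")),
]


def query_values(request_line):
    """Decoded query-string values of a 'METHOD target HTTP/x' request line."""
    parts = request_line.split()
    target = parts[1] if len(parts) > 1 else parts[0]
    return [v for _, v in parse_qsl(urlsplit(target).query, keep_blank_values=True)]


def classify(request_line):
    """Names of the signatures that fire on any query value, in table order."""
    hits = []
    for value in query_values(request_line):
        for name, pattern in SIGNATURES:
            if name not in hits and pattern.search(value):
                hits.append(name)
    return hits


def attack_counts(request_lines):
    """Per-signature hit counts over a batch of request lines."""
    counts = Counter()
    for line in request_lines:
        counts.update(classify(line))
    return dict(counts)


if __name__ == "__main__":
    for name, count in sorted(attack_counts(SAMPLE_REQUESTS).items()):
        print(f"{name:55} {count}")
```

A single request can fire several signatures (the UNION sample also fires SELECT and the comment terminator), which is why a raw count of signature hits, as in the table, overstates the number of distinct attack requests.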
![Page 10: Social engineering via social media](https://reader033.vdocuments.us/reader033/viewer/2022051610/549c3aa2b47959bd318b46b4/html5/thumbnails/10.jpg)
Defending the enterprise
10
[Network diagram: external connection and leased lines feeding VLANs 31, 32, 33, 34, 36, 37, 49 and 351]
Immediate action:
Pivot defences to face the threat
Increased alerting & logging
![Page 11: Social engineering via social media](https://reader033.vdocuments.us/reader033/viewer/2022051610/549c3aa2b47959bd318b46b4/html5/thumbnails/11.jpg)
Lock Down
11
Honeypots (identification & M.O.)
Poisoned Apple (defensive payload to entice the attacker to surreptitiously reveal their actual location)
Decrease external footprint: remove unneeded services, labs, development and demo sites.
Forward planning options
![Page 12: Social engineering via social media](https://reader033.vdocuments.us/reader033/viewer/2022051610/549c3aa2b47959bd318b46b4/html5/thumbnails/12.jpg)
Motivation
12
Hacktivists are motivated by political change
Cyber Criminals are motivated by financial gain
State sponsored actors are motivated by military/political dominance or the acquisition of intellectual property and secrets
“An APT is not characterized by the sophistication of an adversary’s malware. Rather, it pertains to the threat actor’s determination and the resources he is willing to expend to achieve his objectives. It’s not a what, but a who?” – Barry Hensley, Director of the Counter Threat Unit/Research Group for Dell SecureWorks.
![Page 13: Social engineering via social media](https://reader033.vdocuments.us/reader033/viewer/2022051610/549c3aa2b47959bd318b46b4/html5/thumbnails/13.jpg)
Attack vectors – Social Engineering Social Media
13
Behavioural Psychology
“Amateurs hack systems, professionals hack people” – Bruce Schneier
![Page 14: Social engineering via social media](https://reader033.vdocuments.us/reader033/viewer/2022051610/549c3aa2b47959bd318b46b4/html5/thumbnails/14.jpg)
Being Sociable
14
![Page 15: Social engineering via social media](https://reader033.vdocuments.us/reader033/viewer/2022051610/549c3aa2b47959bd318b46b4/html5/thumbnails/15.jpg)
Mission Impossible…
15
Main Objective:
To covertly intercept the social media communications of the targeted individual, in order to help perpetuate further attacks against a target of opportunity, and the acquisition of sensitive information......
Eavesdropping.
1. Man in the middle
2. Trojan or Key logger
![Page 16: Social engineering via social media](https://reader033.vdocuments.us/reader033/viewer/2022051610/549c3aa2b47959bd318b46b4/html5/thumbnails/16.jpg)
Choose your target
16
[Diagram: the Internet, with firewalls, IPS and anti-virus in front of the corporate network, and the home network with none of them]
![Page 17: Social engineering via social media](https://reader033.vdocuments.us/reader033/viewer/2022051610/549c3aa2b47959bd318b46b4/html5/thumbnails/17.jpg)
Target Acquisition – the “Mark”
17
Employee of pseudo company Acme Defence Solutions
Facebook – public profile
• Likes / dislikes
• Age
• Relationship
• Friends
• Interests
Through psychological profiling we start to influence the target's “schema”.
A schema is how you perceive the world around you.
http://en.wikipedia.org/wiki/Schema_%28psychology%29
![Page 18: Social engineering via social media](https://reader033.vdocuments.us/reader033/viewer/2022051610/549c3aa2b47959bd318b46b4/html5/thumbnails/18.jpg)
Target Acquisition – the “Mark”
18
What we know:
Male
Likes champagne
Likes Formula 1
Works as a programme manager in the target company (ACME Defence Solutions)
Etc..
Start to create a fake profile based on the basic information gathered. We begin to tailor the profile to the target's schema, building up layers of trust.
![Page 19: Social engineering via social media](https://reader033.vdocuments.us/reader033/viewer/2022051610/549c3aa2b47959bd318b46b4/html5/thumbnails/19.jpg)
The Eve’s dropper…………
19
![Page 20: Social engineering via social media](https://reader033.vdocuments.us/reader033/viewer/2022051610/549c3aa2b47959bd318b46b4/html5/thumbnails/20.jpg)
A friend in need………
20
![Page 21: Social engineering via social media](https://reader033.vdocuments.us/reader033/viewer/2022051610/549c3aa2b47959bd318b46b4/html5/thumbnails/21.jpg)
Trust is a weakness…
21
The attacker (Eve) starts to build up trust between themselves and the target (Mark).
By “recruiting” the target's friends first, greater trust will be placed in the attacker's profile based on association and common values.
![Page 22: Social engineering via social media](https://reader033.vdocuments.us/reader033/viewer/2022051610/549c3aa2b47959bd318b46b4/html5/thumbnails/22.jpg)
Friends forever……
22
The attacker refines their profile with information acquired from the target's friends' postings and social activity. The fake profile is now complete and “seeded” with information that will influence the target's schema, increasing the probability of acceptance as a “friend”.
![Page 23: Social engineering via social media](https://reader033.vdocuments.us/reader033/viewer/2022051610/549c3aa2b47959bd318b46b4/html5/thumbnails/23.jpg)
A Phisher of men…
23
To remain undetected, no payload was included in the Phishing email, and there was no redirection to a malicious site. It was also sent via Facebook's own internal messaging.
It's just a harmless link to a blog…
![Page 24: Social engineering via social media](https://reader033.vdocuments.us/reader033/viewer/2022051610/549c3aa2b47959bd318b46b4/html5/thumbnails/24.jpg)
Now the fun begins…
24
![Page 25: Social engineering via social media](https://reader033.vdocuments.us/reader033/viewer/2022051610/549c3aa2b47959bd318b46b4/html5/thumbnails/25.jpg)
Keep it simple…
25
![Page 26: Social engineering via social media](https://reader033.vdocuments.us/reader033/viewer/2022051610/549c3aa2b47959bd318b46b4/html5/thumbnails/26.jpg)
Password reuse
26
L£m0ns67 (lemons67)
Complex passwords:
1. At least one upper case letter (A - Z)
2. At least one lower case letter (a - z)
3. At least one number (0 - 9)
4. Special characters: !"£$%^&*
5. A minimum of 8 characters
![Page 27: Social engineering via social media](https://reader033.vdocuments.us/reader033/viewer/2022051610/549c3aa2b47959bd318b46b4/html5/thumbnails/27.jpg)
Password reuse
27
Outside the corporate network you have very little control over what security can be enforced on individuals.
The average user has 6.5 passwords, each of which is shared across 3.9 different sites.
Each user has about 25 accounts that require passwords, and types an average of 8 passwords per day. (Microsoft Research 2007)
![Page 28: Social engineering via social media](https://reader033.vdocuments.us/reader033/viewer/2022051610/549c3aa2b47959bd318b46b4/html5/thumbnails/28.jpg)
Connected services
ecrimes congress October 2011 www.kitd.com ©KIT digital All Rights Reserved
28
![Page 29: Social engineering via social media](https://reader033.vdocuments.us/reader033/viewer/2022051610/549c3aa2b47959bd318b46b4/html5/thumbnails/29.jpg)
Connected Services
29
Main Objective:
To covertly intercept the social media communications of the targeted individual, in order to help perpetuate further attacks against a target of opportunity, and the acquisition of sensitive information......
![Page 30: Social engineering via social media](https://reader033.vdocuments.us/reader033/viewer/2022051610/549c3aa2b47959bd318b46b4/html5/thumbnails/30.jpg)
Integrated API’s
30
“An application programming interface (API) is a particular set of rules ('code') and specifications that software programs can follow to communicate with each other.”
E.g. Hotmail -> Facebook
![Page 31: Social engineering via social media](https://reader033.vdocuments.us/reader033/viewer/2022051610/549c3aa2b47959bd318b46b4/html5/thumbnails/31.jpg)
Connected service enumeration
31
Main Objective:
To covertly intercept the social media communications of the targeted individual, in order to help perpetuate further attacks against a target of opportunity, and the acquisition of sensitive information......
Because no malicious payload is delivered to the target, and the communications between Alice and Bob are not disrupted, traditional defensive countermeasures (AV, firewalls, IPS etc.) are unlikely to alert the target that their communications are being intercepted.
![Page 32: Social engineering via social media](https://reader033.vdocuments.us/reader033/viewer/2022051610/549c3aa2b47959bd318b46b4/html5/thumbnails/32.jpg)
Authorized user view
32
![Page 33: Social engineering via social media](https://reader033.vdocuments.us/reader033/viewer/2022051610/549c3aa2b47959bd318b46b4/html5/thumbnails/33.jpg)
Real-time interception
33
![Page 34: Social engineering via social media](https://reader033.vdocuments.us/reader033/viewer/2022051610/549c3aa2b47959bd318b46b4/html5/thumbnails/34.jpg)
The more the merrier….
34
[Screenshots: a legitimate Facebook chat alongside the connected service enumeration view of the same conversation]
![Page 35: Social engineering via social media](https://reader033.vdocuments.us/reader033/viewer/2022051610/549c3aa2b47959bd318b46b4/html5/thumbnails/35.jpg)
Password Harvesting
35
Your QWERTY.com password is: Appl£s67
Your username is: Mjmes987
Your password is: Banana$67
Check your mail here: http://www.IOU.com/inbox.aspx
![Page 36: Social engineering via social media](https://reader033.vdocuments.us/reader033/viewer/2022051610/549c3aa2b47959bd318b46b4/html5/thumbnails/36.jpg)
Password Harvesting
36
Dear mark ,
STEP 1. ACTIVATE your free XYZ access NOW!
---------------------------------------------------------------------------------
Follow the link below to ACTIVATE your ACCESS:
http://www.XYZ.com/act_95SYXCEKGLRCZ37XKZFD.html
---------------------------------------------------------------------------------
You must click the above link to gain access to XYZ. Clicking the above link
ACTIVATES your XYZ access and confirms that you want to receive our
communications; news, periodical reports, service announcements, partner
emails and exciting features from our award winning web site. You may unsubscribe
from our mailing list at any time.
STEP 2. LOG IN
After STEP 1, you can log in and start using the service at http://www.XYZ.com
with the following details:
---------------------------------------------------------------------------------
Your username: mjames2 and password: Strawb£rry67
Dear mark james
The password for your ABC account is P£ach£s67
Should you wish to change your password, login to your account and click 'My ABC' and from the drop down menu select 'Login Details'. Amend as required and click 'Submit'
![Page 37: Social engineering via social media](https://reader033.vdocuments.us/reader033/viewer/2022051610/549c3aa2b47959bd318b46b4/html5/thumbnails/37.jpg)
Analyze this!............
37
Notes
List of passwords gathered from email:
Strawb£rry67
P£ach£s67
Appl£s67
Banana$67
L£m0ns67
Analysis of personal email:
Password selection and common variables in credentials.
Traffic analysis on email recipients.
• File attachments
• Personal finance (PayPal etc.)
• Forwarded work emails
• Material for blackmail, extortion or coercion
• Any information to improve social engineering techniques
![Page 38: Social engineering via social media](https://reader033.vdocuments.us/reader033/viewer/2022051610/549c3aa2b47959bd318b46b4/html5/thumbnails/38.jpg)
Connected devices
38
![Page 39: Social engineering via social media](https://reader033.vdocuments.us/reader033/viewer/2022051610/549c3aa2b47959bd318b46b4/html5/thumbnails/39.jpg)
iCloud
39
![Page 40: Social engineering via social media](https://reader033.vdocuments.us/reader033/viewer/2022051610/549c3aa2b47959bd318b46b4/html5/thumbnails/40.jpg)
iCloud
40
![Page 41: Social engineering via social media](https://reader033.vdocuments.us/reader033/viewer/2022051610/549c3aa2b47959bd318b46b4/html5/thumbnails/41.jpg)
The way in…
41
Notes
List of passwords gathered from email: Strawb£rry67, P£ach£s67, Appl£s67, Banana$67, L£m0ns67
![Page 42: Social engineering via social media](https://reader033.vdocuments.us/reader033/viewer/2022051610/549c3aa2b47959bd318b46b4/html5/thumbnails/42.jpg)
Canonical passwords…
42
Canonical passwords are constructed using a predictable rule.
Generic password policy:
• The use of both upper- and lower-case letters
• Inclusion of one or more numerical digits
• Inclusion of special characters, e.g. @, #, $ etc.
• Prohibition of words found in a dictionary or the user's personal information
• Prohibition of passwords that match the format of calendar dates, or other common numbers
• Prohibition of use of company name or an abbreviation
• Changed every 30 days
• Password should not be the same as the last 5

| Month | Password |
| --- | --- |
| June | L£m0ns64 |
| July | L£m0ns65 |
| August | L£m0ns66 |
| September | L£m0ns67 |
| October | L£m0ns68 |
| November | L£m0ns69 |
| December | L£m0ns70 |

Associated passwords: M£l0ns67, Grap£s67
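The point of the two password slides (the complexity rules on the "Password reuse" slide and the canonical rotation above) is that every harvested password is fully policy-compliant and still trivially predictable. As an added example, not part of the deck, the block below checks the five harvested passwords against the slide's five complexity rules, then reconstructs the user's evident rule (capitalised fruit, e to £, o to 0, a `$` bolted on only when the policy would otherwise reject the word, then a counter that bumps with each 30-day rotation) and derives the next rotations and the "associated" guesses from it. The words "melons" and "grapes" are assumed guesses, chosen so the output reproduces the slide's M£l0ns67 and Grap£s67; the special-character set is the UK keyboard row from the policy slide.

```python
import re

# Specials as listed on the deck's policy slide (UK keyboard, shift+1..8).
SPECIALS = '!"£$%^&*'

# The five passwords the deck harvests from the mark's mailbox.
HARVESTED = ["Strawb£rry67", "P£ach£s67", "Appl£s67", "Banana$67", "L£m0ns67"]


def meets_policy(pw):
    """True if pw satisfies all five complexity rules on the slide."""
    return (len(pw) >= 8
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in SPECIALS for c in pw))


def mangle(word, counter):
    """The user's evident rule: capitalise a fruit, e->£, o->0, add '$' only
    if the policy would otherwise reject the stem, then append the counter."""
    stem = word.capitalize().replace("e", "£").replace("o", "0")
    if not any(c in SPECIALS for c in stem):
        stem += "$"
    return f"{stem}{counter}"


def split_counter(pw):
    """('L£m0ns', 67) for 'L£m0ns67'; (pw, None) if there is no trailing number."""
    m = re.fullmatch(r"(.*?)(\d+)", pw)
    return (m.group(1), int(m.group(2))) if m else (pw, None)


def shared_counter(passwords):
    """The counter common to a harvested set, or None if they disagree."""
    counters = {split_counter(p)[1] for p in passwords}
    return counters.pop() if len(counters) == 1 else None


def rotation_forecast(pw, months):
    """Next passwords under 30-day rotation when the user just bumps the counter."""
    stem, n = split_counter(pw)
    if n is None:
        return []
    return [f"{stem}{n + i}" for i in range(1, months + 1)]


def candidate_list(harvested, extra_words, months_ahead=3):
    """Attacker's guess list: future rotations of every harvested password plus
    the same rule applied to other words (the deck's 'associated passwords')."""
    counter = shared_counter(harvested)
    guesses = []
    for pw in harvested:
        guesses.extend(rotation_forecast(pw, months_ahead))
    if counter is not None:
        guesses.extend(mangle(w, counter + i) for w in extra_words
                       for i in range(0, months_ahead + 1))
    return guesses


if __name__ == "__main__":
    # "melons" and "grapes" are assumed guesses, chosen to reproduce the slide.
    for guess in candidate_list(HARVESTED, ["melons", "grapes"]):
        print(guess, "policy-compliant" if meets_policy(guess) else "rejected")
```

Every guess the list produces passes the policy, which is the caveat for anyone writing one: complexity rules and 30-day rotation constrain the form of a password, not its entropy relative to the user's last one, and a single leaked value plus the rule gives the attacker the whole series.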
![Page 43: Social engineering via social media](https://reader033.vdocuments.us/reader033/viewer/2022051610/549c3aa2b47959bd318b46b4/html5/thumbnails/43.jpg)
It's good to share…
43
![Page 44: Social engineering via social media](https://reader033.vdocuments.us/reader033/viewer/2022051610/549c3aa2b47959bd318b46b4/html5/thumbnails/44.jpg)
Remote control..
44
![Page 45: Social engineering via social media](https://reader033.vdocuments.us/reader033/viewer/2022051610/549c3aa2b47959bd318b46b4/html5/thumbnails/45.jpg)
Its all in the timing…
45
A few months later…..
![Page 46: Social engineering via social media](https://reader033.vdocuments.us/reader033/viewer/2022051610/549c3aa2b47959bd318b46b4/html5/thumbnails/46.jpg)
Control…
46
Digital dead drop – email is never sent between Eve and her controller/handler, as it may be intercepted. Instead an encrypted message is “dropped” in the drafts folder, where both can read it without anything ever being sent.
KWRGWRNA RG I SIOUF KFUEMYS EYVILGY BWYFY FYIMMT RG NU KIBVW HUF WLSIN GBLKRQRBT. KYUKMY QUN'B FYIVB BU FYIMRBT; BWYT FYIVB BU BWYRF KYFVYKBRUNG UH FYIMRBT. YPY
[Diagram: Controller and Eve both reading and writing the same draft email]
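The drafts-folder dead drop only avoids the network; whoever holds the mailbox credentials, or the provider, still sees the draft, so the protection rests entirely on the cipher. The draft on the slide is a monoalphabetic substitution, which gives no protection at all, and as an added example (not part of the deck) the block below breaks it: the ciphertext is the slide's own, the cipher-to-plain key is an assumption recovered by hand from cribs (the three-letter signature YPY, the apostrophe in QUN'B, the two-letter words RG and BU), and the frequency count shows why the foothold is easy, since the most common cipher letter maps to E.

```python
from collections import Counter

# Ciphertext copied from the "Control…" slide's draft-folder message.
CIPHERTEXT = ("KWRGWRNA RG I SIOUF KFUEMYS EYVILGY BWYFY FYIMMT RG NU KIBVW HUF "
              "WLSIN GBLKRQRBT. KYUKMY QUN'B FYIVB BU FYIMRBT; BWYT FYIVB BU "
              "BWYRF KYFVYKBRUNG UH FYIMRBT. YPY")

# Cipher-to-plain map recovered by hand from cribs (an assumption about the
# key, not something the deck states): the signature YPY reads EVE, QUN'B
# with its apostrophe reads DON'T, then RG=IS, I=A and BU=TO fix the rest.
KEY = {
    "K": "P", "W": "H", "R": "I", "G": "S", "N": "N", "A": "G", "I": "A",
    "S": "M", "O": "J", "U": "O", "F": "R", "E": "B", "M": "L", "Y": "E",
    "V": "C", "L": "U", "B": "T", "T": "Y", "H": "F", "Q": "D", "P": "V",
}


def decrypt(ciphertext, key=KEY):
    """Letter-for-letter substitution; punctuation and spaces pass through."""
    return "".join(key.get(c, c) for c in ciphertext)


def most_common_letters(text, n=3):
    """Cipher letters by frequency: the attacker's first foothold, because the
    most frequent letter in English text is almost always E, then T."""
    counts = Counter(c for c in text if c.isalpha())
    return [c for c, _ in counts.most_common(n)]


def key_is_consistent(key):
    """A substitution key must be one-to-one or decryption is ambiguous."""
    return len(set(key.values())) == len(key)


def unmapped_letters(ciphertext, key=KEY):
    """Cipher letters the key does not cover (empty means full decryption)."""
    return sorted({c for c in ciphertext if c.isalpha() and c not in key})


if __name__ == "__main__":
    top = most_common_letters(CIPHERTEXT, 2)
    print("most frequent cipher letters:", top, "->", [KEY[c] for c in top])
    print(decrypt(CIPHERTEXT))
```

Thirty-odd words of ciphertext were enough to recover the whole key by hand; anything that must survive the mailbox being read needs a real cipher with a key that is not derivable from the message itself.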
![Page 47: Social engineering via social media](https://reader033.vdocuments.us/reader033/viewer/2022051610/549c3aa2b47959bd318b46b4/html5/thumbnails/47.jpg)
“Once more unto the breach, dear friends…” (Henry V)
47
[Diagram: Eve, Eli and Ele communicating over encrypted IRC via the Tor network]
![Page 48: Social engineering via social media](https://reader033.vdocuments.us/reader033/viewer/2022051610/549c3aa2b47959bd318b46b4/html5/thumbnails/48.jpg)
“Cry havoc and let slip the dogs of war” (Shakespeare)
48
![Page 49: Social engineering via social media](https://reader033.vdocuments.us/reader033/viewer/2022051610/549c3aa2b47959bd318b46b4/html5/thumbnails/49.jpg)
Sleeping with the enemy…. Embedded OS
49
Transfer files to and from the HP JetDirect box from your client using Hijetter.
![Page 50: Social engineering via social media](https://reader033.vdocuments.us/reader033/viewer/2022051610/549c3aa2b47959bd318b46b4/html5/thumbnails/50.jpg)
Pwning...
50
![Page 51: Social engineering via social media](https://reader033.vdocuments.us/reader033/viewer/2022051610/549c3aa2b47959bd318b46b4/html5/thumbnails/51.jpg)
But….
51
Why not just log into Facebook?
![Page 52: Social engineering via social media](https://reader033.vdocuments.us/reader033/viewer/2022051610/549c3aa2b47959bd318b46b4/html5/thumbnails/52.jpg)
Thank You.