Social engineering via social media

The truth shall set you free: exploiting trust within social media
Barry Coatesworth

Upload: b-coatesworth
Posted on 25-Dec-2014
Category: Technology

DESCRIPTION

How social media can be used as a social engineering tool to gather information and compromise information systems: intercepting social media communications using connected service enumeration, and the kill chain (presented in 2011).

TRANSCRIPT

Page 1: Social engineering via social media

The truth shall set you free: exploiting trust within social media

Barry Coatesworth

Page 2: Defense and Offense

1. Defending against Anonymous (real-world example, 2011)

2. The taxonomy of an attack using social media.

Page 3: Attacks in 2012

Page 4: Attacks in August (15th - 31st) 2012

Page 5: Attacks in August 2012

Page 6: Attacks in August 2012

Page 7: Attacks in 2011

Page 8: Anonymous - LulzSec and #Anti-Sec

#AntiSec: “Welcome to Operation Anti-Security (#AntiSec) - we encourage any vessel, large or small, to open fire on any government or agency that crosses their path.”

“Anonymous was never an advanced persistent threat. Their hacktivist ideology (#Anti-Sec) is a persistent threat and will be for some time yet.”

Page 9: Anonymous Attacks

Anonymous attack count (signature name, count):

HTTP: SQL Injection (Benchmark)                        1
HTTP: SQL Injection (Benchmark)                        1
HTTP: SQL Injection (SELECT)                           2
HTTP: SQL Injection (SELECT)                           1
HTTP: SQL Injection Evasion SQL Comment Terminator     1
HTTP: SQL Injection (UNION)                            1
HTTP: SQL Injection Evasion SQL Comment Terminator     1
HTTP: SQL Injection (Boolean Identity)                 2
HTTP: SQL Injection Evasion Inline SQL Comment         1
HTTP: SQL Injection (Boolean Identity)                 1
HTTP: SQL Injection (Boolean Identity)                 1
HTTP: SQL Injection (Boolean Identity)                 2

Page 10: Defending the enterprise

[Network diagram: VLANs 49, 33, 31, 32, 351, 36, 34 and 37, leased lines, and an external connection]

Immediate action:

Pivot defences to face the threat

Increased alerting & logging

Page 11: Lock Down

Honeypots (identification & M.O.)

Poisoned Apple (defensive payload to entice the attacker to surreptitiously reveal their actual location)

Decrease external footprint: remove unneeded services, labs, development and demo sites.

Forward planning options

Page 12: Motivation

Hacktivists are motivated by political change

Cyber criminals are motivated by financial gain

State-sponsored actors are motivated by military/political dominance or the acquisition of intellectual property and secrets

“An APT is not characterized by the sophistication of an adversary’s malware. Rather, it pertains to the threat actor’s determination and the resources he is willing to expend to achieve his objectives. It’s not a what, but a who?” – Barry Hensley, Director of the Counter Threat Unit/Research Group for Dell SecureWorks.

Page 13: Attack vectors – Social Engineering / Social Media

Behavioural Psychology

“Amateurs hack systems, professionals hack people” – Bruce Schneier

Page 14: Being Sociable

Page 15: Mission Impossible…

Main Objective:

To covertly intercept the social media communications of the targeted individual, in order to help perpetuate further attacks against a target of opportunity, and the acquisition of sensitive information…

Eavesdropping:

1. Man in the middle

2. Trojan or key logger

Page 16: Choose your target

[Diagram labels: Internet; firewalls, IPS, anti-virus; corporate network; home network]

Page 17: Target Acquisition – the “Mark”

Employee of pseudo company Acme Defence Solutions

Facebook – public profile

• Likes – dislikes
• Age
• Relationship
• Friends
• Interests

Through psychological profiling we start to influence the target's “schema”.

A schema is how you perceive the world around you.

http://en.wikipedia.org/wiki/Schema_%28psychology%29

Page 18: Target Acquisition – the “Mark”

What we know:

Male
Likes champagne
Likes Formula 1
Works as a programme manager in target company (ACME Defence Solutions)
Etc.

Start to create a fake profile based on the basic information gathered. We begin to tailor the profile to the target's schema, building up layers of trust.

Page 19: The Eve’s dropper…

Page 20: A friend in need…

Page 21: Trust is a weakness…

The attacker (Eve) starts to build up trust between themselves and the target (Mark).

By “recruiting” the target's friends, greater trust will be placed in the attacker's profile based on association and common values.

Page 22: Friends forever…

The attacker refines their profile with information acquired from the target's friends' postings and social activity. The fake profile is now complete and “seeded” with information that will influence the target's schema, increasing the probability of acceptance as a “friend”.

Page 23: A Phisher of men…

To remain undetected, no payload was included in the phishing email, and there was no redirection to a malicious site. It was also sent via Facebook's own internal messaging.

It's just a harmless link to a blog…

Page 24: Now the fun begins…

Page 25: Keep it simple…

Page 26: Password reuse

L£m0ns67 (lemons67)

Complex passwords:

1. At least one upper case letter (A - Z)

2. At least one lower case letter (a - z)

3. At least one number (0 - 9)

4. Special characters (!"£$%^&*)

5. A minimum of 8 characters

Page 27: Password reuse

Outside of the corporate network, you have very little control over what security can be enforced on individuals.

The average user has 6.5 passwords, each of which is shared across 3.9 different sites.

Each user has about 25 accounts that require passwords, and types an average of 8 passwords per day. (Microsoft Research, 2007)

Page 28: Connected services

ecrimes congress October 2011 www.kitd.com ©KIT digital All Rights Reserved

Page 29: Connected Services

Main Objective:

To covertly intercept the social media communications of the targeted individual, in order to help perpetuate further attacks against a target of opportunity, and the acquisition of sensitive information…

Page 30: Integrated APIs

“An application programming interface (API) is a particular set of rules ('code') and specifications that software programs can follow to communicate with each other.”

E.g. Hotmail -> Facebook

Page 31: Connected service enumeration

Main Objective:

To covertly intercept the social media communications of the targeted individual, in order to help perpetuate further attacks against a target of opportunity, and the acquisition of sensitive information…

Because no malicious payload is delivered to the target, and the communications between Alice and Bob are not disrupted, traditional defensive countermeasures (AV, firewalls, IPS etc.) are unlikely to alert the target that their communications are being intercepted.

Page 32: Authorized user view

Page 33: Real-time interception

Page 34: The more the merrier…

[Diagram labels: legitimate Facebook chat; connected service enumeration]

Page 35: Password Harvesting

Your QWERTY.com password is: Appl£s67

Your username is: Mjmes987
Your password is: Banana$67

Check your mail here: http://www.IOU.com/inbox.aspx

Page 36: Password Harvesting

Dear mark,

STEP 1. ACTIVATE your free XYZ access NOW!

---------------------------------------------------------------------------------

Follow the link below to ACTIVATE your ACCESS:

http://www.XYZ.com/act_95SYXCEKGLRCZ37XKZFD.html

---------------------------------------------------------------------------------

You must click the above link to gain access to XYZ. Clicking the above link ACTIVATES your XYZ access and confirms that you want to receive our communications; news, periodical reports, service announcements, partner emails and exciting features from our award winning web site. You may unsubscribe from our mailing list at any time.

STEP 2. LOG IN

After STEP 1, you can log in and start using the service at http://www.XYZ.com with the following details:

---------------------------------------------------------------------------------

Your username: mjames2 and password: Strawb£rry67

Dear mark james

The password for your ABC account is P£ach£s67

Should you wish to change your password, login to your account and click 'My ABC' and from the drop down menu select 'Login Details'. Amend as required and click 'Submit'.

Page 37: Analyze this!…

Notes: list of passwords gathered from email:

Strawb£rry67
P£ach£s67
Appl£s67
Banana$67
L£m0ns67

Analysis of personal email:

Password selection and common variables in credentials.

Traffic analysis on email recipients.

• File attachments
• Personal finance (PayPal etc.)
• Forwarded work emails
• Material for blackmail, extortion or coercion
• Any information to improve social engineering techniques

Page 38: Connected devices

Page 39: iCloud

Page 40: iCloud

Page 41: The way in…

Notes: list of passwords gathered from email:

Strawb£rry67
P£ach£s67
Appl£s67
Banana$67
L£m0ns67

Page 42: Canonical passwords…

Canonical passwords are constructed using a predictable rule.

Generic password policy:

• The use of both upper- and lower-case letters
• Inclusion of one or more numerical digits
• Inclusion of special characters, e.g. @, #, $ etc.
• Prohibition of words found in a dictionary or the user's personal information
• Prohibition of passwords that match the format of calendar dates, or other common numbers
• Prohibition of use of company name or an abbreviation
• Changed every 30 days
• Password should not be the same as the last 5

June       L£m0ns64
July       L£m0ns65
August     L£m0ns66
September  L£m0ns67
October    L£m0ns68
November   L£m0ns69
December   L£m0ns70

Associated passwords: M£l0ns67, Grap£s67
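A defender-side check that ties pages 26, 37 and 42 together, added here as an example; it is not code from the deck or from KIT digital. It applies the five complexity rules from page 26 to the password list page 37 says was gathered from the mailbox, shows that every one of them passes while reducing to a dictionary word plus the shared counter "67", and then rejects a password change that keeps the same word stem, which is the predictable rule the month-by-month sequence on page 42 follows. The substitution table, the function names and the sample lists are this example's own constructions.

```python
import re
import string
from typing import List, Optional, Tuple

# Character substitutions commonly used to push a dictionary word through a
# complexity check. The deck's harvested list uses "£" for "e" and "0" for "o";
# the remaining entries are an assumption for this example.
LEET = str.maketrans({"£": "e", "$": "s", "@": "a", "0": "o", "1": "i",
                      "3": "e", "4": "a", "5": "s"})

SPECIALS = set('!"£$%^&*')  # the special characters listed on page 26

# Constructed sample data taken from the slides: the five passwords page 37
# lists as gathered from the target's mailbox, and the monthly rotation
# sequence on page 42.
HARVESTED = ["Strawb£rry67", "P£ach£s67", "Appl£s67", "Banana$67", "L£m0ns67"]
MONTHLY = ["L£m0ns64", "L£m0ns65", "L£m0ns66", "L£m0ns67", "L£m0ns68"]


def meets_policy(pw: str) -> bool:
    """The five complexity rules from page 26: at least one upper-case and
    one lower-case letter, one digit, one special character, 8+ characters."""
    return (any(c in string.ascii_uppercase for c in pw)
            and any(c in string.ascii_lowercase for c in pw)
            and any(c in string.digits for c in pw)
            and any(c in SPECIALS for c in pw)
            and len(pw) >= 8)


def split_stem(pw: str) -> Tuple[str, str]:
    """Normalise a password into (word stem, trailing counter).

    'L£m0ns67' -> ('lemons', '67'): once the substitutions are undone the
    'complex' password is a plain dictionary word followed by a number."""
    m = re.fullmatch(r"(.*?)(\d*)", pw)
    word, counter = m.group(1), m.group(2)
    return word.translate(LEET).lower(), counter


def shared_counter(passwords: List[str]) -> Optional[str]:
    """The trailing number every password in the list ends with, or None.

    On the harvested list this is '67', the 'common variable' page 37 refers
    to; it is what makes the associated M£l0ns67 / Grap£s67 guessable."""
    counters = {split_stem(pw)[1] for pw in passwords}
    if len(counters) == 1 and "" not in counters:
        return counters.pop()
    return None


def is_predictable_successor(old: str, new: str) -> bool:
    """True when the new password keeps the old word stem, i.e. it follows the
    'predictable rule' of page 42 (only the counter has moved on)."""
    old_stem, _ = split_stem(old)
    new_stem, _ = split_stem(new)
    return old_stem != "" and old_stem == new_stem


def check_change(old: str, new: str) -> List[str]:
    """Reasons to reject a password change; an empty list means accept.
    Applies the page 26 policy first, then the stem comparison that the
    policy on its own never performs."""
    reasons = []
    if not meets_policy(new):
        reasons.append("fails complexity policy")
    if is_predictable_successor(old, new):
        reasons.append("same word stem as previous password")
    return reasons


if __name__ == "__main__":
    for pw in HARVESTED:
        print(f"{pw:14} policy={meets_policy(pw)} stem={split_stem(pw)}")
    print("shared counter:", shared_counter(HARVESTED))
    for old, new in zip(MONTHLY, MONTHLY[1:]):
        print(f"{old} -> {new}: {check_change(old, new) or 'accepted'}")
```

Every harvested password satisfies the policy, yet each normalises to a fruit name plus "67", and every monthly rotation on page 42 is rejected by the stem comparison alone. A history check that only compares literal strings ("not the same as the last 5") never sees this, because the literal strings do differ.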

Page 43: It's good to share…

Page 44: Remote control…

Page 45: It's all in the timing…

A few months later…

Page 46: Control…

Digital dead drop – email is never sent between Eve and her controller/handler, as it may be intercepted. Instead an encrypted message is “dropped” in the drafts folder.

KWRGWRNA RG I SIOUF KFUEMYS EYVILGY BWYFY FYIMMT RG NU KIBVW HUF WLSIN GBLKRQRBT. KYUKMY QUN'B FYIVB BU FYIMRBT; BWYT FYIVB BU BWYRF KYFVYKBRUNG UH FYIMRBT. YPY

[Diagram labels: draft email; controller; Eve]
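The "encrypted" draft on this page is a monoalphabetic substitution cipher, which gives no confidentiality against anyone who can read the drafts folder. The following is an added example, not code from the deck: it counts the cipher letters, maps the most frequent ones onto English frequency order as a first guess, and then applies the full cipher-to-plain key. The ciphertext is copied from the slide; the key is the one I recovered by hand from that ciphertext, so it is this example's assumption rather than anything the deck prints.

```python
import string
from collections import Counter
from typing import Dict, List, Tuple

# The draft-folder message copied from page 46 of the deck.
CIPHERTEXT = ("KWRGWRNA RG I SIOUF KFUEMYS EYVILGY BWYFY FYIMMT RG NU KIBVW HUF "
              "WLSIN GBLKRQRBT. KYUKMY QUN'B FYIVB BU FYIMRBT; BWYT FYIVB BU "
              "BWYRF KYFVYKBRUNG UH FYIMRBT. YPY")

# English letters in descending order of typical frequency.
ENGLISH_ORDER = "ETAOINSHRDLCUMWFGYPBVKJXQZ"

# Cipher -> plain key recovered by hand from the message above (an assumption
# of this example: the deck prints only the ciphertext). Letters that never
# occur in the message stay unknown.
HAND_KEY: Dict[str, str] = {
    "K": "P", "W": "H", "R": "I", "G": "S", "N": "N", "A": "G", "I": "A",
    "S": "M", "O": "J", "U": "O", "F": "R", "E": "B", "M": "L", "Y": "E",
    "V": "C", "L": "U", "B": "T", "T": "Y", "H": "F", "Q": "D", "P": "V",
}


def letter_frequencies(ct: str) -> List[Tuple[str, int]]:
    """Count cipher letters, most frequent first (punctuation ignored)."""
    return Counter(c for c in ct if c in string.ascii_uppercase).most_common()


def frequency_key(ct: str) -> Dict[str, str]:
    """First-guess key: the i-th most frequent cipher letter is assumed to be
    the i-th most frequent English letter. Only the top ranks are reliable on
    a text this short, but they are the foothold for the rest of the solve."""
    ranked = [c for c, _ in letter_frequencies(ct)]
    return {c: p for c, p in zip(ranked, ENGLISH_ORDER)}


def decrypt(ct: str, key: Dict[str, str], unknown: str = "_") -> str:
    """Apply a cipher->plain key; unmapped letters are shown as `unknown`."""
    return "".join(key.get(c, unknown if c in string.ascii_uppercase else c)
                   for c in ct)


def correct_guesses(guess: Dict[str, str], truth: Dict[str, str]) -> List[str]:
    """Cipher letters the frequency guess already got right."""
    return [c for c, p in guess.items() if truth.get(c) == p]


if __name__ == "__main__":
    print("top letters:", letter_frequencies(CIPHERTEXT)[:5])
    guess = frequency_key(CIPHERTEXT)
    print("frequency-only:", decrypt(CIPHERTEXT, guess))
    print("already right:", correct_guesses(guess, HAND_KEY))
    print("recovered:", decrypt(CIPHERTEXT, HAND_KEY))
```

On this message the two most frequent cipher letters, Y and B, already come out as E and T from the count alone; the rest falls to the usual word-pattern work (the one-letter word I, the apostrophe in QUN'B). The recovered text is the line about phishing and human nature that the slide's Eve signs off with.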

Page 47: “Once more unto the breach, dear friends…” (Henry V)

[Diagram labels: encrypted IRC; TOR network; Eve, Eli, Ele]

Page 48: “Cry havoc and let slip the dogs of war” (Shakespeare)

Page 49: Sleeping with the enemy… Embedded OS

Transfer files to and from your client to the HP JetDirect box, using Hijetter.

Page 50: Pwning…

Page 51: But…

Why not just log into Facebook?

Page 52: Thank You.