The Art of Deception. Presented by Skye Hagen, Asst Director, Office of Information Technology, and Dr. Carol Taylor, Associate Professor, EWU Computer Science Department.

Post on 14-Feb-2016


Page 1: The Art of Deception

The Art of Deception

• Presented by Skye Hagen, Asst Director, Office of Information Technology
• Dr. Carol Taylor, Associate Professor, EWU Computer Science Department

Page 2: The Art of Deception

The Art of Deception

- Or -

No tech hacking

Page 3: The Art of Deception

Ways to attack a system

• Find and exploit a vulnerability
  – Rare, and requires a fair degree of knowledge
• Download an exploit
  – Common, requires no special skills
  – Patched systems usually not vulnerable
  – High value targets well protected against this

Page 4: The Art of Deception

Ways to attack a system

• Get someone to load bad software on their computer
  – Widespread, requires no special skills
  – Anti-malware systems generally prevent this
• Get someone to reveal their password
  – Widespread, requires no special skills
  – Only you can prevent this from working

Page 5: The Art of Deception

Ways to attack a system

• The last two methods use social engineering, and are the areas we are focusing on today.
  – Can target any number of people, from a single individual up to large numbers of people at once
  – Can work in a number of non-computer settings

Page 6: The Art of Deception

The Art of Deception

• Social engineering is a collection of techniques used to manipulate people into performing actions or divulging confidential information.

• Usually applies to using trickery for information gathering, computer access, or access to restricted access areas.

Page 7: The Art of Deception

Other related terms

• The following slides will cover some common terms you may see in the press.
  – Those terms marked "new term" are less than a year old.
  – This shows just how rapidly these kinds of attacks change.

Page 8: The Art of Deception

Other related terms

• Phishing
  – E-mail attack used to obtain access to financial systems
    • Online banking
    • Credit card numbers
    • Access to other financial systems
  – Technology related
  – Ultimate goal is to steal money
    • Secondary goal may be to ‘own’ your computer.

Page 9: The Art of Deception

Other related terms

• Spear phishing (new term)
  – Phishing attacks directed against a specific, defined group of people
    • EWU has been subjected to a number of spear phishing attacks this last year
      – Specifically, several attempts to gain access to web mail accounts
• Whaling (new term)
  – Spear phishing attacks directed against executives of an organization

Page 10: The Art of Deception

Other related terms

• Pretexting (new term)
  – Used in the HP Board of Directors scandal
    • HP hired private investigators who used pretexting to gain call record information from the phone company to try to determine who was leaking information.
  – Usually used by legitimate companies, such as private investigators
  – Practice is of questionable legality

Page 11: The Art of Deception

Other related terms

• Tabloid spam (new term)
  – Uses tabloid style headlines to attract your attention
  – May use the exact same e-mail format as various news services
    • CNN
    • ESPN
    • NBC

Page 12: The Art of Deception

Other related terms

• Vishing (new term)
  – This is phishing via voice
    • Up and coming attack
    • Usually wants you to call a (toll free) number to validate your account
    • Uses a fairly convincing phone menu tree to get you to divulge financial information

Page 13: The Art of Deception

Other related terms

• Pharming
  – A computer attack that misdirects a user to a bogus web site
  – Often implemented as software downloaded from the Internet

Page 14: The Art of Deception

Not limited to computers

• Tailgating
  – Following someone through a secure access point.
• Shoulder surfing
  – Looking over someone’s shoulder to view a password.

Page 15: The Art of Deception

Not limited to computers

• Cell Phone Camera Identity Theft
  – Using a cell phone camera to capture check or credit card numbers.
• Dumpster Diving
  – Going through trash (or mailboxes) to obtain account numbers, credit card offers, etc.

Page 16: The Art of Deception

How the Internet makes it easy

• Inherent trust in computers.
  – But this trust is misplaced.
• No validation of identity.
• Lack of knowledge and understanding of computers.

Page 17: The Art of Deception

Social Engineering Techniques

• E-mail
  – We see this all the time.
  – Sometimes the spam filter catches them, sometimes it does not.
  – Generally sent to a large number of recipients.
• Phone calls
  – Usually used for directed attacks.
  – Person attempts to gain specific access.

Page 18: The Art of Deception

Social Engineering Techniques

• In person
  – Used to gain physical access
  – May involve tailgating, pretending to belong but just can’t get to their access card
  – Overwhelming the lowly receptionist
    • Great example in the movie Sneakers.

Page 19: The Art of Deception

How does phishing work?

• Attack usually starts with an e-mail
  – User must respond to an event, such as an account suspension.
  – Must follow link in e-mail.
    • Does not usually have a phone contact.
  – Describes serious consequences if you do not take immediate action.
  – Tries to get you to make a quick decision.
  – Example of a phishing e-mail.

Page 20: The Art of Deception

Phishing attack

• Once at the fake web site, they try to get you to enter your account and password information.
• Sites are very realistic.
  – Refer back to example phishing attack.
  – EWU has been subjected to this attack, trying to obtain webmail accounts and passwords.
    • Used to send out more phishing and spam.

Page 21: The Art of Deception

What can you do about this?

• Be careful in all transactions on the Internet.
  – Know the policies and procedures for the financial organizations that you deal with.
    • How will your bank contact you if they detect suspicious activity?
    • How will EWU contact you?
    • Where does this link really go to?
    • Look for institutions that use multiple factor authentication.

Page 22: The Art of Deception

What can you do about this?

• Know what to look for
  – Analyze the content of the message
  – Analyze links
  – Follow security procedures
• Verify identity

Page 23: The Art of Deception

Know what to look for (content)

• Phishing usually falls into one of two types
  – Fear
    • Tries to get you to take immediate action
    • Has dire consequences if action is not taken
  – Greed
    • Advance fee programs
      – Lottery winner
      – Money launderer
      – Business agent

Page 24: The Art of Deception

Know what to look for (content)

• Know the format for toll free numbers
  – Always begin with ‘8’
  – Next two digits are identical
    • 833 is toll free (but not currently in use)
    • 800 is toll free
    • 522 is not toll free
    • EXCEPTION: 811 and 899
  – Or begins with ‘88’
    • 888 only one in use, all others reserved

Page 25: The Art of Deception

Know what to look for (URL)

http://www.ewu.edu/securityawareness

• http:// – Protocol, may also be https://
• www.ewu.edu – Computer name, the clues are in this portion. May also look like a number, such as 146.187.3.190.
• /securityawareness – Specific page, irrelevant for analysis

Page 26: The Art of Deception

Know what to look for (URL)

• Look at the link in the status bar, not the text in the message body
  • See Associated Bank example
• If the computer name is a number in the form (146.187.3.190), this is ALWAYS suspect, NEVER click on this kind of link
  – http://198.43.28.24 is not valid
  – https://87.34.87.205/paypal/login is not valid

Page 27: The Art of Deception

Know what to look for (URL)

• Look deeper into the computer name; the last two words (separated by periods) are the domain. Is this valid? (Use Google to check)
  – http://www.ewu.edu/securityawareness
    • ewu.edu is owned by EWU
  – https://paypal.redirect.ru/login
    • Not valid, PayPal is paypal.com, not redirect.ru
  – http://login.paypal-verify.com
    • Not valid, PayPal is paypal.com, not paypal-verify.com
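The URL checks on the last three slides, written out as a small Python link analyzer. This is an added example, not code from the presentation; the function names, the `claimed_domain`/`link_text` parameters and the sample links it is run on are assumptions of this example (the links are the ones on the slides).

```python
import ipaddress
from urllib.parse import urlsplit


def split_link(url):
    """Split a link the way the slide does: protocol, computer name, page."""
    parts = urlsplit(url.strip())
    return parts.scheme.lower(), (parts.hostname or "").lower(), parts.path or "/"


def is_ip_host(host):
    """True when the computer name is a bare number such as 146.187.3.190."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def domain_of(host):
    """The slides' rule of thumb: the last two dot-separated words are the domain.
    Caveat: this is too short for registries such as .co.uk; it is enough for
    the examples on the slides."""
    if is_ip_host(host):
        return host
    labels = [label for label in host.split(".") if label]
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def analyze_link(url, claimed_domain=None, link_text=None):
    """Apply the slides' checks and return what a careful reader would note.

    claimed_domain: the domain the message claims to be from, e.g. 'paypal.com'.
    link_text: the text shown in the message body (the status bar shows `url`).
    """
    scheme, host, page = split_link(url)
    findings = []
    if scheme not in ("http", "https"):
        findings.append("unexpected protocol %r" % scheme)
    if is_ip_host(host):
        findings.append("computer name is a bare IP address (%s): always suspect" % host)
    domain = domain_of(host)
    if claimed_domain and domain != claimed_domain.lower():
        findings.append("domain is %s, not %s" % (domain, claimed_domain.lower()))
    if link_text:
        shown = domain_of(split_link(link_text)[1])
        if shown and shown != domain:
            findings.append("text shows %s but the link goes to %s" % (shown, domain))
    return {"host": host, "domain": domain, "page": page,
            "suspect": bool(findings), "findings": findings}
```

The `link_text` check covers the "status bar, not the message body" slide: a message whose visible text reads like a paypal.com address but whose actual link goes elsewhere is flagged even when the computer name looks plausible.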

Page 28: The Art of Deception

What can you do about this?

• Consider using prepaid credit cards for purchases.
  – Exposure is limited.
  – Card not tied in any way to your banking accounts.
  – Card does not impact your credit rating.
  – Visa offers cards directly.
  – A number of companies offer branded Visa or MasterCard prepaid cards.

Page 29: The Art of Deception

What can you do about this?

• Consider credit report monitoring.
  – Not a be all, end all solution.
  – Only identifies when your credit is impacted.
    • Will indirectly show credit card activity.
  – Does not protect against your accounts being drained.
• Shred financial documents, including account statements and credit card offers.

Page 30: The Art of Deception

What can you do about this?

• Use a different password for each financial account you have.
  – Yes, this can be a pain to remember.
  – Use a password manager to help manage your accounts and passwords.

Page 31: The Art of Deception

What can you do about this?

• Check out the security arrangements before signing up for online banking.
  – What access controls do they use?
  – Look for multiple authenticators
    • Something you know (password, image)
    • Something you possess (token)
    • Something you are (fingerprint)

Page 32: The Art of Deception

What can you do about this?

• Use anti-virus software, and keep it up to date.

• Use anti-malware software, and likewise, keep it up to date.

• Consider using an anti-phishing toolbar on your web browser.
  – Built in to newer browsers.

• Keep your system patched.

Page 33: The Art of Deception

What to do if you are a victim?

• Contact your financial institutions.
  – Most have help services for identity theft.
• Check your state’s web site.
  – Usually the Attorney General or the Secretary of State.
• Check the web site for the Federal Trade Commission.
  – www.ftc.gov

Page 34: The Art of Deception

Test Your Knowledge

• Various anti-phishing games
  – http://www.sonicwall.com/phishing/
  – http://survey.mailfrontier.com/survey/quiztest.cgi?themailfrontierphishingiqtest
  – http://cups.cs.cmu.edu/antiphishing_phil
• Google with a search of ‘phishing quiz’.

Page 35: The Art of Deception

References

• Kevin Mitnick, The Art of Deception
  – Book about using social engineering techniques to gain access to facilities and systems. Available in Library!
• Wikipedia
  – Search for ‘phishing’, ‘pharming’ and ‘phreaking’.
• The Anti-Phishing Working Group
  – www.antiphishing.org

Page 36: The Art of Deception

References (cont’d)

• Federal Trade Commission
  – www.ftc.gov
• State Attorneys General or state trade commissions.
• Your bank’s web site
  – Usually contains privacy and security pages that explain your rights and how the institution safeguards access.

Page 37: The Art of Deception

Thanks for attending!

• Copy of presentation will be available at…
  • www.ewu.edu/securityawareness

• I have also sent a copy to the QSI people, in case they are assembling a web site.