The iCloud Hack - University of Richmond
Social Engineering
Many of the slides here deal with Social Engineering.
Thanks for those slides go to: The late Dr. Yosef Sherif, unknown colleague at UW-Madison,
Mathew Sullivan at Iowa State, Tanya L. Crenshaw at U. Portland, various other
colleagues and contributors
iCloud Hack info
Thanks to Nik Cubrilovic: https://www.nikcub.com/posts/notes-on-the-celebrity-data-theft/
The iCloud Hack: What happened?
• Personal and private nude photos of celebs started appearing on online image boards and forums
– First pics posted a week before the scam became public
o Not public because images were being ransomed (only censored images distributed, and then only to entice folks to buy)
o Once uncensored images were published, the scam blew up
– Over 400 individual images and vids
o Over a dozen celebs, at least 100 individuals had data compromised
Apparently...!
• This scam only scratches the surface
– There are private communities and trading networks where data that is stolen remains private
– Horizontally organized
o People carrying out specific tasks
o Loosely organized
o Communication via private email and IM
The Goal!
• Steal private media from phones that utilize cloud backup services integrated into iPhones, Android, and Windows phones
• Accessing backup requires
– User ID and Password, OR
– Authentication token
Scammer Network Roles
• Users who troll social networks looking for targets and collecting information
– Utilize public record services and buy credit reports
– Set up fake profiles
– Friend the target or friends of the target
– Extract info that helps answer secret questions
Scammer Network Roles
• Folks who use the gathered data to determine the password or other authentication token. Methods (most with online tutorials!):
– RATs (Remote Access Tools)
o Target tricked into installing via private message, OR
o Target receives email link or attachment that installs RAT, OR
o Friend of target installs RAT on phone or computer via physical access
– Phishing: Target receives password reset or other tricks that cause target to enter password into a hacker-controlled site
– Password reminder: after gaining control of email, have “reminder link” sent to access cloud storage
– Password reset: answering birth and security question challenges (often easily broken with public info)
Scammer Network Roles
• Folks who use the authentication info to “rip” cloud-based backup services using pirated software specifically engineered to dump the entire cloud backup set
– Including messages and deleted photos
Scammer Network Roles
• Collectors: Organize stolen data into folders
– Via Dropbox and Google Drive
• Create preview images for each set of data, then email potential clients (i.e., their contacts)
• Email addresses for collectors or for those willing to trade or sell are typically available by referral, often by someone offering a hacking or ripping service
Disturbing...
• A frequent source of new leads is folks who know someone they want to hack (e.g., friends of celebs) and who have stumbled onto a scammer network via search terms or forums
• Contributor offers up Facebook profile along with enough info to figure out authentication tokens (possibly even offering to install RAT via physical access)
• In return, contributor gets access to photos and harvested data
FindMyPhone API Brute Force
• An attack on the protocol that allows someone to find a lost iPhone, for example.
• Given the success rate with the “social engineering” methods mentioned earlier, either this was not necessary, or possibly the hackers were not aware of it.
iCloud a Popular Target
• Because Picture Roll backups are enabled by default and iPhone is a popular platform
• Windows Phone backups are available on all devices, but not enabled by default
Apple accounts particularly vulnerable
• Because of the recovery process
– Broken into steps that fail at each point!
– iCloud doesn’t reveal if an email is a valid iCloud address as part of the recovery process
o BUT they do indicate whether an email is valid if one attempts to open a new account with the same email (thus allowing brute force)
– Second step is date of birth
o And the step succeeds or fails solely on the basis of date of birth, so it can be guessed
– Last step is the two security questions
o Which can often be guessed based on harvested information
Apple accounts particularly vulnerable
• Solutions?
• Apple should disable the interface that indicates whether an email is available for an iCloud account
• Recovery process should be one big step
– Where all data is validated at once (so no way to know which step failed)
– And the user is not given a specific error message
– Should also have rate limits and strict lockout on the recovery process on a per-account basis
o The ability to POST an email address to a link and get a validity response with little rate limiting is a serious bug
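The step-wise recovery flow criticised above, beside the single-step, rate-limited flow the slide asks for, as an added Python illustration for these notes (not code from the slides or from Apple); the account store, the date of birth, the security answers and the MAX_ATTEMPTS value are constructed assumptions.

```python
"""Account-recovery flow: the leaky step-by-step version beside a single-step,
rate-limited version. Added illustration for these notes, not Apple's code;
accounts, dates of birth and security answers are constructed sample data."""
from dataclasses import dataclass
import hmac


@dataclass
class Account:
    email: str
    dob: str                 # ISO date, e.g. "1990-01-01"
    answers: tuple           # expected security answers, lower-cased
    failed: int = 0          # failed recovery attempts since last success


# Constructed sample account store (hypothetical data).
ACCOUNTS = {
    "alice@example.com": Account("alice@example.com", "1990-01-01",
                                 ("rover", "springfield")),
}
MAX_ATTEMPTS = 5                       # assumed lockout threshold
GENERIC = "We could not verify your identity."


def _eq(expected: str, given: str) -> bool:
    """Constant-time comparison of a stored value against user input."""
    return hmac.compare_digest(expected.encode(), given.strip().lower().encode())


def leaky_recovery(email: str, dob: str, answers: tuple) -> str:
    """Step-wise flow like the one on the slides: each check returns its own
    message, so the caller learns exactly which piece was wrong."""
    acct = ACCOUNTS.get(email)
    if acct is None:
        return "unknown email"
    if not _eq(acct.dob, dob):
        return "wrong date of birth"
    if len(answers) != len(acct.answers) or \
            not all(_eq(e, g) for e, g in zip(acct.answers, answers)):
        return "wrong security answers"
    return "ok"


def hardened_recovery(email: str, dob: str, answers: tuple) -> str:
    """Single-step flow: every field is checked before any verdict, every
    failure (unknown email, wrong DOB, wrong answers, locked account) yields
    the same message, and attempts are counted per account with a lockout."""
    acct = ACCOUNTS.get(email)
    if acct is None:
        return GENERIC                       # same reply as any other failure
    if acct.failed >= MAX_ATTEMPTS:
        return GENERIC                       # locked out, still indistinguishable
    ok = _eq(acct.dob, dob)
    ok = (len(answers) == len(acct.answers)) and ok
    for expected, given in zip(acct.answers, answers):
        ok = _eq(expected, given) and ok     # compare first: no short-circuit
    if not ok:
        acct.failed += 1
        return GENERIC
    acct.failed = 0
    return "ok"


def signup_request(email: str) -> str:
    """Sign-up that is not an address oracle: the reply is identical whether or
    not the address is registered; the real outcome goes to the mailbox owner."""
    # Sending the confirmation or "already registered" mail is out of scope here.
    return "If this address can be registered, a confirmation link has been sent."
```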
OPSEC level of average scammer
• Was not impressive
• 98% of email addresses provided in forums as part of advertising or promotions are with the popular providers (gmail, outlook, yahoo)
– None of these are TOR friendly
• Users spoke of using VPNs when breaking into accounts, and suggested which VPNs are best, fastest, and “most anonymous”.
• It was incredibly easy to publicly identify those responsible
Tracking one distributor
• Posted a screenshot as part of an ad to sell 60 photos and vids for a single celeb, but didn’t black out his machine name or the machine names of the other computers on his local network
– A user on reddit did a Google search and tracked down the company where the distributor worked.
– Tracking each of the machine names led to a reddit account that posted a screenshot of the exact same explorer interface
o Dude apparently liked to take screenshots of his own machine
– Worse, the pics belonged to gymnast McKayla Maroney, who was a minor when the pics were taken
o Thus the screenshot is an admission of possession of child pornography
So, How to Stay Secure
• Pick a better password
• Set security answers to be long random strings
• Enable two-factor authentication
• Ring-fence email
– Two different email addresses, one for public consumption, another for private accounts
• If you are a celeb, get a second phone that uses an alias
Social Engineering: Definition!
• Social Engineering: “the practice of obtaining confidential information by manipulation of legitimate users.” (from Wikipedia.com)
• Attackers “trick” employees into revealing sensitive information, usually to gain access to a computer system: user-ID, password, IP address, etc.
Social Engineering: Definition!
• A Social Engineer is basically a flavor of “Con-Man” (“Con-Person”?)
• Historically, Con-Men have been highly successful at convincing victims to give them valuable items (money, jewelry, etc.).
• Social Engineers employ similar methods aided by modern technology to obtain valuable data from system users.
Social Engineering: Definition!
• Con-Men and social engineers see their attacks as an art form or a social trade.
– They pride themselves on their ability to manipulate a person’s natural tendency to trust others
– They are highly skilled and use very effective psychological methods
– Some work for personal edification; others work for profit
Social Engineering
• The end user is usually the weakest link of a system
– People are often lazy, ignorant of security, or simply gullible
• Social engineering is a journey into social psychology!
– Yes I know, that probably doesn’t sound very fun
– Well guess what… it is, so deal with it!
Case Scenario: Meet Angry Cow!
• Angry Cow is a Computer Science student at UW-Madison
• Angry Cow just got an eviction notice!
Simple Public Information is Found
• Angry Cow lives at the Regent
• The Regent’s website indicates that it is owned by Steve Brown Properties
• Angry Cow wants to “fix” Steve Brown’s record keeping spreadsheet to show that rent has been paid
Finding A Way In...
• Facebook is Angry Cow’s first weapon of choice because it is an unofficial source of information
• Poor controls over data sharing
• Lots of important information there that might not seem important, but could be his first step in…
• Go to Facebook and search: “Steve Brown Apartments” to find an appropriate unknowing accomplice
Letʼs See -- Danielle Treu
• Born July 24, 1988
• Enjoys playing in the rain, drinking coffee, and spending money
• Works at Subway and as a Resident Assistant for Steve Brown Apartments
Letʼs See -- David Klabanoff
• Born April 21, 1979
• Likes Star Wars and The Muppet Movie
• Is a Concierge for Steve Brown Apartments
Letʼs See -- Andrew Baldinger (who made these slides?)
• Born March 30, 1986
• Likes kayaking, exploring, and getting lost
• Lives at the Regent
• Works as a Technology Support Specialist for Steve Brown Apartments
Letʼs Start with Danielle Treu
• Her Facebook profile is public, but she is intelligent. She keeps her contact information private
• But her profile does say that she attends UW-Madison...
• I wonder if they have some more public information about her
More Research
• UW Whitepages is PUBLIC information
• That conveniently provides her email address
Establishing the Trust!
• Danielle talks to David, and since David trusts Danielle as an “insider”, this trust transfers to the fake Andrew
• Angry Cow shows up later that day. David is expecting him.
• Angry Cow identifies himself as Andrew and asks David for key to server room
The Hack
• Angry Cow gets physical access to server, uses a standard password cracking program to get Admin username, password
• Angry Cow logs into server and alters accounting files to indicate that his rent has been paid
Summary of This Example
• Search for public information about your target, using both official and unofficial sources
• Build a trust ladder: Danielle trusts Andrew and David trusts Danielle, therefore David will trust Andrew -- even if “Andrew” is really Angry Cow!
• Built a credible story
• Based on pretexting
Pretexting
• Pretexting is the act of creating and using an invented scenario (the pretext) to persuade a targeted victim to release information or perform an action and is typically done over the telephone.
• It’s more than a simple lie as it most often involves some prior research or set up and the use of pieces of known information (e.g. for impersonation: date of birth, Social Security Number, last bill amount) to establish legitimacy in the mind of the target.
Is This Really a Threat to Businesses?
• So far, this just looks like a technique employed by angry individuals
• Did you know that Hewlett Packard regularly engaged in Social Engineering?
• They used the method of pretexting in order to get phone records
• Watch the testimony of Patricia Dunn, former Director of HP: http://pra-blog.blogspot.com/2006/10/patricia-dunns-incredible-
Pretexting Will Likely Continue!
• As most U.S. companies still authenticate a client by asking only for a Social Security Number, date of birth, or mother's maiden name, the method is effective in many criminal situations and will likely continue to be a security problem in the future.
• Pretexting is the most common form of social engineering.
Example: Hacking Paris Hiltonʼs Phone
• In 2005, Paris Hilton’s phone was hacked. The contents of her T-Mobile Sidekick were posted to illmog.org, including the phone numbers of Eminem, Vin Diesel, Lindsay Lohan, and Anna Kournikova.
The Steps...
• The attackers learn of a programming glitch on the T-Mobile website: a tool on the site that allowed users to reset their account password contained a vulnerability.
• They figure out how to reset the password of any user whose phone was a Sidekick.
The Steps...
• To get Paris Hilton’s phone number, the attackers get a caller-ID spoofer and call a T-Mobile sales store in California
• The conversation goes something like this:
– Attacker: “This is [whoever] from T-Mobile Headquarters in Washington. We heard you’ve been having problems with your customer account tools?”
– Employee: “No, we haven’t had any problems really. Just a couple of slow downs.”
– Attacker: “Yes, that is what is described here in this report. We’re going to have to look into this for a quick second.”
The Steps...
• The T-Mobile rep gave out the URL of the internal T-Mobile site used to manage customer accounts.
• Also gave the username and password used by employees to log in.
• With Hilton’s phone number, they could use the glitch to reset her password.
• This caused a text message to be sent to her phone.
• The attackers then called her, using their caller-ID spoofer.
The Steps...
• Attacker: “There are some network difficulties. Have you been getting any SMS about a password reset? What were the contents of the message?”
• At this point, she has no idea that her password has really been changed and her account hacked
• Since videos and data on the Sidekick are stored on T-Mobile’s central servers, they could download all of Hilton’s info to their own phones.
• The hackers were teenagers.
– Who appreciated that Hilton had nude photos saved on her Sidekick...
Also, gratuitous Matrix sidestory!
• Hackers also called Laurence Fishburne, demanding that he “GIVE US THE SHIP!”
Social Psychology: Persuasion
• A number of variables influence the persuasion process:
– The Communicator (Who?)
– The Message (What?)
– The Audience (Whom?)
– The Channel (How?)
• For now, let’s focus on “The Communicator”
Social Psychology: Persuasion
• The Communicator (Who?):
– Credibility
– Expertise
– Trustworthiness
– Attractiveness
Social Psychology: Persuasion
• Credibility: “The Milgram Experiment”
– The “assistant” will give electric shocks in increasing voltages to the “test subject”, whom they can hear via a covered window but cannot see
– The “test subject” is actually an actor and is not really getting shocked
Social Psychology: Persuasion
• Credibility: “The Milgram Experiment”
– After a few shocks, the “test subject” actor begins yelling in pain, banging on the wall, begging for the shocks to stop
– “Assistant” members would ask the man in the white coat what to do; upon being told to continue, 65% of “assistants” would go on to administer 450-volt shocks from the switch labeled “dangerous”
o By the time the 450-volt switch is reached, the actor has already been dead silent for many minutes
Social Psychology: Persuasion
• So what’s the moral of the story?
– Most people will obey the man in the white coat
– In social engineering, creating the aura of an authority figure allows the adversary to persuade easily, because she has established credibility!
Social Psychology: Persuasion
• The Communicator (Who?):
– Credibility
– Expertise
– Trustworthiness
– Attractiveness
Source: http://en.wikipedia.org/wiki/Social_psychology_(psychology)
Social Psychology: Persuasion
In general, will social engineering attacks be more successful if the adversary, instead of looking like this…
Social Psychology: Persuasion
…looks like this?
The answer is YES! (and that’s true regardless of sex)
Social Psychology: Persuasion
Would my social engineering attack have been more successful if this… …looked like this instead?
Side note: women are more likely to trust women, and men are more likely to trust men
Source: "Gender pairing bias in trustworthiness" from Journal of Socio-Economics, Volume 38, Issue 5, October 2009, Pages 779-789
Social Psychology: Illusory Superiority
• I bet you are thinking, “That wouldn’t happen to me, I know better!”
– Oh really? Don’t be so sure! Social Engineers have a nearly 50% success rate with minimal effort
– It’s easy for you to say you wouldn’t be fooled, because you are currently suffering from bias!
o This bias is called illusory superiority
o It causes people to overestimate their positive qualities and abilities and to underestimate their negative qualities, relative to others
So… people are dumb
• Amazing statistics, for your enjoyment:
– In a 2003 information security survey, 90% of office workers gave researchers what they claimed was their password in answer to a survey question in exchange for a cheap pen*
– In another study, 70% of people claimed they would reveal their computer password in exchange for a bar of chocolate
– 34% of respondents volunteered their password when asked without even needing to be bribed
* Researchers made no attempt to validate the passwords
Source: http://news.bbc.co.uk/1/hi/technology/3639679.stm
Popular Methods of Attack
• Dumpster Diving
• Shoulder Surfing
• Malicious E-mail Attachments
• Deception and Manipulation
• “Phishing”
• “Pharming”
• Reverse Social Engineering
• PBX Disguise
Dumpster Diving
• Searching through a company’s trash bins for sensitive/internal documents
– Memos
– Company Directories
– Account Statements
Shoulder Surfing
• Observing an employee using his/her computer:
– Witness userID and/or password entry
– Observe system resources
– Obtain customer information
Malicious Email Attachments!
• E-mail messages carefully written to entice readers to download malicious files.
– Usually sent as “spam” to multiple employees listed in a company directory or email list, but can target a specific employee
– Messages appear to be harmless, sometimes using common names to pose as a coworker or friend: John, Richard, Judy, Cindy, etc.
Malicious Email Attachments!
– Attachments can be downloaded directly by the user’s request or automatically through embedded images.
– Malicious files may include keystroke loggers, password stealers, viruses, worms, and/or trojan horses.
Related: “Roadside Apples”
• Also known as “Baiting”
• Uses physical media and relies on the curiosity or greed of the victim
• USB drives or CDs found in the parking lot, with label: 3M Executive Salaries
• Autorun on inserted media
Deception and Manipulation!
• Impersonation: Pretending to be a customer, Tech Support Specialist, manager, etc.
• Ingratiation: motivating the victim to comply in order to improve or protect their reputation with management.
• Conformity: motivating the victim to comply because it is a standard practice.
• Peer Pressure: motivating the victim through flattery, flirtation, intimidation and/or guilt.
Example:
• “Hi Jim, this is Steve from tech support. I’m showing your boss, Rick, has a virus on his desktop computer. I understand Rick is on a business trip and I can’t seem to get a hold of him at the hotel. You wouldn’t happen to have his user ID handy, would you? I’d like to clean his computer before he gets back. I’m sure he’d appreciate your help.”
Pharming
• An in-depth phishing scheme involving
– cracking into a local DNS server
– changing the IP routing information of a popular website to a phishing website
• Users trust the phishing website because the internet address has been requested directly and shows correctly (http://www.citibank.com).
Reverse Social Engineering!
• A method used to get the user to seek out the social engineer for help!
• Three step process:
– Sabotage:
o Attacker causes an application on the victim’s computer to fail
– Advertising:
o Attacker advertises his/her phone number for the victim to call for help
– Assisting:
o The attacker asks for personal or sensitive information while pretending to assist the user
Related: Quid Pro Quo
• Means “something for something”
• A person contacts people one by one until he/she finds a person with a problem
• When they find a person, they “fix” their problem by introducing malware to their machine
PBX Disguise
• PBX (Public Business eXchange): an attacker manipulates the company’s internal caller-ID system to impersonate someone of authority
• PBX system can be cracked/hacked to generate a false caller-ID for the attacker
• Usually done by convincing someone of authority to “blind transfer” the attacker’s call to the victim
PBX Disguise Example!
• Attacker: “Hello? Who is this? Tech Support? Oh, I’m sorry. I’m trying to reach Terry Simpson at extension 24667. Can you transfer me please? I’m in a hurry.”
• <Tech Support blind transfers the call.>
• Attacker: “Hi Terry, this is Jim from Tech Support. You can verify my identity from the caller-ID. Yes, I need to reset your password...”
Attack Template!
• Any combination of methods is strategically employed by the social engineer for each situation
• Attacks usually follow four steps:
– Preparation
– Confidence Build
– Exploitation
– Retrieval
Attack Template
• Preparation: attacker researches information that will build credibility with the victim
• Confidence Build: attacker uses research to gain the victim’s confidence.
• Exploitation: attacker motivates the victim to divulge sensitive information.
• Retrieval: attacker uses sensitive information for profit or to prepare for a higher level attack
Example
• Preparation: Attacker dumpster dives for an old copy of the company directory from a trash bin behind the company’s main headquarters; collects names and phone numbers to impersonate and target.
• Confidence Build: Attacker uses deception to pose as a department manager, mentioning names of other coworkers in the field (from the directory) to buy credibility
Example (cont.)
• Exploitation: Attacker manipulates a victim business manager from another location to unwittingly reveal the physical location of a data center holding a customer information database.
• Retrieval: attacker uses this information to target employees at the data center, who further reveal information used to gain access to the database; customer information is later used to commit credit fraud for personal profit.
Kevin Mitnick
• In 1981, at the age of 17, Mitnick and his gang of hackers decided to physically break into COSMOS, a database used for controlling the phone system’s basic recordkeeping functions
• In broad daylight on a Saturday, the group talked their way past security and into the room where the database system was located
• From that room, the gang lifted combination lock codes for nine Pacific Bell offices and the COSMOS system’s operating manuals
Source: http://www.takedown.com/bio/mitnick.html
Kevin Mitnick
• To ensure continued access, they placed fake names and phone numbers into a company rolodex, which would have allowed them to call in and further social engineer, if needed
– Take-home point: hackers always leave a way back in
• A manager soon realized the names were fraudulent and contacted police; Mitnick was later tied to the theft by a conspirator’s former girlfriend
– Take-home point: don’t tell your girlfriend about your crime attempts, especially when they constitute a felony :)
Source: http://www.takedown.com/bio/mitnick.html
Kevin Mitnick!
• Hacked into the National Security Agency system using Hughes Aircraft’s network in 1985
• Convicted in 1995 of theft and fraud on over 20,000 credit cards, and for hacking into systems at Motorola & Sun Microsystems.
• Sentenced to 5 years in prison, 8 months of which he was held in solitary confinement; lifetime probation from using computers.
Ways to Combat Social Engineering
• Good security policy
• Make sure your employees understand dangers and threats
• Make sure employees understand what Data Classification means and what type of information you publicly give away
Most Important Gem of Wisdom
• Never, ever give out username, password, account number, SSN, etc., over the same channel used to initiate the request!
• For example, if a phone call comes in asking for a SSN, send the SSN via email or regular mail