Social Engineering - University of New Mexico


Social Engineering
Survey Results
How much of your personal information do you share online? None 7%, Some 73%, Most 13%, All 7%.
Which topics would you be most interested in learning about? (bar chart, vertical axis 0 to 6)
How many times has your email and/or social media website been hacked? 0: 44%; 1-3: 50%; 4 or more: 6%.
What is Social Engineering?
“Social engineering, in the context of information security, refers to psychological manipulation of people into performing actions or divulging confidential information.” (Wikipedia)
iCloud Hack Leads to Celebrity Phishing Attacks
Celebrity Victims
• Link from fake tweet and Facebook post lures people to a fictional website. Users are prompted to download software to view the video. Malicious software is downloaded instead.
• Targets Windows 7 and earlier versions
Information Gathering Techniques
• Telephone calls to a target business or person
• Dumpster diving
• Phishing emails
• Face to face conversations
• Internet searches
• Parking lots
• GPS tracking
• Getting a job at the target company
How is Personal Information Stolen?
Source: Iconix
Types of Social Engineering
Phishing
– Voice Phishing
– Spear Phishing
– Clone Phishing
More Types of Social Engineering
• Pretexting
• Shoulder surfing
• Role playing
• Piggybacking
Social Engineering Tools
• Social Engineering Toolkit
• Maltego
• Super Phisher
– 000webhost.com
• Web-console
• Spoof Cards
How to Create a Fake Link
Influence Tactics
• Social engineers often exploit the three fixed action patterns in order to manipulate a victim.
• Fixed action patterns include the following: Liking, Reciprocity, and Authority.
• Learning the organization’s lingo, phone number spoofing, or mimicking an organization's hold music.
• Using the word “because”
The Human Condition
• Appeal to charm
• Fear of loss
• Willingness to trust
• Appeal to authority
• Eagerness to receive free stuff
• Wanting to be helpful
• Appeal to authority
• Perceived low impact of information
Prevention Techniques
• Just say no to giving out personal information.
• Be scrupulous with security questions.
• Do you get e-mails about password resets? Be careful. Contact the service provider to see if the e-mail is legitimate.
• You’ve probably heard this before, but here it is again: Never use the same password for multiple accounts!
More Prevention Techniques
• Keep an eye on your account activity, e.g. social media accounts, bank accounts, etc.
• Beware of emails from anyone, for any reason, that require you to click links. Stop and think before you click on the link, and research the legitimacy of the email first.
• Continue to educate yourself on the different social engineering techniques.
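One concrete way to “research the legitimacy” of a link before clicking is to compare what the e-mail shows with where the link actually goes. The checker below is an added example, not part of the original slides; the sample e-mail body, the host names (example-bank.com, evil-host.test, 203.0.113.5) and the two-label shortcut for the registered domain are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample e-mail body (not from the original slides): an honest link, a link whose
# visible text claims the bank's domain but goes elsewhere, and a link hiding the real host
# behind user info and a raw IP address.
SAMPLE_EMAIL_HTML = """
<p>Your password reset is ready.</p>
<a href="https://www.example-bank.com/reset">https://www.example-bank.com/reset</a>
<a href="http://login.example-bank.com.evil-host.test/reset">www.example-bank.com</a>
<a href="http://www.example-bank.com@203.0.113.5/reset">Reset now</a>
"""

class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the message body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _registered_domain(host):
    # Assumed simplification: the last two labels stand in for the registered domain.
    return ".".join(host.lower().split(".")[-2:])

def suspicious_links(html):
    """Return (href, reason) for each anchor that shows a sign of a disguised link."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        parts = urlsplit(href)
        host = parts.hostname or ""
        if parts.username is not None:
            findings.append((href, "user info before the host hides the real destination"))
        elif re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            findings.append((href, "raw IP address instead of a host name"))
        elif "." in text and " " not in text:  # the visible text itself looks like a URL or domain
            shown = urlsplit(text if "://" in text else "//" + text).hostname or ""
            if _registered_domain(shown) != _registered_domain(host):
                findings.append((href, f"text shows {shown} but link goes to {host}"))
    return findings
```

Running `suspicious_links(SAMPLE_EMAIL_HTML)` flags the second and third links and leaves the honest first one alone.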
English-German Glossary
• Password s Passwort, s Kennwort
• Password protection r Passwortschutz
• Permission e Berechtigung (-en)
• Root directory s Wurzelverzeichnis
• Save (v.) Speichern
• Security leak s Sicherheitsleck (-s)
• Application(s) software e Anwendung (-en)
• Hacker r Hacker (-), e Hackerin (-nen)
• Information technology (IT) e Informatik
• Update n. e Aktualisierung (-en), e Änderung (-en)
• Network n. s Netzwerk
• Virus r Virus (Viren)
• Trojan horse (virus) r Trojaner
• Database e Datei
• Error message e Fehlermeldung
Questions?? Fragen??
Sources
• http://german.about.com/library/blcomputE_T-Z.htm
• http://www.bloggernews.net/135080
• http://www.csoonline.com/article/2123378/identity-theft-prevention/socialengineering--eight-common-tactics.html
• http://www.youtube.com/watch?v=yY-lMkeZVuY
• www.infosecwriters.com/text_resources/pdf/Social_Engineering
• http://lifehacker.com/5824481/how-to-convince-people-to-let-you-cut-inline
• http://www.youtube.com/watch?v=V5NRKVgZNFg
• http://www.social-engineer.org/framework/se-tools/physical/gps-trackers/
• http://www.csoonline.com/article/2131550/social-engineering/the-socialengineering-toolkit-s-evolution--goals.html
• http://www.pcworld.com/article/182180/top_5_social_engineering_exploit_techniques.html
Sources (continued)
• http://iconixtruemark.wordpress.com/2011/09/23/the-security-threat-of-social-engineering/
• http://en.wikipedia.org/wiki/Phishing
• http://en.wikipedia.org/wiki/Voice_phishing
• http://en.wikipedia.org/wiki/Social_engineering_%28security%29
• http://arstechnica.com/security/2014/09/celeb-nude-photos-now-being-used-as-bait-byinternetcriminals/
• http://www.darkreading.com/perimeter/poll-employees-clueless-about-social-engineering/a/d-id/1316280