Transcript web.ewu.edu
The Art of Deception
• Presented by Skye Hagen, Asst. Director, Office of Information Technology, and Dr. Carol Taylor, Associate Professor, EWU Computer Science Department

The Art of Deception - Or - No tech hacking

Ways to attack a system
• Find and exploit a vulnerability
  – Rare, and requires a fair degree of knowledge
• Download an exploit
  – Common, requires no special skills
  – Patched systems usually not vulnerable
  – High value targets well protected against this

Ways to attack a system
• Get someone to load bad software on their computer
  – Widespread, requires no special skills
  – Anti-malware systems generally prevent this
• Get someone to reveal their password
  – Widespread, requires no special skills
  – Only you can prevent this from working

Ways to attack a system
• The last two methods use social engineering, and are the areas we are focusing on today.
  – Can target any number of people, from a single individual up to large numbers of people at once
  – Can work in a number of non-computer settings

The Art of Deception
• Social engineering is a collection of techniques used to manipulate people into performing actions or divulging confidential information.
• Usually applies to using trickery for information gathering, computer access, or access to restricted areas.

Other related terms
• The following slides will cover some common terms you may see in the press.
  – Terms marked "new term" are less than a year old.
  – This shows just how rapidly these kinds of attacks change.

Other related terms
• Phishing
  – E-mail attack used to obtain access to financial systems
    • On line banking
    • Credit card numbers
    • Access to other financial systems
  – Technology related
  – Ultimate goal is to steal money
    • Secondary goal may be to 'own' your computer.
Other related terms
• Spear phishing (new term)
  – Phishing attacks directed against a specific, defined group of people
    • EWU has been subjected to a number of spear phishing attacks this last year
      – Specifically, several attempts to gain access to web mail accounts
• Whaling (new term)
  – Spear phishing attacks directed against executives of an organization

Other related terms
• Pretexting (new term)
  – Used in the HP Board of Directors scandal
    • HP hired private investigators who used pretexting to gain call record information from the phone company to try to determine who was leaking information.
  – Usually used by legitimate companies, such as private investigators
  – Practice is of questionable legality

Other related terms
• Tabloid spam (new term)
  – Uses tabloid style headlines to attract your attention
  – May use the exact same e-mail format as various news services
    • CNN
    • ESPN
    • NBC

Other related terms
• Vishing (new term)
  – This is phishing via voice
    • Up and coming attack
    • Usually wants you to call a (toll free) number to validate your account
    • Uses a fairly convincing phone menu tree to get you to divulge financial information

Other related terms
• Pharming
  – A computer attack that misdirects a user to a bogus web site
  – Often implemented as software downloaded from the Internet

Not limited to computers
• Tailgating
  – Following someone through a secure access point.
• Shoulder surfing
  – Looking over someone's shoulder to view a password.

Not limited to computers
• Cell Phone Camera Identity Theft
  – Using a cell phone camera to capture check or credit card numbers.
• Dumpster Diving
  – Going through trash (or mailboxes) to obtain account numbers, credit card offers, etc.

How the Internet makes it easy
• Inherent trust in computers.
  – But this trust is misplaced.
• No validation of identity.
• Lack of knowledge and understanding of computers.

Social Engineering Techniques
• E-mail
  – We see this all the time.
  – Sometimes the spam filter catches them, sometimes it does not.
  – Generally sent to a large number of recipients.
• Phone calls
  – Usually used for directed attacks.
  – Person attempts to gain specific access.

Social Engineering Techniques
• In person
  – Used to gain physical access
  – May involve tailgating, or pretending to belong but just not being able to get to their access card
  – Overwhelming the lowly receptionist
    • Great example in the movie Sneakers.

How does phishing work?
• Attack usually starts with an e-mail
  – User must respond to an event, such as an account suspension.
  – Must follow link in e-mail.
    • Does not usually have a phone contact.
  – Describes serious consequences if you do not take immediate action.
  – Tries to get you to make a quick decision.
  – Example of a phishing e-mail.

Phishing attack
• Once at the fake web site, they try to get you to enter your account and password information.
• Sites are very realistic.
  – Refer back to example phishing attack.
  – EWU has been subjected to this attack, trying to obtain webmail accounts and passwords.
    • Used to send out more phishing and spam.

What can you do about this?
• Be careful in all transactions on the Internet.
  – Know the policies and procedures for the financial organizations that you deal with.
    • How will your bank contact you if they detect suspicious activity?
    • How will EWU contact you?
    • Where does this link really go to?
  – Look for institutions that use multiple factor authentication.

What can you do about this?
• Know what to look for
  – Analyze the content of the message
  – Analyze links
  – Follow security procedures
    • Verify identity

Know what to look for (content)
• Phishing usually falls into one of two types
  – Fear
    • Tries to get you to take immediate action
    • Has dire consequences if action is not taken
  – Greed
    • Advance fee programs
      – Lottery winner
      – Money launderer
      – Business agent

Know what to look for (content)
• Know the format for toll free numbers
  – Always begin with '8', and the next two digits are identical
    • 800 is toll free
    • 833 is toll free (but not in use at the time of this presentation)
    • 522 is not toll free
    • EXCEPTION: 811 and 899 are not toll free
  – Or begins with '88'
    • 888 is the only one in use; all others are reserved

Know what to look for (URL)
• Anatomy of a link, using http://www.ewu.edu/securityawareness as the example:
  – http:// is the protocol; may also be https://
  – www.ewu.edu is the computer name; the clues are in this portion. May also look like a number, such as 146.187.3.190.
  – /securityawareness is the specific page; irrelevant for analysis

Know what to look for (URL)
• Look at the link in the status bar, not the text in the message body
  – See Associated Bank example
• If the computer name is a number in the form 146.187.3.190, this is ALWAYS suspect; NEVER click on this kind of link
  – http://198.43.28.24 is not valid
  – https://87.34.87.205/paypal/login is not valid

Know what to look for (URL)
• Look deeper into the computer name; the last two words (separated by periods) are the domain. Is this valid? (Use Google to check)
  – http://www.ewu.edu/securityawareness
    • ewu.edu is owned by EWU
  – https://paypal.redirect.ru/login
    • Not valid: PayPal is paypal.com, not redirect.ru
  – http://login.paypal-verify.com
    • Not valid: PayPal is paypal.com, not paypal-verify.com

What can you do about this?
• Consider using prepaid credit cards for purchases.
  – Exposure is limited.
  – Card not tied in any way to your banking accounts.
  – Card does not impact your credit rating.
  – Visa offers cards directly.
  – A number of companies offer branded Visa or MasterCard prepaid cards.
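The "Know what to look for" slides above (toll free number format, and the three URL slides) state rules that can be mechanized. The following is an added example, not part of the original presentation and not an EWU tool: it encodes the toll-free rule exactly as the slides state it, splits a link into protocol, computer name and page, flags a bare-IP computer name and a domain that does not match the brand's, and performs the status-bar comparison (where the link really goes versus the text it shows) over a sample HTML message. The sample message, its links and the paypal.com expectation are constructed for illustration; the rules are the slides', not an authoritative anti-phishing specification.

```python
# Added example, not from the original presentation: heuristic checks that
# encode the 'Know what to look for' rules for toll-free numbers and URLs.
import ipaddress
import re
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

NOT_TOLL_FREE = {"811", "899"}  # the slide's exceptions to the 8NN rule


def classify_number(number: str) -> str:
    """Slide rule: toll-free begins with 8 and the next two digits match (800,
    833, ...), except 811/899; in the 88x block only 888 is in use."""
    digits = re.sub(r"\D", "", number)
    if len(digits) == 11 and digits[0] == "1":  # drop a leading country code
        digits = digits[1:]
    area = digits[:3] if len(digits) == 10 else ""
    if not area or area in NOT_TOLL_FREE:
        return "not-toll-free"
    if area[0] == "8" and area[1] == area[2]:
        return "toll-free"
    if area.startswith("88"):
        return "reserved"  # 880-889 other than 888: reserved, not dialable
    return "not-toll-free"


def registrable_domain(host: str) -> Optional[str]:
    """Slide rule: the last two labels are the domain; None for a bare IP."""
    try:
        ipaddress.ip_address(host)
        return None
    except ValueError:
        return ".".join(host.lower().rstrip(".").split(".")[-2:])


def analyze_url(url: str, expected_domain: str) -> Tuple[bool, List[str]]:
    """Return (suspicious, reasons) for a link claiming to belong to
    expected_domain, e.g. 'paypal.com'. Analyzes the real href, not link text."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons: List[str] = []
    if parts.scheme not in ("http", "https"):
        reasons.append(f"unexpected scheme {parts.scheme!r}")
    if parts.username is not None:  # http://paypal.com@evil.example/ trick
        reasons.append("user@ before the host name hides the real host")
    domain = registrable_domain(host)
    if domain != expected_domain.lower():
        if domain is None:
            reasons.append("host is a bare IP address; never follow such a link")
        else:
            reasons.append(f"domain is {domain}, not {expected_domain}")
        brand = expected_domain.split(".")[0].lower()
        if brand in host or brand in parts.path.lower():
            reasons.append(f"'{brand}' appears in the link but not as its domain")
    return bool(reasons), reasons


class LinkCollector(HTMLParser):
    """Collects (visible text, href) pairs from an HTML message."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def check_message_links(html: str, expected_domain: str) -> List[dict]:
    """Status-bar check: compare where each link really goes with what it shows."""
    collector = LinkCollector()
    collector.feed(html)
    results = []
    for text, href in collector.links:
        suspicious, reasons = analyze_url(href, expected_domain)
        real = urlsplit(href).hostname or ""
        shown = urlsplit(text).hostname if "://" in text else None
        if shown and registrable_domain(shown) != registrable_domain(real):
            reasons.append(f"text shows {shown} but the link goes to {real}")
        results.append({"text": text, "href": href,
                        "suspicious": bool(reasons), "reasons": reasons})
    return results


# Constructed sample message (hypothetical, not a real phishing e-mail).
SAMPLE_MESSAGE = """
<p>Your account will be suspended unless you confirm it within 24 hours.</p>
<a href="http://198.43.28.24/login">https://www.paypal.com/login</a>
<a href="https://paypal.redirect.ru/login">Verify now</a>
<a href="http://login.paypal-verify.com">PayPal security center</a>
<a href="https://www.paypal.com/signin">www.paypal.com</a>
"""

if __name__ == "__main__":
    print([classify_number(n) for n in ("1-800-555-0199", "522-555-0100")])
    for r in check_message_links(SAMPLE_MESSAGE, "paypal.com"):
        print("SUSPECT" if r["suspicious"] else "ok     ", r["href"], r["reasons"])
```

Two caveats a practitioner should keep in mind. The "last two words are the domain" rule is the slides' simplification; it is wrong under country-code second-level domains (a bank at example.co.uk would be reduced to co.uk), where a public-suffix list is needed. And the comparisons here are plain string checks: internationalized or look-alike characters in the computer name (a Cyrillic "а" in place of a Latin "a") pass them, so the host should also be inspected as a punycode string before trusting a match.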
What can you do about this?
• Consider credit report monitoring.
  – Not a be-all, end-all solution.
  – Only identifies when your credit is impacted.
    • Will indirectly show credit card activity.
  – Does not protect against your accounts being drained.
• Shred financial documents, including account statements and credit card offers.

What can you do about this?
• Use a different password for each financial account you have.
  – Yes, this can be a pain to remember.
  – Use a password manager to help manage your accounts and passwords.

What can you do about this?
• Check out the security arrangements before signing up for online banking.
  – What access controls do they use?
  – Look for multiple authenticators
    • Something you know (password, image)
    • Something you possess (token)
    • Something you are (fingerprint)

What can you do about this?
• Use anti-virus software, and keep it up to date.
• Use anti-malware software, and likewise, keep it up to date.
• Consider using an anti-phishing tool bar on your web browser.
  – Built in to newer browsers.
• Keep your system patched.

What to do if you are a victim?
• Contact your financial institutions.
  – Most have help services for identity theft.
• Check your state's web site.
  – Usually the Attorney General or the Secretary of State.
• Check the web site for the Federal Trade Commission.
  – www.ftc.gov

Test Your Knowledge
• Various anti-phishing games
  – http://www.sonicwall.com/phishing/
  – http://survey.mailfrontier.com/survey/quiztest.cgi?themailfrontierphishingiqtest
  – http://cups.cs.cmu.edu/antiphishing_phil
• Google with a search of 'phishing quiz'.

References
• Kevin Mitnick, The Art of Deception
  – Book about using social engineering techniques to gain access to facilities and systems. Available in Library!
• Wikipedia
  – Search for 'phishing', 'pharming' and 'phreaking'.
• The Anti-Phishing Working Group
  – www.antiphishing.org

References (cont'd)
• Federal Trade Commission
  – www.ftc.gov
• State Attorneys General or state trade commissions.
• Your bank's web site
  – Usually contains privacy and security pages that explain your rights and how the institution safeguards access.

Thanks for attending!
• Copy of presentation will be available at www.ewu.edu/securityawareness
• I have also sent a copy to the QSI people, in case they are assembling a web site.