Lecture 3 B Social Engineering

Uploaded by Kedir Mohammed

Chapter 3: Protecting Against Social Engineering Attacks

Social Engineering
Social engineering is the use of psychological knowledge to trick a target into trusting the engineer and ultimately revealing information.
It is an art of deception, used to bypass IT security defenses by exploiting human weaknesses.
Social engineering is one of the most difficult security issues to manage, yet it is also the one that most IT professionals spend the least time combating, since it has little to do with computer hardware or software.
The risk associated with social engineering is high; therefore security must begin in the user's mind and cannot be embedded in the technology alone.
An employee who unknowingly hands out vital information endangers the entire security architecture.
Social engineering is the practice of tricking people into revealing passwords.
Three classic social engineering tricks are:
1. Reverse social engineering - the user is persuaded to ask the attacker for help.
2. E-mails and phone calls
3. Authority abuse
Social engineering may also be defined as obtaining information or resources from victims using coercion (force) or deceit. It refers to:
- lying,
- impersonation (pretending to be someone else),
- cheating (being dishonest or corrupt),
- tricking,
- seducing (leading someone away from duty, accepted principles, or proper conduct),
- intimidating (using fear to achieve one's ends),
and even threatening employees into revealing confidential information that can then be used to break into systems.
Most Popular Social Engineering Tactics
1. Pretexting
Pretexting means impersonating someone in order to obtain sensitive or personal information from an unsuspecting individual.
Impersonators might pretend to be co-workers, emergency services, tax authorities, or other seemingly legitimate organisations.
Pretexting attacks are carefully planned to target a specific person, or sometimes involve reaching out to an entire company's personnel to achieve their goal. Fear and greed are said to be major human motivating factors, so by giving the target the feeling that they have either inadvertently done something terribly wrong or are in danger of missing out on something of value, the social engineer makes them more willing to cooperate. In all cases, research is the key, since mistakes generally make people suspicious.
2. Phishing
Phishing is considered one of the most common techniques for fraudulently acquiring sensitive information, such as a company's confidential information, credit card details, or money. It is mostly carried out by masquerading as a trustworthy entity in electronic communication such as email, a fraudulent web page, or a text message.
The objectives of phishing range from selling products that do not exist to gathering personal information.
Phishing emails are generally sent to millions of people in order to find the small percentage of recipients who will believe them. That is where the tactic got its name: phishing derives from fishing, in that bait is thrown out in the hope of catching something.
3. Diversion Theft
Diversion theft is a con against a transport or courier company that persuades administrative personnel that a particular delivery is requested elsewhere.
Since it is not associated with technology and cannot be traced through the Internet, it can be a very effective technique when pulled off.
It does, however, require rehearsal and clever management on many levels.
Most companies do not prepare their workers for this kind of act.
4. Quid Pro Quo
The Latin phrase quid pro quo means "this for that" and describes an attack that promises you a benefit in exchange for information. The hacker may pose as a technician and ask you to log into your machine so they can fix a problem. Once access is granted, the attacker can launch malware.
The idea is that the hacker will eventually find someone in need of technical help who will download whatever "antivirus" program they are offered to fix the computer.
A survey carried out for the Infosecurity Europe Trade Show 2004 found that more than 70% of people would reveal their computer password in exchange for a bar of chocolate. It also showed that 34% of respondents volunteered their password when simply asked, without even needing to be bribed.
5. Reverse Social Engineering
Similar to pretexting, but more advanced, reverse social engineering is a method of gaining information illegally in which the hacker creates a persona that appears to be in a position of authority, so that employees turn to the hacker for information rather than the other way around.
This gives hackers an even better chance of obtaining valuable data.
However, it is also more advanced and requires extra research and preparation to be pulled off.
6. Tailgating
Compared to the previous one, tailgating is a simple method of social engineering: following someone to get access to a building.
This can be done by letting someone hold the door for you or by pretending to have forgotten the security pass.
Tangible costs of tailgating include theft of equipment and sensitive hardware, loss of intellectual property, or violence at the workplace.
Tailgating can also indicate that problems lie elsewhere: employees don't find security that important because it creates obstacles and slows the job they're doing.
7. Shoulder surfing
Shoulder surfing literally means observing a person over their shoulder. Data can be compromised by looking at personal data while someone is filling out a form or entering a credit card PIN or password in a cyber cafe, for example. It is relatively easy to stand next to someone and watch, but it can also be done from a long distance with the aid of binoculars or other vision-enhancing devices.
8. Dumpster diving
Dumpster diving is one of the older, classic ways of finding out information: going through the trash of employees.
Some organizations that deal with high security risks do not throw away their documents but send them through a shredder to avoid any risk.
9. Baiting
Baiting is built around human curiosity. A typical scenario involves leaving malware-infected external media such as a USB drive or CD in the company building in the hope that someone will plug it into their computer and get infected. With autorun enabled, the malware can start as soon as the device is inserted.
Famous Social Engineers

1. Kevin Mitnick
Definitely the most popular social engineer turned security consultant and public speaker, Kevin Mitnick was once the FBI's most wanted man for hacking into 40 major corporations just for the challenge.
He compromised computer systems and telephone networks across the nation, but never spent a dime of other people's money or stole anyone's identity.
Despite this, he got into a lot of trouble for his curiosity and was arrested in 1988 for copying software and in 1995 for wire fraud, unauthorized access to a federal computer, and other charges. Today Mitnick owns his own security consulting company, Mitnick Security Consulting, LLC, which tests organizations' security strengths and weaknesses.
2. Badir Brothers
The Badir brothers are three exceptional Israeli men who, while completely blind, spent years hacking into phone systems, including breaking into an Israeli army radio station's telephone system to set up a fake phone company.
Customers paid the company for long-distance calls that were billed to the radio station. The brothers were charged in 1999 with telecommunications fraud, theft of computer data, and impersonation of a police officer.
They used their excellent social engineering skills together with supersensitive hearing, braille-display computers, and code-writing skills to acquire codes for trespassing into systems.
Common social engineering attacks
Email from a friend: if a criminal manages to hack or socially engineer one person's email password, they have access to that person's contacts.
The criminal then sends emails to all the person's contacts or leaves messages on all their friends' social pages, and possibly on the pages of the person's friends' friends.
These messages may exploit your trust and curiosity:
- They contain a link: you trust the link, click it, and are infected with malware.
- They contain a download: pictures, music, a movie, a document, etc., with malicious software embedded; you trust and download it, and become infected.
These messages may create a compelling story or pretext:
- They urgently ask for your help: your friend is in danger and needs money to get home, and they tell you how to send the money (to the criminal).
- They ask you to donate to a charitable fundraiser or some other cause, with instructions on how to send the money (to the criminal).

Phishing attempts: typically, a phisher sends an e-mail, comment, or text message that appears to come from a legitimate, popular company, bank, school, or institution.
These messages usually have a scenario or story:
- The message may notify you that you are a "winner": criminals email you about a lottery and ask you to provide information about your bank routing number or your identity, often including your Social Security Number.
- The message may ask for help: preying on kindness and generosity, these phishes ask for aid or support for whatever disaster, political campaign, or charity is hot at the moment.

Creating distrust: this is all about creating distrust or starting conflicts; these attacks are often carried out by people you know who are angry with you, or by malicious people.
The malicious person may alter sensitive or private communications (including images and audio) using basic editing techniques and forward them to other people to create drama, distrust, embarrassment, etc.
Don't become a victim
Slow down: if the message conveys a sense of urgency or uses high-pressure sales tactics, be sceptical; never let their urgency influence your careful review.
Research the facts: be suspicious of any unsolicited messages.
Delete any request for financial information or passwords. If you are asked to reply to a message with personal information, it's a scam.
Reject requests for help or offers of help: if you receive a request for help from a charity or organization that you do not have a relationship with, delete it.
Don't let a link control where you land: stay in control by finding the website yourself using a search engine, to be sure you land where you intend to.
Secure your computing devices: install anti-virus software, firewalls, and email filters, and keep them up to date.
Authenticating hosts
Address Spoofing
The spoofing problem: packet routing in IP networks is based on destination address information only; the correctness of the source address is not verified.
Most (D)DoS attacks consist of packets with spoofed or faked source addresses in order to disguise the identity of the attacking systems.
Identification of the attacking systems is needed for installing efficient defense mechanisms.
Some detection mechanisms also require valid information about the attack sources.
Further issues: legal prosecution of attackers and prevention of new attacks.
Spoofing Attack
A spoofing attack is when a malicious party impersonates another device or user on a network in order to launch attacks against network hosts, steal data, spread malware or bypass access controls.
There are several different types of spoofing attacks that malicious parties can use to accomplish this. Some of the most common methods include IP address spoofing attacks, ARP spoofing attacks and DNS server spoofing attacks.

IP Address Spoofing Attacks
IP address spoofing is one of the most frequently used spoofing attack methods. In an IP address spoofing attack, an attacker sends IP packets from a false (or "spoofed") source address in order to disguise itself. Denial-of-service attacks often use IP spoofing to overload networks and devices with packets that appear to be from legitimate source IP addresses.
There are two ways that IP spoofing attacks can be used to overload targets with traffic.
- One method is simply to flood a selected target with packets from multiple spoofed addresses. This works by directly sending a victim more data than it can handle.
- The other method is to spoof the target's IP address and send packets from that address to many different recipients on the network. When another machine receives a packet, it automatically transmits a packet to the sender in response. Since the spoofed packets appear to be sent from the target's IP address, all responses to the spoofed packets are sent to (and flood) the target's IP address.
IP spoofing attacks can also be used to bypass IP address-based authentication. This process can be very difficult and is primarily used when trust relationships are in place between machines on a network and internal systems.
Trust relationships use IP addresses (rather than user logins) to verify machines' identities when attempting to access systems. This enables malicious parties to use spoofing attacks to impersonate machines with access permissions and bypass trust-based network security measures.
DNS Server Spoofing Attacks
The Domain Name System (DNS) is a system that associates domain names with IP
addresses. Devices that connect to the internet or other private networks rely on the DNS
for resolving URLs, email addresses and other human-readable domain names into their
corresponding IP addresses. In a DNS server spoofing attack, a malicious party modifies
the DNS server in order to reroute a specific domain name to a different IP address. In
many cases, the new IP address will be for a server that is actually controlled by the
attacker and contains files infected with malware. DNS server spoofing attacks are often
used to spread computer worms and viruses.
Spoofing Attack Prevention and Mitigation
There are many tools and practices that organizations can employ to reduce the threat of spoofing attacks. Common measures
that organizations can take for spoofing attack prevention include:
Packet filtering: Packet filters inspect packets as they are transmitted across a network. Packet filters are useful in IP address
spoofing attack prevention because they are capable of filtering out and blocking packets with conflicting source address
information (packets from outside the network that show source addresses from inside the network and vice-versa).
Avoid trust relationships: Organizations should develop protocols that rely on trust relationships as little as possible. It is
significantly easier for attackers to run spoofing attacks when trust relationships are in place because trust relationships only use
IP addresses for authentication.
Use spoofing detection software: There are many programs available that help organizations detect spoofing attacks, particularly
ARP spoofing. These programs work by inspecting and certifying data before it is transmitted and blocking data that appears to
be spoofed.
Use cryptographic network protocols: Transport Layer Security (TLS), Secure Shell (SSH), HTTP Secure (HTTPS) and other
secure communications protocols bolster spoofing attack prevention efforts by encrypting data before it is sent and authenticating
data as it is received.
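The packet-filtering measure above, worked through as an added example that is not part of the lecture: a border filter that drops packets whose source address conflicts with the interface they arrived on (outside packets claiming an inside source, inside packets claiming an outside source). The internal prefixes, the direction labels and the sample packet log are constructed for the example.

```python
"""Ingress/egress source-address filter against IP spoofing (added example)."""
import ipaddress

# Assumption (constructed): the organization's internal address space.
INTERNAL_PREFIXES = [ipaddress.ip_network("10.0.0.0/8"),
                     ipaddress.ip_network("192.168.1.0/24")]
# Sources that can never legitimately appear on the outside interface.
NEVER_OUTSIDE = [ipaddress.ip_network("127.0.0.0/8"),
                 ipaddress.ip_network("0.0.0.0/8")]


def is_internal(src):
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in INTERNAL_PREFIXES)


def filter_packet(direction, src):
    """Return (verdict, reason) for one packet.

    direction is 'in' for a packet that arrived on the outside-facing
    interface and 'out' for a packet leaving from an inside interface.
    """
    ip = ipaddress.ip_address(src)
    if direction == "in":
        if is_internal(src):
            return "DROP", "outside packet claims an inside source (ingress spoof)"
        if any(ip in net for net in NEVER_OUTSIDE):
            return "DROP", "outside packet with a bogus source address"
        return "ACCEPT", "external source on the external interface"
    if direction == "out":
        if not is_internal(src):
            return "DROP", "inside packet claims an outside source (egress spoof)"
        return "ACCEPT", "internal source leaving the network"
    raise ValueError(f"unknown direction {direction!r}")


# Constructed sample log, one packet per line: direction source-address
SAMPLE_PACKETS = """\
in 203.0.113.7
in 192.168.1.10
in 127.0.0.1
out 10.1.2.3
out 198.51.100.9
"""


def run_filter(text):
    """Apply the filter to every line of a log; returns (dir, src, verdict)."""
    results = []
    for line in text.splitlines():
        direction, src = line.split()
        verdict, _reason = filter_packet(direction, src)
        results.append((direction, src, verdict))
    return results


if __name__ == "__main__":
    for direction, src, verdict in run_filter(SAMPLE_PACKETS):
        print(f"{direction:3} {src:15} {verdict}")
```

The same two rules are what a router's ingress and egress access lists express; the egress rule is the one that stops a network from being the source of the reflection traffic described earlier.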
How Spammers Spoof Your Email Address (and How to Protect Yourself)
Most of us know spam when we see it, but seeing a strange email from a friend—or worse, from ourselves—in our inbox is pretty disconcerting.
Spammers have been spoofing email addresses for a long time. Years ago, they used to get contact lists from malware-infected PCs. Today's data thieves choose their targets carefully and phish them with messages that look like they came from friends, trustworthy sources, or even their own account.
- Turn up your spam filters, and use tools like Priority Inbox.
- Never click unfamiliar links or download unfamiliar attachments.
Solutions for Wireless Networks
Businesses and home users are quickly adopting wireless networking for good reason.
It's cheap, convenient, easy to set up, and provides great mobility.
In fact, more than one third of PC Magazine readers have already installed wireless networks in their homes.
The freedom from tangled cables is intoxicating but comes with a price.
A wireless network can broadcast far outside your building.
With a powerful antenna and some widely available hacking software, anyone sitting near your installation or even driving by can passively (without alerting the target) scan all the data flowing in your network.
Here are ten security techniques you can implement right now.
1. Control your broadcast area.
Many wireless APs (access points) let you adjust the signal strength; some even let you adjust
signal direction. Begin by placing your APs as far away from exterior walls and windows as
possible, then play around with signal strength so you can just barely get connections near
exterior walls. This isn't enough, though. Sensitive snooping equipment can pick up wireless
signals from an AP at distances of several hundred feet or more. So even with optimal AP
placement, the signal may leak. Keep reading.
2. Lock each AP.
A lot of people don't bother changing the defaults on their APs, and maintaining the default
administrator password (like admin for Linksys products) makes your system a good target. Use a
strong password to protect each AP. For tips on creating substantial passwords, go to
www.pcmag.com/passwords and click on Password Dos and Don'ts.
3. Ban rogue access points.
If an AP is connected to your home or office network, make sure you or the network administrator put it there. Bob in Accounting isn't likely to secure his rogue AP before he connects it. Free software like NetStumbler (www.netstumbler.com) lets you sweep for unauthorized APs.
4. Use 128-bit WEP.
Passively cracking the WEP (Wired Equivalent Privacy) security protocol is merely a nuisance to a skilled hacker using Linux freeware like AirSnort (http://airsnort.shmoo.com). Still, the protocol does at least add a layer of difficulty.
5. Use SSIDs wisely.
Change the default Service Set Identifiers (SSIDs) for your APs, and don't use anything obvious like your address or company name. For corporate setups, buy APs that let you disable broadcast SSID. Intruders can use programs such as Kismet (www.kismetwireless.net) to sniff out SSIDs anyway (by observing 802.11x management frames when users associate with APs), but again, every bit of inconvenience helps.
6. Limit access rights.
Chances are, not everyone in your building needs a wireless card. Once you determine who should take
to the airwaves, set your APs to allow access by wireless cards with authorized MAC addresses only.
Enterprising individuals can spoof MAC addresses, however, which brings us to the next tip.
7. Limit the number of user addresses.
If you don't have too many users, consider limiting the maximum number of DHCP addresses the
network can assign, allowing just enough to cover the users you have. Then if everyone in the group
tries to connect but some can't, you know there are unauthorized log-ons.
8. Authenticate users.
Install a firewall that supports VPN connectivity, and require users to log on as if they were dialing in
remotely. The Linksys BEFSX41 router ($99 list) is a great choice for this. Tweak the settings to allow
only the types of permissions that wireless users need.
9. Use RADIUS.
Installing a RADIUS server provides another authentication method. The servers tend to be
expensive, but there are open-source options, such as FreeRADIUS (www.freeradius.org), for
UNIX-savvy administrators.
10. Call in the big boys.
If you have billion-dollar secrets to protect, such as the formula to Coca-Cola, you should have
wireless-dedicated hardware security in place. For instance, AirDefense (www.airdefense.net)
is a server appliance that connects to sensors placed near APs. The system monitors activity
and protects all traffic on your wireless LAN—but it doesn't come cheap. Prices start at
$10,000 and can reach $100,000 depending on the number of sensors needed.
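Tips 3 and 5 above (sweep for rogue APs, change default SSIDs) turned into a check you can run against a wireless scan, as an added example that is not part of the lecture. It compares each access point seen in a scan with an inventory of the APs the administrator installed and reports anything the inventory does not explain. The scan line format, the inventory, the BSSIDs and the SSIDs are all constructed for the example.

```python
"""Rogue access point sweep against an authorized AP inventory (added example)."""
from dataclasses import dataclass

# Assumption (constructed): inventory maintained by the administrator,
# BSSID -> (SSID the AP should advertise, channel it was configured on).
AUTHORIZED_APS = {
    "00:11:22:33:44:01": ("corp-floor1", 1),
    "00:11:22:33:44:02": ("corp-floor2", 6),
}

# Vendor default SSIDs that tip 5 says to change (constructed short list).
DEFAULT_SSIDS = {"linksys", "default", "netgear", "dlink"}

# Constructed scan output, one AP per line: bssid ssid channel encryption
SCAN_OUTPUT = """\
00:11:22:33:44:01 corp-floor1 1 WPA2
00:11:22:33:44:02 corp-floor2 6 WPA2
aa:bb:cc:dd:ee:ff linksys 11 NONE
00:11:22:33:44:01 corp-floor1 9 WPA2
de:ad:be:ef:00:01 corp-floor1 6 WEP
"""


@dataclass(frozen=True)
class Finding:
    bssid: str
    ssid: str
    reason: str


def parse_scan(text):
    """Parse scan lines into (bssid, ssid, channel, encryption) tuples."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        bssid, ssid, chan, enc = parts
        rows.append((bssid.lower(), ssid, int(chan), enc.upper()))
    return rows


def sweep(scan_rows, authorized=AUTHORIZED_APS):
    """Report APs not in the inventory, plus inventory APs that look wrong."""
    our_ssids = {ssid for ssid, _ in authorized.values()}
    findings = []
    for bssid, ssid, chan, enc in scan_rows:
        expected = authorized.get(bssid)
        if expected is None:
            if ssid in our_ssids:
                reason = "unknown AP advertising one of our authorized SSIDs"
            else:
                reason = "unauthorized AP (not in inventory)"
            findings.append(Finding(bssid, ssid, reason))
            continue
        exp_ssid, exp_chan = expected
        if ssid != exp_ssid or chan != exp_chan:
            findings.append(Finding(bssid, ssid, "inventory mismatch (SSID or channel changed)"))
        if ssid.lower() in DEFAULT_SSIDS:
            findings.append(Finding(bssid, ssid, "default SSID still in use (tip 5)"))
        if enc == "NONE":
            findings.append(Finding(bssid, ssid, "no encryption at all (tip 4 asks for at least WEP)"))
    return findings


if __name__ == "__main__":
    for f in sweep(parse_scan(SCAN_OUTPUT)):
        print(f"{f.bssid} {f.ssid:12} {f.reason}")
```

An authorized BSSID that shows up on the wrong channel is reported too, since that is how a cloned BSSID would look to the sweep; confirm it against the AP's management page before acting on it.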
Thank You
