[COURSE_PTHE] 9. Social Engineering

1. Introduction: Social Engineering

    Get introduced to the concepts and practices of Social Engineering as it relates to penetration testing and ethical hacking.

    Module 10 of our Penetration Testing course series introduces you to the concepts and practices of Social Engineering as it relates to penetration testing and ethical hacking. This intro video explains the topics you’ll address regarding social engineering, including common attack vectors, how to perform it and the consequences that follow.


    Leo Dregier here. I want to talk about social engineering. Now this module is a particularly special module because it is both an art and a science. There are tons of books written on the subject of social engineering; indeed, this is one of those fields where it can take a lifetime to master the art of social engineering. So we are going to discuss that. Now there are different ways in which you can socially engineer someone: you can do it on a computer, you can do it live in person, and nowadays you can even extend that over the mobile networks or even through the social sites. Now mostly the consequence here is disclosure of information that you are going to use. But if you can get a username or password or some sort of critical information out of someone, it ultimately can result in billions and billions of dollars of just wasted money, or have a very significant impact on a company. So we are going to cover everything: how to actually do it, the most common attack vectors, and ultimately the harm that can be done. This is an extremely powerful subject here; you should not be using this information to go social engineer people inside the airport. We have to put on our big boy and big girl hats here and act responsibly. So in the scope of penetration testing, if you are ever going to perform a social engineering attack, make sure you have got your pass. Make sure you have it documented. Make sure you have got everything documented so that ultimately you can show the person you are doing the social engineering test for that it actually works. Get your permission slips. So let us go ahead and start dissecting social engineering.

2. Framework

    In this whiteboard lecture we discuss social engineering. Social engineering is a physical form of hacking that can be extremely effective. Organizations strive to make end users aware of the most common types of social engineering attacks so that they can try to avoid them. It can be something as simple as a link in an email from a seemingly legitimate source.

    I wanted to start this module with a little bit of a quote: obstacles in the mind are much more important than obstacles along the journey. And the reason I want to start off with a quote is that you have got to dissect this quote apart. Obstacles in the mind: in social engineering, what you are doing is taking away, removing or elevating these obstacles in the mind that someone may have to overcome. What obstacles may be in the journey? Let us say we want something like a password or something like that. Well, if you could strategically plant information in someone's mind, they might strategically, voluntarily give you some information that could yield a password. So keep that quote in mind as we move through our social engineering.

    Let us take a look at the targets here. The targets are often office workers because they are the closest to your assets, or the closest to the things that corporations typically want to protect. It is certainly not limited to office workers; realistically anybody can be socially engineered, but the context of this module will keep it at social or office workers. The skills in which you need to be good at social engineering really have two foundations. One is based in the science and the other is based in the arts. So there are technical ways to do this, but there is very much an artistic craft to social engineering as well, so good interpersonal skills add to the value of the person doing the social engineering. It is also helpful to be very, very talkative: the more talkative you are, the more conversational you can be, and the more information you could ultimately get out of someone. Also it is a great idea to be creative. Why try to break AES 256-bit encryption when you can social engineer the password and get access to what you need? So we always want to take the path of least resistance. Good communication skills aid in being talkative and creative as well. The most common mechanisms in which we carry out social engineering attacks are basically emails, on the phone, or in person. Any one of those mediums is fair game in terms of carrying out a social engineering attack.

    Let us go into the techniques. There are a lot of different techniques which you can apply, but here is just a handful of the basics. Doing this on the computer, someone could be socially engineered through spam: just send someone an email, "You want a million dollars? Click Here Now!" Through chat: chat is an easy mechanism because we typically don't authenticate chat conversations, or we assume that the person at the other end of the chat line is the person whose name is on the handle. Chain letters, hoaxes, even popups, phishing attacks or derivatives of phishing attacks; later we will talk about spear phishing specifically. It could be a fake application, or through SMS text: you could easily text message, "Hey, I lost my contacts and my phone, please validate," and that is an easy way to do it just over your phone text. Or even over social sites. Being that we are all connected socially, there has been a surplus of fake profiles that have made it to LinkedIn, Facebook and Twitter and things like YouTube and things like that. So while computer techniques are very, very popular, it is certainly not limited to that. Human: you could just show up in person, live, one on one, pretending to be a legitimate person or an important person like a CEO or a new hire or something to that capacity, or, the most common, being part of the support staff: "Hey, I am so and so. I am here to fix your computer. Give me your username and password and I will go ahead and fix it and get you back to work." Pretending to be support staff. Spear phishing is very, very targeted phishing. Phishing is just fake emails that go out pretending to be someone, but spear phishing is now targeted: with phishing you are throwing out a net and seeing what you catch, and now you are just doing that in a highly targeted manner. Your net becomes a lot smaller, or a lot more focused on your target.

    Nowadays we can also do it over the phone. So it happens in the mobile applications: there has been a handful of malicious apps. It could be something as simple as everybody wants additional battery power on the cellphone. Maybe there is a fake app, "Hey, boost your battery life by 35%," in somebody's app store, and they downloaded this malicious app, it profiles their phone and then exfiltrates data from their phone. It could be eavesdropping: just passively listening and paying attention to certain things depending on where you are. It could be while you are on a customer service line. It could be while you are on a lunch line. Something as simple as that. Shoulder surfing: you could be in an office place and just happen to be looking over someone's shoulder and gain access to information, or basically watch them type their password a bunch of times and each time you focus on a different finger. I mean, if they use this finger, how many times when they log in to a site? Well, at least you know what characters their password is made up of, and you can slowly start building that password. Dumpster diving: simply going through the trash. Tailgating: following someone through an access control point. Making it happen in person, you have reverse social engineering; there are books on the subject of reverse social engineering. In other words, instead of me trying to social engineer you, I present myself in some way where you feel inclined to voluntarily give me the information. Instead of me trying to get it out of you, you voluntarily give the information to me in hopes of some reward later. Or piggybacking, which is a derivative of tailgating.

    Now the impact here: an organization can suffer drastically for a variety of reasons, and social engineering just happens to be one of those ways in which you can suffer large amounts of impact. Let us look at what impact means. It could be a loss of privacy. It could be something as simple as a password, but that password could get you access to more sensitive information like confidential documents. It could result in a loss of goodwill, a loss of reputation to an organization. In the worst case scenario you can go out of business; depending on what the nature of the social engineering is, you certainly could find yourself out of business. Nowadays you are seeing it in terrorism. Financial loss: what if it is secret ingredients, or Colonel Sanders' secret recipe? If that proprietary information is critical for a company to survive, and now all of a sudden everybody can make that great chicken, well then the information is no longer confidential and your competitive edge may be lost. Theft: now traditional theft would yield bank accounts and credit card numbers and things like that, but there is really nothing that you could not limit yourself to. Identity theft, that is a big topic in itself. What is the identity theft market worth these days? Last I heard it is multiple billions of dollars.

    So why does all of this happen? Right. It happens because in the world of social engineering you are taking advantage of human nature, using your social skills to strategically get something out of someone. So people naturally want to be helpful; if you can use that to your advantage, if there is a penetration test there, then you do. Also ignorance: this is the "I didn't know I was not supposed to give him that." If they didn't know, if they weren't trained, that is why you can get this valuable information, or why you can be socially engineered. Open promises, that is just another one: you can promise something, somebody gives you something, and then you never make good on that promise. Meanwhile you already have what you need. You perform your penetration testing attack; this often ends in the context of "I will be back in a few minutes and I will give you the information that I promised you," and meanwhile you never come back. They feel morally obligated to him, right. They wanted to be helpful. This is where you pretend: "I have to work here late and it is going to take me five hours to do this, but if I just had that password, I could leave with you." All the people that you are telling that to, they may feel morally obligated to you: "I will just give you my credentials so you can get the job done faster, so you don't have to stay here all night." No training. Simply stated, people aren't trained; they are not aware. Look at the demographics of office space. So if people are not getting trained they don't know half the stuff. They don't know when they are getting socially engineered and when they are not getting socially engineered. That makes getting a password 60 or 70% of the time very, very likely. Also a lot of this information is easily accessible, so you are just naturally walking around the workspace or office space, and if things are easily accessible because you don't have a clean desk policy or something of that nature, well, that could result in a social engineering attack. With policies, and also it is difficult to detect: in the world of viruses and trojans it is pretty easy to write a signature to say okay, if this meets this criteria, alert. If people aren't trained, that ties into it being difficult to detect. How do you really know if you are being socially engineered? How do you know the person isn't trying to be a good person? So these are some of the top reasons why social engineering happens.

    The value here, which the penetration tester is generally going after, we chalk up to confidential information. Ideally you would like to get some sort of authentication or authorization information so that you can get access to things that a regular user, or in this case the pen tester, doesn't have access to. Some sort of authentication or access control, those are very, very valuable in the scope of social engineering. Some of the tools that we will use are the Social Engineering Toolkit. This is the first really major project where there is a computer program and it walks you through a wizard or tutorial, and you can craft your phishing attack or craft your Social Engineering Toolkit attack and then go ahead and launch it. It is primarily for computer-based attacks, but there are some script-oriented things for being in person.

    So let us go ahead and talk about some of the countermeasures. If you want to stop social engineering at the organization, well, best practices apply here. Simply stated, change your password: because we are looking for authentication and access control, something as simple as a change of password on a regular basis and not using the same password over and over again reduces the likelihood of the penetration tester being successful. Also you will see these in the financial world: account lockouts, account log-out functions or account expirations. That is not limited to the banking or financial world, but you will see this a little bit more if you go to your bank account; if you have fifteen minutes of inactivity you get locked out, or logged off rather. Training: if people were trained on what social engineering is, then they might be inclined to not participate in what they would think would be a social engineering attack. Also keep sensitive information secret or private. It is just that simple: if you know what is sensitive because you have a classification system, well then you are not going to disclose it to people who don't have that access. Also when it comes to a facility, any sort of guests should ultimately be escorted, and those escorts should stay with the people that they are escorting. Shred your documents, have strict access control techniques, use a classification program. One of my favorites, since I have a background in incident response, is to actually have a capability to identify, detect, contain or eradicate, and recover from social engineering attacks, along with any other attacks, whatever they may be. Also do a lot of pre-employment screening before you hire someone; make sure that it is someone that you actually want to give access to. Don't just hire people off the street and say okay, here is the access to my sensitive information. Make sure that they have a good solid background; that sort of criminal background check should help. Just the background checks in themselves are kind of a screening piece of it. Also use two-factor authentication. Remember the multi-factor and the two-factor: this is based on something you know, something that you have and something that you are. So instead of authenticating with something that you know, using two-factor means now you are using something you know and something you have, or something that you have and something that you are. So we call that two-factor or multi-factor. Use a change management program to track changes throughout the organization, or improvements, and then of course anti-virus and anti-phishing software.

    Now with the whole subject of social engineering there is a whole landscape here in which the penetration tester can be very, very creative and ultimately get sensitive information. Again, this is an art and a science, but let us go back to the core from the beginning: obstacles in the mind are more important than obstacles along the journey. We are going to use these obstacles in the mind and overcome them in someone's mind so that we don't have those obstacles throughout the journey, or throughout the journey we want to get some sort of sensitive or critical information. If we can tap into somebody's mind using our social skills, well then they may voluntarily just give us the account information and give us the passwords. And that is why it is really important to approach this as not only a science and all the computer stuff, but also using your interpersonal skills and communication skills, so that you can achieve your objective. So that is the basic makeup of social engineering.

posted @ 2015-09-30 21:54  It's_Lee