
4 Social Engineering

In the computer world, social engineering can be described as tricking someone into doing something, often detrimental, to themselves or others. Social engineering is one of the most common forms of hacking because it is so often successful. It is often the most frustrating for the defender because it cannot be prevented using technology alone.

Social Engineering Methods

Social engineering can be accomplished many ways, including over a computer, using a phone call, in person, or using traditional postal mail. There are so many ways and varieties of social engineering that any list purporting to catalog all of them is going to miss some. When social engineering originates on the computer, it is usually done using email or over the web (although it has also been done using instant messaging and just about every other type of computer program).

Phishing

A common social engineering goal is to capture a user’s logon credentials, using what is called phishing. Phishing emails or web sites attempt to trick the user into supplying their legitimate logon credentials by posing as a legitimate web site or administrator that the end-user is familiar with. The most common phishing ploy is to send an email purporting to be from a web site administrator claiming that the user’s password must be verified or else their access to the site will be cut off.

Spearphishing is a type of phishing attempt that is particularly targeted against a specific person or group using non-public information that the targets would be familiar with. An example of spearphishing is a project manager being sent a document in email, supposedly from a project member, purporting to be related to a project they are working on; when they open the document it executes malicious commands. Spearphishing is involved in many of the most high-profile corporate compromises.

Grimes, Roger A.. <i>Hacking the Hacker</i>, John Wiley & Sons, Incorporated, 2017. ProQuest Ebook Central, http://ebookcentral.proquest.com/lib/socal/detail.action?docID=4845208. Created from socal on 2019-07-31 09:30:47.

Copyright © 2017. John Wiley & Sons, Incorporated. All rights reserved.

Trojan Horse Execution

Another, just as popular, social engineering ploy is used to get the unsuspecting end-user to execute a Trojan Horse program. It can be delivered via email, either as a file attachment or as an embedded URL, and it is done on web sites just as frequently. Often a legitimate web site is compromised, and when a trusting visitor loads the page, the user is instructed to execute a file. The file may be presented as a “needed” third-party add-on, a fake antivirus detector, or a “needed” patch. Either the legitimate web site itself is compromised, or an independent element it embeds, such as a third-party banner ad service, is. Either way, the user, who often trusts the legitimate web site after years of visiting without a problem, has no reason to suspect that the trusted site has been compromised.

Over the Phone

Scammers can also call users purporting to be either technical support, a popular vendor, or from a government agency.

One of the most popular scams is when the user is called by someone claiming to be from tech support, claiming that a malware program has been detected on the user’s computer. They then request that the user download an “anti-malware” program, which proceeds, not surprisingly, to detect many, many malware programs. They then get the user to download and execute a remote access program, which the fake tech support person uses to log on to the victim’s computer and plant more malicious software. The bogus tech support scam culminates when the victim buys a fake anti-malware program using their credit card number.

Over-the-phone scammers can also purport to be from tax collection services, law enforcement, or other government agencies, looking to get paid so that the end-user will avoid stiff penalties or jail.

Purchase Scams

Another very popular scam is carried out against people buying or selling goods on web sites, such as auction sites or Craigslist-like web sites. The innocent victim is either buying or selling something.


In buying scams, the buyer quickly replies, usually offers to pay the full purchase price plus shipping and asks the seller to use their “trusted” escrow agents. They then send the victim a fake check for more than the agreed upon purchase amount, which the victim deposits into their bank account. (Unfortunately, banks readily accept these fake checks but ultimately make the victim responsible for the lost money.) The buyer asks the victim seller to return the “extra” money to their shipper or escrow agent. The seller victim is usually out at least that amount in the end.

In selling scams, the victim buyer sends the funds but never receives the goods. The average selling scam is at least a thousand dollars. The average buying scam can be tens of thousands of dollars.

In-Person

Some of the most notorious social engineering scams are those accomplished in person by the hacker themselves. In the next chapter, the notorious former blackhat Kevin Mitnick is profiled. Decades ago, he was one of the most brazen physical social engineers around. Mitnick thought nothing of dressing up as a telephone repair person or service technician to enter an otherwise secure location. Physical social engineers are well known for walking into banks and installing keylogging devices on employee terminals while posing as computer repair people. As distrusting as people are by nature of strangers, they are surprisingly disarmed if that stranger happens to be a repair person, especially if that service person says something like, “I hear your computer has been acting slow lately.” Who can refute that statement? The repair person obviously knows about the ongoing problem and is finally here to fix it.

Carrot or Stick

The end-user is often either threatened with a penalty for not doing something or promised a reward for doing something. The ruse begins by putting the victim under duress, because people don’t weigh risk as carefully during stressful events. They have to either pay a fine or go to jail. They have to run the program or risk having their computer stay infected and their bank account emptied. They have to send money or someone they care about will remain in a foreign jail. They have to change the boss’s password or else get in trouble with the boss.

One of my favorite social engineering ruses when I’m pen testing is to send an email out to a company’s employees purporting to be from the CEO or CFO and announcing that the employee’s company is merging with their next biggest rival. I tell them to click on the attached, boobytrapped document to see if their jobs are affected by the merger. Or I send a legal-looking email to the male employees purporting to be from their ex-wife’s lawyer asking for more child support. You’d be amazed how successful these two trick emails are.

Social Engineering Defenses

Defending against social engineering attacks takes a combination of training and technology.

Education

Anti–social engineering training is one of the best, most essential defenses against social engineering. The training must include examples of the most common types of social engineering and how potential victims can spot the signs of illegitimacy. At my current company, each employee is required to watch an anti–social engineering video each year and take a short test. The most successful trainings have included other very smart, trusted, and well-liked employees who share their personal experience of having been successfully tricked by a particular type of common social engineering ploy.

I think every company should run fake phishing campaigns in which employees are sent phish-looking emails asking for their credentials. Employees who provide their credentials should be given additional training. There are a variety of resources, both free and commercial, for running fake phishing campaigns, with the commercial ones obviously offering easier use and more sophistication.

All computer users need to be taught about social engineering tactics. People buying and selling goods on the Internet need to be educated about purchase scams. They should only use legitimate escrow services and follow all the web site’s recommendations for an untainted transaction.

Be Careful of Installing Software from Third-Party Websites

Users should be taught never to install any software program directly from a web site they are visiting unless it is the web site of the legitimate vendor who created the software. If a web site says you need to install some piece of third-party software to continue to view it, and you think it is a legitimate request, leave the web site and go to the software vendor’s web site to install it. Never install another vendor’s software from someone else’s web site. It might actually be legitimate software, but the risk is too great.

EV Digital Certificates

Web surfers should be taught to look for “extended validation” (EV) digital certificates (https://en.wikipedia.org/wiki/Extended_Validation_Certificate) on many of the most popular web sites. At the time of writing, EV web sites were highlighted in some way (usually a green address bar or a highlighted green organization name) to confirm to the user that the web site’s URL and identity had been verified by a trusted third party. For an EV example, go to https://www.bankofamerica.com. A caveat for current readers: since 2019 the major browsers (Chrome 77 and Firefox 70 onward) no longer display EV status in the address bar; it is visible only in the certificate viewer, so this visual cue can no longer be relied on as an anti-phishing signal.

Get Rid of Passwords

Credential phishing can’t work if the employee has no reusable logon credential to give away. Simple logon names with passwords are giving way to two-factor authentication (2FA), digital certificates, logon devices, out-of-band authentication, and other logon methods that are harder or impossible to phish. One caveat: one-time codes delivered by SMS or generated by an authenticator app can still be relayed in real time by a phishing site that sits between the user and the real site, so they raise the bar without removing it. Only origin-bound credentials, such as FIDO2/WebAuthn security keys whose assertion signs the origin the browser is actually on, are genuinely phishing-resistant.
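The following is an added example, not code from the book, that models the difference just described: a relayed TOTP code is accepted by the real site, while an origin-bound assertion signed on the phishing site’s origin is rejected. The TOTP function follows RFC 6238 and is checked against that RFC’s published test vectors; the “authenticator” uses an HMAC over (challenge || origin) as a simplified stand-in for the FIDO2/WebAuthn signature over clientDataJSON, which likewise covers the browser’s origin. The device key, origins and challenges are constructed for the demonstration.

```python
"""Added example, not from the book: a toy model of why a relayed one-time
code is still phishable while an origin-bound credential is not.

TOTP follows RFC 6238 (HMAC-SHA1 over a 30-second counter). The "authenticator"
below uses an HMAC over (challenge || origin) as a stand-in for the FIDO2 /
WebAuthn signature over clientDataJSON, which likewise covers the origin the
browser is actually on. Keys, origins and challenges are constructed.
"""
import hashlib
import hmac
import struct
import time

TOTP_SECRET = b"12345678901234567890"          # RFC 6238 test-vector seed
AUTHENTICATOR_KEY = b"constructed-device-key"  # assumption: per-credential key
REAL_ORIGIN = "https://bank.example"           # assumption: legitimate site
PHISH_ORIGIN = "https://bank-example.com"      # assumption: attacker's lookalike


def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, dynamically truncated."""
    counter = struct.pack(">Q", int(now) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp_login_via_phish(now: float) -> bool:
    """Victim types password + TOTP into the phishing page; the attacker relays
    the code to the real site inside the same 30-second window. Nothing in
    the code ties it to where the victim typed it, so the real site accepts."""
    code_typed_into_phish_page = totp(TOTP_SECRET, now)
    relayed_by_attacker = code_typed_into_phish_page
    server_expected = totp(TOTP_SECRET, now)
    return hmac.compare_digest(relayed_by_attacker, server_expected)


def authenticator_sign(challenge: bytes, origin: str) -> bytes:
    """Model authenticator: the browser supplies the origin it is on and the
    signature covers it; the user cannot alter or omit that field."""
    return hmac.new(AUTHENTICATOR_KEY, challenge + origin.encode(),
                    hashlib.sha256).digest()


def relying_party_verify(challenge: bytes, signature: bytes) -> bool:
    """The real site only accepts an assertion bound to ITS own origin."""
    expected = authenticator_sign(challenge, REAL_ORIGIN)
    return hmac.compare_digest(signature, expected)


def webauthn_login_via_phish(challenge: bytes) -> bool:
    """Attacker relays the real site's challenge to the victim, but the victim's
    browser is on PHISH_ORIGIN, so that is what the authenticator signs."""
    return relying_party_verify(challenge, authenticator_sign(challenge, PHISH_ORIGIN))


def webauthn_login_direct(challenge: bytes) -> bool:
    """Same flow with the user on the real site: accepted."""
    return relying_party_verify(challenge, authenticator_sign(challenge, REAL_ORIGIN))


if __name__ == "__main__":
    now = time.time()
    print("TOTP relayed through phishing site accepted:",
          totp_login_via_phish(now))                       # True
    print("Origin-bound assertion relayed through phishing site accepted:",
          webauthn_login_via_phish(b"nonce-1"))            # False
    print("Origin-bound assertion on the real site accepted:",
          webauthn_login_direct(b"nonce-1"))               # True
```

The symmetric HMAC keeps the example dependency-free; in real WebAuthn the relying party holds only the credential’s public key, but the property that matters here is identical: the signed data includes the origin, the relying party compares it against its own, and a relay attack cannot change what the victim’s browser reports.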

Anti–Social Engineering Technologies

Most anti-malware, web filtering software, and email anti-spam solutions try to minimize social engineering done using computers. Anti-malware software will try to detect execution of malicious files. Web filtering software will try to identify malicious web sites as the visitor’s browser tries to load the page. And email anti-spam solutions often filter out social engineering emails. However, technology will never be completely successful, so end-user training and other methods must be used in conjunction.
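As an added example, not code from the book, here is the kind of heuristic check an email anti-phishing filter applies to the credential-phish lure described in the Phishing section above (an “administrator” demanding that a password be verified or access will be cut off). It flags a display name that claims a trusted brand while the address is elsewhere, a Reply-To that diverts replies, link text whose host differs from the href’s host, and urgent wording paired with a credential request. Both sample messages, the trusted-brand list and the scoring threshold are constructed for the demonstration.

```python
"""Added example, not from the book: the kind of heuristic checks an e-mail
anti-phishing filter applies, run over a constructed message.

Both messages, the trusted-brand list and the threshold are made up for the
demonstration; a production filter would also use authentication results
(SPF/DKIM/DMARC), reputation feeds and a real public-suffix list.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"example-bank.com"}     # assumption: the brands being impersonated

URGENCY = re.compile(r"\b(verify|suspend(?:ed)?|cut off|within 24 hours|immediately)\b", re.I)
CREDENTIAL = re.compile(r"\b(password|credentials?|log ?in)\b", re.I)
ANCHOR = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


def registrable(host: str) -> str:
    """Crude eTLD+1 (last two labels); fine for the demo, use the public
    suffix list in production."""
    return ".".join(host.lower().split(".")[-2:])


def analyse(raw: str) -> dict:
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rsplit("@", 1)[-1].lower()
    body = "" if msg.is_multipart() else msg.get_payload()
    findings = []

    # 1. Display name claims a trusted brand, but the address is elsewhere.
    brand_claimed = any(b.split(".")[0] in display.lower() for b in TRUSTED_DOMAINS)
    if brand_claimed and registrable(from_domain) not in TRUSTED_DOMAINS:
        findings.append(f"display name '{display}' but sender domain '{from_domain}'")

    # 2. Reply-To steers replies to a different domain than the sender.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.rsplit("@", 1)[-1].lower() != from_domain:
        findings.append(f"Reply-To domain '{reply.rsplit('@', 1)[-1]}' differs from sender")

    # 3. Link text shows one host while the href goes to another.
    for href, text in ANCHOR.findall(body):
        shown = HOST_IN_TEXT.search(re.sub(r"<[^>]+>", "", text))
        actual = urlparse(href).hostname or ""
        if shown and registrable(shown.group(1)) != registrable(actual):
            findings.append(f"link text '{shown.group(1)}' but href host '{actual}'")

    # 4. Urgent wording combined with a credential request (the classic
    #    "verify your password or lose access" lure).
    if URGENCY.search(body) and CREDENTIAL.search(body):
        findings.append("urgent request involving credentials")

    return {"score": len(findings), "findings": findings,
            "verdict": "phish" if len(findings) >= 2 else "clean"}


# Constructed sample: a credential phish impersonating the bank.
PHISH_SAMPLE = """\
From: "Example-Bank Security" <alerts@examp1e-bank-login.com>
Reply-To: recover@mail-helpdesk.net
To: victim@corp.example
Subject: Your password must be verified
Content-Type: text/html

<p>Dear customer,</p>
<p>Your password must be verified within 24 hours or your access will be cut off.</p>
<p><a href="http://examp1e-bank-login.com/verify">https://www.example-bank.com/login</a></p>
"""

# Constructed sample: a legitimate newsletter from the real domain.
CLEAN_SAMPLE = """\
From: "Example-Bank News" <news@example-bank.com>
To: customer@corp.example
Subject: Monthly newsletter
Content-Type: text/html

<p>Read this month's update at
<a href="https://www.example-bank.com/news">www.example-bank.com/news</a>.</p>
"""

if __name__ == "__main__":
    for name, sample in (("phish", PHISH_SAMPLE), ("clean", CLEAN_SAMPLE)):
        result = analyse(sample)
        print(name, result["verdict"], result["score"])
        for finding in result["findings"]:
            print("  -", finding)
```

Each check on its own produces false positives (marketing mail routinely uses a different Reply-To, for instance), which is why the verdict requires two independent signals; tune the threshold against your own mail before trusting it, and treat the output as a score to feed a larger pipeline rather than a final decision.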

Social engineering is a very successful hacking method. Some computer security experts will tell you that you cannot do enough training to success- fully make all employees aware of social engineering tactics. They are wrong. A combination of enough training and the right technologies can significantly diminish the risk of social engineering.

In the next chapter, we profile social engineering expert Kevin Mitnick. His experiences as a social engineering hacker have helped him better defend his customers for decades.
