1. Information Systems 365/765
Information Systems Security and Strategy
Lecture 7
Lecture 7
Social Engineering

2. Today’s Chocolate Bar
• Nestle Crunch,
created in 1938
• Current slogan is
“For the kid in
you”….BORING
• Bunch-a-crunch
controversy
• "Betcha Can't
Crunch This!"

3. Warning

4. WARNING
• I use REAL people as
examples in this presentation
• I do this not to mock them, or
intimidate them, but to
impress upon them in the
most real way I know of, the
importance of sharing
information about themselves
only on a “need to know
basis” in public forums

5. Social Engineering
• No matter how many security
measures you introduce, there
is one which proves to be the
most challening…
• How do we secure human
beings?

6. Social Engineering Defined
• The use of psychological tricks
in order to get useful
information about a system
• Using psychological tricks to
build inappropriate trust
relationships with insiders

7. Kevin Mitnick
• World’s most famous Social
Engineer
• “The weakest link in the
security chain is the human
element”
• Half of his exploits involved
using social engineering
• See the master in action!

8. Social Engineering
• Social Engineering goes back
to the first lie ever told and
will continue into the future.
• Social Engineering is
successful because people are
generally helpful, especially to
those who are:
• Nice
• Knowledgeable
• Insistent

9. Three Primary Methods of Social
Engineering
• Flattery
• Authority Impersonation
• Threatening Behavior

10. Helpful By Default
• We don’t see a motive to hack
our network. “If I see it
everyday, it can’t be
important.“
• Industrial Espionage
• Revenge
• Just for fun

11. How Does It Happen?
• “An ounce of prevention is
worth a pound of cure!”
• The Social Engineer uses
simple information found
online, or by making a basic
phone call into the office
• That stuff really isn’t that easy
to get…Don’t be dramatic!

12. Let’s Setup a Case Scenario
Using a Method Called
Pretexting
• Meet Angry Cow
• Computer Science Student at
UW-Madison
• Angry Cow just got an eviction
notice

13. Case Continued – Simple Public
Information is Found
• Angry Cow lives at the
Regent
• The Regent’s website
indicates that it is
owned by Steve Brown
Properties
• Angry Cow wants to
“fix” Steve Brown’s
record keeping
spreadsheet to show
that rent has been paid

14. Next – Finding A Way In…
• Facebook is Angry Cow’s first
weapon of choice because it is an
unofficial source of information
• Poor controls over data sharing
• Lots of important information there
that might not seem important,
but could be his first step in…
• Go to Facebook and search:
“Steve Brown Apartments” to find an
appropriate unknowing accomplice

16. Let’s See – Danielle Treu
• Born July 24, 1988
• Enjoys playing in the rain,
drinking coffee and spending
money
• Works at Subway and as a
Resident Assistant for Steve
Brown Apartments

17. Let’s See – David Klabanoff
• Born April 21, 1979
• Likes Star Wars and
The Muppet Movie
• Is a Concierge for
Steve Brown
Apartments

18. Let’s See – Andrew Baldinger –
I think I might know this guy!
• March 30, 1986
• Likes kayaking,
exploring, and
getting lost
• Lives at the
Regent
• Works as a
Technology
Support Specialist
for Steve Brown
Apartments!

19. Let’s Start with Danielle Treu
• Her Facebook profile is public,
but she is intelligent. She
keeps her contact information
private
• But, her profile does say that
she attends UW-Madison…
• I wonder if they have some
more public information about
her

20. The Research, Phase II
• I’m so thankful for the UW
Whitepages!
• Remember, this is PUBLIC
information!
• I got her email address!

21. Primary Contact

22. Establishing the Trust
• Danielle talks to David, and
since David trusts Danielle as
an “insider”, this trust
transfers to the fake Andrew
• Angry Cow shows up later that
day, David is expecting him
• Angry Cow identifies himself
as Andrew and asks David for
key to server room

23. The Hack
• Angry Cow, gets physical
access to server, uses
Ophcrack (just like we did in
class to get Admin username)
• Angry Cow logs into server
and alters accounting files to
indicate that his rent has been
paid

24. Summary of This Example
• Search for public information
about your target, using both
official and unofficial sources
• Build a trust ladder, Julie
trusts Andrew and David
trusts Julie, therefore David
will trust Andrew—even if
“Andrew” really is Angry Cow!
• Built a credible story
• Based on PRETEXTING

25. Let’s Watch Another Example
• Silence of the Lambs Movie
scene
• Notice how they both establish
trust through the use of
kindness or perceived
kindness

26. How to Keep Social Engineering
From Working
• Administrators need to:
• Establish Policies
• Train Employees
• Run Drills
• Office Workers:
• Need to be aware of Social
Engineering tactics
• Follow policies

27. Let’s Watch the AT@T Internal
Social Engineering Training
Video
• Which Social Engineering
techniques can you identify in
the video? (Flattery,
Authority, Threats)
• How would you CLASSIFY this
video (remember Data
Classification)
• What is going on at AT&T?

28. Pretexting
• Pretexting is the
act of creating
and using an
invented scenario
(the pretext) to
persuade a
targeted victim to
release
information or
perform an action
and is typically
done over the
telephone.

29. Pretexting
• It's more than a simple lie as it
most often involves some prior
research or set up and the use of
pieces of known information (e.g.
for impersonation: date of birth,
Social Security Number, last bill
amount) to establish legitimacy in
the mind of the target.

30. Is This Really a Threat to
Businesses? PRETEXTING
• So far, this just looks
like a technique
employed by angry
individuals.
• Did you know that
Hewlett Packard
regularly engaged in
Social Engineering?
• They used the method
of PRETEXTING in
order to get phone
records
• Let’s watch the
testimony of Patricia
Dunn, Director of HP

31. Pretexting Will Likely Continue
• As most U.S. companies still
authenticate a client by asking
only for a Social Security
Number, date of birth, or
mother's maiden name, the
method is effective in many
criminal situations and will
likely continue to be a security
problem in the future.
• Pretexting is the most
common form of Social
Engineering

32. Phishing
• Phishing is the use of email as a
means to extract personal
information from a user
• A variant is called IVR Phone
Phishing

33. Phishing Continued
• Direct you towards bogus
(fake) websites
• Purpose is to harvest
information
• PayPal example – I don’t even
have a PayPal account!
• Use common sense!
• Don’t click on links directly!
• Phishing Filter!

34. TROJAN HORSE
• Is a virus or malware, disguised in
such as way as to appeal to a
person’s curiosity or greed
• Usually arrives in the form of an
email with an attachment
• ILOVEYOU virus is an example of
a Trojan Horse
• Adware hiding inside downloads is
another example

35. Road Apples
• Road Apples are also known as
Baiting
• Uses physical media and relies on
the curiosity or greed of the
victim
• USB drives or CDs found in the
parking lot, with label: 3M
Executive Salaries
• Autorun on inserted media

36. Quid Pro Quo
• Means “something for
something”
• A person contacts people one
by one, until he/she finds a
person with a problem
• When they find a person, they
“fix” their problem by
introducing malware to their
machine

37. Summary – Today’s Take Aways
• Social Engineering involves
manipulating others to get
access
• Main techniques are: Flattery,
Authority, Threatening
• Main types are: Pretexting,
Phishing, Trojan Horses and
Quid Pro Quo

38. Ways to Combat Social
Enginering
• Good security policy
• Make sure your employees
understand dangers and
threats
• Make sure employees
understand what Data
Classification means and what
type of information you
publicly give away

39. Most Important Gem of Wisdom
in Defeating Social Engineering
• Never, Never give out username,
password, account number, SSN,
etc over the same channel used
to initiate the request
• For example, if a phone call
comes in, asking for a SSN, send
the SSN via email or regular mail