2.4 - Social Engineering Flashcards

1
Q

Effective social engineering

A
  • Constantly changing - You never know what they’ll use next
  • May involve multiple people
    – And multiple organizations
    – There are ties connecting many organizations
  • May be in person or electronic
    – Phone calls from aggressive “customers”
    – Emailed funeral notifications of a friend or associate
2
Q

Phishing

A
  • Social engineering with a touch of spoofing
    – Often delivered by email, text, etc.
  • Don’t be fooled - Check the URL
  • Usually there’s something not quite right
    – Spelling, fonts, graphics
  • Vishing (Voice phishing) is done over the phone or voicemail
    – Caller ID spoofing is common
    – Fake security checks or bank updates
3
Q

Shoulder surfing

A
  • You have access to important information
    – Many people want to see
    – Curiosity, industrial espionage, competitive advantage
  • This is surprisingly easy
    – Airports / Flights, hallway-facing monitors, or coffee shops
  • Surf from afar
    – Binoculars / Telescopes (easy in the big city)
    – Webcam monitoring
4
Q

Preventing shoulder surfing

A
  • Control your input
    – Be aware of your surroundings
  • Use privacy filters
    – It’s amazing how well they work
  • Keep your monitor out of sight
    – Away from windows and hallways
  • Don’t sit in front of me on your flight
    – I can’t help myself
5
Q

Spear phishing

A
  • Targeted phishing with inside information
    – Makes the attack more believable
  • Spear phishing the CEO is “whaling”
    – Targeted phishing with the possibility of a large catch
    – The CFO (Chief Financial Officer) is commonly speared
  • These executives have direct access to the corporate bank account
    – The attackers would love to have those credentials
6
Q

Tailgating and piggybacking

A
  • Tailgating uses an authorized person to gain unauthorized access to a building
    – The attacker does not have consent
    – Sneaks through when nobody is looking
  • Piggybacking follows the same process, but the authorized person is giving consent
    – Hold the door, my hands are full of donut boxes
    – Sometimes you shouldn’t be polite
  • Once inside, there’s little to stop you
    – Most security stops at the border
7
Q

Watching for tailgating

A
  • Policy for visitors - You should be able to identify anyone
  • One scan, one person
    – A matter of policy or mechanically required
  • Access Control Vestibule / Airlock
    – You don’t have a choice
  • Don’t be afraid to ask
    – Who are you and why are you here?
8
Q

Impersonation

A
  • Pretend to be someone you aren’t
    – Halloween for the fraudsters
  • Use some of those details you got from the dumpster
    – You can trust me, I’m with your help desk
  • Attack the victim as someone higher in rank
    – Office of the Vice President for Scamming
  • Throw tons of technical details around
    – Catastrophic feedback due to the depolarization of the differential magnetometer
  • Be a buddy
    – How about those Cubs?
9
Q

Dumpster diving

A
  • Mobile garbage bin
    – United States brand name “Dumpster”
    – Similar to a rubbish skip
  • Important information thrown out with the trash
    – Thanks for bagging your garbage for me!
  • Gather details that can be used for a different attack
    – Impersonate names, use phone numbers
  • Timing is important
    – Just after end of month, end of quarter
    – Based on pickup schedule
10
Q

Wireless evil twins

A
  • Looks legitimate, but actually malicious
    – The wireless version of phishing
  • Configure an access point to look like an existing network
    – Same (or similar) SSID and security settings/captive portal
  • Overpower the existing access points
    – May not require the same physical location
  • WiFi hotspots (and users) are easy to fool
    – And they’re wide open
  • You encrypt your communication, right?
    – Use HTTPS and a VPN