OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Re: Social Engineering Data set

From: Frynge Customer Support (fryngefrynge.com)
Date: Thu Oct 12 2006 - 01:19:27 CDT


Social Engineering Attack examples

Social engineering attacks are usually done to exploit the laziness of
people, or people with good manners, or even people that want to help you.
This is what makes it very hard to guard against a SE attack because the
people involved may not realize that they are being fooled and will never
admit this to anyone. The SE attempts to persuade someone to provide
information that will allow them to use your system or resources as if they
were his own. This is most commonly referred to as the "confidence trick".

These are the 5 main attacks that I know of

1: Personal approaches including the confidence trick
2: Online attacks (includes all the email phishing attacks)
3: Telephone
4: Waste management
5: Reverse Social engineering

1: Online Attacks

They include:
A) Email threats like phishing
B) Confidence tricks and attacks
C) Online pop up attacks
D) Instant messaging

Here is one example

Pop ups or dialog boxes

One of the most popular goals is to embed a mail engine within your computer
environment through which the hacker can launch phishing or other e-mail
attacks on other companies or individuals.
The phishing attack will show a hyperlink that appears to link to a secure
account management site, while the status bar shows that it takes the user
to, is the hacker's site. Hackers can suppress or reformat the status bar
information to whatever they want. Most people will not look or know to
look. This way, the hacker is given the information via a neat form they
have created. All this was done from a simple email, that the hacker sends
impersonating the company.

2: Telephone

Attacks on AOL

Aol was attacked and approximately 200 accounts were compromised. It was a
simple human SE attack in which the hacker would talk to tech support for a
long time. It seemed the longer the hacker talked, the more confident and
friendly the employee became.

At the point of most confidence the hacker mentions that he had a car for
sale at a great price. The employee had shown interest and then it was as
simple as sending an email. The hacker then sent an email with an executable
trojan backdoor instead of the picture of the car. Upon viewing the email
it executed. The email basically said, that he may have did something wrong
by sending the picture, did you get it? At this point the damage has
already been done and the system compromised.

This trojan backdoor then opens a port from AOL through the firewall. It
was then an open door for the hacker to come back at a later date in order
to check out the system, gather passwords and hide the evidence. This is a
common way to gain entrance to a secure system. Why go through all the
defences created, when they let you in the backdoor :)

This next example below includes these techniques
1: confidence attack
2: reverse engineering
3: waste management
4: telephone SE attacks

Reverse social engineering describes a situation where the TARGET will offer
the hacker the information. This may seem unlikely, but people of
authority, often receive vital personal information, such as user IDs and
passwords, because they are above suspicion.

Example 2:

A group of hackers walk in to a large shipping firm and walked out with the
entire companies corporate network.

What did they do?

This technique is called the syphon. Small amounts of information, can be
useless, but to a hacker, bit by bit, you can collect a large portion of the
puzzle. The key is to gather this from different employees.

You will see as in the last example, its not through the bars of the prison
they come, but through its weakness, which is its employees.

First, there was a small period of data collecting on the company. Calling,
going through trash that is set outside. (waste management) They also need
to get familiar with the roles, they must know who they are dealing with.
It is very important to become the person or become your role. They had
learned key employees' names by simply calling the company and inquiring
about shipping and receiving (telephone SE attacks). Next, they pretend to
lose their key to the front door and as simple as that, they are in the
front door :) (confidence SE attacks)

Then they lost their identity badges when entering a very secure area, they
just smiled, were very calm and a friendly employee let them right in. Most
will not assume you shouldnt be there or your not who you say you are.
(again confidence or personal SE attacks)

The hackers already had known previously, that the CFO was out of town, so
they knew which offices to enter before hand. They went in to obtain
financial data off his computer. The went through the trash which is a very
common practise and you would be surprised what you can find in the trash,
the people do not shred. (waste and trash management) After getting all
types of useful documents, they asked a janitor for a garbage pail and then
placed all the data in this and carried it straight out of the building with
permission.

The hackers had talked previously to the CFO and knew his voice and
mannerisms. So they then called up, pretending they were the CFO in a
hurry, and desperately needed the network password. From there, they used
regular hacking techniques and tools to gain super user access to the
system, with not one person the wiser. (telephone reverse engineering
attacks)

In this case, the "hackers" were network consultants performing a security
audit for the CFO without any other employees' knowledge. They were never
given any privileged information from the CFO but were able to obtain all
the access they wanted through social engineering. (This story was recounted
by Kapil Raina, currently a security expert at Verisign and co-author of
mCommerce Security: A Beginner's Guide, based on an actual workplace
experience with a previous employer.)

Security is all about trust. Trust in protection and authenticity. Generally
agreed upon as the weakest link in the security chain, the natural human
willingness to accept someone at his or her word, leaves many of us
vulnerable to attack.

Kelly Sigethy
http://www.frynge.com

----- Original Message -----
From: "xun dong" <xundongcs.york.ac.uk>
To: <pen-testsecurityfocus.com>; <security-basicssecurityfocus.com>
Sent: Wednesday, October 11, 2006 4:31 AM
Subject: Social Engineering Data set

> Hello list;
>
> I am currently doing research on Social Engineering Attacks. Unlike the
> technical hack, I found that there is few useful and well documented SE
> attack examples on the Internet. So I decided to create a data set for SE
> attacks, and I am willing to publish it for free on the Internet.
>
> However, I think only my own experience would not be able to make this
> dataset as comprehensive as possible. So I would like to ask for help on
> this list. If you think you have SE attack examples, you can email me. Of
> course for confidential reason you should not use the real name in your
> example. If you don't mind I will also publish your name along with the
> example you provided. Thanks a lot in advance. I hope this could be a step
> forwards in protecting against SE attacks.
>
> --
> Xun Dong
> Research Associate
> Department of Computer Science
> University of York
>
> ---------------------------------------------------------------------------
> This list is sponsored by: Norwich University
>
> EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
> The NSA has designated Norwich University a center of Academic Excellence
> in Information Security. Our program offers unparalleled Infosec
> management education and the case study affords you unmatched consulting
> experience. Using interactive e-Learning technology, you can earn this
> esteemed degree, without disrupting your career or home life.
>
> http://www.msia.norwich.edu/secfocus
> ---------------------------------------------------------------------------
>
>
>

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------