PEOPLE HACKING - Information Systems Security...
WHY IS THIS IMPORTANT?
According to a March 2000 article in the Washington Post, Mitnick went on to say that,
“You could spend a fortune purchasing
technology and services…and your
network…could still remain vulnerable
to old-fashioned manipulation.”
“The weakest link in the security
chain is the human element.” -Kevin Mitnick
PEOPLE WANT TO HELP
“...people inherently want to be helpful
and therefore are easily duped.”
“They assume a level of trust in order to avoid
conflict.”
“It’s all about gaining access to information that people think is innocuous when it isn’t.”
From Kevin Mitnick’s book The Art of Deception:
WHAT IS PEOPLE HACKING!?
Social Engineering
Mind Control
Cheap Tricks
Stage Hypnotists
Magicians
Scam Artists
Con Artists
BRAINS ARE JUST LIKE COMPUTERS
• You can read and write to them
• You can give them instructions
• The brain has limits on memory
• Make them do what you “program” them to do
BUT…there is no anti-virus protection
QUICK RUNDOWN OF SINAPTS
SiNAPTS (pronounced “Synapse”) is a service unique to Tevora, with a funny acronym: Social Networking Advanced Persistent Threat Survey.
The information included in these reports is gathered from publicly available repositories.
Advanced Persistent Threat (APT) usually refers to an
attacker with both the capability and the intent to
persistently and effectively target a specific entity.
SINAPTS IN ACTION
Within an hour… Within minutes…
Brother
Father
http://www.facebook.com/profile.php?id=10################509
http://www.pownetwork.org/bios/######.htm
http://www.usmilitariaforum.com/forums/lofiversion/##############.html
INFORMATION GATHERED
Graduated from Georgia State University
Went to General H.H. Arnold High School
Wife’s maiden name Palmer
Favorite pet’s name Whiskers
Mother’s maiden name Wallace
He married his wife Annette on April 23, 1991 in Los Angeles
He was born October 26, 1950
Middle name Frank
Father’s full name Herbert James Thorne
Lives in Calabasas, CA
Brother was George Thorne MIA 12/13/1968
WHY IS THIS IMPORTANT?
• What high school did you go to? Gen. H. H. Arnold
• What is your high school mascot? Warriors
• What is your wife’s maiden name? Palmer
• What is your anniversary date? April 23, 1991
• What is your father’s middle name? James
• What is your mother’s maiden name? Wallace
• What is your sign? Libra
• What is the name of your favorite pet? Whiskers
• When is your birthday? October 26, 1950
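The list above is the defender's problem in one slide: every recovery question is answered by a fact that was already public. The script below is an added example (not code from the original presentation) that turns that observation into a check an organisation can run on its own account-recovery questions. It takes the publicly gathered profile facts and the answers a user registered, and reports which questions an OSINT-equipped caller could already pass, including answers nobody posted verbatim (a middle name pulled out of a full name, a date typed in a different format, a school name with “High School” dropped). PUBLIC_PROFILE and REGISTERED_ANSWERS are constructed sample data based on the slide; the lenient comparison (ignore case, punctuation and whitespace) is an assumption about how a typical recovery form behaves.

```python
"""Account-recovery (knowledge-based authentication) exposure check.

Added example, not code from the original slides. Given the profile facts an
attacker could gather from public sources and the answers a user registered
for recovery questions, report which questions are effectively already
answered. Sample data below is constructed from the slide's own list.
"""
from datetime import date
import re


def normalise(answer: str) -> str:
    """Reduce an answer to lowercase alphanumerics, as lenient recovery forms do.
    (Assumption: the form ignores case, punctuation and whitespace.)"""
    return re.sub(r"[^a-z0-9]", "", answer.lower())


# Constructed sample: the facts the slide lists as gathered from public sources.
PUBLIC_PROFILE = {
    "high_school": "General H.H. Arnold High School",
    "wife_maiden_name": "Palmer",
    "pet_name": "Whiskers",
    "mother_maiden_name": "Wallace",
    "anniversary": date(1991, 4, 23),
    "birthday": date(1950, 10, 26),
    "father_full_name": "Herbert James Thorne",
}

# Constructed sample: what the user typed when enrolling recovery questions.
# The last entry is a user-chosen phrase rather than a biographical fact.
REGISTERED_ANSWERS = {
    "What high school did you go to?": "General H. H. Arnold",
    "What is your wife's maiden name?": "palmer",
    "What is your anniversary date?": "04/23/1991",
    "What is your father's middle name?": "James",
    "What is your mother's maiden name?": "Wallace",
    "What is the name of your favorite pet?": "Whiskers",
    "When is your birthday?": "October 26, 1950",
    "What phrase did you choose at enrollment?": "correct horse battery staple",
}


def candidate_answers(profile: dict) -> set:
    """Every normalised string a caller could produce from the public profile.

    Covers each fact verbatim plus cheap derivations: several date formats,
    the second token of any three-or-more-word value (a likely middle name),
    and a school name without its "High School" suffix.
    """
    candidates = set()
    for value in profile.values():
        if isinstance(value, date):
            for text in (f"{value:%B} {value.day}, {value.year}",   # October 26, 1950
                         value.strftime("%m/%d/%Y"),                 # 10/26/1950
                         value.strftime("%Y-%m-%d"),                 # 1950-10-26
                         f"{value.month}/{value.day}/{value.year}"):  # 10/26/1950
                candidates.add(normalise(text))
        else:
            candidates.add(normalise(value))
            candidates.add(normalise(re.sub(r"\s+High School$", "", value)))
            parts = value.split()
            if len(parts) >= 3:
                candidates.add(normalise(parts[1]))
    candidates.discard("")
    return candidates


def exposed_questions(registered: dict, profile: dict) -> list:
    """Questions whose registered answer matches something derivable from public data."""
    pool = candidate_answers(profile)
    return [q for q, a in registered.items() if normalise(a) in pool]


def recovery_risk(registered: dict, profile: dict, threshold: int = 1) -> str:
    """Verdict for the account: compares the number of questions an OSINT-equipped
    caller can pass against the number the recovery flow requires (threshold)."""
    hits = len(exposed_questions(registered, profile))
    status = "COMPROMISED" if hits >= threshold else "OK"
    return f"{status}: {hits} of {len(registered)} questions answerable from public data"


if __name__ == "__main__":
    for question in exposed_questions(REGISTERED_ANSWERS, PUBLIC_PROFILE):
        print("exposed:", question)
    # Assume the recovery flow asks three questions before resetting a password.
    print(recovery_risk(REGISTERED_ANSWERS, PUBLIC_PROFILE, threshold=3))
```

Run against the sample data, seven of the eight questions are answerable, so a flow that requires any three of them is already beaten; only the user-chosen phrase survives, which is the point: a recovery answer is only a secret if it was never a biographical fact in the first place.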
RESULT
Next steps:
• Request password for another account linked to this one
• Look for previous emails containing passwords
• Escalate my privileges on up the chain and eventually gain access to ACME’s network through SiNAPTS
4 THINGS TO THINK ABOUT
1) Same tricks, new technology
2) More sophisticated techniques and attacks
3) Social Networking
4) Social Engineering Automated
PROXEMICS
The study of the cultural, behavioral, and sociological aspects of spatial distances between individuals
KINESICS
Reading body language
Facial Expressions
Observing involuntary facial movements
These can be mixed and matched to form various physical manifestations of known emotions
• Posture
• Mannerisms
• Vocal Pitch
• Foot Position
• Shifting Weight
• Eye Movements
• Skin Temp.
• Clenching Fists
• Eyebrow Position
NEURO-LINGUISTIC PROGRAMMING
Often used in hypnosis and stage hypnosis
Takes advantage of typical programmed responses
Can be used to temporarily influence people
Can be used to overwrite thoughts/feelings
Is prominent in commercials, marketing etc…
PUT IT ALL TOGETHER TO HACK A HUMAN
Gather Intelligence: nmap -sV -T4 -O -F -v HUMAN
Becoming Likeable and Friendly: adduser yourUID theirGID
Ask/Tell Them To Do Something: use exploit/windows/smb/ms08_067_netapi
Assuming Everything Worked: $> whoami → root
HOW TO HELP PREVENT SOCIAL ENGINEERING
• Internal Audits
• Staff Training
• SiNAPTS
• Policies
• External Audits
• Be Aware
• Roleplaying
SOME TAKEAWAYS
• A system is only as secure as the people who run it
• People genuinely want to help
• People want to be liked
• The old tricks still work, but can be enhanced
• Works in any social situation
• Scratching the surface
RECOMMENDED READING
The Art of Deception: Controlling the Human Element of Security
The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders and Deceivers
Social Engineering: The Art of Human Hacking
Liars and Outliers
http://en.wikipedia.org/wiki/Proxemics
http://en.wikipedia.org/wiki/Cold_Reading
http://en.wikipedia.org/wiki/Metacommunicative_Competence
http://www.paulekman.com
Q&A
Matt Mosley Sr. Information Security Consultant
Office: 949.340.6932 | Mobile: 661.317.9765
Email: [email protected]
Web: www.tevora.com | www.massivelabs.com
https://www.linkedin.com/in/mattmosley1/
THANK YOU!