Social Engineering and Identity Theft

©2011 Gogo Inc. and Affiliates. Proprietary & Confidential.

Transcript of Social Engineering and Identity Theft

Page 1: Social Engineering and Identity Theft

Social Engineering and Identity Theft: How to avoid being a victim

Scott Teipe – CISSP, CISM, Manager of Information Security

Page 2: Social Engineering and Identity Theft

Social Engineering and Identity Theft Cases

• Frank Abagnale (1969) – http://en.wikipedia.org/wiki/Frank_Abagnale
• Lifelock (2007) – http://en.wikipedia.org/wiki/Lifelock
• HBGary vs. Anonymous (2011) – http://en.wikipedia.org/wiki/HBGary
• Amar Singh (2012) – http://www.huffingtonpost.com/2012/08/07/largest-id-theft-in-history_n_1751241.html

Page 3: Social Engineering and Identity Theft

Identity Theft Statistics

• One of the most common cybercrimes worldwide!

The 2013 Identity Fraud Report released by Javelin Strategy & Research indicates:

• In 2012 identity fraud incidents increased by more than one million victims.
• Fraudsters stole more than $21 billion, the highest amount since 2009.
• 12.6 million victims in the United States in 2012.
• 1 new victim every 3 seconds!!!

Page 4: Social Engineering and Identity Theft

Identity Theft

Javelin Strategy & Research Report: https://www.javelinstrategy.com/news/1387/92/More-Than-12-Million-Identity-Fraud-Victims-in-2012-According-to-Latest-Javelin-Strategy-Research-Report/d,pressRoomDetail

Page 5: Social Engineering and Identity Theft

Identity Theft

Once your personal data is obtained, it can be used to:

• Apply for a job
• Charge utilities
• File for bankruptcy
• File fraudulent tax returns
• Open new accounts in your name
• Commit a crime or get into legal trouble
• Drain your checking account and savings
• Go on a spending spree: purchase a car, appliances, services, etc.

Page 6: Social Engineering and Identity Theft

Social Engineering

• Social engineering: a new term for an old problem, being scammed.
• Exploits weaknesses in human nature:
  – Desire to help
  – Fear of authority
  – Use of logic (mask a small lie within a series of true statements)
  – Exploit necessities and desires (money, sex, free services/entertainment, etc.)
• Technical and non-technical: phone, email, trash, face to face
• Target: your personal information, or third-party information to which you have access.

Page 7: Social Engineering and Identity Theft

Social Engineering Techniques

• Phishing and spearphishing
• Dumpster diving
  – Be aware of what you throw in the trash. Someone’s trash is someone else’s treasure.
• Shoulder surfing
  – Always check to ensure nobody is peeking over your shoulder when entering security credentials (PIN, password, etc.)

Some of these techniques allow the attacker to bypass security controls (passwords, firewalls, etc.)

Page 8: Social Engineering and Identity Theft

Scenario 1

• You find a USB key in the parking lot at your workplace. Once you plug it in, you find a program that offers free access to a website where you can watch pirated first-run movies.

Page 9: Social Engineering and Identity Theft

Scenario 2

• You work in IT support and receive a phone call. The person on the other end of the line claims to be the new VP of the company, says he/she has forgotten his/her security credentials (PIN/password), and asks you to reset their password.

Page 10: Social Engineering and Identity Theft

Strategy

• Awareness and common sense
  – If it’s too good to be true…
• Discipline and education
• If in doubt, look for confirmation
• Efficient use of defensive technologies
• Proper use, storage and disposal of your information

Page 11: Social Engineering and Identity Theft

Technology Defense Mechanisms

• Security in depth: multiple overlapping defenses
  – Remember there is no single solution that protects 100% against an attack
• Proactive vs. reactive
• Firewall, antivirus, system patches
• Most modern operating systems have user-friendly security features built in
• Password security
• Data disposal

Page 12: Social Engineering and Identity Theft

Action Center

• Windows 7/8
  – Antivirus:
    • Win8: Windows Defender
    • Win7: Windows Security Essentials
  – Firewall: Windows Firewall
  – Patch management: Windows Update
  – Other features:
    • Data privacy/protection (BitLocker, Win7/8)
    • Antiphishing (Windows SmartScreen, Win8)
    • Family Safety (Win8)

Page 13: Social Engineering and Identity Theft

Action Center

• Displays important messages
• Windows Update: make sure Windows Update is configured correctly and turned on!

Page 14: Social Engineering and Identity Theft

Windows Defender

• Antivirus with real-time protection
• Status is color coded: green, yellow, red

Page 15: Social Engineering and Identity Theft

Windows SmartScreen

• Real-time protection against malware
• Offers phishing protection within IE in real time.

Page 16: Social Engineering and Identity Theft

Password Security

• Length: 16 or more characters
• Complexity
  – Avoid dictionary words and personally identifiable information
  – Change the order: use numbers, symbols, then letters.
    • Human nature is to use a capital letter, then lower case, then numbers and symbols to form a password. Hacking programs know this!
  – Use password generators
    • https://www.grc.com/passwords.htm
    • http://passwordsgenerator.net/
• Too many passwords? Try a password manager
  – Free password manager: KeePass – http://keepass.info/
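As an added illustration (not from the presentation), a small Python checker that applies the slide's rules: a length of 16 or more, no dictionary words or personal details, mixed character classes, and a flag for the capital-lowercase-digits/symbols shape the slide says cracking tools expect. The word list and the personal-detail sample values are constructed.

```python
import re

# Constructed mini word list; a real checker would load a full dictionary.
COMMON_WORDS = {"password", "welcome", "summer", "dragon", "monkey", "letmein"}

# The "human nature" shape the slide warns about: one capital, a run of
# lower-case letters, then nothing but digits/symbols (e.g. "Summer2013!").
PREDICTABLE_SHAPE = re.compile(r"^[A-Z][a-z]+[^A-Za-z]+$")

CHARACTER_CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def check_password(pw, pii=()):
    """Return a list of policy findings; an empty list means the password passes.

    pii is an iterable of personal details (names, birth years, nicknames)
    that must not appear anywhere in the password.
    """
    findings = []
    if len(pw) < 16:
        findings.append("length: fewer than 16 characters")
    low = pw.lower()
    for word in sorted(COMMON_WORDS):
        if word in low:
            findings.append(f"dictionary: contains '{word}'")
    for item in pii:
        item = item.lower()
        if len(item) >= 3 and item in low:
            findings.append(f"pii: contains '{item}'")
    present = sum(1 for cls in CHARACTER_CLASSES if re.search(cls, pw))
    if present < 3:
        findings.append("complexity: use at least three character classes")
    if PREDICTABLE_SHAPE.match(pw):
        findings.append("shape: Capital + lowercase + digits/symbols is the "
                        "pattern cracking tools try first")
    return findings


if __name__ == "__main__":
    for candidate in ("Summer2013!", "7#3Zq!kL9$vR2mWb"):
        print(candidate, check_password(candidate, pii=["scott"]))
```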

Page 17: Social Engineering and Identity Theft

Two Factor Authentication

• Offers an extra layer of security
• It requires an additional authentication factor
• One of the following besides username and password:
  – Something you have: security token
  – Something you know: PIN or pattern
  – Something you are: biometrics like fingerprint, voice, etc.
• Google and Yahoo started offering two factor authentication as an additional security feature back in 2011.

Page 18: Social Engineering and Identity Theft

Digital Fingerprints

• Where we are leaving traces of our lives:
  – Social media (Twitter, Facebook, LinkedIn, etc.)
  – Old devices: cellphones
• What we are leaving behind:
  – Date/place of birth
  – Family members’ information (nicknames/dates/etc.)
  – Social Security numbers, phone numbers, etc.

Page 19: Social Engineering and Identity Theft

How to Manage Your Information

• Install a data sanitation utility and use it to delete any important and/or personal information.
• If you are going to sell/transfer a device, wipe the storage device clean, including the memory card!
• Another excellent protection is to encrypt your sensitive information.

Page 20: Social Engineering and Identity Theft

Free Tools for Secure Erase

• Eraser – http://eraser.heidi.ie/download.php
• CCleaner – http://www.piriform.com/ccleaner/download
• File Shredder – http://www.fileshredder.org/

Page 21: Social Engineering and Identity Theft

Free Tools for Data Wipe

• Secure Erase – http://cmrr.ucsd.edu/people/Hughes/SecureErase.shtml
• MHDD – http://hddguru.com/software/2005.10.02-MHDD/
• Hard disk vendors offer utilities to wipe the contents of their HDs
• Always wipe the hard disk before disposing of or donating an old computer!!!
• Don’t become a victim of old personal data.

Page 22: Social Engineering and Identity Theft

Free Tools for Data Encryption

• TrueCrypt – http://www.truecrypt.org/
• SafeHouse Explorer Encryption – http://www.safehousesoftware.com/
• Windows 7/8 BitLocker – http://windows.microsoft.com/en-hk/windows7/products/features/bitlocker

Encrypt data on removable storage (USB thumb drives, SD cards)

Page 23: Social Engineering and Identity Theft

Free Anti-virus

– Avast: http://www.avast.com/index
– AVG: http://free.avg.com/ww-en/homepage
– Avira: http://www.avira.com/en/avira-free-antivirus

Page 24: Social Engineering and Identity Theft

Email

Basic principles
– Avoid clicking on links contained within e-mail messages.
– Type the web page address into the browser instead of clicking on the link.
– If in doubt, confirm the validity of the e-mail with the sender.

WHY???
– It is very easy for hackers to forge the sender’s identity.
– It is easy to forge the e-mail format to make it look legitimate.
– Clicking on a legitimate-looking link may install malicious software without your consent or knowledge.

Page 25: Social Engineering and Identity Theft

Email

No official UN or HSBC email addresses

Take a look at the header
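The slide's advice to look at the header, as an added example that is not part of the presentation: a Python check that compares the brand a message claims to come from (the domain it should originate at) against the From address, Return-Path, Reply-To and the Received chain. The sample message and its domains are constructed; hsbc.com is assumed to be the bank's real domain.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the display name says HSBC, but the mailbox is a free
# webmail account and no hop in the Received chain belongs to the bank.
SAMPLE_SCAM = """\
Return-Path: <claims.dept.hsbc@example-webmail.invalid>
Received: from mail.example-webmail.invalid (mail.example-webmail.invalid [192.0.2.10])
        by mx.recipient.example (Postfix) with ESMTP id 4F3A1; Tue, 5 Mar 2013 09:12:44 +0000
From: "HSBC Bank plc" <claims.dept.hsbc@example-webmail.invalid>
Reply-To: hsbc.claims.office@another-webmail.invalid
To: victim@recipient.example
Subject: Your account has been selected for a payment

Dear customer, ...
"""


def domain_of(addr):
    """Mailbox domain of an address header value, lower-cased."""
    return parseaddr(addr)[1].rsplit("@", 1)[-1].lower()


def in_domain(host, claimed):
    return host == claimed or host.endswith("." + claimed)


def header_findings(raw, claimed_domain):
    """Compare who the mail claims to be with where it actually came from.
    Returns a list of findings; an empty list means the headers are consistent."""
    msg = message_from_string(raw)
    claimed = claimed_domain.lower()
    findings = []
    from_dom = domain_of(msg.get("From", ""))
    if not in_domain(from_dom, claimed):
        findings.append(f"From address domain is {from_dom}, not {claimed}")
    for name in ("Return-Path", "Reply-To"):
        value = msg.get(name)
        if value and domain_of(value) != from_dom:
            findings.append(f"{name} domain {domain_of(value)} differs from From domain {from_dom}")
    # Received headers are prepended by each relay, so the last one is the origin.
    hops = [re.search(r"from\s+(\S+)", h) for h in msg.get_all("Received", [])]
    hosts = [m.group(1).lower() for m in hops if m]
    if hosts and not any(in_domain(h, claimed) for h in hosts):
        findings.append(f"no Received hop from {claimed}; originating hop was {hosts[-1]}")
    return findings
```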

Page 26: Social Engineering and Identity Theft

Internet Browsing

• Most vulnerabilities require you to click on something within the website to activate the vulnerability and cause your computer to crash or become very slow.
• Websites make it difficult to choose the right place to click. Often, buttons are just images coaxing you to perform an action such as clicking on a link embedded in an image.
• Critical: keep your browser and computer updated with the latest versions and patches!!!

Page 27: Social Engineering and Identity Theft

Conclusions

• Be aware, educated and disciplined.
• Keep it simple (i.e. just install the applications that you really need).
• There are no silver bullets; having a strategy in conjunction with the proper use of technology will help you to minimize your exposure to fraud.

Page 28: Social Engineering and Identity Theft


Questions??