Social Engineering Vulnerability Assessment
N. Benias, V. Chantzaras
July 2016
DIPLOMA THESIS
Automated system for assessing the risk of Social Engineering attacks against production information systems
Supervisor: Professor Dimitris Gritzalis
Nikolaos Benias (ΜΜ4140012), Vasileios Chantzaras (ΜΜ4140021)
SOCIAL ENGINEERING
  Definition
  Historical overview
  How and why it works
  Who uses it
  Targets
PROBLEMS
  "It's been great, but spying, blocking sites, repurposing people's content, taking you to the wrong websites, that completely undermines the spirit of helping people create... We don't have a technology problem, we have a social problem." Tim Berners-Lee
SOCIAL ENGINEERING THREATS
  SEO (Search Engine Optimization) poisoning
  Follower scams
  Impersonation of celebrities
  Impersonation of friends
SOCIAL ENGINEERING ATTACKS
  Human contact:
    By telephone (vishing)
    Shoulder surfing / closely following someone through a controlled door (tailgating)
    Searching through refuse (dumpster diving)
    Pretexting
  Technological means:
    Phishing
    Baiting
    Diversion theft
    Quid pro quo
    Scareware
    Reverse social engineering
    Browser exploitation
PROTECTIVE MEASURES
  People, Processes, Technology
  "You could spend a fortune purchasing technology and services, you can have the best firewalls, encryption tools and such in place, but they will neither detect nor protect you from a social engineering attack, because your network infrastructure could still remain vulnerable to old-fashioned manipulation." Kevin Mitnick
  Proposed procedure for handling phishing-type attacks
SOLUTIONS
  AdVanced SocIal EngineeRing And VuLnerability ASsessment Framework
TECHNICAL CHARACTERISTICS
  Ubuntu 14.04 LTS virtual machine (latest Oracle VirtualBox)
  PHP (with Yii), Python scripts, JavaScript
  php-resque (Redis-backed job queue for PHP)
  Critical services:
    Apache2 (ver. 2.4.7)
    postgres (ver. 9.3)
    redis-server (ver. 2.8.4)
    supervisor (Python implementation)
MVC IN ACTION
  Use case: List Campaigns
  Components: Yii App, Commands, AppComponents, AppManagers, ResqueJobs (perform()), CampaignController (action), CampaignModel (ActiveRecord), Campaigns View (ActiveRecord)
  Flow: action -> data -> findAll(campaigns) -> show(campaigns) -> list(campaigns) -> render(campaigns)
BASIC STAGES OF OPERATION
SOME SPAM REASONS
  IP and domain reputation
  Quality of email subject line, teaser, and content
  Quality and safety of links in the email
  Presence of images
  Ratio of images to text and of links to text
  Inclusion of a text version of the email
  etc.
ANTI-SPAM TIPS
  Whitelist your IP or domain on your spam defence, or:
  Set the HELO/EHLO SMTP host name on your server
  Review your email content (SpamAssassin ranking)
  Use a corporate email account as your sender address
  Use descriptive text instead of URLs as link text
  Make sure you are not blacklisted
  It matters where you're from
  Keep the format simple
  Limit the number of URL links
  Create a unique subject title
  DNS optimization
  Watch out when you spoof your own domain
  Set PTR
  Configure an SMTP banner that matches your domain
  Avoid using a tracking image
  Test your IP and domain reputation
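The two slides above list, from the sender's side, what a spam defence scores. As an added example (not code from the thesis framework), here is the receiving side of the same list in Python: a small scorer over two constructed messages that checks for a text/plain alternative, the image-to-text ratio, a 1x1 tracking image, link text that is itself a URL but points at a different host, links whose host lies outside the sender's domain, and a shouty subject line. The thresholds, weights, sample addresses and hosts are all assumptions chosen for the demonstration.

```python
"""Receiving-side scoring of the spam signals listed on the slides.
Added example; not code from the thesis framework. Thresholds, weights
and the two sample messages at the bottom are constructed for illustration."""
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

URL_RE = re.compile(r"^https?://\S+$")


class _HtmlStats(HTMLParser):
    """Collects visible text, links (href, anchor text) and images from HTML."""

    def __init__(self):
        super().__init__()
        self.text, self.links, self.images = [], [], []
        self._href, self._anchor = None, []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            self._href, self._anchor = attrs.get("href", ""), []
        elif tag == "img":
            self.images.append(attrs)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor).strip()))
            self._href = None

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor.append(data)


def _host(url):
    return (urlsplit(url).hostname or "").lower()


def _in_domain(host, domain):
    return host == domain or host.endswith("." + domain)


def score_message(raw: bytes) -> dict:
    """Score one RFC 5322 message; a higher score means more spam/phishing signals."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    html_body = plain_body = ""
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/html":
            html_body = part.get_content()
        elif ctype == "text/plain":
            plain_body = part.get_content()

    findings = []  # (name, weight)
    subject = str(msg.get("Subject", ""))
    if subject.count("!") >= 2 or (len(subject) > 8 and subject.isupper()):
        findings.append(("shouty_subject", 1))
    if html_body and not plain_body:            # slide: "inclusion of a text version"
        findings.append(("no_text_alternative", 2))

    stats = _HtmlStats()
    stats.feed(html_body)
    words = re.findall(r"\w+", " ".join(stats.text))
    n_words = max(len(words), 1)
    if len(stats.links) >= 3 and len(stats.links) * 100 / n_words > 5:
        findings.append(("link_heavy", 2))      # slide: "limit the number of URL links"
    if stats.images and len(words) < 20 * len(stats.images):
        findings.append(("image_heavy", 1))     # slide: "ratio of images to text"
    if any(a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
           for a in stats.images):
        findings.append(("tracking_pixel", 2))  # slide: "avoid using a tracking image"

    sender_domain = parseaddr(str(msg.get("From", "")))[1].partition("@")[2].lower()
    foreign_link = False
    for href, text in stats.links:
        if URL_RE.match(text):                  # slide: "descriptive text instead of URLs"
            if _host(text) != _host(href):      # displayed URL and real target disagree
                findings.append(("link_text_host_mismatch", 3))
            else:
                findings.append(("url_as_link_text", 1))
        if _host(href) and sender_domain and not _in_domain(_host(href), sender_domain):
            foreign_link = True
    if foreign_link:                            # slide: corporate sender address
        findings.append(("link_host_outside_sender_domain", 1))

    score = sum(w for _, w in findings)
    return {"score": score, "findings": [n for n, _ in findings],
            "verdict": "suspicious" if score >= 5 else "ok"}


def build_sample(subject, sender, plain, html):
    """Build a constructed sample message as raw bytes (text/plain optional)."""
    msg = EmailMessage()
    msg["Subject"], msg["From"], msg["To"] = subject, sender, "user@example.org"
    if plain:
        msg.set_content(plain)
        msg.add_alternative(html, subtype="html")
    else:
        msg.set_content(html, subtype="html")
    return msg.as_bytes()


# Constructed samples: a lure-style message and a well-formed notification.
SUSPICIOUS = build_sample(
    "URGENT!!! VERIFY YOUR ACCOUNT", "it-support@mail-example.test", "",
    '<html><body><p>Your mailbox is full. Click '
    '<a href="http://login-example.test/verify">https://webmail.example.org</a>'
    ' now.</p><img src="http://track.example.test/p.gif" width="1" height="1">'
    '</body></html>')
BENIGN = build_sample(
    "Quarterly security awareness training now open", "training@example.org",
    "The Q3 awareness module is on the intranet: https://intranet.example.org/training",
    '<html><body><p>The Q3 awareness module is on the '
    '<a href="https://intranet.example.org/training">intranet training portal</a>.'
    '</p></body></html>')

if __name__ == "__main__":
    for name, raw in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(name, score_message(raw))
```

The scorer is deliberately additive so each finding can be traced back to one slide item; a real gateway would combine these with the reputation and DNS checks (PTR, HELO name, SMTP banner) that need network access and are therefore left out here.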
APPLICATION PRESENTATION
  DEMO time!!!
PHISHING
LIVE COPY OF A WEBSITE
  Real page: https://webmail.aueb.gr
  Clone page: http://aueb-gr.my-free.website/
PASTEJACKING The art of changing what you copy from web pages Demo: https://github.com/dxa4481/pastejacking
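The linked demo shows the copy side of pastejacking. As an added example (not the thesis code and not the demo's code), the Python below handles the paste side, where a defender can act: before clipboard text reaches a shell, it reports the things the technique relies on, namely a line terminator (a terminal without bracketed paste submits that line to the shell immediately), escape sequences, and invisible format or control characters, and it compares the clipboard with the text the user believes they selected. The function names and the sample strings are constructed for this example.

```python
"""Paste-side inspection as a pastejacking counter-measure.
Added example; not code from the thesis or from the linked demo.
The sample strings used for illustration are constructed."""
import unicodedata

# Ordinary control characters that render visibly and are not hidden payload.
KEEP = {"\t", "\r", "\n"}


def executed_on_paste(text: str) -> list:
    """Lines a terminal without bracketed paste would submit immediately.

    Every line followed by a terminator is sent to the shell as a command;
    only a trailing fragment with no terminator stays in the prompt buffer.
    """
    normalised = text.replace("\r\n", "\n").replace("\r", "\n")
    return normalised.split("\n")[:-1]


def hidden_characters(text: str) -> list:
    """Format (Cf) and control (Cc) characters that render as nothing."""
    return [c for c in text
            if unicodedata.category(c) in ("Cf", "Cc") and c not in KEEP]


def inspect_paste(clipboard: str, expected: str = None) -> dict:
    """Report pastejacking indicators in `clipboard`.

    `expected` is the text the user believes they selected; whitespace is
    normalised before comparison so a reflowed copy is not a false alarm.
    """
    findings = []
    executed = executed_on_paste(clipboard)
    if executed:
        findings.append("line_terminator")
    if "\x1b" in clipboard:
        findings.append("escape_sequence")
    if hidden_characters(clipboard):
        findings.append("invisible_characters")
    if expected is not None and " ".join(clipboard.split()) != " ".join(expected.split()):
        findings.append("differs_from_selection")
    return {"findings": findings, "executed_immediately": executed,
            "safe": not findings}


if __name__ == "__main__":
    # Constructed: the user selected "echo hello", the clipboard carries a
    # zero-width space and a trailing newline.
    print(inspect_paste("echo hello\u200b\n", expected="echo hello"))
```

A clipboard manager or terminal wrapper would refuse or at least display the `executed_immediately` list before forwarding the paste; enabling bracketed paste mode in the shell removes the immediate execution entirely, but the invisible-character check is still useful because the pasted text is then executed when the user presses Enter.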
BAITING Temptation in disguise
FUTURE DEVELOPMENT
  Logical level:
    Malware simulation
    Running the Social Engineering Vulnerability Assessment only after approval by the organization's responsible officer, granted from within the framework itself (digital signature)
  Technical level:
    Threat intelligence backend
    Decoupling the server from the clients