Social Engineering Vulnerability Assessment

Social Engineering Vulnerability Assessment N. Benias, V. Chantzaras July 2016

ΔΙΠΛΩΜΑΤΙKH ΕΡΓΑΣΙΑ Αυτοματοποιημένο σύστημα αποτίμησης κινδύνων από επιθέσεις Κοινωνικής Μηχανικής σε παραγωγικά πληροφοριακά συστήματα Επιβλέπων: Kαθηγητής Δημήτρης Γκρίτζαλης Νικόλαος Μπενίας ΜΜ4140012 Βασίλειος Χαντζάρας ΜΜ4140021

ΚΟΙΝΩΝΙΚΗ ΜΗΧΑΝΙΚΗ Ορισμός Ιστορική αναδρομή Πώς & γιατί λειτουργεί Ποιος τη χρησιμοποιεί Στόχοι

ΠΡΟΒΛΗΜΑΤΑ It s been great, but spying, blocking sites, repurposing people s content, taking you to the wrong websites that completely undermines the spirit of helping people create... We don t have a technology problem, we have a social problem." Tim Berners-Lee

ΑΠΕΙΛΕΣ ΚΟΙΝΩΝΙΚΗΣ ΜΗΧΑΝΙΚΗΣ SEO (Search Engine Optimization) poisoning Follower scams Impersonation of celebrities Impersonation of friends

ΕΠΙΘΕΣΕΙΣ ΚΟΙΝΩΝΙΚΗΣ ΜΗΧΑΝΙΚΗΣ Ανθρώπινη επαφή Μέσω τηλεφώνου (vishing) Shoulder surfing / Στενής ακολουθίας σε παρακολούθηση (tailgating) Έρευνα σε απορρίμματα (Dumpster Diving) Pretexting Τεχνολογικά μέσα Phishing Baiting Diversion theft Quid pro quo Scareware Reverse social engineering Browser exploitation

Άνθρωπος Διαδικασίες Τεχνολογία ΜΕΤΡΑ ΠΡΟΣΤΑΣΙΑΣ You could spend a fortune purchasing technology and services, you can have the best firewalls, encryption tools and such in place, but they will neither detect nor protect you from a social engineering attack, because your network infrastructure could still remain vulnerable to oldfashioned manipulation. Κέβιν Μίτνικ Προτεινόμενη διαδικασία αντιμετώπισης των επιθέσεων τύπου phishing

ΛΥΣΕΙΣ AdVanced SocIal EngineeRing And VuLnerability ASsessment Framework

ΤΕΧΝΙΚΑ ΧΑΡΑΚΤΗΡΙΣΤΙΚΑ Ubuntu 14.04 LTS Virtual machine (latest Oracle VirtualBox) PHP (with Yii), Python Scripts, Javascript Php-resque ( backend for Redis in PHP) Κρίσιμες υπηρεσίες: Apache2 (ver. 2.4.7) postgres (ver. 9.3) redis-server (ver. 2.8.4) supervisor (python implementation)

MVC IN ACTION Use Case: List Campaigns AppComponents AppManagers action perform() ResqueJobs CampaignController action data findall(campaigns) show(campaings) list(campaings) render(campaings) Yii App Commands CampaignModel (ActiveRecort) Campaigns View (ActiveRecort)

ΒΑΣΙΚΑ ΣΤΑΔΙΑ ΛΕΙΤΟΥΡΓΙΑΣ

SOME SPAM REASONS IP and domain Reputation Quality of email subject line, teaser, and content Quality and safety of links in email Presence of images Ratio of images to text and links to text Inclusion of text version of email etc.

ANTI-SPAM TIPS Whitelist your IP or Domain on your Spam Defence or: Set helo/ehlo SMTP host name in your server Review Your Email Content (SpamAssasin ranking) Use a Corporate Email Account as Your Sender Address Use Descriptive Text Instead of URLs as Link Text Make Sure You Are Not Blacklisted It Matters Where You re From Keep the Format Simple Limit the Number of URL Links Create a Unique Subject Title DNS Optimization Watch out when you spoof your own domain Set PTR Configure an SMTP Banner that matches your domain Avoid using a tracking image Test your IP & Domain reputation

ΠΑΡΟΥΣΙΑΣΗ ΕΦΑΡΜΟΓΗΣ DEMO time!!!

PHISHING

ΕΝ ΙΣΧΥ ΑΝΤΙΓΡΑΦΟ ΙΣΤΟΣΕΛΙΔΑΣ Πραγματική σελίδα: https://webmail.aueb.gr Σελίδα κλώνος: http://aueb-gr.my-free.website/

PASTEJACKING The art of changing what you copy from web pages Demo: https://github.com/dxa4481/pastejacking

BAITING Temptation in disguise

ΜΕΛΛΟΝΤΙΚΗ ΕΞΕΛΙΞΗ Λογικό επίπεδο Προσομοίωση κακόβουλου λογισμικού Διενέργεια Social Engineering Vulnerability Assessment μετά από έγκριση του ιθύνοντος του οργανισμού, μέσα από το ίδιο το framework (ψηφιακή υπογραφή) Τεχνικό επίπεδο Threat intelligence backend Decoupling του server με clients

References 1. Barrett F., Russell A., The psychological construction of emotion, Guilford Press, 2015. 2. Bhunu Shava F., Van Greunen D., Designing user security metrics for a security awareness at Higher and Tertiary Institutions, Proc. of the 8 th International Development Informatics Association Conference, 2014. 3. Falgun R., Handbook on Cyber Crime and Law in India: Cyber Crime, Investigation and Cyber Law, Falgun Rathod, 2014 4. Goodman M., A journey to the dark side of technology and how to survive it, Transworld, 2015. 5. Hadnagy C., Fincher M., Phishing Dark Waters: The Offensive and Defensive Sides of Malicious E-mails, Wiley, 2015. 6. Mitrou L., Kandias M., Stavrou V., Gritzalis D., "Social media profiling: A Panopticon or Omniopticon tool?", Proc. of the 6 th Conference of the Surveillance Studies Network, Spain, April 2014. 7. Orrey K., Cyber Attack: Exploiting the User - There are so many ways!, University of Bedfordshire, 2010. 8. Pipyros K., Mitrou L., Gritzalis D., Apostolopoulos T., "A cyber attack evaluation methodology", Proc. of the 13 th European Conference on Cyber Warfare and Security, pp. 264-270, ACPI, Greece, July 2014. 9. Rocha-Flores W., Holm H., Svensson G., Ericsson G., Using phishing experiments and scenario-based surveys to understand security behaviours in practice, Information Management & Computer Security, 2014. 10. Schacter D., Gilbert D, Wegner D., Psychology, Worth Publishers, 2011. 11. Sudhanshu C., Nutan K., Hacking Web Intelligence: Open Source Intelligence and Web Reconnaissance Concepts and Techniques, Syngress, 2015. 12. Tsalis N., Mylonas A., Gritzalis D., An intensive analysis of the availability of security and privacy browser add-ons, Proc. of the 10 th International Conference on Risks and Security of Internet and Systems, pp. 1-16, Springer, Greece 2015. 13. Virvilis N., Tsalis N., Mylonas A., Gritzalis D., Security Busters: Web browser security vs. suspicious sites, Computers & Security, Vol. 52, pp. 90-105, July 2015. 14. Virvilis N., Tsalis N., Mylonas A., Gritzalis D., "Mobile devices: A phisher's paradise", Proc. of the 11 th International Conference on Security and Cryptography, pp. 79-87, ScitePress, Austria 2014. 15. Wüest C., The Risks of Social Networking, Symantec, 2010.