Social Engineering: A Primary Vulnerability Assessment (Benias_Chantzaras_MSc.pdf)

N. Benias, V. Chantzaras, July 2016


Page 1:

Social Engineering: A Primary

Vulnerability Assessment

N. Benias, V. Chantzaras

July 2016

Page 2:

Automated risk assessment system for Social Engineering attacks on production information systems

Nikolaos Benias, Vasileios Chantzaras

Student IDs: ΜΜ4140012, ΜΜ4140021

MSc THESIS

Supervisor: Professor Dimitris Gritzalis

Page 3:

SOCIAL ENGINEERING

• Definition

• Historical overview

• How and why it works

• Who uses it

• Targets

Page 4:

“It’s been great, but spying, blocking sites, repurposing people’s content, taking you to the wrong websites — that completely undermines the spirit of helping people create... We don’t have a technology problem, we have a social problem."

Tim Berners-Lee

PROBLEMS

Page 5:

SOCIAL ENGINEERING THREATS

• SEO (Search Engine Optimization) poisoning

• Follower scams

• Impersonation of celebrities

• Impersonation of friends

Page 6:

SOCIAL ENGINEERING ATTACKS

Human contact:

By telephone (vishing)

Shoulder surfing / tailgating (following someone closely through a controlled door)

Dumpster diving

Pretexting

Technological means:

Phishing

Baiting

Diversion theft

Quid pro quo

Scareware

Reverse social engineering

Browser exploitation

Page 7:

People

Processes

Technology

“You could spend a fortune purchasing technology and services, you can have the best firewalls, encryption tools and such in place, but they will neither detect nor protect you from a social engineering attack, because your network infrastructure could still remain vulnerable to old-fashioned manipulation.”

Kevin Mitnick

PROTECTIVE MEASURES

• Proposed procedure for handling phishing-type attacks

Page 8:

SOLUTIONS

AdVanced SocIal EngineeRing And VuLnerability ASsessment Framework

Page 9:

TECHNICAL CHARACTERISTICS

Ubuntu 14.04 LTS

Virtual machine (latest Oracle VirtualBox)

PHP (with Yii), Python scripts, JavaScript

php-resque (Redis-backed background job queue for PHP)

Critical services:

Apache2 (ver. 2.4.7)

PostgreSQL (ver. 9.3)

redis-server (ver. 2.8.4)

supervisor (Python implementation)

Page 10:

MVC IN ACTION

Use Case: List Campaigns (sequence diagram, recovered from the slide)

CampaignController -> CampaignModel (ActiveRecord): findAll(campaigns)

CampaignController -> Campaigns View: list(campaigns)

Campaigns View: show(campaigns), render(campaigns)

Yii App components shown on the slide: AppComponents, ResqueJobs (action -> perform(), with action data), Commands, AppManagers

Page 11:

MAIN OPERATING STAGES

Page 12:

SOME SPAM REASONS

IP and domain Reputation

Quality of email subject line, teaser, and content

Quality and safety of links in email

Presence of images

Ratio of images to text and links to text

Inclusion of text version of email

etc.

Page 13:

ANTI-SPAM TIPS

Whitelist your sending IP or domain on the target organization's spam defence, or:

Set the HELO/EHLO SMTP host name on your server

Review your email content (SpamAssassin score)

Use a corporate email account as your sender address

Use descriptive text instead of URLs as link text

Make sure you are not blacklisted

It matters where you are “From”

Keep the format simple

Limit the number of URL links

Create a unique subject title

DNS optimization

Watch out when you spoof your own domain (the domain's own SPF/DMARC policy will be applied to your message)

Set a PTR (reverse DNS) record for the sending IP

Configure an SMTP banner that matches your domain

Avoid using a tracking image

Test your IP and domain reputation
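The two slides above present the deliverability heuristics as a checklist. As an added example, not part of the thesis or of its framework, the JavaScript below encodes the checks that can be evaluated offline as a pre-flight linter a campaign operator could run over a draft message before sending it. The message fields (from, heloName, ptrName, banner, html, text), the thresholds MAX_LINKS and MAX_IMAGES_PER_KB, the corporate domain and the two sample messages are all constructed assumptions. Network-dependent items (blacklists, reputation, resolving the PTR) are out of scope; the HELO and PTR checks only compare the names you intend to configure against the sending domain.

```javascript
// Added example (not the thesis's code): a pre-flight deliverability linter for a
// phishing-simulation email. All thresholds and sample data below are constructed.
// Run with: node spam_preflight.js

const MAX_LINKS = 3;           // assumed limit for "limit the number of URL links"
const MAX_IMAGES_PER_KB = 2;   // assumed limit for the image-to-text ratio
const CORP_DOMAIN = 'corp.example';   // constructed sending domain

// Extract <a href="...">text</a> pairs from a simple HTML body.
function extractLinks(html) {
  const re = /<a\b[^>]*href\s*=\s*["']([^"']+)["'][^>]*>([\s\S]*?)<\/a>/gi;
  const links = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    links.push({ href: m[1], text: m[2].replace(/<[^>]+>/g, '').trim() });
  }
  return links;
}

function extractImages(html) {
  return html.match(/<img\b[^>]*>/gi) || [];
}

// A 1x1 image (attributes or inline style) is the classic open-tracking pixel.
function isTrackingPixel(imgTag) {
  const w = /width\s*=\s*["']?1["'\s>]/i.test(imgTag) || /width\s*:\s*1px/i.test(imgTag);
  const h = /height\s*=\s*["']?1["'\s>]/i.test(imgTag) || /height\s*:\s*1px/i.test(imgTag);
  return w && h;
}

function domainOf(address) {
  return address.slice(address.lastIndexOf('@') + 1).toLowerCase();
}

function sameOrSubdomain(name, domain) {
  const n = name.toLowerCase().replace(/\.$/, '');
  return n === domain || n.endsWith('.' + domain);
}

// msg: { from, heloName, ptrName, banner, html, text }. Returns a list of findings;
// an empty list means the draft passes every offline check on the slides.
function spamPreflight(msg, corpDomain) {
  const findings = [];
  const links = extractLinks(msg.html);
  const images = extractImages(msg.html);
  const plainChars = msg.html.replace(/<[^>]+>/g, '').replace(/\s+/g, ' ').trim().length;

  if (!msg.text || !msg.text.trim()) findings.push('no text/plain alternative part');
  if (domainOf(msg.from) !== corpDomain) findings.push(`From domain ${domainOf(msg.from)} is not the corporate domain ${corpDomain}`);
  if (!sameOrSubdomain(msg.heloName, corpDomain)) findings.push(`HELO/EHLO name ${msg.heloName} does not belong to ${corpDomain}`);
  if (!sameOrSubdomain(msg.ptrName, corpDomain)) findings.push(`PTR name ${msg.ptrName} does not belong to ${corpDomain}`);
  if (!msg.banner.includes(msg.heloName)) findings.push('SMTP banner does not match the HELO name');
  if (links.length > MAX_LINKS) findings.push(`${links.length} links (limit ${MAX_LINKS})`);
  for (const l of links) {
    if (/^(https?:\/\/|www\.)/i.test(l.text)) findings.push(`raw URL used as link text: ${l.text}`);
  }
  const pixels = images.filter(isTrackingPixel);
  if (pixels.length) findings.push(`${pixels.length} tracking pixel(s) found`);
  const perKb = images.length / Math.max(plainChars / 1024, 0.001);
  if (images.length && perKb > MAX_IMAGES_PER_KB) findings.push(`image-to-text ratio too high (${images.length} images for ${plainChars} chars)`);
  return findings;
}

// Constructed draft that breaks most of the rules on the slide.
const badMessage = {
  from: 'it-support@freemail.example',
  heloName: 'mail.bulk-sender.example',
  ptrName: 'static-1-2-3-4.isp.example',
  banner: '220 localhost ESMTP',
  text: '',
  html: '<p>Your mailbox is full. Go to <a href="http://webmail-corp.example/">http://webmail-corp.example/</a> now.</p>' +
        '<a href="http://x.example/1">a</a><a href="http://x.example/2">b</a><a href="http://x.example/3">c</a>' +
        '<img src="http://x.example/t.gif" width="1" height="1"><img src="http://x.example/logo.png">',
};

// Constructed draft that follows the checklist.
const goodMessage = {
  from: 'it-support@corp.example',
  heloName: 'mail.corp.example',
  ptrName: 'mail.corp.example',
  banner: '220 mail.corp.example ESMTP',
  text: 'Your mailbox is almost full. Please review your quota at the IT portal.',
  html: '<p>Your mailbox is almost full. Please review your quota at the <a href="https://portal.corp.example/quota">IT portal</a>.</p>',
};

for (const [name, msg] of [['bad', badMessage], ['good', goodMessage]]) {
  console.log(name, spamPreflight(msg, CORP_DOMAIN));
}
```

The HTML parsing is regex-based and deliberately simple; for real templates feed the linter the rendered HTML and text parts of the MIME message, and keep the network checks (blacklist and reputation lookups, an actual PTR query for the sending IP) as a separate step that runs against the live infrastructure.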

Page 14:

PHISHING

Page 15:

A LIVE CLONE OF A WEB PAGE

Real page:

https://webmail.aueb.gr

Cloned page:

http://aueb-gr.my-free.website/

Page 16:

The art of changing what you copy from web pages

PASTEJACKING

Demo: https://github.com/dxa4481/Pastejacking
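The slide names the technique and links a demo. As an added example, which is neither the thesis's code nor the linked repository, the JavaScript below shows the mechanism: a page's copy event listener replaces the selected text with attacker-chosen text, and a trailing newline makes a terminal execute the pasted line immediately. The visible command, the hidden payload and the mock ClipboardEvent are constructed so the file runs under Node without a browser; the clipboardTampered helper is an added illustration of the check a careful user performs by pasting into an editor before a terminal.

```javascript
// Added example (not the thesis's code, not the dxa4481 demo): pastejacking as a
// copy-event handler, driven offline with a mock event. In a browser you would
// attach it with document.addEventListener('copy', makePastejackHandler(HIDDEN_PAYLOAD)).

// What the victim thinks they are copying (constructed).
const VISIBLE_COMMAND = 'echo "hello world"';

// What actually lands in the clipboard (constructed). The trailing newline matters:
// pasting into a terminal runs the line without waiting for the user to press Enter.
const HIDDEN_PAYLOAD = 'echo "not the command you copied"\n';

// Returns a 'copy' listener that overrides the user's selection with `payload`.
function makePastejackHandler(payload) {
  return function onCopy(event) {
    // Put the attacker's text on the clipboard in place of the selection.
    event.clipboardData.setData('text/plain', payload);
    // Without preventDefault the browser would overwrite our data with the real selection.
    event.preventDefault();
  };
}

// Defensive side: compare what was copied with what was visibly selected.
// Returns a reason when the clipboard text differs, or null when it matches.
function clipboardTampered(visibleSelection, clipboardText) {
  if (clipboardText === visibleSelection) return null;
  if (clipboardText.trim() === visibleSelection.trim() && /\n$/.test(clipboardText)) {
    return 'trailing newline added (auto-executes in a terminal)';
  }
  return 'clipboard text differs from the selected text';
}

// Minimal stand-in for a ClipboardEvent so the handler can run outside a browser.
function mockCopyEvent(selection) {
  const store = { 'text/plain': selection };
  return {
    defaultPrevented: false,
    clipboardData: {
      setData: (type, value) => { store[type] = value; },
      getData: (type) => store[type] || '',
    },
    preventDefault() { this.defaultPrevented = true; },
  };
}

// Simulate the attack end to end: the user selects `selection`, the page's copy
// handler fires, and we read back what the clipboard now holds.
function simulateCopy(selection, handler) {
  const ev = mockCopyEvent(selection);
  handler(ev);
  return { clipboard: ev.clipboardData.getData('text/plain'), prevented: ev.defaultPrevented };
}

// Stand-alone run: what the victim selected versus what they got.
const demo = simulateCopy(VISIBLE_COMMAND, makePastejackHandler(HIDDEN_PAYLOAD));
console.log('selected :', JSON.stringify(VISIBLE_COMMAND));
console.log('clipboard:', JSON.stringify(demo.clipboard));
console.log('verdict  :', clipboardTampered(VISIBLE_COMMAND, demo.clipboard));
```

The practical defence is procedural rather than technical: paste copied commands into a text editor (or a terminal with bracketed paste enabled) and read them before running them, because the page, not the user, decides what the copy event writes to the clipboard.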

Page 17:

BAITING

Temptation in disguise

Page 18:

FUTURE DEVELOPMENT

Logical level

Malware simulation

Running a Social Engineering Vulnerability Assessment only after approval by the organization's responsible officer, granted from within the framework itself (digital signature)

Technical level

Threat intelligence backend

Decoupling the server from the clients
