Social engineering: A threat to even well-engineered networks
Despite robust technical defenses, organizations remain vulnerable to cyber espionage and social engineering attacks. This is exemplified through scenarios where sensitive information is targeted through deceptive tactics rather than technical breaches. Social engineering exploits human vulnerabilities to bypass even the most secure networks, making it a crucial aspect of cybersecurity to address.
Presentation Transcript
Cyber Espionage and Social Engineering Attacks
Chien-Chung Shen
cshen@udel.edu
Can a well-engineered network be broken into?
Consider an agent X who is determined to break into a network with the intention of stealing valuable documents belonging to an organization and for the purpose of conducting general espionage on the activities of the organization.
Assume that the targeted organization:
- is vigilant about keeping up to date with patches and anti-virus software updates
- operates behind a well-designed firewall
- hires a security company to periodically carry out vulnerability scans and penetration testing of all its computers
- has computers that are not vulnerable to dictionary attacks
In addition, assume that X is physically based in a different country. Therefore, it is not possible for X to gain physical entry into the organization's premises and install a packet sniffer in its LAN.
Can a well-engineered network be broken into?
Given the assumptions listed above, it would seem that the organization's network cannot be broken into. But that turns out not to be the case. Any network, no matter how secure it is from a purely engineering perspective, can be compromised through what is now commonly referred to as social engineering.
Episode (1)
Assume that an individual named Bob Clueless is a high official in company A in the US and that this company manufactures night-vision goggles for the military. Pretend that there is a country T out there that is barred from importing military hardware, including night-vision goggles, from the US. So this country decides to steal the design documents stored in the computers of organization A. Since this country does not want to become implicated in cross-border theft, it outsources the job to a local hacker named X. T supplies X with all kinds of information (generated by its embassy in the US) regarding A, its supplier base, the cost structure of its products, and so on. On the basis of all this information, X sends the following email to Bob Clueless:
Episode (2)
To: Bob Clueless
From: Joe Smoothseller
Subject: Lower cost light amplifier units

Dear Bob,
We are a low-cost manufacturer of light-amplifier units. Our costs are low because we pay next to nothing to our workers. (Our workers do not seem to mind --- but that's another story.) The reason for writing to you is to explore the possibility of us becoming your main supplier for the light amplification unit. The attached document shows the pricing for the different types of light-amplification units we make. Please let me know soon if you would be interested in our light amplifier units.

Attachment: light-amplifiers.docx
Episode (3)
When Bob Clueless received the above email, he was already under a great deal of stress because his company had recently lost significant market share in night-vision goggles to a competing firm. Therefore, no sooner did Bob receive the above email than he clicked on the attachment. What Bob did not realize was that his clicking on the attachment caused the execution of a small binary file that was embedded in the attachment. This resulted in Bob's computer downloading the client gh0st that is a part of the gh0stRAT trojan. Subsequently, X had full access to the computer owned by Bob Clueless. As is now told, X used Bob's computer to infiltrate the rest of the network belonging to company A; this was the easiest part of the exploit, since the other computers trusted Bob's computer. It is further told that, for cheap laughs, X would occasionally turn on the camera and the microphone in Bob's laptop and catch Bob picking his nose and making other bodily sounds in the privacy of his office.
Steps of Social Engineering Attack
- You receive a spoofed e-mail with an attachment
- The e-mail appears to come from someone you know
- The contents make sense and talk about real things (and in your language)
- The attachment is a PDF, DOC, PPT or XLS
- When you open up the attachment, you get a document on your screen that makes sense, but you also get exploited at the same time
- The exploit drops a hidden remote access trojan, typically a Poison Ivy or a Gh0st RAT (Remote Administration Tool) variant
  https://www.f-secure.com/v-descs/backdoor_w32_poisonivy.shtml
  http://hack2learn.blogspot.com/2011/04/rat-tutorial-poison-ivy.html
  http://en.wikipedia.org/wiki/Ghost_Rat
- You are the only one in your organization who receives such an email
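The steps above double as detection indicators. The following is an added example (not part of the original slides) that scores a raw e-mail against them: a familiar display name on an unfamiliar sender domain, a Return-Path that disagrees with the From domain, a PDF/Office attachment, and a single recipient inside the organization. The sample message, the trusted-contact list and every domain in it are constructed for the example.

```python
from email import message_from_string, policy
from email.utils import getaddresses, parseaddr

# Attachment types the slide names as the usual lure format.
LURE_EXTENSIONS = (".pdf", ".doc", ".docx", ".ppt", ".pptx", ".xls", ".xlsx")
# Constructed trusted-contact list: display name -> the domain that contact really uses.
KNOWN_SENDERS = {"Joe Smoothseller": "smoothseller.example"}
# Constructed sample message modelled on the lure in Episode (2).
SAMPLE_LURE = """\
Return-Path: <bounce@mail-relay.example>
From: Joe Smoothseller <joe@lightamp-units.example>
To: Bob Clueless <bob@company-a.example>
Subject: Lower cost light amplifier units
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream; name="light-amplifiers.docx"
Content-Disposition: attachment; filename="light-amplifiers.docx"

UEsDBA==
--b1--
"""

def domain_of(addr):
    return addr.rpartition("@")[2].lower()

def score_message(raw, org_domain, known_senders=KNOWN_SENDERS):
    """Score a raw RFC 5322 message against the slide's indicators; returns (score, reasons)."""
    msg = message_from_string(raw, policy=policy.default)
    reasons = []
    name, addr = parseaddr(str(msg.get("From", "")))
    from_domain = domain_of(addr)
    # "appears to come from someone you know": familiar display name, wrong domain
    if name in known_senders and known_senders[name] != from_domain:
        reasons.append("known display name but unexpected sender domain")
    # spoofing indicator: envelope sender (Return-Path) domain differs from From
    _, ret = parseaddr(str(msg.get("Return-Path", "")))
    if ret and domain_of(ret) != from_domain:
        reasons.append("Return-Path domain differs from From domain")
    # lure document attached (PDF/DOC/PPT/XLS)
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        if fname.endswith(LURE_EXTENSIONS):
            reasons.append("lure-type attachment: " + fname)
    # "you are the only one in your organization who receives such an email"
    hdrs = [str(h) for h in msg.get_all("To", []) + msg.get_all("Cc", [])]
    org_rcpts = [a for _, a in getaddresses(hdrs) if domain_of(a) == org_domain]
    if len(org_rcpts) == 1:
        reasons.append("single recipient inside the organization")
    return len(reasons), reasons
```

A score of 3 or more on a message carrying an Office document is the kind of event a mail gateway should quarantine for review rather than deliver.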
Trojan
- From the standpoint of the programming involved, there is no significant difference between a bot and a trojan
- The main difference between a trojan and a bot relates to how they are packaged for delivery to an unsuspecting computer
  bot: random hopping
  trojan: more targeted
- A trojan may be embedded in a piece of code that actually does something useful, but that, at the same time, also does things that are malicious
- Sample CERT advisory on a trojan: http://www.cert.org/historical/advisories/CA-1999-02.cfm
Challenge in Social Engineering
Nagaraja and Anderson (University of Cambridge):
"This combination of well-written malware with well-designed email lures, which we call social malware, is devastatingly effective. .... The traditional defense against social malware in government agencies involves expensive and intrusive measures that range from mandatory access controls to tiresome operational security procedures. These will not be sustainable in the economy as a whole. Evolving practical low-cost defenses against social-malware attacks will be a real challenge."
The gh0stRAT Trojan
- Probably the most potent trojan that is currently in the news. That is not surprising, since when a machine is successfully compromised with this trojan, the attackers can gain total control of the machine, even turn on its camera and microphone remotely and capture all the keyboard and mouse events. In addition to being able to run any program on the infected machine, the attackers can thus listen in on the conversations taking place in the vicinity of the infected machine and watch what is going on in front of the computer.
- The trojan, intended for Windows machines, appears to be the main such trojan that is employed today for cyber espionage.
- The many faces of Gh0st Rat: download01.norman.no/documents/ThemanyfacesofGh0stRat.pdf
- Know Your Digital Enemy, by McAfee: http://www.mcafee.com/us/resources/white-papers/foundstone/wp-know-your-digital-enemy.pdf
Cyber Espionage
- Tracking GhostNet: Investigating a Cyber Espionage Network
  http://www.scribd.com/doc/13731776/Tracking-GhostNet-Investigating-a-Cyber-Espionage-Network
  describes an espionage network that had infected at least 1295 computers in 103 countries, mostly for the purpose of spying on the various Tibetan organizations, especially the offices of the Dalai Lama in Dharamsala, India
- Shadows in the Cloud: Investigating Cyber Espionage 2.0
  http://www.infowar-monitor.net/2010/04/shadows-in-the-cloud-an-investigation-into-cyber-espionage-2-0
  documents an extensive espionage network that successfully stole from various high offices of the Government of India, the Office of the Dalai Lama, and the United Nations
- The Snooping Dragon: Social-Malware Surveillance of the Tibetan Movement
  http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-746.html
- Cyberattack on Google Said to Hit Password System
  http://www.nytimes.com/2010/04/20/technology/20google.html?_r=0
Social Engineering
- Attacks designed to trick a victim into providing information through misdirection or deceit
- Attackers often pretend to be someone they are not, such as someone with authority or a family member, to gain a victim's trust
- When they are successful, users might have given up passwords, access credentials, or other valuable secrets
- There are many tools available in Kali Linux to assist with a social engineering campaign; however, the most successful attacks are based on understanding your target audience and abusing their trust
  e.g., obtaining sensitive information using fake accounts on social media sources such as LinkedIn and Facebook
  e.g., Emily Williams social engineering
Social-Engineer Toolkit (SET)
- Was developed by David Kennedy at TrustedSec and comes preinstalled with Kali Linux
- Often used to duplicate trusted websites such as Google, Facebook, and Twitter with the purpose of attracting victims to launch attacks against them
- As victims unknowingly browse these duplicate websites, attackers can gather the victims' passwords or possibly inject a command shell that gives them full access to the victims' systems
- A great tool for security professionals to demonstrate the chain of trust as a vulnerability (i.e., demoing how the average person will not pay attention to the location where they enter sensitive information as long as the source looks legit)
- https://www.trustedsec.com/social-engineer-toolkit
Raspberry Pi Attacks
Scenario: leverage a Raspberry Pi for on-site reconnaissance that can be used to build a successful social engineering attack that is executed from a remote web server.
- Set up a Pi to clone Gmail
- The goal is to make a victim believe that they are accessing their Gmail account and redirect them to the real Gmail website after they log in, but store their login credentials
- The trick will be to get the victim to access the SET server; however, that's where your social engineering abilities come into play. For example, you could e-mail a link, post the link on a social media source, or poison the DNS to direct traffic to your attack server
- The attacker can remotely access the Raspberry Pi to pull down stolen credentials

(1) Type setoolkit and enable bleeding-edge repos
Let's take a look at how to use SET on a Raspberry Pi. To launch SET, type setoolkit in a command prompt window. You will be prompted to enable bleeding-edge repos. Bleeding-edge repos are a new feature in Kali that includes daily builds of popular tools such as SET. The best practice is to enable the bleeding-edge repos and test your exercise prior to using it in a live penetration test, as things can slightly change. The following screenshot shows how to enable bleeding-edge repos:
Bleeding-edge repos are a great way to get the latest software packages of popular tools. However, seasoned security professionals [...] be used. The best practice is to disable updates prior to going live with a tool unless you have time to test updates from new releases.

(2) Launch SET
Once SET is launched, you will need to agree to the license and terms of the software program by typing yes. At this point, you will see the main menu of SET, as shown in the following screenshot:
SET is a menu-based attack tool. Unlike other tools, it does not use the command line. This is based around the concept that social engineering attacks are polymorphic in nature and require multiple linear steps to set up. A command-line tool can cause confusion when developing these types of attacks.
Next, we will select [...]. This will bring up a variety of different options. In this test scenario, we will perform a simple credential harvester attack, which is [...] as shown in the following screenshot:

(3) Select the Credential Harvester Attack Method option to clone Gmail
For this example, we will select [...]. The following screenshot shows the menu under Social Engineering Attacks:
When you select the Credential Harvester Attack Method option, you have the option of using a pre-existing template or cloning a website. We found that most templates don't work that well against the average person, so it is best to clone a real website. In addition, websites often change, so cloning a website will give you the latest version that your victim will expect to see.

Input local IP and the site to clone
When you select the appropriate option, you will be prompted to enter the IP address of the interface that SET should listen on. If you have multiple interfaces, you should enter the IP address of your Internet-facing interface, or the victims might have problems accessing your Raspberry Pi attack server.
If you selected [...] under Credential Harvester Attack Method, you will need to enter the full URL of the site that you want to clone, such as https://www.facebook.com. If you select a website template, you will be choosing an existing template from a provided list. The following screenshot shows an example of some available templates. Note that these templates are very basic and dated, meaning they will probably not look like the real thing. This is why you should clone a site when performing a real penetration test.
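The walkthrough above hinges on one detail a defender can check for: the cloned page looks like Gmail, but its login form posts credentials to the Pi's IP address rather than to Google. The following is an added example (not from the slides or the book excerpt they quote) that audits captured login-page HTML, as a link sandbox or awareness tool might, and flags any password form whose action resolves to an IP literal or to a host outside the expected domain. The HTML, the page URL 192.0.2.10 and the expected domain are constructed for the example.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed HTML standing in for a harvester page: it looks like a Gmail login, but the form posts back to its own non-Google origin.
CLONED_LOGIN = """<html><head><title>Gmail</title></head><body>
<form method="post" action="/">
  <input name="Email" type="text">
  <input name="Passwd" type="password">
  <input type="submit" value="Sign in">
</form></body></html>"""

class FormCollector(HTMLParser):
    """Record each <form>'s action and whether it carries a password field."""
    def __init__(self):
        super().__init__()
        self.forms, self._cur = [], None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._cur = {"action": a.get("action") or "", "password": False}
            self.forms.append(self._cur)
        elif tag == "input" and self._cur and (a.get("type") or "").lower() == "password":
            self._cur["password"] = True
    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True

def audit_login_page(html, page_url, expected_domain):
    """List every password form whose credentials would leave expected_domain."""
    collector = FormCollector()
    collector.feed(html)
    findings = []
    for form in collector.forms:
        if not form["password"]:
            continue
        # Resolve relative actions against the page URL, as a browser would.
        target = urljoin(page_url, form["action"])
        host = (urlsplit(target).hostname or "").lower()
        if is_ip_literal(host):
            findings.append(f"password form posts to IP literal {host}")
        elif host != expected_domain and not host.endswith("." + expected_domain):
            findings.append(f"password form posts to {host}, outside {expected_domain}")
    return findings
```

The same check passes a genuine sign-in page whose form action stays under the expected domain, so it separates the clone from the real site by where the credentials go rather than by how the page looks.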