
Social Engineering

by JL and Firasco

JL and Firasco
www.pizzaratings.com
IT-Security 1
Contents

1. Definitions of Social Engineering (SE)
2. Different types of Social Engineering
3. How a Social Engineer proceeds (6 steps)
4. Live example of Social Engineering (Movie)
5. Why is Social Engineering so successful
6. Is it ethical?

Definitions of Social
Engineering

1. Involves exploiting the trusting nature of human beings to obtain information ("human hacking")
2. The art and science of getting people to comply with your wishes
3. A collection of techniques used to manipulate people into performing actions or revealing confidential information

So now…

Raise your hand if you think you have ever been socially engineered.

Typical goals of Social
Engineering

1. Industrial spying
2. Data theft
3. Identity theft
4. Pizza4free
5. Etc.

Types of Social Engineering

1. Phishing
2. Trojan horse
3. Quid pro Quo
4. Pretexting

Types of Social Engineering:
Phishing

Types of Social Engineering:
Trojan Horse

Types of Social Engineering:
Quid pro Quo (something for something)

Types of Social Engineering:
Pretexting

How a Social Engineer
proceeds

1.) Research
Collect sufficient information about the target
that is going to be socially engineered
– Internet
– Dumpster diving

How a Social Engineer
proceeds

2.) Establish contact
– Call
– Visit in person (face-to-face)
– Mail

How a Social Engineer
proceeds

3.) Pretend, using pretexting
Be someone you are not:
– Customer
– Researcher
– Technical support
– Telephone survey

How a Social Engineer
proceeds

4.) Extract information


Use specific wording in your questions to reach
the goal:
– "Could I just see your ID, as an example?"
– "Are you generally interested in advertising
your products?"

How a Social Engineer
proceeds

5.) After getting the necessary information
Try hard not to lose the "connection":
– The target may not even know that it has been
socially engineered
– Good "connections" can always be useful
in the future, so do not mess them up

How a Social Engineer
proceeds

6.) Combine data


Combine the bits and pieces into usable data:
– Most of the time you have only asked for
small pieces of information
– A collection of superficial-looking
information can often be combined to
acquire highly sensitive data
– As a rule of thumb, roughly five pieces of superficial data
yield one piece of sensitive information

How a Social Engineer
proceeds

Summary:
1. Gather information
2. Establish contact
3. Pretend to be someone you are not
4. Work your way to the main goal
5. Keep a good relationship with the victim
6. Compile the data

Real world example of Social
Engineering (movie)

Why is Social Engineering so
successful

• A human being trusts another human up to a
certain point
• People tend to follow your instructions when they
believe you have superior knowledge
• Renders software and hardware protections
ineffective, because the attack goes through the
people who operate them rather than through the system
• Only very few companies and people are actually
aware of the dangers of Social Engineering
• We do not like to say no

Why is Social Engineering so
successful

• Flaws in human logic:
1. Cognitive biases
2. Attribution theory
3. Reactance
4. Context confusion
5. Strong affect
6. Overloading

It’s discussion time

Is it ethical?
Definition of “ethical”

• Ethics is a general term for what is often described as the "science (study) of morality". In philosophy, ethical behavior is that which is "good" or "right."

Is it ethical?

Sources

• Wiley Publishing, Inc., Social Engineering, 2nd Edition, 2007
• http://www.securityfocus.com
• http://en.wikipedia.org
• www.ethicsscoreboard.com/rb_definitions.html

Why Social Engineering is so
successful (continued)
