Topic 8: some examples and stories
2018 Kaido Kikkas. This document is dual-licensed under the GNU Free Documentation License (v1.2 or newer) and the Creative Commons Attribution-ShareAlike (BY-SA) 3.0 Estonia or newer license
Social Engineering (II909)
Kaido Kikkas
Examples
● The stories come from various sources, ranging from the beginning (sort of) to today (pictures come from Wikimedia Commons)
● Revisiting some topic 1 material too, with some additional depth gathered from subsequent topics
● In all cases, SE relies on people being too clueless or too nice
It all started in the Garden of Eden
● Social engineers are from Hell (apparently), the first of them being the Devil himself, deceiving Adam
● Methods used:
  ● Pretexting/masquerading (serpent)
  ● Persuasion (“You will not die”)
  ● Baiting (“You will get to know good and evil, just like God”)
  ● Woman-in-the-Middle attack (Eve)
https://en.wikipedia.org/wiki/Fall_of_man#/media/File:Michelangelo_S%C3%BCndenfall.jpg
Beware of the Greeks bearing gifts
● The original Trojan Horse (supposedly conceived by Ulysses)
● Methods:
  ● Baiting
  ● Persuasion (Sinon “left behind”)
  ● Ignorance/disbelief (Cassandra)
  ● Assassination (Laocoön killed after trying to warn Trojans)
  ● Escalation (30-50 men let the army in)
https://en.wikipedia.org/wiki/Trojan_Horse#/media/File:Replica_of_Trojan_Horse_-_Canakkale_Waterfront_-_Dardanelles_-_Turkey_(5747677790).jpg
The promised land in Nowhere
● Gregor MacGregor of Scotland
● Fought in Latin America early 18th c.
● The Poyais scheme 1821-37
● Convinced 250 people to move to a fictional colony in Venezuela; half of them died, and many others lost their ‘investments’
● Was welcomed as a hero back in Venezuela in 1838; after his death in 1845 he received a full military burial
https://en.wikipedia.org/wiki/Gregor_MacGregor#/media/File:General_Gregor_MacGregor_retouched.jpg
A lot of scrap metal in Paris
● Victor Lustig 1925
● Sold the Eiffel Tower for scrap. Twice.
● Second take backfired, was forced to flee to the U.S.
● Method: brilliant use of an actual long-time controversy
● Ended up in Alcatraz, died in 1947
● “Apprentice salesman” listed as occupation on death certificate
https://en.wikipedia.org/wiki/Victor_Lustig#/media/File:Victor_Lustig.jpg
Lustig’s Commandments
● Be a patient listener (it is this, not fast talking, that gets a con man his coups)
● Never look bored
● Wait for the other person to reveal any political opinions, then agree with them
● Let the other person reveal religious views, then have the same ones
● Hint at sex talk, but don't follow it up unless the other person shows a strong interest
● Never discuss illness, unless some special concern is shown
● Never pry into a person's personal circumstances (they'll tell you all eventually)
● Never boast - just let your importance be quietly obvious
● Never be untidy
● Never get drunk
Collect some toll in NYC
● Charles C. Parker
● “And if you believe that, I have a bridge to sell you”
● Sold various NY landmarks to immigrants, including the Brooklyn Bridge (“start collecting toll”)
● Methods: persuasion, pretexting, document forgery
● Died in Sing Sing in 1936
https://en.wikipedia.org/wiki/George_C._Parker#/media/File:Parker_02.png
The Pyramid
● Carlo (Charles) Ponzi 1920
● Postal coupon business financed by expansion (the pyramid or Ponzi scheme)
● Collapse cost: ~20 MUSD
● Died as a poor man in Brazil in 1949
https://en.wikipedia.org/wiki/Charles_Ponzi#/media/File:Ponzi1920.jpg
Kevin
● THE social engineer
● Greater LA bus hack at school
● Looped background ad tape to get into Pacific Telephone
● Donuts left for FBI (after an early warning alarm started to work)
● Employed by Holme, Roberts & Owen law firm in Denver as Erik Weisz
● … (seek and read by yourself)
Three blind mice
● Muzher, Shadde and Munther (Ramy) Badir, three Israeli Arab brothers born blind
● Extensive phreaking and social engineering spree in the 90s
● 44 charges in 1999, ~2M USD
● No legislation in Israel at that time
● Ramy got 47 months, Muzher 6 months of community service
https://www.wired.com/wp-content/uploads/archive/wired/archive/12.02/images/FF_84_phreaks_1.jpg
Viva Las Vegas
● Alex Mayfield and his friends, 1990s (as described by Mitnick’s The Art of Intrusion)
● Reverse-engineered the ROM of gambling machines and managed to swap it in
● Two interesting steps:
  ● Part of the object code was listed in the related patent application (in a Washington DC library)
  ● Managed to purchase a similar Japanese design in Vegas and worked out its limitations
The three (back)doors
● Back Orifice, Sub7 and NetBus (around the turn of the century)
● Classic trojan horses, no self-propagation – spread by social engineering only
● The case in Sweden
Scambaiting
● a.k.a. mugu-baiting, turning the tables on (mostly African) scammers
● Some really hilarious stories, e.g. http://scamorama.com/smurf.html
● Morally ambiguous – scamming a scammer is still a scam; OTOH, wasting his efforts is essentially good
Conclusion
● The main point to learn from stories – people are good, lazy and try to avoid conflicts
● In the land of the blind, the one-eyed man is king. So is a half-competent person in the land of the ignorant…
● SE is a dark art – it destroys faith in people :)
For further reading
● The Best of 2600: A Hacker Odyssey by Emmanuel Goldstein
● The Art of Deception, The Art of Intrusion and Ghost in the Wires by Kevin Mitnick (also The Art of Invisibility, but it is not about SE)
● Scamorama.com, 419eater.com, whatsthebloodypoint.com