Trust and The Art of Social Engineering Matt Williamson

Uploaded by abner-obrien, posted 11-Jan-2016


Page 1: Trust and The Art of Social Engineering Matt Williamson

Trust and The Art of Social Engineering

Matt Williamson

Page 2

In the beginning…

• Physical attacks
  – Computers, wires, electronics, break-ins
  – Distributed protocols, redundancy

• Syntactic attacks
  – Software vulnerabilities, bad crypto, DoS
  – Detection and response

• Semantic attacks
  – The weakest link -> users
  – “Only amateurs attack machines; professionals target people.”

Page 3

Today’s Goals

• Create our very own semantic attack

• Eliminate semantic attacks altogether

Page 4

Swedish Lemon Angels

• 1 egg
• 1/2 cup buttermilk
• 5 tsp. baking soda
• 1/2 tsp. vanilla
• 1 cup lemon juice
• 1 and 1/4 cups sugar
• 1 cup flour
• 3/4 cup sugar
• 8 tbs. melted butter
• Preheat oven to 375 degrees.

1. In a small bowl, beat the egg until foamy.
2. Add the buttermilk and the vanilla and blend well.
3. Add the baking soda, one teaspoon at a time, sprinkling it in and beating until it is smooth.
4. Add the lemon juice all at once and blend into the mixture.
5. Scoop the mixture out of the bowl using a spatula and spread onto a floured surface.
6. Sift the flour and the sugar and work it into the mixture using your fingertips.
7. With a floured rolling pin, roll the dough out 1/32" thick, and with the tip of a sharp knife, cut out "angel" shapes and sprinkle on some sugar.
8. Brush with butter.
9. Place on an ungreased baking sheet and bake for 12 minutes or until the edges curl up.
10. Let cool and serve.

Page 5

What is social engineering?

• “Social Engineering is a collection of techniques used to manipulate people into performing actions or divulging confidential information”

Page 6

What is social engineering, cont’d

• Common Attacks
  – Authority Attack
    • Fake badge or uniform
    • Claim a friend
    • Or just claim authority
  – Knee Jerk Attack
    • Outlandish statement
  – Persistent Attack
    • Continuous harassment
    • Guilt or intimidation

Page 7

What is social engineering, cont’d

• Common Attacks
  – Social Attack
    • Attend social parties
    • Alcohol
  – Fake Survey Attack
    • Win a free trip to Hawaii!
    • Just tell me your password
  – Help Desk Attack
    • Impersonate newbie

Page 8

Cognitive Biases

• Loss Aversion
  – Tendency for people to strongly prefer avoiding losses over acquiring gains
• Just-World Phenomenon
  – Tendency for people to believe that the world is just and therefore people get what they deserve
• Overconfidence Effect
  – The systematic tendency to overestimate one’s own abilities
• Positive Outcome Bias
  – A tendency in prediction to overestimate the probability of good things happening to oneself
• Illusory Correlation
  – Beliefs that inaccurately suppose a relationship between a certain type of action and an effect

Page 9

What is social engineering?

• “Social Engineering is a collection of techniques used to manipulate people into performing actions or divulging confidential information”

• “social engineering is generally a hacker’s clever manipulation of the natural human tendency to trust“

Page 10

What is trust?

• Trust is a measure of belief in
  – Honesty
    • They told me they’d catch me
  – Benevolence
    • They don’t want to hurt me
  – Competence
    • They are capable of catching me

Page 17

What is trust?

• Element of risk
  – Something to lose
    • Use of legs
  – Lack of information
    • Will they catch me
  – Gamble
    • Fun, relationship
• Hard to gain, easy to lose

Page 18

What is trust?

• Layers
  – Dispositional
    • Personality trait
  – Learned
    • Dispositional adjusted by general experience
  – Situational
    • Learned adjusted by situational factors
• Information dependent
  – More information, the better.
    • Perfect information -> no need for trust

Page 19

What is trust?

• Heuristic vs. Systematic
  – Heuristic
    • Most obvious information
    • Attractiveness, halo effect
  – Systematic
    • Detailed processing
    • Reputation, information, credibility
  – Depends on
    • Motivation (risk)
    • Mental capability

Page 23

Trust Design Guidelines

1. Ensure good ease of use
2. Use attractive design
3. Professional image
4. Don’t mix advertising and content
5. “Real-world” look and feel
…

Page 24

Trust Design Guidelines

7. Include seals of approval such as TRUSTe
10. Provide clearly stated security and privacy statements
12. Background information
14. Ensure communication remains open and responsive
15. Offer a personalized service

Page 25

Jakob Nielsen’s Design Guidelines

• Design quality
  – Professional appearance
  – Clear navigation
  – No typos
• Up-front disclosure
  – Ex. shipping costs
• Comprehensive, correct, current
• Connected to the rest of the web
  – Links, both in and out
  – Inspires confidence

Page 26

Build-A-Scam Workshop

• Take 5 minutes to develop the cutest, most adorable plan to rob users of their passwords.
  – And yes, please make friends in the process.

Page 27

Solutions?

• How can we prevent these?
  – From an interface perspective?
    • “Cryptographic magic wands”?
      – Digital signatures
      – Authentication
      – Integrity
    • Third Party Vouching
      – Same as 2nd Attack?
  – Detection and Response?
    • WWKMD?
      – CSEPS
        • Certified Social Engineer Prevention Specialist
  – Law?
    • GLB
      – Pretexting of bank records = illegal
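The slide asks whether digital signatures, authentication and integrity checks can stop a semantic attack, and whether third-party vouching simply recreates the authority attack one level up. The Python below is an added illustration of that question and is not part of the slides. It uses an HMAC from the standard library as a stand-in for a digital signature (same verified / tampered / unknown-signer split, with a shared key instead of a public key); the addresses, keys and messages are constructed for the demo.

```python
"""Added illustration (not from the slides): what a cryptographic
integrity/authentication check does and does not decide.

An HMAC over the message stands in for a digital signature. Keys,
addresses and messages below are constructed for the demo.
"""
import hashlib
import hmac


def sign(key: bytes, message: bytes) -> str:
    """Authentication tag over the message (stand-in for a signature)."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify(key: bytes, message: bytes, tag: str) -> bool:
    """Constant-time comparison so a mismatch leaks nothing via timing."""
    return hmac.compare_digest(sign(key, message), tag)


def check_message(trust_store: dict, sender: str, message: bytes, tag: str) -> str:
    """Apply the 'magic wand'.

    Returns "verified", "integrity-failure" or "untrusted-sender". Note what
    is NOT among the answers: whether the trusted sender is honest or
    benevolent. The check only confirms integrity and who holds the key.
    """
    key = trust_store.get(sender)
    if key is None:
        return "untrusted-sender"
    if not verify(key, message, tag):
        return "integrity-failure"
    return "verified"


def demo() -> dict:
    """Four cases from the slide's discussion; returns the verdict for each."""
    helpdesk_key = b"helpdesk-key-constructed-for-demo"
    other_key = b"second-key-constructed-for-demo"
    trust_store = {"helpdesk@example.com": helpdesk_key}
    msg = b"Please reset your password via the internal portal."
    verdicts = {}

    # 1. Genuine message from a key the user already trusts: integrity and
    #    authentication both hold.
    verdicts["genuine"] = check_message(
        trust_store, "helpdesk@example.com", msg, sign(helpdesk_key, msg))

    # 2. Same tag, altered text: the integrity check catches the syntactic
    #    tampering.
    altered = msg.replace(b"internal portal", b"external site")
    verdicts["tampered"] = check_message(
        trust_store, "helpdesk@example.com", altered, sign(helpdesk_key, msg))

    # 3. Message from a key nobody vouched for: rejected, as it should be.
    verdicts["unknown_sender"] = check_message(
        trust_store, "it-support@example.net", msg, sign(other_key, msg))

    # 4. The vouching step itself is a human trust decision. Once a person
    #    has been persuaded to add a sender's key to the trust store, every
    #    later message from it passes with the same green tick as case 1.
    #    The cryptography is intact; the semantic attack happened earlier.
    trust_store["it-support@example.net"] = other_key
    verdicts["vouched_sender"] = check_message(
        trust_store, "it-support@example.net", msg, sign(other_key, msg))
    return verdicts


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:15s} -> {verdict}")
```

The practical point for detection and response is where the effort belongs: the cryptographic check is deterministic and cheap, while the moment a new sender or key is admitted to the trust store is the one step the wand cannot decide, so that is the step worth logging, reviewing and slowing down.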