SOCIAL ENGINEERING: THE ART OF HUMAN HACKING Mohammed Asad Hashmi
[email protected] School of Electronics and Computer Science, University of Southampton
use of social networking websites, lots of information about a person can be gathered from social networking websites (SNS). Moreover SNSs provide data in machine readable form, thus helping the automation of attacks. [2]. Social engineering attacks have a high success rate due to limited education and meagre awareness regarding social engineering [3].
Abstract Uses of antivirus programs and anti spyware programs, protect our data and provides security from hackers and their technical expertise. But now hackers have advanced their skill, now they not only rely and use their technical skills but also utilize and exploit human skills to con. Now they study human habits and behaviour to exploit their weaknesses in order to gain access to information way easier and cheaper, and thus are termed as social engineers. This technical report looks deep into the working of social engineering, how is social engineering so successful? What methods do social engineers employ to exploit a victim? And then we look into the research being done to detect and defend against this attack.
2. Impact of social engineering attacks A Social Engineering attack can have a high impact on an organization. A single attack can drain out millions of dollars spent on firewalls, security policies, secure routers and all other such guards. [4]. A single successful attack makes the system penetrable and can be used to achieve different goals. Therefore social engineers do not “burn” their sources, as an undetected Social Engineering attack can be used repeatedly for different goals.[4].According to U.S Federal Trade Commission (FTC) , social engineering – related issues cost individuals and business approximately $52.6 billion in 2004 and it approximately effects 10 million Americans each year.[5]. White house has blocked access to twitter website for undisclosed reasons, though President Barack Obama is known to have two twitter accounts. Researchers say this has been done for privacy control, the staff members in white house might use this site in order to provide information over the website which might turn out be exploited. [6]. An individual‟s information can easily be obtained nowadays from their profiles over a social networking website. The design of social networking websites allure users to enter more information into their profiles and in turn create a more valuable data pool to generate more profits [7][16].This is one the main weapons of an attacker in the information gathering phase of an attack. Furthermore social
1. Introduction Security is not a technological problem anymore. Earlier use of antivirus and firewall programs enhanced the security of the organization to a mighty level. But that is not the case anymore, meagre use of antivirus and firewall programs is not enough for the security of an organization. Developers continually invent and enhance security technologies making it difficult to exploit technical vulnerabilities. What remains easily exploitable is the human element [1]. Cracking the human element is easy, requires just a phone call and has minimal risk [1]. Social engineering is the art of exploiting the human factor of security. Victims are deceived to let in confidential information to the attackers or perform malicious actions [2]. Social engineering usually starts with acquiring background information of the target. The initial information is gathered via phone calls, dumpster diving etc. But now due to emerging
1
networking‟s websites help in the automation of attacks, by maintaining data in machine readable format [18]. The goal of automation is to reduce the time spent on information gathering by a human, as developing and maintaining a rapport with the victim is a time consuming task and hence the attack becomes expensive [7]. Tools such as “Social Engineering Toolkit” make it easy for the attacker to automate an attack with any preferred method [15].
f)
3. Types and skills of Social engineering Attacks
can contain personal information, credit card details or company‟s organizational chart which aids in the information gathering for an attack. Phishing: Phishing is the technique of attempting to gain information such as passwords, usernames, credit card numbers etc. by masquerading as an authorized and trustworthy entity. An exact of replica of a website of an authorized firm is made and the user is persuaded and trick into entering valuable information, which the attacker utilizes for personal benefits.
g) Phone Phishing ( Vishing )
Attacks are direct (face to face) or indirect with the use of technology and electronic media. Here we evaluate some of them. [19][13] a) Hoaxing: Attempt to trick someone into believing something false to be real. This results in taking a rash decision to due to the fear of an untoward accident. The attacker takes advantage of this fear developed and eludes the victim into performing an action which the attacker wants. b) Impersonating staff: A scenario is created by impersonating as someone from inside the company in order to gain confidential information from the target or persuade to perform malicious actions usually via telephone or email. c) Intimidation tactics The attacker pretends to be someone from a high authority, someone important, an inspector from the government, as someone who can instil fear into the regular working employees of the organization. He already comes yelling and in a furious way to make an entrance and threatens to fire the employee if the employee doesn‟t provide the information at the instance. The employee, scared, provides all the information without any thought for authorization. d) Creating Confusion: This tactic involves creating a problem to take advantage. Such as setting off the alarm, so that everyone vacates the premises without logging off their sessions. Thus logged-on session is used by the attacker for exploitation. e) Dumpster Diving: Office documents or mails which are thrown away without being totally ripped off or shredded, are a great source of information for social engineering attackers. It
Vishing is the practice of leveraging IP-based voice messaging technologies (primarily Voice over Internet Protocol, or VoIP) to socially engineer the intended victim into providing personal, financial or other confidential information for the purpose of financial reward. The term “vishing” is derived from a combination of “voice” and “phishing. [29][30].
4. Defending against social engineering attacks User education is the most powerful defence against social engineering attacks backed up by strong and clear policies.[13][14][17] With limited strictly controlled scientific studies on social engineering, we need to have conceptualize social engineering attacks so as to detect them.[12] We discuss ways to detect and prevent social engineering attacks.
4.1SEADM – Social engineering detection model
attack
We hereby discuss social engineering detection model (SEADM) [8] as illustrated in Figure 1[8]. It is often difficult for an individual to make rational decisions in a limited time frame. With the complexity of the attack and the skill of the social engineer, an individual can only make an educated guess regarding the likelihood of an attack. What an individual would need is a predefined set of guidelines to determine the likelihood of an attack. This model suggests a practical application model to determine if a social engineering attack is being
2
performed. [8] The model specifies a set of guidelines in the form of a flowchart in order to determine an attack. Though it is said to detect, there is more of prevention involved, because by any means if it is felt that there is a level of discomfort in providing the required information, it is advised to elevate the request. [8]
(POI) with both written and oral conversations with the help of ontological semantics [9].The person of interest (POI) is the attacker who gathers information for the attack. This system understands Natural language (NL) text to extract and calculate
4.2 OST (Ontological Semantic Technology) We discuss here a computational system for detection and automatic extraction of hidden semantic information from verbal output of a person of Interest
3
check if use of neural networks can be useful for the same. ii) Extracting Features from the call – This stage identifies certain attributes and features from the phone call or the caller which would help the system to easily identify whether is it an SE attack. This is done by identifying keywords, which are used in numerical training vectors to be used for neural network learning, fed for neural network processing. iii)Feed features to NN(Neural Networks) – Matlab NN toolbox is used for this process. The extracted information is fed into with the appropriate data tuning and a minimum training error is sort after. Training error determines the ability of the NN box to detect SE attacks. [11] Drawbacks: Carried out on an experimental data set and not real case scenarios. Heavy cost involved to integrate this model into all call centres.
information that POI gives away unintentionally. For example suppose the POI, in one conversation mentions that he went to Florida on vacation, and in another mentions “The Birth of Venus” was worth seeing. The system detects the contradiction in the conversation by understanding natural language and with the help of access to an encyclopaedia and specific knowledge about paintings. (“The Birth of Venus” is in Florence, Italy, not Florida). OST consists of repositories of linguist knowledge and repositories of world used to disambiguate different meanings of words and sentences. They contain language independent knowledge and concept, one lexicon per language which is used to represent their meaning along with the Proper Name Dictionary (PND), which contains names of people, organizations, countries etc. along with their description, interlinking them with other PND entries. (StAn), Semantic Text Analyzer is software that produces text meaning representations (TMRs) from text that it processes. The TMRs are fed into InfoStore, a knowledge resource of Ontological semantic technology, from which information is processed and reasoned according to the requirements to be determined which in our case is to detect contradictions in conversations. [9]
4.4 A Multi-layered defence against Social Engineering David Gragg in [13] has defined a multi-layered defence mechanism against social engineering. Due to the defence being multi-layered there is a strong chance that the attack gets detected in anyone of the layers, even if it manages to get through some of them. The security policies are made such that they address numerous areas in order to be a foundation for social engineering, such as access controls; setting up accounts, access approval etc.
4.3 Social attacks detection using Neural
Networks
5. CONCLUSION Social engineering attacks are widespread and very difficult to detect as the engineers are skilled and possess various effective techniques. People have limited knowledge about the attacks due to which the attacks go unnoticed. Though some feel that as it involves human factor there are limited ways to identify an attack and defend against it, new ways are being discussed about as described in this report. We also look into applying artificial intelligence for the detection and prevention of these attacks, which has not been looked into for the same. Though prevention and defence mechanisms are being sought, the best solution is to educate people about it and define strong and clear policies. [13] [14] [17] Conducting awareness and education programs in the organization, and that being checked by auditing programs to monitor policy compliance, so as to prevent and reduce the impact of social engineering.
Figure 2 The term “Neural Networks” refers to the computational model which depicts the biological neurons in the human brain. [10]. A neural node is programmed to act as a biological neuron. This model works in 3 steps in figure 2.[10] i)Benchmark Data – A data set was generated by [8]Dr.Marcus Rogers, in Cyber Forensics Program at Purdue University who proposed a solution which relies on computer systems to analyze telephonic conversations to detect if the receiver is being deceived. Here benchmark data is used in order to
4
References the 2010 workshop on New security paradigms.Pages 115-128
1. Hacking Human: Data-Archaeology and Surveillance in Social Networks. Jason Nolan and Michelle Levesque ACM SIGGROUP Bulletin – Special issue on virtual communities Volume 25 Issue 2, February 2005, Pages 33-37
9. V. Rao and H. Rao, “C++ Neural Networks and Fuzzy Logic”, MIS Press, New York, 1993.
2. Towards Automating Social Engineering Using Social Networking Sites Huber, M.; Kowalski, S.; Nohlberg, M.; Tjoa, S.; This paper appears in: Computational Science and Engineering, 2009. CSE '09. International Conference on Issue Date: 29-31 Aug. 2009 On page(s): 117 - 124
10. Social Engineering Detection using Neural Networks. Sandouka, H.; Cullen, A.J.; Mann, I.; This paper appears in: CyberWorlds, 2009. CW '09. International Conference on Issue Date: 7-11 Sept. 2009 On page(s): 273 - 278
3. The use of formal social engineering techniques to identify weaknesses during a computer vulnerability competition . Derek Kyedar , Michael nettis , Steven P. Fulton .Journal of computing sciences in colleges Volume 26 Issue 2 ,December 2010 Pages 80-87
11. A Framework for Conceptualizing Social Engineering Attacks. Jose J. Gonzalez, Jose M. Sarriegi and Alazne Gurrutxaga Critical Information Infrastructures Security First International Workshop, CRITIS 2006, Samos, Greece, August 31 - September 1, 2006. Revised Papers
4. Social Engineering: The “Dark Art”. Tim Thornburgh.InfoSecCD 2004 Proceedings of the 1st annual conference on Information security curriculum development. Pages 133-135
12. An attack vector for deception through persuasion used by hackers and crackers. Hasan, M.I.; Prajapati, N.B.; This paper appears in: Networks and Communications, 2009. NETCOM '09. First International Conference on Issue Date: 27-29 Dec. 2009 On page(s): 254 - 258
5. An Investigation of Heuristics of Human Judgment in Detecting Deception and Potential Implications in Countering Social Engineering. Tiantian Qi; This paper appears in: Intelligence and Security Informatics, 2007 IEEE Issue Date: 23-24 May 2007 On page(s): 152 - 159
13. Preventing Social Engineering in Ubiquitous Environment. Nyamsuren, E.; Ho-Jin Choi; This paper appears in: Future Generation Communication and Networking (FGCN 2007) Issue Date: 6-8 Dec. 2007 On page(s): 573 - 577
6. Analysis of a Social Engineering Threat to Information Security Exacerbated by Vulnerabilities Exposed Through the Inherent
14. Social Engineering Toolkit - A Systematic Approach to Social Engineering. Pavkovic, N.; Perkov, L.; This paper appears in: MIPRO, 2011 Proceedings of the 34th International Convention Issue Date: 23-27 May 2011 On page(s): 1485 - 1489
Nature of Social Networking Websites. David mills InfoSec 2009 Information Security Curriculum Development Conference .Pages 139-141. 7. Social Engineering Attack Detection Model: SEADM. Bezuidenhout, M.; Mouton, F.; Venter, H.S.; This paper appears in: Information Security for South Africa (ISSA), 2010 Issue Date: 2-4 Aug. 2010 On page(s): 1 - 8
15. Cheap and Automated Socio-Technical Attacks based on Social Networking Sites. Markus Huber,Martin Mulazzani,Sebastian crittwieser,Edgar Weippl. AISec 2010 Proceedings of the 3rd ACM workshop on Artificial intelligence and security. Pages 61-64
8. Ontological Semantic Technology for Detecting Insider Threat and Social Engineering. Victor Ruskin and Julia M. Taylor. NSPW 20120 Proceedings of
16. Social Engineering in Information Assurance Curricula. Douglas P. Twitchell. InfoSecCD '06
5
‟04 : Proceedings of the 5th conference on Information technology education.Pages 177-181
Proceedings of the 3rd annual conference on Information security curriculum development. Pages 191-193.
24. Two methodologies for physical penetration testing using social engineering .Trajce Dimkov, André van Cleeff, Wolter Pieters, Pieter Hartel. ACSAC‟10:Proceedings of the 26th Annual Computer Security Applications Conference.Pages 399-408
17. Data Retrieval from Online Social Network Profiles for Social Engineering Applications. Alim, S.; Abdul-Rahman, R.; Neagu, D.; Ridley, M.; This paper appears in: Internet Technology and Secured Transactions, 2009. ICITST 2009. International Conference for Issue Date: 9-12 Nov. 2009 On page(s): 1 - 5
25. Social engineering: a serious underestimated problem.Guido Rößling, Marius Müller.ITiCSE ‟09:Proceedings of the 14th annual ACM SIGCSE conference on Innovation and technology in computer science education.Pages 384-384
18. Case study on social engineering techniques for persuasion. Mosin Hasan, Nilesh Prajapati, Safvan Vohara. International journal on applications of graph theory in wireless ad hoc networks and sensor networks 2.2 (2010) Pages: 17-23
26. The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders and Deceivers by Kevin D. Mitnick and William L. Simon . ISBN: 978-0764569593.Wiley
19.Social engineering based attacks : Model and new Zealand perspective. Proceedings of the International Multiconference on Computer Science and Information Technology pp. 847–853
27. K. Mitnick, W.L. Simon, “The Art of Deception: Controlling the Human Element of Security”, John Wiley and Sons, October 2002
20. Security Analysis of Information Systems taking into account Social Engineering Attacks. Kotenko, I.; Stepashkin, M.; Doynikova, E.; This paper appears in: Parallel, Distributed and NetworkBased Processing (PDP), 2011 19th Euromicro International Conference on Issue Date: 9-11 Feb. 2011 On page(s): 611 - 618
28.The Vishing Guide, G Ollmann - IBM Global Technology Services, 2007 29.Vishing. Slade E. Griffin, Casey C. Rackley .InfoSecCD ‟08 Proceedings of the 5th annual conference on Information security curriculum development.Pages 33-35 .
21. Hacking tricks toward security on network environments. Tzer-Shyong Chen; Fuh-Gwo Jeng; Yu-Chia Liu; This paper appears in: Parallel and Distributed Computing, Applications and Technologies, 2006. PDCAT '06. Seventh International Conference on Issue Date: Dec. 2006 On page(s): 442 - 447
30. Phishing: Phishing. Anti-phishing software, Confidence trick, E-mail spoofing, Pharming, Social engineering (security), Vishing, Transport Layer Security, Phreaking, Copyright infringement of software ,John McBrester, Frederic P. Miller , Agnes F. Vandome . Alpha Press
22. A Low-cost Secure Schemes for Authentications and Access Control with the Use of Multiple Public IC Cards. Kuo-Yi Chen; Chin-Yang Lin; Ting-Wei Hou; This paper appears in: Advanced Computer Theory and Engineering (ICACTE), 2010 3rd International Conference on Issue Date: 20-22 Aug. 2010 On page(s): V3-609 - V3-613
31. A social-engineering-centric data collection initiative to study phishing Federico Maggi,Alessandro Sisto,Stefane Zanero. BADGERS „11 Proceedings of the First Workshop on Building Analysis Datasets and Gathering Experience Returns for Security. Pages 107-108
23. The urgency for effective user privacy-education to counter social engineering attacks on secure computer systems .Gregory L. Orgill, Gordon W. Romney, Michael G. Bailey, Paul M. Orgill . CITC5
6