Trust and The Art of Social Engineering Matt

Trust and The Art of Social Engineering Matt Williamson

In the beginning… • Physical attacks – Computers, wires, electronics, break-ins – Distributed protocols, redundancy • Syntactic attacks – Software vulnerabilities, bad crypto, Do. S – Detection and Response • Semantic attacks – The weakest link -> users – “Only amateurs attack machines; professionals target people. ”

Today’s Goals • Create our very own semantic attack • Eliminate semantic attacks altogether

Swedish Lemon Angels • • • 1. 2. 3. 1 egg 1/2 cup buttermilk 5 tsp. baking soda 1/2 tsp. vanilla 1 cup lemon juice 1 and 1/4 cups sugar 1 cup flour 3/4 cup sugar 8 tbs. melted butter preheat oven to 375 degrees. In a small bowl beat egg until foamy. Add the butter milk and the vanilla and blend well. Add the baking soda, one teaspoon at a time, sprinkling it in and beating until it is smooth. 4. Add the lemon juice all at once and blend into the mixture. 5. Scoop the mixture out of the bowl useing a spatula and spread onto a floured surface. 6. sift the flour and the sugar and work it into the mixture using your fingertips. 7. With a floured rolling pin, roll the dough out 1/32" thick, and with the tip of a sharp knife, cut out "angel" shapes and sprinkle on some sugar. 8. Brush with butter. 9. Place on ungreased baking sheet and bake for 12 minutes or until the edges curl up. 10. Let cool and serve.

What is social engineering? • “Social Engineering is a collection of techniques used to manipulate people into performing actions or divulging confidential information”

What is social engineering, cont’d • Common Attacks – Authority Attack • Fake badge or uniform • Claim a friend • Or just claim authority – Knee Jerk Attack • Outlandish statement – Persistent Attack • Continuous harassment • Guilt or intimidation

What is social engineering, cont’d • Common Attacks – Social Attack • Attend social parties • Alcohol – Fake Survey Attack • Win a free trip to Hawaii! • Just tell me your password – Help Desk Attack • Impersonate newbie

Cognitive Biases • Loss Aversion – Tendency for people strongly to prefer avoiding losses over acquiring gains • Just-World Phenomenon – Tendency for people to believe that the world is just and therefore people get what they deserve • Overconfidence Effect – The systematic tendency to overestimate one’s own abilities • Positive Outcome Bias – A tendency in prediction to overestimate the probability of good things happening to them • Illusory Correlation – Beliefs that inaccurately suppose a relationship between a certain type of action and an effect

What is social engineering? • “Social Engineering is a collection of techniques used to manipulate people into performing actions or divulging confidential information” • “social engineering is generally a hacker’s clever manipulation of the natural human tendency to trust“

What is trust? • Trust is a measure of belief in – Honesty • They told me they’d catch me – Benevolence • They don’t want to hurt me – Competence • They are capable of catching me

What is trust? • Element of risk – Something to lose • Use of legs – Lack of information • Will they catch me – Gamble • Fun, relationship • Hard to gain, easy to lose

What is trust? • Layers – Dispositional • Personality trait – Learned • Dispositional adjusted by general experience – Situational • Learned adjusted by situational factors • Information dependent – More information, the better. • Perfect information -> no need for trust

What is trust? • Heuristic vs. Systematic – Heuristic • Most obvious information • Attractiveness, halo effect – Systematic • Detailed processing • Reputation, information, credibility – Depends on • Motivation (risk) • Mental capability

Trust Design Guidelines 1. 2. 3. 4. 5. … Ensure good ease of use Use attractive design Professional image Don’t mix advertising and content “Real-world” look and feel

Trust Design Guidelines 7. Include seals of approval such as TRUSTe 10. Provide clearly stated security and privacy statements 12. Background information 14. Ensure communication remains open and responsive 15. Offer a personalized service

Jakob Nielsen’s Design Guidelines • Design quality – Professional appearance – Clear navigation – No typos • Up-front disclosure – Ex. shipping costs • Comprehensive, correct, current • Connected to the rest of the web – Links, both in and out – Inspires confidence

Build-A-Scam Workshop • Take 5 minutes to develop the cutest, most adorable plan to rob users of their passwords. – And yes, please make friends in the process.

Solutions? • How can we prevent these? – From an interface perspective? • “Cryptographic magic wands” ? – Digital signatures – Authentication – Integrity • Third Party Vouching • Same as 2 nd Attack? – Detection and Response? • WWKMD? – CSEPS • Certified Social Engineer Prevention Specialist • Law? – GLB • Pretexting of bank records = illegal