Trust and The Art of Social Engineering Matt
- Slides: 27
Trust and The Art of Social Engineering Matt Williamson
In the beginning… • Physical attacks – Computers, wires, electronics, break-ins – Distributed protocols, redundancy • Syntactic attacks – Software vulnerabilities, bad crypto, Do. S – Detection and Response • Semantic attacks – The weakest link -> users – “Only amateurs attack machines; professionals target people. ”
Today’s Goals • Create our very own semantic attack • Eliminate semantic attacks altogether
Swedish Lemon Angels • • • 1. 2. 3. 1 egg 1/2 cup buttermilk 5 tsp. baking soda 1/2 tsp. vanilla 1 cup lemon juice 1 and 1/4 cups sugar 1 cup flour 3/4 cup sugar 8 tbs. melted butter preheat oven to 375 degrees. In a small bowl beat egg until foamy. Add the butter milk and the vanilla and blend well. Add the baking soda, one teaspoon at a time, sprinkling it in and beating until it is smooth. 4. Add the lemon juice all at once and blend into the mixture. 5. Scoop the mixture out of the bowl useing a spatula and spread onto a floured surface. 6. sift the flour and the sugar and work it into the mixture using your fingertips. 7. With a floured rolling pin, roll the dough out 1/32" thick, and with the tip of a sharp knife, cut out "angel" shapes and sprinkle on some sugar. 8. Brush with butter. 9. Place on ungreased baking sheet and bake for 12 minutes or until the edges curl up. 10. Let cool and serve.
What is social engineering? • “Social Engineering is a collection of techniques used to manipulate people into performing actions or divulging confidential information”
What is social engineering, cont’d • Common Attacks – Authority Attack • Fake badge or uniform • Claim a friend • Or just claim authority – Knee Jerk Attack • Outlandish statement – Persistent Attack • Continuous harassment • Guilt or intimidation
What is social engineering, cont’d • Common Attacks – Social Attack • Attend social parties • Alcohol – Fake Survey Attack • Win a free trip to Hawaii! • Just tell me your password – Help Desk Attack • Impersonate newbie
Cognitive Biases • Loss Aversion – Tendency for people strongly to prefer avoiding losses over acquiring gains • Just-World Phenomenon – Tendency for people to believe that the world is just and therefore people get what they deserve • Overconfidence Effect – The systematic tendency to overestimate one’s own abilities • Positive Outcome Bias – A tendency in prediction to overestimate the probability of good things happening to them • Illusory Correlation – Beliefs that inaccurately suppose a relationship between a certain type of action and an effect
What is social engineering? • “Social Engineering is a collection of techniques used to manipulate people into performing actions or divulging confidential information” • “social engineering is generally a hacker’s clever manipulation of the natural human tendency to trust“
What is trust? • Trust is a measure of belief in – Honesty • They told me they’d catch me – Benevolence • They don’t want to hurt me – Competence • They are capable of catching me
What is trust? • Element of risk – Something to lose • Use of legs – Lack of information • Will they catch me – Gamble • Fun, relationship • Hard to gain, easy to lose
What is trust? • Layers – Dispositional • Personality trait – Learned • Dispositional adjusted by general experience – Situational • Learned adjusted by situational factors • Information dependent – More information, the better. • Perfect information -> no need for trust
What is trust? • Heuristic vs. Systematic – Heuristic • Most obvious information • Attractiveness, halo effect – Systematic • Detailed processing • Reputation, information, credibility – Depends on • Motivation (risk) • Mental capability
Trust Design Guidelines 1. 2. 3. 4. 5. … Ensure good ease of use Use attractive design Professional image Don’t mix advertising and content “Real-world” look and feel
Trust Design Guidelines 7. Include seals of approval such as TRUSTe 10. Provide clearly stated security and privacy statements 12. Background information 14. Ensure communication remains open and responsive 15. Offer a personalized service
Jakob Nielsen’s Design Guidelines • Design quality – Professional appearance – Clear navigation – No typos • Up-front disclosure – Ex. shipping costs • Comprehensive, correct, current • Connected to the rest of the web – Links, both in and out – Inspires confidence
Build-A-Scam Workshop • Take 5 minutes to develop the cutest, most adorable plan to rob users of their passwords. – And yes, please make friends in the process.
Solutions? • How can we prevent these? – From an interface perspective? • “Cryptographic magic wands” ? – Digital signatures – Authentication – Integrity • Third Party Vouching • Same as 2 nd Attack? – Detection and Response? • WWKMD? – CSEPS • Certified Social Engineer Prevention Specialist • Law? – GLB • Pretexting of bank records = illegal
- Northern trust charitable trust
- Social thinking social influence social relations
- Social thinking social influence social relations
- Social trust
- Social trust
- Forward engineering in software engineering
- Hát kết hợp bộ gõ cơ thể
- Ng-html
- Bổ thể
- Tỉ lệ cơ thể trẻ em
- Voi kéo gỗ như thế nào
- Chụp tư thế worms-breton
- Alleluia hat len nguoi oi
- Môn thể thao bắt đầu bằng từ chạy
- Thế nào là hệ số cao nhất
- Các châu lục và đại dương trên thế giới
- Công thức tính độ biến thiên đông lượng
- Trời xanh đây là của chúng ta thể thơ
- Mật thư anh em như thể tay chân
- Làm thế nào để 102-1=99
- độ dài liên kết
- Các châu lục và đại dương trên thế giới
- Thể thơ truyền thống
- Quá trình desamine hóa có thể tạo ra
- Một số thể thơ truyền thống
- Cái miệng nó xinh thế
- Vẽ hình chiếu vuông góc của vật thể sau
- Nguyên nhân của sự mỏi cơ sinh 8