Social Engineering Abuses - PowerPoint PPT Presentation

Social Engineering Abuses Sean Toh BJ Bayha Overview What is Social Engineering? What does the survey say ? Case Studies Case 1: Kevin Mitnick Case 2: Melissa Virus ... – PowerPoint PPT presentation
Slides: 21
Provided by: Sean1157
1
Social Engineering Abuses
  • Sean Toh
  • BJ Bayha

2
Overview
  • What is Social Engineering?
  • What does the survey say ?
  • Case Studies
  • Case 1 Kevin Mitnick
  • Case 2 Melissa Virus
  • Conclusion
  • Q and A

3
Define Terms
  • Social Engineering (n)
  • Term used among experts for cracking
    techniques that rely on weaknesses in humans
    rather than software; the aim is to trick people
    into revealing passwords or other information
    that compromises a target system's security.
  • -- The Jargon File, a.k.a. The New Hacker's
    Dictionary

4
Define Terms Cont'd
  • Valid uses of Social Engineering
  • Abuses of Social Engineering
  • Computer exploits without the use of social
    engineering

5
Statistical Review
  • The FBI Uniform Crime Reports do not bother to
    survey computer crime.
  • The National Crime Victimization Survey collects
    data but does not differentiate between
    computer-related and traditional crimes.
  • "I don't think there is a good figure on that
    kind of crime. There is no definitive report
    on computer crime."
  • -- Cecil Greek, PhD.
  • Asst. Prof. of Criminology

6
What does the survey say?
  • Why do surveys not produce accurate statistics?
  • Without quantification and accurate figures, no
    recognized body can acknowledge the problem.
  • Reasons for not reporting an information leak:
  • Lack of knowledge
  • Sometimes the user does not even know that
    information has leaked.
  • Confidence factor: an institution fears that if
    news of an information leak gets out, it may
    jeopardize its image and its customers' confidence.

7
  • "Damage figures that include the retail value of
    software copied or telephone and computer
    services used by hackers are usually
    overestimates." -- A Gift of Fire, 2nd Ed.

8
Case Study 1: Kevin Mitnick
  • Habitual prankster and phone service thief.
  • Regularly switched large phone bills to victims
    and interrupted utility services.
  • Used compromised access keys to use private
    computer and phone resources.
  • Violated parole, late 1992.
  • Stole cellular phone drivers and worm code from
    Tsutomu Shimomura, December 24th, 1995.

9
Case Study 1: Kevin Mitnick
  • What is the problem?
  • Subverted corporate procedures to gain access to
    computers and resources.
  • Undermined trust in employees.
  • Major time served was for the parole violation.
  • Currently a security consultant with the FBI and
    a popular speaker on computer security.
  • No accountability for his actions.
  • There is no law that can be directly applied
    to this behavior.

10
Case Study 2: Melissa Virus
  • Written by David Smith
  • CERT Advisory, March 27, 1999
  • Exploited holes in MS Office and MS Outlook to
    propagate as an e-mail attachment.
  • Required the recipient to execute the attached
    script (disguised as an MS Word document).
  • Later variants managed to propagate themselves if
    the user merely previewed the message.

11
Case Study 2: Melissa Virus
  • What is the problem?
  • The script hijacked e-mail accounts belonging to
    trusted sources.
  • Users did not realize that unexpected and
    unverified attachments are dangerous.
  • Arrested within 7 days, due to his ego.
  • What is the cost?
  • Countless personal electronic artifacts were
    lost.
  • Again, how can we quantify these losses?

12
Similarities between the Case Studies
  • Common vector of infection: the non-technical
    user.
  • Both attacked source authentication procedures.
  • Both required intervention from internal, trusted
    users.

13
Concerns
  • Is there a law to prevent it? Is it sufficient? Or
    can a law be formulated to prevent it?
  • No cost attached.
  • Case study: Melissa Virus.
  • No legal protection from the acts of private
    citizens, but legal protection of officials from
    the government institutions that are trying to
    protect us.

14
Mitigation / Prevention
  • Educate users.
  • De-stigmatize victimization.
  • Study and quantify the problem:
  • Scope
  • Cost
  • Increase awareness of programs like FDLE/FSU's
    CyberSafety.

15
Conclusion
  • Remember the human factor in security
    installations and procedures.
  • Vigilance and user education are key elements of
    any security procedure.
  • More research has to be done to quantify the scope
    and nature of the problem.

16
Questions & Answers

17
Bibliography
  • Books
  • Sara Baase. A Gift of Fire (2nd Ed.). 2003.
    Prentice Hall. Upper Saddle River, NJ.
  • Matt Bishop. Computer Security: Art and
    Science. 2003. Addison-Wesley. Boston, MA.
  • Buck BloomBecker. Spectacular Computer Crimes.
    1990. Dow Jones-Irwin. Homewood, IL.
  • Brian D. Loader and Douglas Thomas.
    Cybercrime. 2000. Routledge. New York, NY.
  • John Markoff and Tsutomu Shimomura. Takedown.
    1996. Hyperion. New York, NY.
  • Michelle Slatalla and Joshua Quittner. Masters
    of Deception. 1995. HarperCollins. New York,
    NY.

18
Bibliography Cont'd
  • Films
  • Dimension Films. 2000. Takedown.
  • United Artists. 1995. Hackers.

19
Bibliography Cont'd
  • Websites
  • Bureau of Justice Statistics, Crime and Victims
    Statistics, http://www.ojp.usdoj.gov/bjs/cvict.htm
    (Accessed 3/2005)
  • Federal Bureau of Investigation, Uniform Crime
    Reports, http://www.fbi.gov/ucr/ucr.htm (Accessed
    3/2005)
  • J-037 W97M.Melissa Word Macro Virus,
    http://www.securityfocus.com/advisories/1178
    (Accessed 3/2005)
  • Thwarting Evil Geniuses,
    http://www.spokanejournal.com/spokane_idarticlesub2275
    (Accessed 3/2005)

20
Bibliography Cont'd
  • Personal Interviews
  • Phone interview. Cecil E. Greek, PhD. Associate
    Professor, Florida State University Criminology
    Department. 1326, 3/02/2005.
  • Personal interview. Melody McGuire.
    Participant, Florida Department of Law
    Enforcement/Florida State University
    CyberSecurity Program.