Re: Social Engineering Data set

From: xun dong (xundong@cs.york.ac.uk)
Date: Thu Oct 12 2006 - 18:23:42 EDT


Thanks for your suggestion. I certainly think those attacks are
instances of social engineering attacks, and I have included them in the
data set already.

CTaylor 2121 wrote:
> What about the one in which a disk or CD is left in the employee rest
> room with an enticing title written on it? Or the free software (game
> or program) that is given away at a trade-show? Both would contain
> trojans. Where would you classify those types of attacks?
>
>
> Thanks,
> C Taylor
> CTaylor2121@hotmail.com
> "Retirement is just a PowerBall away"
>
>
> ------------------------------------------------------------------------
> > From: frynge@frynge.com
> > To: xundong@cs.york.ac.uk; pen-test@securityfocus.com; security-basics@securityfocus.com
> > Subject: Re: Social Engineering Data set
> > Date: Thu, 12 Oct 2006 00:19:27 -0600
> >
> > Social Engineering Attack examples
> >
> > Social engineering attacks are usually done to exploit the laziness of
> > people, or people with good manners, or even people that want to help
> > you. This is what makes it very hard to guard against a SE attack
> > because the people involved may not realize that they are being fooled
> > and will never admit this to anyone. The SE attempts to persuade someone
> > to provide information that will allow them to use your system or
> > resources as if they were his own. This is most commonly referred to as
> > the "confidence trick".
> >
> > These are the 5 main attacks that I know of
> >
> > 1: Personal approaches including the confidence trick
> > 2: Online attacks (includes all the email phishing attacks)
> > 3: Telephone
> > 4: Waste management
> > 5: Reverse Social engineering
> >
> >
> > 1: Online Attacks
> >
> > They include:
> > A) Email threats like phishing
> > B) Confidence tricks and attacks
> > C) Online pop up attacks
> > D) Instant messaging
> >
> > Here is one example
> >
> > Pop ups or dialog boxes
> >
> > One of the most popular goals is to embed a mail engine within your
> > computer environment through which the hacker can launch phishing or
> > other e-mail attacks on other companies or individuals.
> > The phishing attack will show a hyperlink that appears to link to a
> > secure account management site, while the status bar shows that it takes
> > the user to, is the hacker's site. Hackers can suppress or reformat the
> > status bar information to whatever they want. Most people will not look
> > or know to look. This way, the hacker is given the information via a
> > neat form they have created. All this was done from a simple email, that
> > the hacker sends impersonating the company.
> >
> >
> > 2: Telephone
> >
> > Attacks on AOL
> >
> > AOL was attacked and approximately 200 accounts were compromised. It
> > was a simple human SE attack in which the hacker would talk to tech
> > support for a long time. It seemed the longer the hacker talked, the
> > more confident and friendly the employee became.
> >
> > At the point of most confidence the hacker mentions that he had a car
> > for sale at a great price. The employee had shown interest and then it
> > was as simple as sending an email. The hacker then sent an email with an
> > executable trojan backdoor instead of the picture of the car. Upon
> > viewing the email it executed. The email basically said, that he may
> > have done something wrong by sending the picture, did you get it? At
> > this point the damage has already been done and the system compromised.
> >
> > This trojan backdoor then opens a port from AOL through the firewall. It
> > was then an open door for the hacker to come back at a later date in
> > order to check out the system, gather passwords and hide the evidence.
> > This is a common way to gain entrance to a secure system. Why go through
> > all the defences created, when they let you in the backdoor :)
> >
> >
> > This next example below includes these techniques
> > 1: confidence attack
> > 2: reverse engineering
> > 3: waste management
> > 4: telephone SE attacks
> >
> > Reverse social engineering describes a situation where the TARGET will
> > offer the hacker the information. This may seem unlikely, but people of
> > authority, often receive vital personal information, such as user IDs
> > and passwords, because they are above suspicion.
> >
> > Example 2:
> >
> > A group of hackers walked into a large shipping firm and walked out with
> > the entire company's corporate network.
> >
> > What did they do?
> >
> > This technique is called the syphon. Small amounts of information, can
> > be useless, but to a hacker, bit by bit, you can collect a large portion
> > of the puzzle. The key is to gather this from different employees.
> >
> > You will see as in the last example, it's not through the bars of the
> > prison they come, but through its weakness, which is its employees.
> >
> > First, there was a small period of data collecting on the company.
> > Calling, going through trash that is set outside. (waste management)
> > They also need to get familiar with the roles, they must know who they
> > are dealing with. It is very important to become the person or become
> > your role. They had learned key employees' names by simply calling the
> > company and inquiring about shipping and receiving (telephone SE
> > attacks). Next, they pretend to lose their key to the front door and as
> > simple as that, they are in the front door :) (confidence SE attacks)
> >
> > Then they lost their identity badges when entering a very secure area,
> > they just smiled, were very calm and a friendly employee let them right
> > in. Most will not assume you shouldn't be there or you're not who you
> > say you are. (again confidence or personal SE attacks)
> >
> > The hackers already had known previously, that the CFO was out of town,
> > so they knew which offices to enter beforehand. They went in to obtain
> > financial data off his computer. They went through the trash which is a
> > very common practise and you would be surprised what you can find in the
> > trash, the people do not shred. (waste and trash management) After
> > getting all types of useful documents, they asked a janitor for a
> > garbage pail and then placed all the data in this and carried it
> > straight out of the building with permission.
> >
> > The hackers had talked previously to the CFO and knew his voice and
> > mannerisms. So they then called up, pretending they were the CFO in a
> > hurry, and desperately needed the network password. From there, they
> > used regular hacking techniques and tools to gain super user access to
> > the system, with not one person the wiser. (telephone reverse
> > engineering attacks)
> >
> > In this case, the "hackers" were network consultants performing a
> > security audit for the CFO without any other employees' knowledge. They
> > were never given any privileged information from the CFO but were able
> > to obtain all the access they wanted through social engineering. (This
> > story was recounted by Kapil Raina, currently a security expert at
> > Verisign and co-author of mCommerce Security: A Beginner's Guide, based
> > on an actual workplace experience with a previous employer.)
> >
> > Security is all about trust. Trust in protection and authenticity.
> > Generally agreed upon as the weakest link in the security chain, the
> > natural human willingness to accept someone at his or her word, leaves
> > many of us vulnerable to attack.
> >
> > Kelly Sigethy
> > http://www.frynge.com
> >
> > ----- Original Message -----
> > From: "xun dong" <xundong@cs.york.ac.uk>
> > To: <pen-test@securityfocus.com>; <security-basics@securityfocus.com>
> > Sent: Wednesday, October 11, 2006 4:31 AM
> > Subject: Social Engineering Data set
> >
> >
> > > Hello list;
> > >
> > > I am currently doing research on Social Engineering Attacks. Unlike
> > > the technical hack, I found that there are few useful and well
> > > documented SE attack examples on the Internet. So I decided to create
> > > a data set for SE attacks, and I am willing to publish it for free on
> > > the Internet.
> > >
> > > However, I think only my own experience would not be able to make this
> > > dataset as comprehensive as possible. So I would like to ask for help
> > > on this list. If you think you have SE attack examples, you can email
> > > me. Of course for confidentiality reasons you should not use the real
> > > name in your example. If you don't mind I will also publish your name
> > > along with the example you provided. Thanks a lot in advance. I hope
> > > this could be a step forwards in protecting against SE attacks.
> > >
> > > --
> > > Xun Dong
> > > Research Associate
> > > Department of Computer Science
> > > University of York
> > >
> > >




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:11 EDT