Social Engineering Abuses - Florida State University


Sean Toh, BJ Bayha

Overview
- What is Social Engineering?
- What does the survey say?
- Case Studies
  - Case 1: Kevin Mitnick
  - Case 2: Melissa Virus
- Conclusion
- Q and A

Define Terms
Social Engineering (n): Term used among [experts] for cracking techniques that rely on weaknesses in [humans] rather than software; the aim is to trick people into revealing passwords or other information that compromises a target system's security. -- The Jargon File, aka The New Hacker's Dictionary

Define Terms (contd)
- Valid uses of Social Engineering
- Abuses of Social Engineering
- Computer exploits without the use of social engineering

Statistical Review
"FBI Uniform Crime Reports does not bother to survey computer crime. National Crime Victimization Survey collects data but does not differentiate between computer-related and traditional crimes. I don't think there is a good figure on that kind of crime. There is no definitive report on computer crime." -- Cecil Greek, PhD, Asst. Prof. Criminology

What does the survey say?
- Why do surveys not produce accurate statistics?
- Without quantification and accuracy, no recognized body can acknowledge the problem.
- Reasons for not reporting an information leak:
  - Lack of knowledge: sometimes the user does not even know that it has leaked information.
  - Confidence factor: an institution fears that if news of an information leak gets out, it may jeopardize its image and the confidence of its customers.

"Damage figures that include the retail value of software copied or telephone and computer services used by hackers are usually overestimates." -- A Gift of Fire, 2nd Ed.

Case Study 1: Kevin Mitnick
- Habitual prankster and phone service thief.
- Regularly switched large phone bills to victims and interrupted utility services.
- Used compromised access keys to use private computer and phone resources.
- Violated parole, late 1992.
- Stole cellular phone drivers and worm code from Tsutomu Shimomura, December 24th, 1995.

Case Study 1: Kevin Mitnick
What is the problem?
- Subverted corporate procedures to gain access to computers and resources.
- Undermined trust in employees.
- Major time served was for parole violation.
- Currently a security consultant with the FBI and a popular speaker on computer security.
- No accountability for his actions. There is no law that can be directly applied to this behavior.

Case Study 2: Melissa Virus
- Written by David Smith.
- CERT Advisory, March 27, 1999.
- Exploited holes in MS Office and MS Outlook to propagate as an e-mail attachment.
- Required the recipient to execute the attached script (disguised as an MS Word document).
- Later variants managed to propagate themselves if the user merely previewed the message.

Case Study 2: Melissa Virus
What is the problem?
- The script hijacked e-mail accounts from trusted sources.
- Users did not realize that unexpected and unverified attachments are dangerous.
- Arrested in 7 days due to ego.
What is the cost?
- Countless personal electronic artifacts were lost.
- Again, how can we quantify these losses?

Similarity between both Case Studies
- Common vector of infection: the non-technical users.
- Attacked: source authentication procedures.
- Both required intervention from internal, trusted users.

Concerns
- Is there a law to prevent it? Is it sufficient? Or can a law be formulated to prevent it?
- No cost attached. Case study: Melissa Virus.
- No legal protection from acts of private citizens, but legal protection of officials from the government institution that is trying to protect us.

Mitigation & Prevention
- Educate users.
- De-stigmatize victimization.
- Study and quantify the problem: its scope and its cost.
- Increase awareness of programs like FDLE/FSU's CyberSafety.

Conclusion
- Remember the human factor in security installations and procedures.
- Vigilance and user education are key elements of any security procedure.
- More research has to be done to quantify the scope and nature of the problem.

Questions & Answers

Bibliography

Books
- Sara Baase. A Gift of Fire (2nd Ed.). 2003. Prentice Hall. Upper Saddle River, NJ.
- Matt Bishop. Computer Security: Art and Science. 2003. Addison-Wesley. Boston, MA.
- Buck BloomBecker. Spectacular Computer Crimes. 1990. Dow Jones-Irwin. Homewood, IL.
- Brian D. Loader and Douglas Thomas. Cybercrime. 2000. Routledge. New York, NY.
- John Markoff and Tsutomu Shimomura. Takedown. 1996. Hyperion. New York, NY.
- Michelle Slatalla and Joshua Quittner. Masters of Deception. 1995. HarperCollins. New York, NY.

Films
- Dimension Films. 2000. Takedown.
- United Artists. 1995. Hackers.

Websites
- Bureau of Justice Statistics, Crime and Victims Statistics, http://www.ojp.usdoj.gov/bjs/cvict.htm (Accessed 3/2005)
- Federal Bureau of Investigation, Uniform Crime Reports, http://www.fbi.gov/ucr/ucr.htm (Accessed 3/2005)
- J-037: W97M.Melissa Word Macro Virus, http://www.securityfocus.com/advisories/1178 (Accessed 3/2005)
- Thwarting Evil Geniuses, http://www.spokanejournal.com/spokane_id=article&sub=2275 (Accessed 3/2005)

Personal Interviews
- Phone interview. Cecil E. Greek, PhD, Associate Professor, Florida State University Criminology Department. 13:26, 3/02/2005.
- Personal interview. Melody McGuire, Participant, Florida Department of Law Enforcement/Florida State University CyberSecurity Program.
