SOCIAL ENGINEERING

by Adriano Sala on 15 May 2015


Transcript of SOCIAL ENGINEERING

SOCIAL ENGINEERING
WHAT IS SOCIAL ENGINEERING?
Social engineering uses influence and persuasion to deceive people, either by convincing them that the social engineer is someone they are not, or by manipulation. As a result, the social engineer is able to take advantage of people to obtain information, with or without the use of technology.
TECHNIQUES
All social engineering techniques are based on specific attributes of human decision-making known as cognitive biases.
These biases, sometimes called "bugs in the human hardware", are exploited in various combinations to create attack techniques, some of which are listed below. In social engineering, these attacks can be used to steal employees' confidential information.
Pretexting
Diversion
Phishing
IVR or Phone phishing
Baiting
Quid pro quo
Tailgating
Shoulder surfing
Pretexting: also known in the UK as blagging, pretexting is the act of creating and using an invented scenario to engage a targeted victim in a manner that increases the chance the victim will divulge information or perform actions that would be unlikely in ordinary circumstances.
Diversion theft: also known as the "Corner Game" or "Round the Corner Game".
In summary, diversion theft is a "con" exercised by professional thieves, normally against a transport or courier company. The objective is to persuade the persons responsible for a legitimate delivery that the consignment is requested elsewhere, hence "round the corner".
Phishing: a technique of fraudulently obtaining private information. Typically, the phisher sends an e-mail that appears to come from a legitimate business (a bank, or a credit card company) requesting "verification" of information and warning of some dire consequence if it is not provided. The e-mail usually contains a link to a fraudulent web page that seems legitimate, with company logos and content, and has a form requesting everything from a home address to an ATM card's PIN.
IVR or phone phishing: uses a rogue interactive voice response (IVR) system to recreate a legitimate-sounding copy of a bank or other institution's IVR system. The victim is prompted (typically via a phishing e-mail) to call in to the "bank" via an (ideally toll-free) number provided in order to "verify" information. A typical system will reject log-ins continually, ensuring the victim enters PINs or passwords multiple times, often disclosing several different passwords. More advanced systems transfer the victim to the attacker posing as a customer service agent for further questioning.
dire consequence = disastrous consequences
rogue = dishonest / a crook
prompted = urged
Baiting: like the real-world Trojan Horse, baiting uses physical media and relies on the curiosity or greed of the victim. In this attack, the attacker leaves a malware-infected floppy disk, CD-ROM or USB flash drive in a location sure to be found (bathroom, elevator, sidewalk, parking lot), gives it a legitimate-looking and curiosity-piquing label, and simply waits for the victim to use the device.
greed = avarice
malware = viral software / malicious code
legitimate-looking and curiosity-piquing label = a label that captures/arouses curiosity
blagging = robbery / obtaining something by cunning
unlikely = would be improbable
Quid pro quo: an attacker calls random numbers at a company, claiming to be calling back from technical support. Eventually this person will hit someone with a legitimate problem, grateful that someone is calling back to help them. The attacker will "help" solve the problem and, in the process, have the user type commands that give the attacker access or launch malware.
will hit = will come across
Tailgating: an attacker seeking entry to a restricted area secured by unattended electronic access control, e.g. by RFID (radio-frequency identification) card, simply walks in behind a person who has legitimate access. Following common courtesy, the legitimate person will usually hold the door open for the attacker, or the attacker may ask the employee to hold it open for them. The legitimate person may fail to ask for identification for any of several reasons, or may accept an assertion that the attacker has forgotten or lost the appropriate identity token. The attacker may also fake the action of presenting an identity token.
unattended = unguarded
token = sign, badge
Shoulder surfing: observing an employee's private information over their shoulder. This type of attack is common in public places such as airports, airplanes or coffee shops.
WHO IS A CRACKER?
Crackers, also called black hats, are malicious people who attempt to break into a secure computer system with the intent of stealing or destroying information or disabling the system.
A cracker is someone who breaks into someone else's computer system, often over a network; bypasses passwords or licenses in computer programs; or in other ways intentionally breaches computer security.
Generally, for cracking they use tools which anyone can download from the internet or buy anywhere, but which are hard for a beginner to use.
FAMOUS GROUPS OF CRACKERS:
3DM: a Chinese group who gained popularity by cracking Dragon Age.
CIA (Crackers In Action): a group that uses IRC to communicate.
WHO IS A HACKER?

A hacker is an expert in computer systems, able to break into a protected computer network and, in general, to acquire a thorough knowledge of the system on which they operate, and then to access it or adapt it to their needs.

The prestige of a hacker is measured by his or her ability to program, multiplied by the importance of the software on which he or she works.
FAMOUS GROUPS OF HACKERS:
Anonymous is the most famous group of hackers in the world, able to affect or damage systems considered among the safest and most impenetrable in the world and to escape without leaving tracks.
Another famous group of hackers is Lizard Squad, known for attacks that disrupt services related to gaming, such as League of Legends, Destiny, Minecraft and PlayStation/Xbox servers.
HOW DO CRACKERS/HACKERS ATTACK?

DoS/DDoS: in computing, a denial-of-service (DoS) or distributed denial-of-service (DDoS) attack is an attempt to make a machine or network resource unavailable to its intended users.
A DoS attack generally consists of efforts to temporarily or indefinitely interrupt or suspend the services of a host connected to the Internet.

Cross-site scripting (XSS) is a code injection attack that allows an attacker to execute malicious JavaScript in another user's browser. Its three main forms are:
Persistent XSS
Reflected XSS
DOM-based XSS
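As an added example that is not part of the original presentation, a Python sketch of the reflected form of XSS beside its fix: a search page that reflects the user's query into HTML without encoding, and the hardened version that HTML-encodes it first. The request string and page template are constructed for the example.

```python
import html
from urllib.parse import parse_qs

# Constructed request for a search page that reflects the query back to the
# user. The value is the classic test string used in XSS training material:
# <script>alert(1)</script>, URL-encoded as a browser would send it.
CONSTRUCTED_QUERY = "q=%3Cscript%3Ealert(1)%3C%2Fscript%3E"

# Page template; the placeholder sits in an HTML text context.
PAGE = "<html><body><p>You searched for: {}</p></body></html>"


def search_term(query_string: str) -> str:
    """Extract the user-controlled 'q' parameter (parse_qs URL-decodes it)."""
    return parse_qs(query_string).get("q", [""])[0]


def render_unsafe(query_string: str) -> str:
    """Reflected XSS: the raw parameter is concatenated into the HTML, so any
    markup the user supplied becomes part of the page and is executed by the
    browser of whoever opens the link."""
    return PAGE.format(search_term(query_string))


def render_safe(query_string: str) -> str:
    """Hardened version: HTML-encode the parameter before inserting it into a
    text context, so '<' and '>' arrive as &lt; and &gt; and the browser
    treats the input as text rather than as a tag."""
    return PAGE.format(html.escape(search_term(query_string), quote=True))


def contains_live_tag(rendered: str, tag: str = "script") -> bool:
    """Check used by the test (and usable in a response-scanning rule): is an
    unencoded opening tag present in the rendered output?"""
    return f"<{tag}" in rendered.lower()


if __name__ == "__main__":
    print(render_unsafe(CONSTRUCTED_QUERY))  # tag survives: runs in the browser
    print(render_safe(CONSTRUCTED_QUERY))    # tag encoded: shown as text
```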

Notable Crackers:
Adrian Lamo: born in Boston in 1981, Lamo was called the "Homeless Hacker".
Kevin Poulsen: also known as Dark Dante, he was born in Pasadena in 1965.
Robert Tappan Morris: born in Massachusetts in 1965. In 1988 he created "the worm".
BADIR BROTHERS

These are three Israeli brothers (Ramy, Muzher, Shadde) who devoted their lives to proving they can out-think, out-program, and out-hack anyone with vision. They’ve been remarkably successful. But the most incredible thing is their blindness due to a genetic defect.

Frank Abagnale

Frank Abagnale was born in 1948.
Frank wrote hundreds of bad checks to support himself.
He became a pilot.
He then changed identity again and became a doctor in Atlanta.
He went to Montpellier, in France, and decided to live a straight life for a while.
He was arrested and served time in France, Sweden and the United States for his crimes.
Since his release in 1974, he has helped the FBI and has designed many secure checks for banks.

GEORGE HOTZ
He was born on October 2nd, 1989 in New Jersey.
Known for unlocking the iPhone and for breaching the security of the PlayStation 3.

Jonathan James
James was born on December 12th, 1983 in South Florida.

He was the first juvenile incarcerated for cybercrime in the United States.
He was 15 years old at the time of the first offense and 16 years old on the date of his sentencing.
KEVIN MITNICK
Kevin Mitnick (born on August 6, 1963) is an American computer security consultant, author, and hacker. In the mid-nineties, he was "The World's Most Wanted Hacker". Since 2000, he has been a successful security consultant, public speaker and author.
WIKILEAKS
WikiLeaks is a not-for-profit media organisation. WikiLeaks's goal is to bring important news and information to the public.
WikiLeaks provides an innovative, secure and anonymous way for sources to leak information to its journalists. One of its most important activities is publishing original source material alongside its news stories so that readers and historians can see the truth.
WikiLeaks is a young organisation that has grown very quickly, relying on a network of dedicated volunteers around the globe. Since 2007, when the organisation was officially launched, WikiLeaks has worked to report on and publish important information. The organisation also develops and adapts technologies to support these activities.
NAPSTER
In 1999, an 18-year-old college dropout named Shawn Fanning changed the music industry forever with his file-sharing program called Napster. His idea was simple: a program that allowed computer users to share and swap files, specifically music, through a centralized file server.
SURVIVE SOCIAL ENGINEERING
MALICIOUS CODE
Malicious software consists of computer programs secretly installed on your business's computers. It can either cause internal damage to a computer network, such as deleting critical files, or be used to steal passwords or disable the security software in place so that a hacker can steal customer or employee information.
- Install and use anti-virus programs, anti-spyware programs, and firewalls on all computers in your business.
- Ensure that your computers are protected by a firewall; firewalls can be separate appliances, built into wireless systems, or a software firewall that comes with many commercial security suites.
- Moreover, ensure that all computer software is up-to-date and contains the most recent patches (i.e., operating system, anti-virus, anti-spyware, anti-adware, firewall and office automation software).
STOLEN/LOST LAPTOP OR MOBILE DEVICE
Believe it or not, stolen or lost laptops are one of the most common ways businesses lose critical data. A high-profile incident, or an incident that requires a company to contact all of its customers because their financial or personal data might have been lost or stolen, can result in much higher losses due to loss of consumer confidence, damaged reputation and even legal liability.
Protect your customers’ data when transporting it anywhere on a portable device by encrypting all data that resides in it. Encryption programs encode data or make it unreadable to outsiders, until you enter a password or encryption key. If a laptop with sensitive data is stolen or lost, but the data is encrypted, it is highly unlikely that anyone will be able to read the data. Encryption is your last line of defense if data is lost or stolen. Some encryption programs are built into popular financial and database software. Simply check your software’s owner’s manual to find out if this feature is available and how to turn it on. In some cases you may need an additional program to properly encrypt your sensitive data.
SPEAR PHISHING
Spear phishing describes any highly targeted phishing attack. Spear phishers send e-mail that appears genuine to all the employees or members within a certain company, government agency, organization, or group.
The message might look like it comes from an employer, or from a colleague who might send an e-mail message to everyone in the company, such as the head of human resources or the person who manages the computer systems, and could include requests for user names or passwords. Spear phishing scams work to gain access to a company’s entire computer system.
- Employees should never respond to spam or pop-up messages claiming to be from a business or organization that they might deal with, for example an Internet service provider (ISP), bank, online payment service, or even a government agency. Legitimate companies will not ask for sensitive information via email or a link.
- In addition, if an employee receives an email that looks like it's from another employee and asks for a password or any type of account information, they shouldn't respond to it or provide any sensitive information via email. Instead, instruct the employee to contact their manager, or simply pick up the phone and contact the person who supposedly sent the email directly.
- It's important to make your employees aware of what a spear phishing attack is and to be on the lookout for anything in their inbox that looks suspicious. The best way to avoid becoming a victim of a spear phishing attack is to let everyone know it's happening before anyone loses any personal information.
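The two warning signs the bullets above describe, as an added Python example that is not part of the original presentation: a triage routine that flags mail whose display name matches internal staff but whose address is outside the company domain, or whose body asks for a password or account details, and recommends verifying by phone. The company domain, staff names and sample messages are all constructed.

```python
import re
from email.utils import parseaddr

# Assumed company domain and internal directory (constructed for the example).
COMPANY_DOMAIN = "example-corp.invalid"
STAFF_NAMES = {"Head of HR", "IT Support"}

# Requests that a genuine colleague, bank or vendor should never make by e-mail.
CREDENTIAL_REQUEST = re.compile(
    r"\b(password|passcode|user ?name|login|account (?:number|details))\b", re.I)

# Constructed sample messages, not real mail.
SAMPLE_MAIL = [
    {"from": "Head of HR <hr.head@example-corp.invalid>",
     "body": "Reminder: the benefits enrolment form is due on Friday."},
    {"from": "Head of HR <hr.head@examp1e-corp-mail.invalid>",
     "body": "Reply with your username and password so we can update payroll today."},
    {"from": "IT Support <it.support@example-corp.invalid>",
     "body": "Maintenance window tonight; no action is needed."},
    {"from": "Supplier <someone@other.invalid>",
     "body": "Could you send me your password for the ordering portal?"},
]


def analyse(message: dict) -> dict:
    """Flag a message that impersonates an internal sender or asks for credentials."""
    name, addr = parseaddr(message["from"])
    domain = addr.rsplit("@", 1)[-1].lower()
    reasons = []
    if name in STAFF_NAMES and domain != COMPANY_DOMAIN:
        reasons.append(f"display name '{name}' is internal staff but sender domain is {domain}")
    if CREDENTIAL_REQUEST.search(message["body"]):
        reasons.append("body asks for a password, user name or account details")
    return {
        "from": message["from"],
        "suspicious": bool(reasons),
        "reasons": reasons,
        # The presentation's advice: do not reply; confirm with the person by phone.
        "action": "do not reply; verify with the named sender by phone" if reasons else "none",
    }


def triage(messages: list) -> list:
    """Run the check over a batch of messages and return one result per message."""
    return [analyse(m) for m in messages]


if __name__ == "__main__":
    for result in triage(SAMPLE_MAIL):
        print(result["suspicious"], result["from"], result["reasons"])
```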
UNSECURED WIRELESS INTERNET NETWORKS
Wireless Internet networks give businesses an opportunity to streamline their networks and build out a network with very little infrastructure or wiring, but there are security risks businesses need to address while using them.
Hackers and fraudsters can gain entry to a business's computers through an open wireless Internet network and, as a result, could possibly steal customer information and even proprietary information.
60% of small businesses have open wireless networks. In addition, many other small businesses may not use strong enough wireless security to protect their systems. Not properly securing a wireless network is like leaving a business's door wide open at night.
- When setting up a wireless network, make sure the default password is changed. Most network devices are pre-configured with default administrator passwords to simplify setup, and these default passwords are easily found online.
- Moreover, make sure you encrypt your wireless network with WPA encryption. WEP (Wired Equivalent Privacy) and WPA (Wi-Fi Protected Access) both encrypt information on wireless devices.
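An added example that is not part of the presentation: two hostapd.conf fragments for a Linux access point, the WEP configuration the text names beside a WPA2-PSK configuration (WPA2 with CCMP is the current form of the WPA the text recommends; WEP is obsolete and its keys can be recovered from captured traffic, so it should not be used). Interface, SSID and key values are placeholders; the administrator password the first bullet refers to is changed in the device's own management interface, not in this file.

```ini
# --- weak: WEP (obsolete; shown only for contrast with the corrected setup) ---
interface=wlan0
ssid=ExampleBusiness
auth_algs=1
wep_default_key=0
wep_key0=PLACEHOLDER_WEP_KEY

# --- corrected: WPA2-PSK with CCMP (AES) ---
interface=wlan0
ssid=ExampleBusiness
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=PLACEHOLDER_long_random_passphrase
```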
INSIDER/DISGRUNTLED EMPLOYEE THREAT
A disgruntled employee or an insider can be more dangerous than the most sophisticated hacker on the Internet.
Depending on your business’s security policies and password management, insiders may have direct access to your critical data, and as a result can easily steal it and sell it to your competitor, or even delete all of it, causing irreparable damage.
- Divide critical functions and responsibilities among employees within the organization, limiting the possibility that one individual could commit sabotage or fraud without the help of other employees within the organization.
- Implement strict password and authentication policies.
- Be sure to change passwords every 90 days. Delete an employee’s account or change the passwords to critical systems, after an employee leaves the company.
- Perform due diligence before you hire someone.
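An added Python example, not from the original presentation, that audits an account inventory against three of the rules above: passwords older than 90 days, accounts still present for employees who have left, and one person holding a pair of duties that should be split. The accounts, leavers list, duty pairs and fixed audit date are constructed.

```python
from datetime import date

MAX_PASSWORD_AGE_DAYS = 90      # the presentation's 90-day rotation rule
AUDIT_DATE = date(2015, 5, 15)  # fixed "today" so the example is reproducible

# Assumed pairs of duties that one individual should not hold together
# (separation of duties limits what one insider can do alone).
CONFLICTING_DUTIES = [("create_vendor", "approve_payment"),
                      ("backup_admin", "audit_log_admin")]

# Constructed account inventory and HR leavers list, not real data.
ACCOUNTS = [
    {"user": "alice", "pw_changed": date(2015, 4, 20), "duties": {"create_vendor"}},
    {"user": "bob",   "pw_changed": date(2015, 1, 10), "duties": {"approve_payment"}},
    {"user": "carol", "pw_changed": date(2015, 5, 1),  "duties": {"create_vendor", "approve_payment"}},
    {"user": "dave",  "pw_changed": date(2015, 3, 1),  "duties": {"backup_admin"}},
]
LEAVERS = {"dave"}


def audit(accounts: list, leavers: set, today: date = AUDIT_DATE) -> list:
    """Return (user, finding) pairs for every rule an account violates."""
    findings = []
    for acct in accounts:
        user = acct["user"]
        # Rule: delete the account (or rotate shared secrets) when someone leaves.
        if user in leavers:
            findings.append((user, "account of a departed employee still exists: delete it"))
        # Rule: passwords are changed at least every 90 days.
        age = (today - acct["pw_changed"]).days
        if age > MAX_PASSWORD_AGE_DAYS:
            findings.append((user, f"password is {age} days old (limit {MAX_PASSWORD_AGE_DAYS})"))
        # Rule: no single person holds both halves of a critical function.
        for first, second in CONFLICTING_DUTIES:
            if {first, second} <= acct["duties"]:
                findings.append((user, f"holds conflicting duties {first} and {second}: split them"))
    return findings


if __name__ == "__main__":
    for user, finding in audit(ACCOUNTS, LEAVERS):
        print(f"{user}: {finding}")
```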
CASE STUDIES
In January 2015, Anonymous released a video and a statement via Twitter condemning the attack on Charlie Hebdo: