Re: Social Engineering Data set

[xun dong <xundong () cs york ac uk>]

Thanks for your suggestion. I certainly think those attacks are 
instances of social engineering attacks, and I have included them in the 
data set already.

CTaylor 2121 wrote:
> What about the one in which a disk or CD is left in the employee rest 
> room with an enticing title written on it?  Or the free software (game 
> or program) that is given away at a trade-show?  Both would contain 
> trojans.  Where would you classify those types of attacks?
>
>
> Thanks,
> C Taylor
> CTaylor2121 () hotmail com <mailto:CTaylor2121 () hotmail com>
> "Retirement is just a PowerBall away"
>
>
> ------------------------------------------------------------------------
> > From: frynge () frynge com
> > To: xundong () cs york ac uk; pen-test () securityfocus com; 
> security-basics () securityfocus com
> > Subject: Re: Social Engineering Data set
> > Date: Thu, 12 Oct 2006 00:19:27 -0600
> >
> > Social Engineering Attack examples
> >
> > Social engineering attacks are usually done to exploit the laziness of
> > people, or people with good manners, or even people that want to 
> help you.
> > This is what makes it very hard to guard against a SE attack because 
> the
> > people involved may not realize that they are being fooled and will 
> never
> > admit this to anyone. The SE attempts to persuade someone to provide
> > information that will allow them to use your system or resources as 
> if they
> > were his own. This is most commonly referred to as the "confidence 
> trick".
> >
> > These are the 5 main attacks that I know of
> >
> > 1: Personal approaches including the confidence trick
> > 2: Online attacks (includes all the email phishing attacks)
> > 3: Telephone
> > 4: Waste management
> > 5: Reverse Social engineering
> >
> >
> > 1: Online Attacks
> >
> > They include:
> > A) Email threats like phishing
> > B) Confidence tricks and attacks
> > C) Online pop up attacks
> > D) Instant messaging
> >
> > Here is one example
> >
> > Pop ups or dialog boxes
> >
> > One of the most popular goals is to embed a mail engine within your 
> computer
> > environment through which the hacker can launch phishing or other 
> e-mail
> > attacks on other companies or individuals.
> > The phishing attack will show a hyperlink that appears to link to a 
> secure
> > account management site, while the status bar shows that it takes 
> the user
> > to, is the hacker's site. Hackers can suppress or reformat the 
> status bar
> > information to whatever they want. Most people will not look or know to
> > look. This way, the hacker is given the information via a neat form 
> they
> > have created. All this was done from a simple email, that the hacker 
> sends
> > impersonating the company.
> >
> >
> > 2: Telephone
> >
> > Attacks on AOL
> >
> > Aol was attacked and approximately 200 accounts were compromised. It 
> was a
> > simple human SE attack in which the hacker would talk to tech 
> support for a
> > long time. It seemed the longer the hacker talked, the more 
> confident and
> > friendly the employee became.
> >
> > At the point of most confidence the hacker mentions that he had a 
> car for
> > sale at a great price. The employee had shown interest and then it 
> was as
> > simple as sending an email. The hacker then sent an email with an 
> executable
> > trojan backdoor instead of the picture of the car. Upon viewing the 
> email
> > it executed. The email basically said, that he may have did 
> something wrong
> > by sending the picture, did you get it? At this point the damage has
> > already been done and the system compromised.
> >
> > This trojan backdoor then opens a port from AOL through the 
> firewall. It
> > was then an open door for the hacker to come back at a later date in 
> order
> > to check out the system, gather passwords and hide the evidence. 
> This is a
> > common way to gain entrance to a secure system. Why go through all the
> > defences created, when they let you in the backdoor :)
> >
> >
> > This next example below includes these techniques
> > 1: confidence attack
> > 2: reverse engineering
> > 3: waste management
> > 4: telephone SE attacks
> >
> > Reverse social engineering describes a situation where the TARGET 
> will offer
> > the hacker the information. This may seem unlikely, but people of
> > authority, often receive vital personal information, such as user 
> IDs and
> > passwords, because they are above suspicion.
> >
> > Example 2:
> >
> > A group of hackers walk in to a large shipping firm and walked out 
> with the
> > entire companies corporate network.
> >
> > What did they do?
> >
> > This technique is called the syphon. Small amounts of information, 
> can be
> > useless, but to a hacker, bit by bit, you can collect a large 
> portion of the
> > puzzle. The key is to gather this from different employees.
> >
> > You will see as in the last example, its not through the bars of the 
> prison
> > they come, but through its weakness, which is its employees.
> >
> > First, there was a small period of data collecting on the company. 
> Calling,
> > going through trash that is set outside. (waste management) They 
> also need
> > to get familiar with the roles, they must know who they are dealing 
> with.
> > It is very important to become the person or become your role. They had
> > learned key employees' names by simply calling the company and 
> inquiring
> > about shipping and receiving (telephone SE attacks). Next, they 
> pretend to
> > lose their key to the front door and as simple as that, they are in the
> > front door :) (confidence SE attacks)
> >
> > Then they lost their identity badges when entering a very secure 
> area, they
> > just smiled, were very calm and a friendly employee let them right 
> in. Most
> > will not assume you shouldnt be there or your not who you say you are.
> > (again confidence or personal SE attacks)
> >
> > The hackers already had known previously, that the CFO was out of 
> town, so
> > they knew which offices to enter before hand. They went in to obtain
> > financial data off his computer. The went through the trash which is 
> a very
> > common practise and you would be surprised what you can find in the 
> trash,
> > the people do not shred. (waste and trash management) After getting all
> > types of useful documents, they asked a janitor for a garbage pail 
> and then
> > placed all the data in this and carried it straight out of the 
> building with
> > permission.
> >
> > The hackers had talked previously to the CFO and knew his voice and
> > mannerisms. So they then called up, pretending they were the CFO in a
> > hurry, and desperately needed the network password. From there, they 
> used
> > regular hacking techniques and tools to gain super user access to the
> > system, with not one person the wiser. (telephone reverse engineering
> > attacks)
> >
> > In this case, the "hackers" were network consultants performing a 
> security
> > audit for the CFO without any other employees' knowledge. They were 
> never
> > given any privileged information from the CFO but were able to 
> obtain all
> > the access they wanted through social engineering. (This story was 
> recounted
> > by Kapil Raina, currently a security expert at Verisign and 
> co-author of
> > mCommerce Security: A Beginner's Guide, based on an actual workplace
> > experience with a previous employer.)
> >
> > Security is all about trust. Trust in protection and authenticity. 
> Generally
> > agreed upon as the weakest link in the security chain, the natural 
> human
> > willingness to accept someone at his or her word, leaves many of us
> > vulnerable to attack.
> >
> > Kelly Sigethy
> > http://www.frynge.com
> >
> > ----- Original Message -----
> > From: "xun dong" <xundong () cs york ac uk>
> > To: <pen-test () securityfocus com>; <security-basics () securityfocus com>
> > Sent: Wednesday, October 11, 2006 4:31 AM
> > Subject: Social Engineering Data set
> >
> >
> > > Hello list;
> > >
> > > I am currently doing research on Social Engineering Attacks. 
> Unlike the
> > > technical hack, I found that there is few useful and well 
> documented SE
> > > attack examples on the Internet. So I decided to create a data set 
> for SE
> > > attacks, and I am willing to publish it for free on the Internet.
> > >
> > > However, I think only my own experience would not be able to make 
> this
> > > dataset as comprehensive as possible. So I would like to ask for 
> help on
> > > this list. If you think you have SE attack examples, you can email 
> me. Of
> > > course for confidential reason you should not use the real name in 
> your
> > > example. If you don't mind I will also publish your name along 
> with the
> > > example you provided. Thanks a lot in advance. I hope this could 
> be a step
> > > forwards in protecting against SE attacks.
> > >
> > > --
> > > Xun Dong
> > > Research Associate
> > > Department of Computer Science
> > > University of York
> > >
> > > 
> ---------------------------------------------------------------------------
> > > This list is sponsored by: Norwich University
> > >
> > > EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
> > > The NSA has designated Norwich University a center of Academic 
> Excellence
> > > in Information Security. Our program offers unparalleled Infosec
> > > management education and the case study affords you unmatched 
> consulting
> > > experience. Using interactive e-Learning technology, you can earn 
> this
> > > esteemed degree, without disrupting your career or home life.
> > >
> > > http://www.msia.norwich.edu/secfocus
> > > 
> ---------------------------------------------------------------------------
> > >
> > >
> > >
> >
> >
> > ------------------------------------------------------------------------
> > This List Sponsored by: Cenzic
> >
> > Need to secure your web apps?
> > Cenzic Hailstorm finds vulnerabilities fast.
> > Click the link to buy it, try it or download Hailstorm for FREE.
> > 
> http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
> > ------------------------------------------------------------------------
> >
>
> ------------------------------------------------------------------------
> Check the weather nationwide with MSN Search Try it now! 
> <http://search.msn.com/results.aspx?q=weather&FORM=WLMTAG>

---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence 
in Information Security. Our program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Using interactive e-Learning technology, you can earn this esteemed degree, 
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------