Network Security Pen-Test
Re: Social Engineering Data set

Subject: Re: Social Engineering Data set
Date: Thu, 12 Oct 2006 23:23:42 +0100
Thanks for your suggestion. I certainly think those attacks are instances of social engineering attacks, and I have included them in the data set already.

CTaylor 2121 wrote:
What about the one in which a disk or CD is left in the employee rest room with an enticing title written on it? Or the free software (game or program) that is given away at a trade-show? Both would contain trojans. Where would you classify those types of attacks?


Thanks,
C Taylor
CTaylor2121@hotmail.com
"Retirement is just a PowerBall away"


------------------------------------------------------------------------
> From: frynge@frynge.com
> To: xundong@cs.york.ac.uk; pen-test@securityfocus.com; security-basics@securityfocus.com
> Subject: Re: Social Engineering Data set
> Date: Thu, 12 Oct 2006 00:19:27 -0600
>
> Social Engineering Attack examples
>
> Social engineering attacks are usually done to exploit the laziness of
> people, or people with good manners, or even people that want to help you.
> This is what makes it very hard to guard against a SE attack because the
> people involved may not realize that they are being fooled and will never
> admit this to anyone. The SE attempts to persuade someone to provide
> information that will allow them to use your system or resources as if they
> were his own. This is most commonly referred to as the "confidence trick".
>
> These are the 5 main attacks that I know of
>
> 1: Personal approaches including the confidence trick
> 2: Online attacks (includes all the email phishing attacks)
> 3: Telephone
> 4: Waste management
> 5: Reverse Social engineering
>
>
> 1: Online Attacks
>
> They include:
> A) Email threats like phishing
> B) Confidence tricks and attacks
> C) Online pop up attacks
> D) Instant messaging
>
> Here is one example
>
> Pop ups or dialog boxes
>
> One of the most popular goals is to embed a mail engine within your computer
> environment through which the hacker can launch phishing or other e-mail
> attacks on other companies or individuals.
> The phishing attack will show a hyperlink that appears to link to a secure
> account management site, while the status bar shows that the site it takes
> the user to is the hacker's site. Hackers can suppress or reformat the status
> bar information to whatever they want. Most people will not look or know to
> look. This way, the hacker is given the information via a neat form they
> have created. All this was done from a simple email that the hacker sends
> impersonating the company.
>
>
> 2: Telephone
>
> Attacks on AOL
>
> AOL was attacked and approximately 200 accounts were compromised. It was a
> simple human SE attack in which the hacker would talk to tech support for a
> long time. It seemed the longer the hacker talked, the more confident and
> friendly the employee became.
>
> At the point of most confidence the hacker mentions that he had a car for
> sale at a great price. The employee had shown interest and then it was as
> simple as sending an email. The hacker then sent an email with an executable
> trojan backdoor instead of the picture of the car. Upon viewing the email
> it executed. The email basically said that he may have done something wrong
> by sending the picture, did you get it? At this point the damage has
> already been done and the system compromised.
>
> This trojan backdoor then opens a port from AOL through the firewall. It
> was then an open door for the hacker to come back at a later date in order
> to check out the system, gather passwords and hide the evidence. This is a
> common way to gain entrance to a secure system. Why go through all the
> defences created, when they let you in the backdoor :)
>
>
> This next example below includes these techniques
> 1: confidence attack
> 2: reverse engineering
> 3: waste management
> 4: telephone SE attacks
>
> Reverse social engineering describes a situation where the TARGET will offer
> the hacker the information. This may seem unlikely, but people of
> authority, often receive vital personal information, such as user IDs and
> passwords, because they are above suspicion.
>
> Example 2:
>
> A group of hackers walked into a large shipping firm and walked out with the
> entire company's corporate network.
>
> What did they do?
>
> This technique is called the syphon. Small amounts of information, can be
> useless, but to a hacker, bit by bit, you can collect a large portion of the
> puzzle. The key is to gather this from different employees.
>
> You will see, as in the last example, it's not through the bars of the prison
> they come, but through its weakness, which is its employees.
>
> First, there was a small period of data collecting on the company. Calling,
> going through trash that is set outside. (waste management) They also need
> to get familiar with the roles, they must know who they are dealing with.
> It is very important to become the person or become your role. They had
> learned key employees' names by simply calling the company and inquiring
> about shipping and receiving (telephone SE attacks). Next, they pretend to
> lose their key to the front door and as simple as that, they are in the
> front door :) (confidence SE attacks)
>
> Then they lost their identity badges when entering a very secure area, they
> just smiled, were very calm and a friendly employee let them right in. Most
> will not assume you shouldn't be there or you're not who you say you are.
> (again confidence or personal SE attacks)
>
> The hackers already had known previously that the CFO was out of town, so
> they knew which offices to enter beforehand. They went in to obtain
> financial data off his computer. They went through the trash, which is a very
> common practice, and you would be surprised what you can find in the trash,
> the people do not shred. (waste and trash management) After getting all
> types of useful documents, they asked a janitor for a garbage pail and then
> placed all the data in this and carried it straight out of the building with
> permission.
>
> The hackers had talked previously to the CFO and knew his voice and
> mannerisms. So they then called up, pretending they were the CFO in a
> hurry, and desperately needed the network password. From there, they used
> regular hacking techniques and tools to gain super user access to the
> system, with not one person the wiser. (telephone reverse engineering
> attacks)
>
> In this case, the "hackers" were network consultants performing a security
> audit for the CFO without any other employees' knowledge. They were never
> given any privileged information from the CFO but were able to obtain all
> the access they wanted through social engineering. (This story was recounted
> by Kapil Raina, currently a security expert at Verisign and co-author of
> mCommerce Security: A Beginner's Guide, based on an actual workplace
> experience with a previous employer.)
>
> Security is all about trust. Trust in protection and authenticity. Generally
> agreed upon as the weakest link in the security chain, the natural human
> willingness to accept someone at his or her word, leaves many of us
> vulnerable to attack.
>
> Kelly Sigethy
> http://www.frynge.com
>
> ----- Original Message -----
> From: "xun dong" <xundong@cs.york.ac.uk>
> To: <pen-test@securityfocus.com>; <security-basics@securityfocus.com>
> Sent: Wednesday, October 11, 2006 4:31 AM
> Subject: Social Engineering Data set
>
>
> > Hello list;
> >
> > I am currently doing research on Social Engineering Attacks. Unlike the
> > technical hack, I found that there are few useful and well documented SE
> > attack examples on the Internet. So I decided to create a data set for SE
> > attacks, and I am willing to publish it for free on the Internet.
> >
> > However, I think only my own experience would not be able to make this
> > dataset as comprehensive as possible. So I would like to ask for help on
> > this list. If you think you have SE attack examples, you can email me. Of
> > course for confidential reason you should not use the real name in your
> > example. If you don't mind I will also publish your name along with the
> > example you provided. Thanks a lot in advance. I hope this could be a step
> > forwards in protecting against SE attacks.
> >
> > --
> > Xun Dong
> > Research Associate
> > Department of Computer Science
> > University of York
> >
>
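
The disguised-hyperlink trick described in the quoted post above (link text that names one site while the link leads to another) can be checked mechanically in a mail filter. The following is an added defensive example, not part of the original thread; the names `LinkAuditor`, `audit_links` and `HOSTLIKE` are hypothetical, and the sample body is constructed using reserved example domains.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
import re

# Visible link text that itself looks like a URL or a bare hostname.
HOSTLIKE = re.compile(r"^(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?:[/:?#]|$)", re.I)

class LinkAuditor(HTMLParser):
    """Collect (visible_text, href) pairs for every <a href=...> in a mail body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def audit_links(html_body):
    """Return (text, href, reason) for links whose target contradicts what is shown."""
    parser = LinkAuditor()
    parser.feed(html_body)
    findings = []
    for text, href in parser.links:
        parts = urlsplit(href)
        host = (parts.hostname or "").lower()
        shown = HOSTLIKE.match(text)
        if shown and shown.group(1).lower() != host:
            findings.append((text, href, "shown host differs from target host"))
        elif parts.username is not None:
            findings.append((text, href, "userinfo before '@' hides the real host"))
    return findings

# Constructed sample body (reserved example domains, not taken from the thread).
SAMPLE = """<p>Dear customer,
<a href="http://login.example.net/verify">https://accounts.example.com/secure</a>
<a href="http://accounts.example.com@login.example.net/">Account management</a>
<a href="https://accounts.example.com/help">accounts.example.com</a></p>"""

if __name__ == "__main__":
    print(*audit_links(SAMPLE), sep="\n")
```

Because the check compares the link text with the parsed `href` rather than with anything the mail client displays, it is unaffected by a suppressed or rewritten status bar.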

