Cyber Security 4.0 conference 30 November 2016

Social Engineering: The devil is in the details
Cyber Security 4.0, Århus, 30 November 2016, Ivano Somaini
Compass Security Schweiz AG, Ahornweg 2, CH-3012 Bern
Tel. +41 31-312 09 45, Fax +41 31-312 09 43, [email protected], www.csnc.ch

Transcript of Cyber Security 4.0 conference 30 November 2016


Compass Security Schweiz AG, www.csnc.ch

Who am I

Disclosed / Information gathered:
- Hobby: 3 years in a theater group as amateur actor
- Study: Master in Information Security at ETH Zürich
- Work: Security Analyst since 2011; responsible for SE tests at Compass Security; Regional Manager Bern since 2013


My first experience

What is Social Engineering?

"Any act that influences a person to take an action that may or may not be in their best interest."
(social-engineering.org)

"Any act that influences a person to take an action that is not in their best interest."


New attack vectors


Today I'll present you 5 social engineering tests which were successful!

Exploit 1 - Helpfulness/Authority

Mission

Goal:
- Gain access to the restricted employee area of the building
- Gain access to the internal protected area
- Steal confidential information (e.g. USB sticks, documents etc.)

Information from the customer:
- Company name
- Building address

Information Gathering

Information gathered:
- Medium-sized private bank
- No public area
- Reception with security guard
- Full-height turnstile with badge reader
- Garage entrance with badge reader
- And ...

Attack Scenario

Coffee delivery service coming every day between 07:00 and 07:30; it has access to the garage and a badge for the secondary entrance.

Insider Knowledge

Quiet Place

Tailgating / Piggybacking

Simulate phone call

Very effective to indirectly communicate/suggest:
- Authority
- Need for help
- Internal know-how / Pretexting
- Etc.

Exploit 2 - Curiousness

Curiosity killed the cat: Phishing/Baiting

Mission

Goal:
- Gain confidential information from employees through indirect attacks

Information from the customer:
- Company name

Information Gathering

Information gathered:
- Swiss bank
- 500 to 600 employees
- Mail addresses of 250 employees
- And ...

Attack Scenario

75th anniversary of the bank: time for a bonus?!?

Wrong delivery address

Exploit 3 - Holiday

Mission

Goal:
- Get the IT support company to change a firewall rule

Information from the customer:
- Company name
- Support company name
- Contact data of the responsible technician

Information Gathering

Information gathered:
- Name of the boss of the responsible technician
- And ...

Attack Scenario

(Slide image: "Ivano Somaini (SOI) - generate stress", "Upload Generation")

Other attack vector:
- Analyze social network activity
- Try to reach the target during school holidays

Pretexting

Fake e-mail conversation

(Diagram: PRETEXT + STRESS!!! = victim)

SE Equation

PRETEXT + STRESS =

Exploit 4 - BYOD

Mission

Goal:
- Gain access to the confidential data of the CEO

Information from the customer:
- Company name
- Name of the personal assistant of the CEO

Information Gathering

Information gathered:
- Mobile phone number of the CISO
- Mobile phone number of the personal assistant of the CEO

Attack Scenario

- SMS Spoofing
- Caller ID Spoofing

"Hi Martina, this morning during the evaluation of the weekly security scan result we noticed that a security hole allowed a virus to infect many machines. We are further analyzing the issue with an external company. Ivano Somaini from Compass Security will show up in 15 min at the headquarters in order to analyze your PC. I'll call you in 2 hours to give you an update. Now I've a meeting about the incident. Cheers, Karl"

Exploit 5 - Events/Festivity

Mission

Goal:
- Gain access to the secured area of the building
- Steal confidential information (e.g. USB sticks, documents etc.)

Information from the customer:
- Company name
- Building address

Information Gathering

Information gathered:
- Traditional Swiss company
- No public area
- Single point of entry
- Full-height turnstile with badge reader

Attack Scenario

Would you ask Santa Claus for an identification card? It was the 5th of December.

Unintended consequences

Conclusion

Questions?
