| SOCIAL ENGINEERING | |
| . | This page
used in the following courses taught by Prof. Richardson
.
|
 |
YES THIS PAGE IS USEFUL
Nov 2011 - former UTSC student
(MGTD06
in 2008) Hasan Shahzad stopped by to talk about his work in Mutual Funds
at Royal Bank and mentioned that frequently he references material from
this page in order to educate clients as to some risk and threat situations
they should be careful about regarding identity theft and hacking.
Thanks Hasan for mentioning
this.
|
lll
 |
University of Toronto (UTM)
students Marc N. and Zain - (camera guy) in MGD 415 in March 2012 created
a kewl video in which they describe going through a McDonald's drive through
and using Social Engineering tricks to scam a free latte (all done for
"educational purposes" no doubt.
Am sure the execs at McDonald's head office know about this but they probably calculate that lost sales that may occur from "challenging" such situations outweigh the cost of complying with such requests ... so they just smile and give you the beverage. |
 |
University of Toronto (UTM)
students Wyann L. and Sol. L in MGD 415 in March 2008 created a kewl video
in which they describe several components of how Social Engineering
tricks can lead to an Identity Theft situation. If you watch the video
carefully, you can pick up on several tricky (but convincing) lies that
are told. And,,, what makes it even trickier is that the tricky lines come
from a friend - which makes it less likely the "victim" will be suspicious.
http://youtube.com/watch?v=9qKfrnXjqjc While it is sensational to talk about Identity theft happening by strangers hacking you. it is far more common for it to be committed by someone you actually know. |
 |
University of
Toronto (UTM) students Kiel D, Teh Yu H. and Ting Po H. (+ help from Gordon
L) in MGD 415 in April 2009 created a kewl video in which they describe
several components of how Social Engineering tricks can lead to compromising
a RFID access control checkpoint. If you watch the video carefully,
you can pick up on several tricky technical things done with a bit of "fakery".
WTGR says "Thanks , I can see it took a bit of time to create the "script" and plan the shoot, I appreciate your efforts" |
| Making
better passwords Protecting
|
.Social
Engineering is often used to uncover people's passwords in order to carry
out some form of identity theft - here is some "practical-tactical" information
on how to make passwords longer and easier to remember.
|
 |
Whitman explains
in Principles of Information Security, Chpt 2, p. 69
"... the process of using social skills to convince people to reveal access credentials" TR adds, usually done under stress and with the threat of an implied time limitation "... I need this in 7 minutes before our V.P. logs in before the board meeting....he's be very appreciative of your co-operation... how do you spell your name again...." |
 |
Kevin Mitnick
http://www.mitnicksecurity.com on Kevin's site he has a link to a video clip about his interview with 60 minutes in which he specifically talks about hsi social engineering skills |
| Black
Hats
Tricks Social
|
.
"Social engineering is hacker jargon for getting needed information (for example, a password) from a person rather than breaking into a system. Psychological subversion is Thunder's term for using social engineering over an extended period of time to maintain a continuing stream of information and help from unsuspecting users." from http://packetstorm.decepticons.org/docs/social-engineering/soc_eng2.html |
| Black
Hats
Tricks Social
Black Hats
Social
|
.
"The enticements of pornography, free software and security -- otherwise known as "social engineering" -- that have been common among e-mail-borne computer viruses now have spread to instant messaging (IM) and Internet Relay Chat (IRC), according to CERT, a federally funded security center based at the Software Engineering Institute of Carnegie Mellon University. CERT said it has received reports that "tens of thousands of systems have recently been compromised" using "social engineering attacks" via IRC or instant messaging. The attacks attempt to trick Internet chat users into downloading what purports to be antivirus protection, improved music downloads or pornography but is actually malicious code, the center reported. While use of social engineering among virus writers and hackers is nothing new, the IRC and IM tricks have allowed thousands of computers to be taken over and used in distributed denial-of-service (DDoS) attacks or infected with Trojan horse or backdoor programs, according to CERT." "... another trend in social engineering with IRC networks involves picking out individuals, spamming them with unsolicited messages, then offering a bogus spam solution that is actually malicious code." |
| Social
Engineering an example |
"On Friday, I received a phone call from an employment company that I know of. The representative on the phone kept asking me questions like where you live, what is your occupation and asked me for my SIN #. I gave her my number, but didn’t know the exact order of the numbers. I responded, “I don’t know the numbers” and she was like “well go check please.” Then, I thought, why is she asking me all this, when I have a file with them! I hung up. This company probably didn’t exist, but just used a popular name. Such things like this are scary because you think you’re talking to the right person, but then things get a bit fishy later. Information needs to be confidential and secured. Isn’t this an example of information intelligence? – trying to steal peoples information!" Yes, it is a good example, you should always be circumspect and suspicious when people ask you to clarify information they are already supposed to have on file. |
| Social
Engineering an
|
After last week's last, I became curious about the idea of social engineering. I ended up talking about it with one of my friend's, and he mentioned an excellent example where office workers gave away their passwords for pens. I looked it up on Google and found the article - I was both surprised and amused. Basically, a survey was distributed by the organizers of Infosecurity Europe 2003. They wanted to find out the security conscious levels of workers with regards to computer-stored company information. So, office workers where asked a series of questions, such as what their password was. 75% of the them immediately gave it! Even the CEO, after a bit of convincing, gave his password as well. It just goes to show how far a little sweet-talking and cheap pens will go. The full article can be [was] found here: http://www.theregister.co.uk/2003/04/18/office_workers_give_away_passwords/ Hope that helps, WTGR replies
The article explains
|
| Social
Engineering an
|
I read an article on Social Engineering and found it very interesting because it talked about social engineering and the use of USB keys.
WTGR replies
|
| Social
Engineering an
|
Betty emailed to say "Dear Professor Richardson, A British documentary TV show called, "The Real Hustle" demonstrates social engineering techniques like confidence tricks, distraction scams performed on the general public. I remembered during the class for this topic, you mentioned about a character in a movie easily gets through security doors by wearing the security uniform. An episode I found from the show demonstrates how a woman intends to go to a Manhatten bank's night deposit drop box and ends up giving money to the two phony security guards." |
Social
Engineering to obtain a credit card
 |
.
M emailed to say "I've been meaning to tell you about a little incident I had recently where I might have been a victim of social engineering. I wanted to make reservations at a restaurant for valentine's day so I called this restaurant I found online called "Spunti.....". It looks quite nice on the website and I liked the food on the menu. When I called the restaurant they asked me for my credit card number. I asked why? They said it's because they'll charge $85 per person if I don't show up. I had until two days before the reservation to cancel, free of charge. The man on the phone said that this ensures people will show up to dinner because the last thing they want is an empty restaurant. I honestly haven't made many restaurant reservations in my life before this and this particular restaurant was in Yorkville so I thought maybe things work a little differently there. So I was like allright, I really want to go to this place. So I gave him my credit card number. Then he asked for the expiry date and even the verification number on the back. I gave him everything. Then I hung up, texted my boyfriend that we better show up on Monday evening or I'll get charged $170 if we don't. My boyfriend replied absolutely freaking out at me for what I had just done. He couldn't call me because he was in class but he sent text after text telling me that they could be using my credit card number for all kinds of things... even online gambling. Then he told me to cancel the reservation immediately and to cancel my credit card immediately. When I called BMO to cancel my credit card, the lady on the phone said restaurants don't ask for credit card numbers and it was a good thing I cancelled my card. |
| Social
Engineering to obtain a credit card
|
M
concludes by saying
"Maybe this wasn't a scam or maybe it was. It was better to be safe than sorry. Maybe the reason why the man on the phone asked me for my information was because when he said "What is your credit card number" I was surprised and asked "Why do you need it?" but then after his explanation, I said, "Well I wouldn't really know how making dinner reservations works". He saw right there that I was inexperienced and that he could possibly take advantage of this by not only asking for my credit card number but the expiry date and verification number. Whatever the case may be, it is still ridiculous to charge $85 per person if you don't show up to your dinner reservation.." WTGR replies,
|
 |
this is a screen capture
from the video that Betty found, showing the "fake" bank guards standing
outside the "out of order" night deposit box, with their own cash box below.
As "victims" come to make deposits, the security guys tell them to put the envelope in the strong box on the pavement. |
| Social
Engineering an
|
Betty explains
"The video is found at: www.trutv.com/shows/real_hustle/index.html?pid=HhThzrgEy_ZJHAD5_LiKszdjBn8lhGFh The trick is done first (1960s) by social engineering icon, Frank Abagnale. At an interview, he suggests that especially withtoday's technology and with some companies' lack of training, it is not that much harder to surpass security compared to 40 years ago. He said, "Today banks don’t want to pay benefits, so they don’t hire full time employees, they hire part time help, and there’s very little training. So if a bank teller can’t tell me the difference between a good bill and a bad bill, then what can they tell me in the hotel lobby, or in the retail store? And because of lack of training and the ability to make the document look so good, it’s very simple to do today." Abagnale also comments "when does it become a matter of you’re giving away way too much information." People are giving too much information to banks including social security number, and in the near future, your fingerprint. For e-commerce, Abagnale suggests that it is just another form of payment, and it’s as dangerous as cash, credit card or over the phone because every system is not foolproof. He used a quote from Sherlock Holmes, ‘What one invents, one will discover.’ " |
| Social
Engineering an
|
After tuesday's class i started researching examples of social engineering and i came across this video http://www.youtube.com/watch?v=cQtQg--PB0k&feature=fvw which shows how some young boys deceived mcdonalds and collected free burgers and fries. [they lie about their order not being completed] It made me realize that social engineering is a subtle but severe crime. The best way to handle it would be to protect information, never make any exceptions for verification of information because in the video if they had not made an exception they would not have gotten away with it. They should have asked the father to bring the receipt. WTGR replies
|
|
|
CONTACT I MAIN PAGE I NEWS GALLERY I E-BIZ SHORTCUTS I INT'L BIZ SHORTCUTS I MKTG&BUSINESS SHORTCUTS I TEACHING SCHEDULE |
| . | |
MISTAKES
I TEXTS
USED I
IMAGES
I RANK
I DISCLAIMER
I STUDENT
CONTRIBUTORS I FORMER
STUDENTS I PUBLICATIONS
I  |
|
| . |
