www.cybersecurityuae.com
Conference & Exhibition
2nd Annual CYBER SECURITY UAE SUMMIT 2013
March 18th & 19th, Dubai
Special focus on the Banking, Oil & Gas & Government Sectors
Protecting critical infrastructures: Developments, Strategies and Best Practice in Global Cyber Security. Featuring 30 top level speakers!
Featuring Cyber Security Training Workshops: how to Protect Your Organisation from Cyber Attacks
Main Sectors Covered: Transportation, Financial Services, Defense, Oil & Gas, Government, Electricity & Water
• Assess the nature of the latest threats being faced and the impact of these upon your organisation
• Discuss the most promising cyber security technologies in the marketplace
• Assess the trends to watch in global cyber security
• International Case Studies: Discover the best practice in protecting your organisation from cyber-attack
• Network with your industry peers in the comfort of a 5 star venue
• Join us for the Gala Dinner and Networking Evening and make valuable networking contacts
The only event of its kind to take place in the UAE and in the Middle East.
Speakers include:
• STEVE HAILEY, President CEO, CYBER SECURITY INSTITUTE
• USAMA ABDELHAMID, Director, UBS
• KENAN BEGOVIC, Head of Information Security, AL HILAL BANK
• AHMED BAIG, Head, Information Security and Compliance, UAE GOVERNMENT ENTITY
• ZAFAR MIR, Regional Manager Information Security Risk, HSBC BANK MIDDLE EAST
• MAHMOUD YASSIN, Lead Security & System Eng Manager, NATIONAL BANK OF ABU DHABI
• HUSSAIN ALKHASAN, IT GRC Manager, COMMERCIAL BANK OF DUBAI (UAE)
• AYMAN AL-ISSA, Digital Oil Fields Cyber Security Advisor, ABU DHABI MARINE OPERATING COMPANY
• MOHAMED ROUSHDY, Chief Information Officer, NIZWA BANK
• HESHAM NOURI, IT Manager, KUWAIT OIL COMPANY
• ASHRAF SHOKRY, Chief Information Officer, AJMAN BANK
• TAMER MOHAMED HASSAN, Information Security Specialist, UAE GOVERNMENT ENTITY
• MOSTA AL AMER, Information Security Engineer, SAUDI ARAMCO
• RIEMER BROUWER, Head of IT Security, ADCO
• BIJU HAMEED, ICT Security Manager, DUBAI AIRPORTS
• ANDREW JONES, Chairman of Information Security, KHALIFA UNIVERSITY
• AL BALUSHI BASHEER, Manager of Information Security and Systems Engineering, NATIONAL BANK OF OMAN
• NAVEED AHMED, Head of IT Security, DUBAI CUSTOMS
• MOHAMMED AL LAWATI, ICT Policy and Procedure Advisor, OMAN AIRPORTS MANAGEMENT COMPANY
• MURTAZA MERCHANT, Senior Security Analyst, EMIRATES AIRLINE
• FURQAN AHMED HASHMI; OMER SYED, Project Manager; AMR GABER, Senior Network Architect; and speakers from DUBAI STATISTICS CENTRE, EMIRATES INVESTMENT AUTHORITY and ROADS & TRANSPORT AUTHORITY
• Plus many more to be announced!
Gold Sponsor, Silver Sponsor, UAE TECH 2013, Networking Area
Hurry, exhibition space for the 30 booth exhibition is expected to sell out. For further details on exhibiting please email info@oliverkinross.com
TEL +44 (0)207 127 4501
FAX +44 (0)207 127 4503
EMAIL info@oliverkinross.com
Editor’s Note
02/2013 (11)
Hakin9 team
Editor in Chief: Ewa Dudzic ewa.dudzic@hakin9.org
Managing Editor: Ewa Duranc ewa.duranc@hakin9.org
Editorial Advisory Board: Scott Paddock, Matthew Holley, Derek Thomas, Imad Soltani, Gavin Inns
Proofreaders: Ewa Duranc, Derek Thomas, Kishore P.V.
Special Thanks to the Beta testers and Proofreaders who helped us with this issue. Without their assistance there would not be a Hakin9 magazine.
Senior Consultant/Publisher: Paweł Marciniak
CEO: Ewa Dudzic ewa.dudzic@hakin9.org
Production Director: Andrzej Kuca andrzej.kuca@hakin9.org
Art Director: Ireneusz Pogroszewski ireneusz.pogroszewski@hakin9.org
DTP: Ireneusz Pogroszewski
Publisher: Hakin9 Media, 02-682 Warszawa, ul. Bokserska 1
Phone: 1 917 338 3631
www.hakin9.org/en

Dear Hakin9 Readers,
In the second issue of Hakin9 OnDemand in 2013 we will provide you with plenty of information on cybersecurity and the safety of the Internet-based world. The newest issue of Hakin9 OnDemand is divided into a few sections. The first one, Burning Issue – megaupload.com, is devoted to Kim Dotcom. In this section one can find two articles, presenting the two sides of the coin on this burning issue. In the next section, Attack, Hakin9 OnDemand will teach you about the insider threat to cybersecurity. Thus, you will be able to control and mitigate all the threats in your organization. Furthermore, you will find out how to sharpen your hacking skills at home. This article will examine the Digital Dojo: the hacker’s home lab, the tools of the trade, and the various avenues available which may aid in growing the craft during off-hours at home. In this section you will also find the story of a successful, well-planned attack. After reading this article you will definitely know what steps could have been taken to recognize and nullify or avoid this exploit. The last section of this month’s issue is entitled Plus. Here you will find an interview with William F. Slater, III in which he discusses his story with Hakin9 magazine. In the same section you can find a press release by Digital Shield Summit. Enjoy reading!

Ewa Duranc and Hakin9 Team
Whilst every effort has been made to ensure the high quality of the magazine, the editors make no warranty, express or implied, concerning the results of content usage. All trade marks presented in the magazine were used only for informative purposes. All rights to trade marks presented in the magazine are reserved by the companies which own them.
DISCLAIMER! The techniques described in our articles may only be used in private, local networks. The editors hold no responsibility for misuse of the presented techniques or consequent data loss.
CONTENTS

BURNING ISSUE – MEGAUPLOAD.COM

The Rise and Fall of Megaupload.com and Kim Dotcom, and the Possible Implications for the Internet-based World of Piracy and Theft of Intellectual Property (page 06)
By William F. Slater, III
In January 2012 the U.S. Government took down the Megaupload.com website and then quickly filed charges against the owner, Kim Dotcom, and his colleagues for alleged “copyright infringement, conspiracy to commit money laundering, racketeering, rewarding users who uploaded pirated content for sharing, and turning a blind eye to requests from copyright holders to remove copyright-protected files.”

Kim Dotcom’s Letter to Hollywood (page 10)
By Kim Dotcom
The Internet frightens you. But history has taught us that the greatest innovations were built on rejections. The VCR frightened you, but it ended up making billions of dollars in video sales. You get so comfortable with your ways of doing business that any change is perceived as a threat. The problem is, we as a society don’t have a choice: The law of human nature is to communicate more efficiently.

ATTACK

Insider Threat to Cybersecurity – Fighting the Enemy Within (page 12)
By Arun Chauhan
This article explains insider threats to cyber security in an organisation, with real-life case examples. The author is of the opinion that organisations have a tendency to lay more emphasis on securing their perimeters and take the insider threat lightly. Further, the author believes that the processes which we implement in our organisation have a more important role to play than technology in safeguarding against insider threats, and recommends certain common guidelines / controls for mitigating this threat.

Cybersecurity Constantly Under Attack (page 16)
By RIFEC – Research Institute of Forensic and E-Crimes – Massimiliano Sembiante
Cybersecurity, crime, terrorism, attacks, wars: these and other “cyber categories” continue to be used more or less indiscriminately in many areas. This is partly attributed to the fact that the industry is evolving rapidly, as well as to the complexity resulting from the combination of information technology and communications (Information and Communication Technology, ICT) with other systems essential for sustaining the key features of modern societies (the so-called critical infrastructures).

Hacking Humans: The Story of a Successful Well-planned Social Engineering Attack (page 20)
By William F. Slater, III
This paper will review an actual incident related to a social engineering exploit, why this exploit was effective, and what steps could have been taken to recognize and nullify or avoid this exploit. The exploit that will be described involves authority, pretexting, and deception, resulting in psychological manipulation. The exploit had serious consequences, both in my personal and professional life.

The Digital Dojo: Sharpening Your Hacking Skills At Home (page 30)
By Terrance Stachowski and Michael Simbre
Ask any skilled hacker or penetration tester how they became proficient at their craft and they will likely tell you that they have spent an unbelievable amount of solitary hours hammering away at a keyboard to hone their hacking skills.

PLUS

Social Engineering: The Single Greatest Threat to Organizational Security (page 42)
By Terrance J. Stachowski, CISSP, L|PT
Security planning is an onerous, complex and continual process, largely because there exist two factions which are continually at odds with one another. Security professionals work to erect walls which provide security to an organization’s data, networks, and personnel, whereas the opposition is continually developing ways to go over, under, around or through security barriers.

Interview with William F. Slater, III (page 48)
By Ewa Duranc
I was inspired to write it because I knew that applying the concepts described in the article would help make cyberspace a little safer. The article explains how using a well-designed security compliance framework can help an organization defend against the perils of cyberattacks and cyberwarfare. As far as I know, no one has yet been bold or knowledgeable enough to take the time to write such an article for the general public.

Digital Shield Summit – Press Release (page 52)
Monday, February 18, 2013; Dubai: Ideanomics today officially announced the Emirates Identity Authority’s involvement with Digital Shield Summit 2013. H.E. Dr. Eng. Ali Mohamed Al Khouri, Emirates ID Director General, will be the Chief Guest of Honour and will be inaugurating the summit to be held on the 21st and 22nd of April in Abu Dhabi, United Arab Emirates.
BURNING ISSUE – MEGAUPLOAD.COM

The Rise and Fall of Megaupload.com and Kim Dotcom, and the Possible Implications for the Internet-based World of Piracy and Theft of Intellectual Property

In January 2012 the U.S. Government took down the Megaupload.com website and then quickly filed charges against the owner, Kim Dotcom, and his colleagues for alleged “copyright infringement, conspiracy to commit money laundering, racketeering, rewarding users who uploaded pirated content for sharing, and turning a blind eye to requests from copyright holders to remove copyright-protected files.”

Kim Dotcom and his colleagues were arrested a few hours later in New Zealand and await extradition to the U.S. to be tried on these charges. Conviction on these charges could result in severe fines and possibly many years in a U.S. Federal prison. This paper will discuss the rise and fall of Kim Dotcom and Megaupload.com and will review how lawful governments may treat similar offenses in the future.

Less than 24 hours after the end of the global SOPA protest on the World Wide Web, on January 19, 2012, the governments of the U.S. and New Zealand acted swiftly to stop the Megaupload.com empire that Kim Dotcom had built. The U.S. Department of Justice shut down the Megaupload.com website and produced a 72-page federal indictment against Kim Dotcom, Megaupload.com, and several of the business partners for alleged “copyright infringement, conspiracy to commit money laundering, racketeering, rewarding users who uploaded pirated content for sharing, and turning a blind eye to requests from copyright holders to remove copyright-protected files.” Almost 12,000 miles away, on January 20, 2012, New Zealand’s law enforcement authorities were forcibly entering Mr. Dotcom’s home, a leased luxury mansion in the serene New Zealand countryside, and forcing their way into a “safe room” where Mr. Dotcom was hiding with guns, cash, and his closest colleagues (Acohido, 2012). Mr. Kim Dotcom and his colleagues were then arrested and now await extradition to the U.S. to be tried on these charges. Conviction on these charges could result in severe fines and possibly many years of imprisonment in a U.S. Federal prison. This paper will discuss the rise and fall of Kim Dotcom and Megaupload.com and will review how lawful governments may treat similar offenses in the future.

Originally Kim Schmidt, Mr. Dotcom, a native citizen of Germany, began his computer career in Germany in his early 20s in the early 1990s. He first began his career as a “computer expert” and then very shortly afterwards opened a computer security-related business. A short time later, Mr. Schmidt was indicted in Germany on computer fraud charges and later paid a fine and was released on probation. A few years later, Mr. Schmidt legally changed his name to “Kim Dotcom”, perhaps as a prelude to starting the Megaupload.com business, and to position himself as a self-styled Internet mogul entrepreneur. Now a 38-year-old German foreign national and temporary resident of New Zealand, at 6 feet 6 inches tall and over 285 pounds, Mr. Kim Dotcom is, both in stature and in his actions, a larger-than-life figure, who openly flaunted his wealth and his playboy lifestyle, the obvious results of the success of his Megaupload.com business (MikelVizualBazzikHck, 2012). With an annual income of more than $30 million, the flamboyant Mr. Dotcom could afford nearly everything he wanted, except permanent citizenship as a New Zealander. Yet after his arrest on January 20, 2012, he and his colleagues
Europe’s No.1 Information Security Event
SECURE THINKING, SECURE BUSINESS
Why Attend Infosecurity Europe 2013?
• Access Europe’s most extensive and free-to-attend knowledge-enhancing educational programme
• Meet over 300 leading information security suppliers – identify best-of-breed, cutting-edge technology and see real solutions in action
• Hear from real experts and respected public and private sector IT practitioners to discover how they spent their budget on the right products, services and solutions
• Network with your peers through a wide range of activities including workshops and evening receptions
• Earn CPE credits by attending the free educational programme
Register for FREE at infosec.co.uk/register*
* Visitor registration is free online before Friday 19th April at 5pm. Onsite registration £20.
Follow us @infosecurity
23-25 April 2013, Earls Court, London, UK
BURNING ISSUE – MEGAUPLOAD.COM
Kim Dotcom’s Letter to Hollywood

Dear Hollywood,

The Internet frightens you. But history has taught us that the greatest innovations were built on rejections. The VCR frightened you, but it ended up making billions of dollars in video sales. You get so comfortable with your ways of doing business that any change is perceived as a threat. The problem is, we as a society don’t have a choice: The law of human nature is to communicate more efficiently. And the economic benefits of high-speed Internet and unlimited cloud storage are so great that we need to plan for the day when the transfer of terabytes of data will be measured in seconds. Businesses and individuals will keep looking for faster connectivity, more robust online storage and more privacy. Transferring large pieces of content over the Internet will become common – not because global citizens are evil but because economic forces leading to “speed of light” data transfer and storage are so beneficial to societal growth. Come on, guys, I am a computer nerd. I love Hollywood and movies. My whole life is like a movie. I wouldn’t be who I am if it wasn’t for the mind-altering glimpse at the future in Star Wars. I am at the forefront of creating the cool stuff that will allow creative works to thrive in an Internet age. I have the solutions to your problems. I am not your enemy. Providing “freemium” cloud storage to society is not a crime. What will Hollywood do when smartphones and tablets can wirelessly transfer a movie file within milliseconds? The very powerful and the very stupid have one thing in common. Instead of changing their views to fit the facts, they try to
ATTACK

Insider Threat To Cyber Security – Fighting The Enemy Within

This article explains insider threats to cybersecurity in an organisation, with real-life case examples. The author thinks that organisations have a tendency to lay more emphasis on securing their perimeters and take the insider threat lightly. Further, the author believes that the processes which we implement in our organisation have a more important role to play than technology in safeguarding against insider threats, and recommends certain common guidelines / controls for mitigating this threat.

This article is meant for a diverse audience. Decision makers across an organization will benefit from reading it because insider threats are influenced by a combination of technical, behavioural, and organizational issues and must be addressed by policies, procedures, and technologies. Staff members of an organization’s management, HR, Legal, Physical Security, Data Owners, IT, and Software Engineering groups should all understand the overall scope of the problem and communicate it to all employees in the organization.

What do we understand by Insider Threat?

In the simplest of forms, it means all individuals who have or had authorised access to our cyber infrastructure and resources and intentionally misuse that access to endanger the confidentiality, integrity and availability of the organisation’s data. Special emphasis must be laid upon individuals who have recently left the organisation or are in the process of leaving. The reasons for which they leave the organisation also assume importance whilst formulating an insider threat policy. The following personnel fall into the category of insider threat in the context of cyber security:
• Current or former employees
• Current or former business partners and outsourcing companies
Insider threat becomes even more dangerous to an organisation when we consider the scenario where there is collusion between insiders and business competitors, organised crime and even foreign governments.

Why are we more vulnerable from inside?

It is a human tendency to expect threats from outside and ignore the trouble indicators within the organisation. The first steps towards securing the cyber infrastructure are always directed at securing the perimeters and external interfaces of the organisation. The best of technology is bought and implemented, and we slowly and deeply sink into the “comfort zone” of being secure. We forget that off-the-shelf security measures most of the time do not cater to the threat arising from inside. As most of my pen testing buddies would agree, the reverse connect payload is a good indicator of how attackers realised this weakness of organisations: not checking the traffic originating from inside. In my early days of pen testing, I often heard the example of breaking into a network being similar to cracking a coconut – hard from outside but soft and creamy inside. The person outside the organisation always has the tough job of breaking in through solid defences and needs a higher level of expertise and resources to accomplish his task. Even then his chances are slim compared to a malicious insider already sitting inside the network, who merely has to do what an external attacker would call “post exploitation” tasks. He has the access and authorisation and, most importantly, the trust of the resource owner.

What risks are posed by a malicious insider to an organisation?

Data theft

With the proliferation of mobile storage and computing devices, the problem of data theft by insiders has multiplied manifold. This coupled with a never before
ATTACK

CyberSecurity Constantly Under Attack

Cyber security, crime, terrorism, attacks, wars: these and other “cyber categories” continue to be used more or less indiscriminately in many areas.

This is partly attributed to the fact that the industry is evolving rapidly, as well as to the complexity resulting from the combination of information technology and communications (Information and Communication Technology, ICT) with other systems essential for sustaining the key features of modern societies (the so-called critical infrastructures). Whether for espionage or sabotage purposes, corporations, governments, militaries and banks are increasingly becoming the target of criminal activities. Attacks such as viruses, DDoS, exploitation techniques, hijacking, etc. are constant threats to all existing assets. Hackers specifically target the weak parts of network infrastructures to penetrate fortified systems and commit cyber-crimes. It’s a real war out there, but it’s taking place on a new battlefield, “The Network”. Modern economies are preparing to protect themselves from cyber-attacks, investing significant budgets in research, countermeasures and investigation. Critical infrastructures must be prepared for potential threats whose impact could result in economic and reputational losses. Cyber-attacks can be performed in many different ways. Common attack vectors are:
• Scam Email – using social engineering techniques to convince the receiver to open fake links or files.
• Network – using, for example, PHP scripts or web applications written for Apache.
• Instant Messenger – using social engineering and other vulnerabilities.
• Distributed denial of service – occurs when multiple systems (e.g. a botnet) flood the bandwidth or resources of a targeted system.
• Virus infection – malware such as Trojans, spyware, worms, etc. can be conveyed onto the target system in many different ways. In many cases the infection can spread rapidly, compromising a huge number of computers in a short time.

Cyber-hacktivism and cyber-terrorism

Cyber-criminals are not only targeting money and data; hacktivists and cyber-terrorists, for instance, are politically motivated and aim to attack and compromise infrastructures in order to gain visibility and defend their country’s honor or promote specific causes. These attacks have ranged from mere annoyances, such as the defacement of websites, to full-scale digital blockades of the target country, such as the 2007 cyber-attacks against Estonia, most likely one of the biggest public cyber-wars between two countries (Ref. 01). The entire X-Road (Figure 1), the Estonian e-infrastructure, a system interconnecting more than 355 government organizations and including services such as Telecom, Tele2, Uninet, Delfi, Atlas Communications and many others, was under cyber-attack for about 3 weeks. The Estonian government claimed the attack was launched by the Russian government as a political reprisal. Probably the most important case associated with APT (Advanced Persistent Threat) so far has been “Titan Rain” (Ref. 03). This was the designated name that the US Government gave to a per-
RESEARCH INSTITUTE OF FORENSIC AND E-CRIME
Protection through Research
RIFEC OFFERS A FREE RISK ANALYSIS SERVICE. CONTACT US FOR FURTHER INFORMATION.
The growth of the internet and the massive use of new technologies has been the biggest social change of this lifetime. Increasing dependence on these technologies has brought new risks. RIFEC takes these risks seriously. In our laboratories we conduct research to tackle these threats and develop our response. Our objective is to set strategies to reduce vulnerabilities and secure the benefits of a trusted digital environment for businesses and individuals.
Web: www.rifec.com
Twitter: www.twitter.com/rifec
LinkedIn: www.linkedin.com/company/rifec
Email: info@rifec.com
ATTACK

Hacking Humans: The Story of a Successful Well-planned Social Engineering Attack

This paper will review an actual incident related to a social engineering exploit, why this exploit was effective, and what steps could have been taken to recognize and nullify or avoid this exploit. The exploit that will be described involves authority, pretexting, and deception, resulting in psychological manipulation.

The exploit had serious consequences, both in my personal and professional life. The exploit was short-lived, occurring in August 2008, but very likely damaged my career and reputation at Gehenomsoft, where I was employed at the time. In addition, this exploit quickly escalated to a criminal assault against me, and though the case was never resolved, it was a very traumatic experience. This paper will explore why each of these social engineering techniques was effective, and how I could apply knowledge and techniques learned in the materials from my Social Engineering class, as well as other research materials, to prevent similar attacks.

Using Authority and Pretexting as Social Engineering Weapons

This brief paper will examine an incident in which authority and pretexting were used with deception to help an intruder gain access to an office area that was protected by traditional physical security controls as well as policies, and the outcome of this incident. In his book, Influence: Science and Practice, Robert Cialdini discusses the concept of authority as a trigger that can influence human behavior, for better or worse (Cialdini, 2009). Pretexting is a social engineering technique in which the social engineer invents a story that sounds convincing, so that he or she may gain a favor or access to an area to which they might not otherwise be able to obtain access (Hadnagy, 2011). Each of these social engineering techniques, used with deception, intent, and motive, can constitute a formidable threat that can overcome most people without the specialized experience and training to recognize them. This incident happened to me at the Gehenomsoft Midwestern Regional Office in Downers Grove, IL, while I worked at Gehenomsoft in 2008. In his book, Cialdini reviewed the classic 1974 case study by Professor Milgram as an example of how authority could be used to influence behavior. The Milgram study showed a truly dark side of authority, where his student subjects were willing to follow orders to send large voltages of electricity into the bodies of the study’s participants, despite what their consciences might otherwise have told them about whether following these orders was morally right or wrong. The fact that these subjects consistently followed orders and shocked the participants without argument, compassion, or question illustrated the degree to which they were influenced by his authority as a professor and the architect of the study. This was Milgram’s simple final conclusion of his experiment: “It is the extreme willingness of adults to go to almost any lengths on command of an authority that constitutes the chief finding of the study (Cialdini, 2009).”

The Social Engineering Exploit: What Happened?

This social engineering attack, which involved the use of authority, pretexting and deception, occurred on Friday evening, August 22, 2008, at the site of Gehenomsoft’s Midwest Regional Office in Downers Grove, IL. The intruder had quietly entered the building past the first floor security checkpoint at about 6:00 PM and appeared in the hallway on the third floor of this secure office building after business hours,
ATTACK

The Digital Dojo: Sharpening Your Hacking Skills At Home

Ask any skilled hacker or penetration tester how they became proficient at their craft and they will likely tell you that they have spent an unbelievable amount of solitary hours hammering away at a keyboard to hone their hacking skills.

Serious hackers and penetration testers might be largely self-taught, have studied for security or networking certifications, pursued an IT security degree, or found guidance under a patient and experienced mentor, but one thing almost every one of them will have in common – especially if they are trying to remain proficient – is that they are continuously learning, expanding their knowledge, and practicing to keep their skills sharp. The goal of this paper is to look at ways of keeping that digital sword sharp, and one of the best ways to do so is through hands-on practice. This article will examine the Digital Dojo: the hacker’s home lab, the tools of the trade, and the various avenues available which may aid in growing the craft during off-hours at home.

Introduction

Hacking isn’t a skill one simply learns overnight; it takes immeasurable hours of learning, analysis, trial-and-error, and a ghoulish level of tenacity. There are so many sub-categories of hacking that no individual hacker is likely to be a master of them all; the majority will focus their efforts on specific areas of expertise and attempt to learn the basics of the areas outside their wheelhouse. For example, a hacker who specializes in network security may not be as sharp at webpage exploitation; a systems expert may not be graceful at social engineering, and so on. There’s simply too much to learn and the landscape is constantly changing, making it nearly impossible to maintain a true mastery of all aspects of hacking. For example, there are various programming languages a hacker may want to become proficient in: Python, Perl, C++, Java, and, though not really a language, HTML; it could take years to master these alone, but learning to program isn’t where a hacker stops; it’s more likely where they begin. Most hackers will want to have at least a ba-

Figure 1. Digital Dojo (2013). Art by Terrance Stachowski
plus
Social Engineering The Single Greatest Threat to Organizational Security Security planning is an onerous, complex and continual process, largely because there exists two factions which are continually at ends with one another. Security professionals work to erect walls which provide security to an organization’s data, networks, and personnel – whereas the opposition is continually developing ways to go over, under, around or through security barriers.
O
ne major problem with many security plans is that most organizations focus exclusively on technical countermeasures, but the weakest link in security, the human element, is often overlooked. Attackers are aware of this deficiency, and use an unethical approach known as social engineering to exploit this weakness. This paper examines how social engineering attacks take advantage of normal human behavior and demonstrates the real and present threat that this type of dishonest attack poses. Historical data extracted from Kevin Mitnick’s case, and the DEFCON 18 Social Engineering Capture-the-Flag (CTF) – How Strong is Your Schmooze results will be utilized to build this case study. Additionally, this paper will investigate what organizations can do to diminish this threat.
Introduction
In the current age of technology, many organizations have come to rely on information systems as one of the most important tools for facilitating nearly every aspect of business activity. The use of information technology expedites workflow, increases productivity, accelerates communication and allows multiple employees to view and work on a single project concurrently. One major concern with organizations relying so heavily on information systems is that enormous amounts of data, much of which could be considered sensitive or valuable in nature, are used, stored, and created on these systems. Security has become a critical affair for managers at all levels of innumerable governments and organizations; clients with concerns about protection of their personally identifiable information (PII), privacy, and identity fraud or theft are demanding it; vendors, suppliers, and business partners require it from one another, especially where mutual network and information access exists (Allen, 2009). Though many organizations take security seriously and put an enormous emphasis on both technical and physical safeguards such as firewalls, ID cards, intrusion detection systems (IDS), and guards, little emphasis is placed on the human element of security. A million dollars' worth of state-of-the-art technical and physical safeguards can be, and continues to be, rendered useless by hackers who know how to manipulate and bypass the weakest link in any security program: the human being.
Understanding Social Engineering
Social engineering is the art, or better put the science, of expertly manipulating other humans into taking some form of action (Hadnagy, 2011). A social engineer is someone who takes advantage of the credulity, indolence, good manners, or even passion of employees (Microsoft, 2006). Social engineering is basically a con game, and the social engineer is nothing more than a sophisticated con artist who employs skillful lying, influencing, persuading, smooth talking, trickery, and deception to convince the target that they are someone they are not, or that they require access to something they are not authorized to access.
An Interview with William F. Slater, III
M.S. in Cybersecurity Program, Bellevue University, Bellevue, NE
Ewa Durnac: How was your article selected for publication by Hakin9?
William F. Slater, III: I was identified as a Cybersecurity professional who is also a writer back in October 2012. They contacted me via e-mail and asked me to start writing articles for Hakin9 magazine. I think that they found me either on LinkedIn.com or via a Google search. The January 2013 article was my fourth article with the magazine. The editors and publishers at Hakin9 magazine are also fun to work with, and they seem to appreciate working with Cybersecurity professionals who can write and deliver articles that meet their quality standards as well as their publication submission deadlines.
ED: Was the article something that developed out of a class project?
WS: No. I was inspired to write it because I knew that applying the concepts described in the article would help make cyberspace a little safer. The article explains how using a well-designed security compliance framework can help an organization defend against the perils of cyberattacks and cyberwarfare. As far as I know, no one has yet been bold or knowledgeable enough to take the time to write such an article for the general public. Note that I did not receive any academic credit or even any compensation for writing this article.
ED: What led to your interest in Bellevue University’s Cybersecurity program?
WS: I was accepted into the M.S. in Cybersecurity program at Bellevue University on Friday, Aug. 26, 2011. I chose this program for two reasons: 1) you folks appear to really have your act together compared to everyone else; and 2) I hope to work at least another 20 years, and the Bellevue University M.S. in Cybersecurity program will equip me to accomplish some great things, including teaching and equipping the Cyberwarriors of America's future. I have been making a living in Information Technology since I started my service in the United States Air Force in July 1977. I served as a Computer System staff officer (AFSC 5135B) at Strategic Air Command Headquarters, supporting the command control systems that provided command, control and communications capability to SAC forces globally for the leadership of SAC and also the National Command Authorities. If you are interested in what I did at HQ SAC, there are several interesting pictures here: http://billslater.com/myusaf. After becoming ill in 1980, I left active duty in October 1980 and travelled to Houston, TX to begin my civilian career in IT. My career has involved many roles and many technologies over the years. You can see a synopsis of my career here: http://billslater.com/career and here: http://billslater.com/interview.
ED: What has been your impression of the program thus far?
WS: It’s been very educational and VERY intense. I am completing my 11th and 12th classes in this program and it basically means that whenever school is in session, I have had no weekend time off since August 2011. Between work, teaching, and my M.S. and Cybersecurity course work, I have stayed extremely busy. It has been worth it, but I don’t think people outside the program re-
Digital Shield Summit Announces Partnership with Emirates Identity Authority
EIDA Group Director to inaugurate summit; speaker lineup unveiled, including Dubai Customs, aeCERT, Emirates Group, Emirates NBD and Meraas Holding.
Monday, February 18, 2013; Dubai: Ideanomics today officially announced the Emirates Identity Authority's involvement with Digital Shield Summit 2013. H.E. Dr. Eng. Ali Mohamed Al Khouri, Emirates ID Director General, will be the Chief Guest of Honour and will inaugurate the summit, to be held on the 21st and 22nd of April in Abu Dhabi, United Arab Emirates.

The summit primarily tackles problems relating to digital security and digital infrastructure. The main objective is to see how to develop and manage information resources and deal with challenges such as delivering a robust information and compliance framework and streamlining models for digital information management, collaboration and social networking.

Along with H.E. Dr. Eng. Ali Mohamed Al Khouri, the Advisory Board also consists of Tariq Al Hawi, Director of aeCERT; Guruswamy Periyasamy, Head of IT Security and Innovation at Emirates Group; and Naveed Ahmed, Head of IT Security for Dubai Customs. Ajay Rathi, Head of IT for Meraas Holding, and Amit Bhatia, Group Risk Management and IT Security Manager for Emirates NBD, will also be in attendance and will be speaking at the summit.

"In a knowledge based economy, with governments and businesses continuing to invest heavily in critical technology deployments, utilities companies looking at forming utility grids allowing them to virtualize and scale their resources at record pace and end users adopting the latest technology devices, a growing concern remains on the underlying threat of digital security to new technology adoption and the increasing channels of communication that have been created to communicate with it," says Savio Coutinho, CEO at Ideanomics. "The Digital Security Summit will provide a unique platform for various verticals to come together to discuss and address key challenges faced with growing data and look at the role both government and service providers can take, in protecting its critical data and users at large."
Emirates Identity Authority (EIDA)
Emirates Identity Authority (EIDA) is an independent federal authority established by virtue of federal decree No. (2) of 2004. The decree has empowered the Authority with the ultimate powers required for the execution of the Population Register and the ID card program.

Ideanomics Global

Established in 2012, Ideanomics Global has opened operations in several key countries which support the roll-out of our events globally. Based in Dubai, our offices organize and conceptualize Conferences and Summits, Trainings and Live Events. For further queries on Digital Shield Middle East please contact Eric Wang on +9714 4232868 or email info@ie2global.com.
BOSTON • May 28-31, 2013 The Westin Boston Waterfront
Get the best real-world Android developer training anywhere!
• Choose from more than 75 classes and tutorials
• Network with speakers and other Android developers
• Check out more than 40 exhibiting companies
"AnDevCon is one of the best networking and information hubs available to Android developers." —Nate Vogt, Android Developer, Willow Tree Apps
Register NOW at www.AnDevCon.com A BZ Media Event
Follow us: twitter.com/AnDevCon
AnDevCon™ is a trademark of BZ Media LLC. Android™ is a trademark of Google Inc. Google’s Android Robot is used under terms of the Creative Commons 3.0 Attribution License.