There are a few very popular social engineering attacks; people who have little children know these attacks from daily life.

The first one is based on diffusion of responsibility. This is the attack which can be tagged: "John said that he would shoulder the blame."

The fear of punishment for acting to the detriment of the company you work for, such as sharing a file, starting certain applications or allowing remote access, is usually enough to stop you. However, you would be more likely to fall prey to manipulation if someone assured you that there would be no consequences attached to your actions. This can be done by impersonating a high-ranking supervisor whom the potential victim hasn't had the chance to meet in person.

Suppose you work in the IT department. You know all too well that one of the basic rules of security is not to reveal passwords during a phone conversation; a situation where someone calls the IT department asking for a password that he or she forgot is unthinkable.

But how do you react if you pick up the phone and it turns out to be the director's secretary, informing you that she is about to put you through to the director himself? And what if, after a while, you really are talking to the director? He's asking for his password because he's on a business trip and he really needs to check his e-mails, but he's forgotten his password.
Well, in a company which has implemented a security policy, you must say that in accordance with the policy you're not allowed to tell the password over the phone. But the director tells you that this is in order, and in case of any trouble he'll take all the responsibility. Now it's no longer appropriate to oppose, and you tell your superior the password he demands.

The principle behind the second kind of social engineering attack is a banal truth: everyone has their price. Please look at the photographs of employees at the bottom of the slide. They don't look motivated. These people have worked for the same company, doing the same job, for five, ten or fifteen years. They mean to do no harm to their company, but such people know that they will work for another five years doing the exact same thing. Now, if such an employee is approached at lunchtime by someone who is offering him or her $50,000 for connecting a certain USB flash drive to the company laptop, how can we be sure that this employee rejects the offer?

Another manipulation technique is based on a willingness to help others. This is something people learn in childhood. It's a natural reaction to try to help someone who is lost or in need; we're willing to help, especially if it doesn't take much energy or risk on our part.
Let's imagine that your company hires a new person. It's a young lady, and this is her first real job. She doesn't seem to fit into the new workplace yet. She turns to us and says that she is so nervous because it's her first day. She's forgotten her password, and she tells you that she has an important presentation in half an hour, but she left the report she's been working on at home and she needs your help. You'll help her to recover her password or get remote access to the computer, because it costs you nothing.

Another effective technique is abusing previously gained trust. The easiest way to gain someone's trust is to help them; the easiest way to help is by solving a problem you have caused yourself.

Let's imagine another situation. Using social networking sites and programs such as Maltego, you've discovered that a company's local network is operated by a certain internet provider. You can call the company and impersonate someone from the internet provider in order to obtain a company employee's password. Before you do that, you have to cause the company's network to go down. It's enough to cut off the internet connection just for a while. You can do that by redirecting DNS queries sent by the company. This is enough for the lady at the front office not to be able to surf her favorite Web site or do her work.
Suppose you've managed to cause a problem. You call the victim, you introduce yourself as the Internet provider's employee, and you inform the victim that you've discovered that users may experience temporary connection problems. This will give you confirmation of the problem we've caused, the problem which you then proceed to solve. The lady from the front desk is thankful for saving the day; you add that the problem may reoccur, but that there is a way to prevent it. You then ask for the password, which you allegedly need to check network settings that may cause the problem. You assure the lady that it won't interfere with her job and that her help will then no longer be required. That's how you gain remote access to a company computer.

Moral pressure is another form of manipulation. If someone says to you, "If you don't help me, I'm dead," or "For you it's a trifle, but it means life to me," you'll help them for the sake of your conscience. We're eager to help even people we don't know if the cause seems noble to us. We identify with anonymous people who have a specific goal in mind. Such a situation is easy to arrange.

Another technique is based on the feeling of community. We're most likely to help people we identify with. Suppose you're hired to perform an attack.
You've learned that the administrator of the targeted Web site eats his lunch at a specific time and place. You've also learned the breed of his dogs and their names. You could arrange a meeting at the place he eats and start a conversation about dogs. It would be best if the victim approached you and started the conversation first, noticing that you are reading a dog magazine. Thanks to a shared interest, the person you haven't met before will treat you as if you'd known each other for years, and if you've known someone for years, you can do them small favors.

There is a technique that everyone will fall prey to: it's guilt. Parents of little children know that if they try to make someone feel guilty, they will either back out or try to redeem their fault. You just have to play the victim.

Another form of attack is connected with willingness to work. People rarely take the initiative, even if they're motivated workers. However, the prospect of working on an interesting subject with a larger group of people is more appealing. A cynical worker may use that as an opportunity to gain something at the expense of others. This is what the attackers take advantage of: they offer a solution that will help them to achieve their goals.

Another effective manipulation technique is based on fear.
You don't have to draw a bead on someone to make them afraid. It's enough if you threaten them with revealing certain information, especially if they've written on their blog or their Facebook profile some critical information about their superior. If you know about it, you can blackmail them.

Now you know basic manipulation techniques.