Automated risk assessment system for
Social Engineering attacks on production
information systems
Nikolaos Benias, Vasileios Chantzaras
ΜΜ4140012, ΜΜ4140021
DIPLOMA THESIS
Supervisor: Professor Dimitris Gritzalis
SOCIAL ENGINEERING
• Definition
• Historical overview
• How and why it works
• Who uses it
• Targets
“It’s been great, but spying, blocking sites, repurposing people’s
content, taking you to the wrong websites — that completely
undermines the spirit of helping people create... We don’t have a
technology problem, we have a social problem."
Tim Berners-Lee
PROBLEMS
SOCIAL ENGINEERING THREATS
• SEO (Search Engine Optimization) poisoning
• Follower scams
• Impersonation of celebrities
• Impersonation of friends
SOCIAL ENGINEERING ATTACKS
Human contact
By telephone (vishing)
Shoulder surfing / Tailgating (following an authorised person closely through a controlled entrance)
Dumpster diving
Pretexting
Technological means
Phishing
Baiting
Diversion theft
Quid pro quo
Scareware
Reverse social engineering
Browser exploitation
People
Processes
Technology
“You could spend a fortune purchasing technology
and services, you can have the best firewalls,
encryption tools and such in place, but they will
neither detect nor protect you from a social
engineering attack, because your network
infrastructure could still remain vulnerable to old-
fashioned manipulation.”
Kevin Mitnick
PROTECTION MEASURES
• Proposed procedure for handling
phishing-type attacks
TECHNICAL CHARACTERISTICS
Ubuntu 14.04 LTS
Virtual machine (latest Oracle VirtualBox)
PHP (with Yii), Python scripts, JavaScript
php-resque (Redis-backed background job queue for PHP)
Critical services:
Apache2 (ver. 2.4.7)
postgres (ver. 9.3)
redis-server (ver. 2.8.4)
supervisor (Python process-control implementation)
MVC IN ACTION
Use Case: List Campaigns
[Sequence diagram: CampaignController -> CampaignModel (ActiveRecord): findAll(campaigns); CampaignModel -> CampaignController: list(campaigns); CampaignController -> Campaigns View: show(campaigns); Campaigns View: render(campaigns)]
[Architecture diagram: Yii App -> Commands -> AppManagers -> AppComponents -> ResqueJobs; a job carries an action and its data and is executed through perform()]
SOME SPAM REASONS
IP and domain Reputation
Quality of email subject line, teaser, and content
Quality and safety of links in email
Presence of images
Ratio of images to text and links to text
Inclusion of text version of email
etc.
ANTI-SPAM TIPS
Whitelist your IP or domain on your spam defence, or:
Set the HELO/EHLO SMTP host name on your server
Review your email content (SpamAssassin score)
Use a corporate email account as your sender address
Use descriptive text instead of URLs as link text
Make sure you are not blacklisted
It matters where you're "From"
Keep the format simple
Limit the number of URL links
Create a unique subject title
DNS optimization
Watch out when you spoof your own domain
Set PTR
Configure an SMTP banner that matches your domain
Avoid using a tracking image
Test your IP & domain reputation
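The DNS-related items above (HELO/EHLO name, PTR, SMTP banner, spoofing your own domain) come down to checks that a receiving mail server runs on the sending host before it ever looks at the message body. The script below is an added example and is not code from the thesis framework or the linked demos: it runs the two checks that most often break a phishing simulation, forward-confirmed reverse DNS against the HELO name, and SPF for the envelope-from domain. The deck does not name SPF; it is assumed here to be the mechanism behind "watch out when you spoof your own domain", since a simulation host that is not listed in the organisation's own SPF record gets a hard fail on every spoofed message. All hostnames, addresses and DNS records are constructed in an in-memory table so the script runs offline.

```javascript
// Added example, not code from the thesis framework. Pre-flight checks a
// phishing-simulation sender can run before a campaign, evaluated against a
// constructed in-memory DNS table so the script runs offline. Every name and
// address below is an assumption made for the illustration.

// Constructed DNS answers: "TYPE name" -> list of records.
const DNS = {
  'TXT example.org': ['v=spf1 mx ip4:203.0.113.0/24 include:_spf.mailer.example -all'],
  'MX example.org': ['mail.example.org'],
  'A mail.example.org': ['203.0.113.10'],
  'PTR 203.0.113.10': ['mail.example.org'],
  'TXT _spf.mailer.example': ['v=spf1 a:out.mailer.example -all'],
  'A out.mailer.example': ['198.51.100.25'],
  'PTR 198.51.100.25': ['out.mailer.example'],
  // 192.0.2.77 is the simulation box: no PTR, not in any SPF record.
};

function lookup(type, name) {
  return DNS[`${type} ${name}`] || [];
}

function ipv4ToInt(ip) {
  const parts = ip.split('.').map(Number);
  if (parts.length !== 4 || parts.some(p => !Number.isInteger(p) || p < 0 || p > 255)) {
    throw new Error(`not an IPv4 address: ${ip}`);
  }
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}

// True when ip lies inside cidr ("203.0.113.0/24"; a bare address means /32).
function inCidr(ip, cidr) {
  const [net, bits = '32'] = cidr.split('/');
  const n = Number(bits);
  const mask = n === 0 ? 0 : (0xffffffff << (32 - n)) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(net) & mask) >>> 0);
}

// Check 1: forward-confirmed reverse DNS, and PTR name equal to the HELO name.
function checkReverseDns(ip, heloName) {
  const ptrs = lookup('PTR', ip);
  if (ptrs.length === 0) return { ok: false, reason: 'no PTR record for sending IP' };
  const confirmed = ptrs.filter(name => lookup('A', name).includes(ip));
  if (confirmed.length === 0) return { ok: false, reason: 'PTR name does not resolve back to the IP' };
  if (!confirmed.includes(heloName)) {
    return { ok: false, reason: `HELO ${heloName} does not match PTR ${confirmed[0]}` };
  }
  return { ok: true, reason: 'FCrDNS and HELO consistent' };
}

// Check 2: SPF result for `ip` sending with envelope-from `domain`.
// Mechanisms handled: all, ip4, a, mx, include, with +/-/~/? qualifiers.
// ip6, ptr, exists, redirect= and CIDR suffixes on a/mx are out of scope here.
function checkSpf(ip, domain, depth = 0) {
  if (depth > 10) return 'permerror';  // RFC 7208 caps DNS-querying terms at 10
  const record = lookup('TXT', domain).find(t => t.startsWith('v=spf1'));
  if (!record) return 'none';
  const verdict = { '+': 'pass', '-': 'fail', '~': 'softfail', '?': 'neutral' };
  for (const term of record.split(/\s+/).slice(1)) {
    let qualifier = '+';
    let mech = term;
    if ('+-~?'.includes(term[0])) { qualifier = term[0]; mech = term.slice(1); }
    const [name, arg] = mech.split(':');
    const target = arg || domain;
    let matched;
    switch (name.toLowerCase()) {
      case 'all': matched = true; break;
      case 'ip4': matched = inCidr(ip, target); break;
      case 'a': matched = lookup('A', target).includes(ip); break;
      case 'mx': matched = lookup('MX', target).some(mx => lookup('A', mx).includes(ip)); break;
      case 'include': matched = checkSpf(ip, target, depth + 1) === 'pass'; break;
      default: return 'permerror';  // unsupported mechanism
    }
    if (matched) return verdict[qualifier];
  }
  return 'neutral';  // no mechanism matched and no "all" term
}

function preflight({ ip, helo, mailFromDomain }) {
  return { rdns: checkReverseDns(ip, helo), spf: checkSpf(ip, mailFromDomain) };
}

// Constructed scenarios: the corporate MX, the contracted mailer, and a
// simulation box spoofing the corporate domain without being authorised.
for (const s of [
  { ip: '203.0.113.10', helo: 'mail.example.org', mailFromDomain: 'example.org' },
  { ip: '198.51.100.25', helo: 'out.mailer.example', mailFromDomain: 'example.org' },
  { ip: '192.0.2.77', helo: 'mail.example.org', mailFromDomain: 'example.org' },
]) {
  console.log(s.ip, JSON.stringify(preflight(s)));
}
```

The third scenario is the one a simulation usually hits: the box has no PTR, its HELO name belongs to another host, and the spoofed domain's record ends in `-all`, so the receiver can reject before any content filtering. The fix on the sending side is to add the simulation host (or a dedicated subdomain with its own record) to the organisation's SPF for the campaign window, or to stop spoofing the primary domain; whitelisting the IP on the spam defence, as the first tip above says, only helps inside the organisation's own gateway.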
LIVE COPY OF A WEB PAGE
Real page:
https://webmail.aueb.gr
Clone page:
http://aueb-gr.my-free.website/
PASTEJACKING
The art of changing what you copy from web pages
Demo: https://github.com/dxa4481/Pastejacking
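The mechanism behind the linked demo, as an added example that is not the demo's own code or the thesis framework: a page registers a listener for the browser's `copy` event and rewrites the clipboard, so the text the victim pastes is not the text they selected, and a trailing newline makes a terminal execute it before it can be read. The handler below uses only the standard `ClipboardEvent.clipboardData.setData()` and `preventDefault()` calls; the stand-in event object, the visible text and the payload are constructed so the block can be driven outside a browser, and the paste-warning function shows what a defensive filter can check.

```javascript
// Added example, not the code of the dxa4481 demo or of the thesis framework.
// It shows the mechanism pastejacking relies on: a page's 'copy' listener
// rewrites the clipboard, so what the victim pastes is not what they selected.
// The handler is written so it can be driven by a stand-in event object and
// run outside a browser; the visible text and payload are constructed for
// the illustration.

// What the page shows and what the victim believes they are copying.
const VISIBLE_TEXT = 'echo "harmless"';
// What actually lands on the clipboard: a different command plus a trailing
// newline, so a paste into a terminal runs before the victim can read it.
const PAYLOAD = 'echo "you pasted something you did not read"\n';

// Returns a handler for the DOM 'copy' event. Browser API used inside:
// ClipboardEvent.clipboardData.setData() and Event.preventDefault().
function makeCopyHandler(payload) {
  return function onCopy(event) {
    event.clipboardData.setData('text/plain', payload);
    event.preventDefault();  // otherwise the browser copies the real selection
  };
}
// In a page: document.addEventListener('copy', makeCopyHandler(PAYLOAD));

// Minimal stand-in for a ClipboardEvent so the handler can run under Node.
function fakeClipboardEvent(selectedText) {
  const data = { 'text/plain': selectedText };
  return {
    defaultPrevented: false,
    clipboardData: {
      setData(type, value) { data[type] = value; },
      getData(type) { return data[type]; },
    },
    preventDefault() { this.defaultPrevented = true; },
  };
}

// Text that ends up on the clipboard when `selectedText` is copied from a
// page that registered `handler` (or no handler at all).
function simulateCopy(selectedText, handler) {
  const event = fakeClipboardEvent(selectedText);
  if (handler) handler(event);
  return event.defaultPrevented ? event.clipboardData.getData('text/plain') : selectedText;
}

// Defensive side: what a paste filter (a shell with bracketed paste, an
// editor plugin, a clipboard manager) can check before the text is executed.
function pasteWarnings(selectedText, clipboardText) {
  const warnings = [];
  if (clipboardText !== selectedText) warnings.push('clipboard differs from what was selected');
  if (/\r?\n$/.test(clipboardText)) warnings.push('trailing newline would execute immediately in a terminal');
  if (/[\x00-\x08\x0b-\x1f\x7f]/.test(clipboardText)) warnings.push('contains control characters');
  return warnings;
}

console.log('copied without listener :', JSON.stringify(simulateCopy(VISIBLE_TEXT, null)));
console.log('copied with pastejacking:', JSON.stringify(simulateCopy(VISIBLE_TEXT, makeCopyHandler(PAYLOAD))));
console.log('warnings:', pasteWarnings(VISIBLE_TEXT, simulateCopy(VISIBLE_TEXT, makeCopyHandler(PAYLOAD))));
```

The practical countermeasures follow from the two warnings: paste into an editor before pasting into a shell, and use a shell with bracketed paste enabled, which treats a pasted block as literal text rather than executing it at the first newline. Note that the check cannot be done from the page side; the victim's selection is never visible to the terminal, so the filter can only flag a trailing newline and control characters, not the substitution itself.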
FUTURE DEVELOPMENT
Logical level
Malware simulation
Conducting a Social Engineering Vulnerability Assessment, after approval by
the organisation's responsible officer, from within the framework itself
(digital signature)
Technical level
Threat intelligence backend
Decoupling the server from the clients