Information Security and Social Engineering


1 Information Security and Social Engineering
Michigan Council of Private Investigators 5/3/2018 Mark Lachniet

2 Disclaimer
I will be discussing techniques that could be misused
Make sure you know the law
Consult a lawyer
Opinions expressed are my own, not that of my employer
You have more leeway with a willing client (i.e. someone that is paying you to perform an assessment)
Be particularly aware of wiretap and intrusion laws

Security threats are pervasive and constantly evolving. Cybercriminals are becoming smarter, bolder and more ambitious. The IT landscape is constantly changing to accommodate mobility, cloud environments and the movement of massive amounts of data. It’s hard for customers to stay ahead of the game. So many factors play into a strong security strategy that it is hard to maintain control with so many moving parts. Security and risk are on everyone’s radar. From the retail customer to the healthcare provider to the CMO to the CSO, people are personally and professionally affected by how organizations approach security. If a company or organization doesn’t implement the right solutions and strategies to mitigate risk and protect information, the consequences can be devastating. | Security solutions

3 About The Speaker
Information Security Solutions Manager, CDW (previously Security Engineer)
Penetration testing
Incident response & forensics
Regulatory compliance
Past employment:
K-12 Technology Director (Holt Schools)
Instructor, Masters in Information Assurance, Walsh College
Consulting at Analysts International, Promethean Security
Industry certifications:
Certified Information Systems Security Professional (CISSP)
Certified Information Systems Auditor (CISA)
Licensed Private Investigator # (Michigan)

4 About The Speaker
Several terms on the board of the Michigan chapter of the High Technology Crime Investigation Association
Meets quarterly, usually in Troy
Composed of law enforcement and private industry
Focuses on:
Computer crime investigation
Forensics
Incident response
See

5 About The Speaker
M.S.U. English Major™

6 Agenda
Discuss areas of information security that might be of interest to private investigators
Hackers and Phreakers
“Social engineering”
IP Telephony (i.e. Voice over IP)
Text messaging (SMS)
Caller ID
GPS, phones and images
How I got ripped off
A few random things
“Stump the Chump” (time permitting)

7 Hackers, Phones and Social Engineering
“Hackers” have always been interested in ways to manipulate people and systems in order to achieve their ends
This has historically included telephones, harkening back to the “phone phreaking” days of free long distance phone calls, conference bridges and phone system hacking
A few interesting examples:
War Dialing – repeated phone calls with a computer and a modem to find other modems, fax machines and valid calling card codes
Blue Boxing / Red Boxing – using specific sounds to take control of a phone switch as an operator or make free long distance calls from a pay phone

8 Hackers, Phones and Social Engineering
A diverse kind of online culture
Black Hats, Grey Hats, White Hats, Toques
There are special events at infosec conferences like DefCon and Black Hat
Includes social engineering competitions (being given a target such as a specific company and having to extract sensitive information over the phone – pretexting)
Another popular conference feature is the “lockpick village” where you can practice your lock picking skills with increasingly difficult locks
I went to a lockpick village this year

9 SE-CTF
walmart/

10 Locks I picked when I got home…
So it turns out that many locks are easy to pick (if I can do it… anyone can)
This is what I was able to pick with 2 minutes of training and a cumulative hour or so of dinking around
The fire “safe” I keep my important documents in
The “Master” lock I previously used to lock my pelican case for transporting equipment

11 Telephone Social Engineering scams
Some are fairly obvious…
“Hello, I am calling from Microsoft Tech Support, we have detected a virus and need you to run some cleaner software for us”
Then there are the tricky ones…
Like the one that got me!
First indication of something odd was that for about the span of a day our telephones didn’t work
After they started working again we got some kind of automated AT&T message, didn’t think much of it

12 My own experience
A few days later, I am asked “did you just transfer all the money out of our savings account?”
Contacted credit union to inquire and was asked by a young clerk if I hadn’t recently authorized it, to which I said no, and was put on hold
Obtained a copy of the wire transfer, it is for an amount just below the account balance, wiring the money to what looks like a construction company in Illinois
The wire transfer had a copy of my signature from some source, but it was an old signature that I no longer use, at least 10 years old

13 My own experience
It turns out that the scammers had gotten AT&T to disconnect my phone line and connect it to them somehow
They then used a fax machine from my stolen “home phone” line to fax in the wire transfer (this number is what showed up on the fax machine’s caller ID)
The CU, as per procedure, called to verify the large amount
Unfortunately they verified it with the criminal that answered on my behalf
Filled out a police report. My losses were too small for federal investigators, the MSP refused to take a report, so I ended up working with my township

14 My own experience
Put extra security and passwords on Internet systems
Ended up being reimbursed through the CU’s insurance, but did not vigorously pursue law enforcement help due to the trail going cold
Consider the amount of funding, planning and research that had to go into that attack, not to mention the amount of employee time
The attack wouldn’t have been possible without telephone tomfoolery!
Quite likely the scammers were from another country entirely and just using the Chicago company as a shell
All made possible with the Power Of Telco!

15 Conventional Analog Telephone
More or less like two tin cans with a string between them, only with a lot more parts

16 Networks and Digital Connections
Transmits information (such as a recorded voice) across a network by breaking it into small chunks of data
These small chunks are put inside of network packets and transmitted
Packets are similar in function to envelopes with source and destination addresses (IP addresses).

17 Networks and Digital Connections
Many of you have simple home networks with a number of devices and an Internet router
Just as you can go to a website like Amazon.com, you can make telephone calls over the Internet

18 Voice Over IP
Wikipedia: “Voice over IP (VoIP) is a methodology and group of technologies for the delivery of voice communications and multimedia sessions over Internet Protocol (IP) networks, such as the Internet. Other terms commonly associated with VoIP are IP telephony, Internet telephony, broadband telephony, and broadband phone service”
Commercial examples:
Skype
Google Voice / Google Hangouts
(Every modern and expensive phone system)
Can work on a client-server basis, as well as tying together phone systems from different physical locations

19 Voice Over IP Stuff….

20 Cisco IP Phone
Issued to me by work for home office
Makes an encrypted VPN connection to CDW’s corporate office and connects to a voice gateway
Works more or less as if I were in an office – rings when called, voicemail, etc.
Gives me a (847) number

21 The ObiHai
A gateway that allows you to plug in a regular landline phone for VoIP
Supports different services – I use Google Voice / Google Hangouts to get a number with a 248 area code
Pretty much a free landline, thanks to Google!

22 Caller ID Spoofing
Caller ID can be controlled by the system making the outgoing phone call, thus can be faked
This is a problem for 911 services if they can’t find a physical location for you (same as a cell phone)
Services also exist to allow you to spoof a caller ID, record the call, change your voice, etc.
Under the Truth in Caller ID Act, FCC rules:
Prohibit any person or entity from transmitting misleading or inaccurate caller ID information with the intent to defraud, cause harm, or wrongfully obtain anything of value.
Subject violators to a penalty of up to $10,000 for each violation of the rules.
Exempt authorized activities by law enforcement agencies and situations where courts have authorized caller ID manipulation to occur.

23 Caller ID Spoofing
Call the IT helpdesk for a password reset, impersonating an employee’s short extension number or other pretexting
“Swatting”
Accessing a cell phone voice mail system by changing your number to that of the victim’s number
Text (SMS) message can also be spoofed
All of this traffic can be routed through virtual private networks and proxy servers to appear to originate from anywhere (both in terms of IP addresses and in terms of phone numbers)
In other words – never trust what your phone tells you!

24 Verizon Wireless Plus
A feature from Verizon that lets you get your text messages on a different device such as a tablet or PC
To configure it, you download the Message Plus software and tell it what your cell phone number is
Verizon sends the cell phone a text message containing an authorization code
Once connected, all future text messages will be downloaded on this device
This includes pictures and multimedia files
Will likely also grab historical SMS data such as old text messages within N number of days
Configure it… delete the text message… text message bug!

25 EXIF Location Data in Photos
Depending on how a smart phone is configured, it may embed extra information into pictures that are taken on it
Most notable is that it may include GPS coordinates for the place at which the picture was taken
Thus it may be possible to place a phone (possibly a person) at a specific place
Of course, in some cases (ahem.. Corporate cell phone) the GPS *has* to stay on so the phone can be tracked if they want to. Pictures may be the least of your worries
Not the greatest privacy feature, but great if you tend to get lost really easily I suppose
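
An added example, not part of the original presentation: a standard-library Python check that reports whether a JPEG still carries EXIF GPS coordinates and removes the Exif segment before the photo is shared. The function names, the skeletal sample image and its coordinates are constructed for this illustration.

```python
import struct

GPS_IFD_POINTER = 0x8825                      # IFD0 tag that points at the GPS IFD
LAT_REF, LAT, LON_REF, LON = 1, 2, 3, 4       # tags inside the GPS IFD
EXIF_ID = b"Exif\x00\x00"

def metadata_segments(jpeg):
    """Yield (marker, start, end) for each segment ahead of the image data."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] not in (0xDA, 0xD9):
        (seg_len,) = struct.unpack_from(">H", jpeg, pos + 2)   # length counts itself
        yield jpeg[pos + 1], pos, pos + 2 + seg_len
        pos += 2 + seg_len

def is_exif(jpeg, marker, start):
    return marker == 0xE1 and jpeg[start + 4:start + 10] == EXIF_ID

def find_exif_tiff(jpeg):
    """Return the TIFF structure inside the APP1/Exif segment, or None."""
    for marker, start, end in metadata_segments(jpeg):
        if is_exif(jpeg, marker, start):
            return jpeg[start + 10:end]
    return None

def read_ifd(tiff, offset, endian):
    """Map tag -> (type, count, raw 4-byte value field) for one IFD."""
    (n,) = struct.unpack_from(endian + "H", tiff, offset)
    entries = {}
    for i in range(n):
        tag, typ, count, raw = struct.unpack_from(endian + "HHI4s", tiff, offset + 2 + 12 * i)
        entries[tag] = (typ, count, raw)
    return entries

def read_degrees(tiff, entry, endian):
    """Convert a 3-RATIONAL degrees/minutes/seconds value to decimal degrees."""
    typ, count, raw = entry
    if typ != 5 or count != 3:
        raise ValueError("GPS coordinate is not three RATIONALs")
    (off,) = struct.unpack(endian + "I", raw)
    v = struct.unpack_from(endian + "6I", tiff, off)
    d, m, s = (v[i] / v[i + 1] if v[i + 1] else 0.0 for i in (0, 2, 4))
    return d + m / 60 + s / 3600

def gps_coordinates(jpeg):
    """Return (lat, lon) in signed decimal degrees, or None if no GPS data."""
    tiff = find_exif_tiff(jpeg)
    if tiff is None:
        return None
    endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if endian is None or struct.unpack_from(endian + "H", tiff, 2)[0] != 42:
        raise ValueError("bad TIFF header")
    (ifd0_off,) = struct.unpack_from(endian + "I", tiff, 4)
    ifd0 = read_ifd(tiff, ifd0_off, endian)
    if GPS_IFD_POINTER not in ifd0:
        return None
    (gps_off,) = struct.unpack(endian + "I", ifd0[GPS_IFD_POINTER][2])
    gps = read_ifd(tiff, gps_off, endian)
    if LAT not in gps or LON not in gps:
        return None
    # South latitudes and west longitudes are stored unsigned with a ref letter.
    sign = lambda ref_tag, neg: -1 if gps.get(ref_tag, (0, 0, b""))[2][:1] == neg else 1
    lat = sign(LAT_REF, b"S") * read_degrees(tiff, gps[LAT], endian)
    lon = sign(LON_REF, b"W") * read_degrees(tiff, gps[LON], endian)
    return round(lat, 6), round(lon, 6)

def strip_exif(jpeg):
    """Return a copy of the JPEG with every APP1/Exif segment removed."""
    out = bytearray(jpeg)
    for marker, start, end in reversed(list(metadata_segments(jpeg))):
        if is_exif(jpeg, marker, start):
            del out[start:end]
    return bytes(out)

def build_sample_jpeg():
    """Constructed input: skeletal JPEG (no decodable image) with a GPS IFD."""
    def dms(d, m, s100):                       # seconds stored as hundredths
        return struct.pack("<6I", d, 1, m, 1, s100, 100)
    tiff = b"II" + struct.pack("<HI", 42, 8)                      # header, IFD0 at 8
    tiff += struct.pack("<HHHIII", 1, GPS_IFD_POINTER, 4, 1, 26, 0)   # IFD0 -> GPS IFD at 26
    tiff += struct.pack("<H", 4)                                  # GPS IFD: four entries
    tiff += struct.pack("<HHI4s", LAT_REF, 2, 2, b"N\x00\x00\x00")
    tiff += struct.pack("<HHII", LAT, 5, 3, 80)                   # latitude data at 80
    tiff += struct.pack("<HHI4s", LON_REF, 2, 2, b"W\x00\x00\x00")
    tiff += struct.pack("<HHII", LON, 5, 3, 104)                  # longitude data at 104
    tiff += struct.pack("<I", 0) + dms(42, 30, 3600) + dms(83, 15, 1800)  # made-up position
    payload = EXIF_ID + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload
    return b"\xff\xd8" + app1 + b"\xff\xda\x00\x02\xff\xd9"

if __name__ == "__main__":
    photo = build_sample_jpeg()
    print(gps_coordinates(photo), gps_coordinates(strip_exif(photo)))
```

Stripping the whole Exif segment also discards camera model and timestamp fields, which is usually what you want before publishing a photo.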

26 Echosec.net
A web service that tracks social media posts and displays them based on the location that they were posted from
Used to have a great deal more information in the free version
Select a date range and then highlight a box over the area you want information on (Detroit below)

27 Echosec.net
Humanity...

28 Q&A / Additional Demo
????

