Social engineering (edit & TR subtitles - 'Halaskar)

  • 2 months ago
Social Engineering (Introduction)
English audio - Turkish subtitles

Category: Tech
Transcript
00:00 Humans are the weakest link in any security system, so if I'm a bad guy, why wouldn't
00:15 I go ahead and hack the human instead of trying to figure out some technically complex way
00:20 of breaking in.
00:21 Well, in fact, we call that social engineering, this hacking of humans, and it many times
00:27 relies on two different underlying motivations that we're going to exploit in human psychology,
00:32 and that is that people are largely driven by greed or the desire to get something or
00:39 they're motivated by fear, and in some of these cases we'll use both, but in some cases
00:46 only one or the other.
00:47 I'm going to take you through three different scenarios where we are going to compromise
00:52 credentials, we're going to compromise control of a system, and we're going to compromise
01:00 intellectual property of an organization.
01:03 Three different social engineering attacks.
01:05 Let's get into the details.
01:07 Okay, in our first scenario, we're going to compromise credentials, that is the user ID
01:12 and password you use to log into a system, and something that makes for a successful
01:18 human hack or social engineering attack is if you've done your homework in advance, that
01:23 is, you've gathered intelligence and done research on your victim.
01:28 So where would you do that?
01:29 Well, you might look at places like social media, Facebook, like LinkedIn, like Google,
01:36 and things like that to find out as much as you can about your intended victim.
01:40 In this example, we're going to do what's known as a spear phishing attack, where we're
01:44 going to send a phishing email, but it's very, very targeted because I've done this
01:48 intel, and that's why it's more successful, because the generic stuff people will kind
01:53 of ignore.
01:54 So I go to these sources, and out of that, I'm able to ascertain the organization that
01:59 my victim works for, their email address, I'm going to get the title that they have
02:06 within the organization, I might find out other things like who their administrative
02:12 assistant is, other things like that.
02:14 A lot of information is online, and it's all going to come in useful.
02:18 Now what I'm going to do from that is harvest some of that information and take advantage
02:22 of it.
02:23 So let's say our victim has had a laptop issued to them by the company that's really old,
02:29 and they're really looking forward to an upgrade.
02:31 So they're looking for, maybe not greed, but something they're hoping to get out of this.
02:37 They want a laptop upgrade.
02:39 So what I'm going to do is, if I'm the attacker, I'm going to craft an email to them, and in
02:45 the email, I'm going to send it to this information that I got, I'm going to make it from an address
02:53 based upon the organization's domain name, and I might even address it to their title
02:58 and so forth.
02:59 I'm going to put in here as a subject that it's for your new laptop.
03:07 And all you have to do is click on the link in here for some website.
03:12 Let's say this is the website, example.com, but notice I left the E out.
03:18 This is typosquatting.
03:20 This is where I get something that's close, and maybe no one notices the difference, but
03:23 it's close enough.
03:24 And I tell the victim, click on this link to log in and confirm your order.
03:30 And when they do that, they click on the link, and they end up at the hacker's website.
03:35 And there it asks for their user ID and their password, and click yes to confirm your order.
03:43 They enter the information.
03:45 They think they're getting a new laptop.
03:47 What in fact happened was, we just stole their user ID and password and added it to the hacker's
03:53 database, where then they can come back in and log in and exploit all kinds of information
03:58 from them.
03:59 Now, what could we have done to prevent this?
04:02 What would be a solution?
04:04 So you're going to find that there are some common solutions in these cases when we're
04:08 talking about social engineering.
04:12 In this case, one of the things that would have helped is if we could have blocked him
04:15 going to that website in the first place.
04:18 And a solution we have for that is a secure DNS.
04:22 And the capability I'm going to refer to is called Quad9.
04:26 Quad9 is a capability that's free.
04:28 All you have to do is change your DNS, that is your domain name setting, in your browser
04:32 or in your IP stack on your system, and set it to four nines.
04:38 9.9.9.9.
04:39 And when you do that, it has a blacklist and it looks for some of these known bad sites
04:44 and will keep you from going there in the first place.
04:46 So that could have prevented the person from getting there in the first place.
04:50 What's something else we could do?
04:52 Well, we really need to, if you think about this, this is an attack on the human, on their
04:56 psychology, on their mind.
04:58 So that's where we need to put a lot of our defenses.
05:01 We need to do better user education.
05:04 We need to let them know that this kind of scenario can happen so that they're expecting
05:08 it.
05:09 And ultimately, we've got to enforce these critical thinking skills.
05:15 Make people think, not just act.
05:18 In the first attack, we took advantage of the notion of greed or trying to offer them
05:22 something.
05:23 In this next one, we're going to go with fear.
05:25 And sometimes fear is an even more powerful motivator.
05:28 In this case, I'm going to ultimately try to get control over the user's system.
05:33 So the bad guy over here is going to again do his research, again gather the intel, find
05:42 out the person's phone number, the victim's phone number.
05:45 And here's our victim here.
05:48 And he's going to get all of this information.
05:49 The more he has on the individual, the more convincing he will be when he calls them up.
05:55 And that's what he's going to do next.
05:57 He's going to call the victim and say, I'm from a particular computer software company,
06:03 and we have detected that there is malware on your system.
06:07 And it's going to do great damage to you.
06:09 It's going to wipe out all your files.
06:10 It's going to do harm to generations yet unborn.
06:15 And this is the motivation.
06:16 And there's a sense of urgency that we also add to this.
06:20 Urgency with fear or greed becomes a multiplier.
06:23 So we want to put that urgency in if we're a social engineer.
06:27 So he's going to say, what I want you to do is I need you to go to your computer.
06:33 So here's the guy's computer.
06:36 And he's going to go in here.
06:39 And this guy is telling him, the attacker is telling the victim, you need to go download
06:43 special software.
06:45 I've got some software from your system.
06:47 Come over here to my site.
06:50 Download this free disinfection tool.
06:52 This will get rid of all your problems, and it won't cost you anything.
06:56 Life will get better for you.
06:57 He downloads the software and puts it on his system.
07:00 Now what happens is it turns out what he was downloading was not making things better.
07:05 It was making it worse.
07:06 In fact, what he downloaded is what we refer to as a RAT, a remote access Trojan.
07:13 Now the bad guy has complete control over this user's system.
07:17 They can log in to that system and do anything as if they were right on the system.
07:22 They can steal all of the information over there, all of the files, erase all of the
07:26 files, get into the email, all of this kind of stuff.
07:30 So very damaging, and in fact, this is a very, very common scenario a lot of people have
07:35 fallen for because of fear and because of the sense of urgency.
07:39 What could we do to prevent this?
07:41 Well, some of the things that would help, the same things I mentioned before.
07:44 If we had a way to block a bad site like this and we knew in advance, the secure DNS would
07:51 keep this user from accidentally downloading the bad software.
07:55 If we train the user, this is a scenario everyone should know about, and that's what we're doing
08:00 right now is making you aware of that, then they're less likely to fall for that.
08:04 It turns out software companies don't call you up and tell you you've got malware on
08:08 your system.
08:09 It doesn't happen.
08:10 If someone calls, hang up.
08:12 And the other thing is, again, develop those critical thinking skills.
08:16 We need people to question things and not just react, even if it seems like the sense
08:22 of urgency is trying to get us away from that.
08:25 It's trying to remove any thought that we put in and just get us to operate at the brainstem
08:31 level, sheer reaction.
08:33 And then another thing that we could add in here that might help is a technical measure
08:38 called multi-factor authentication.
08:41 Multi-factor authentication would make it so that not just entering a user ID and password
08:45 would get this guy into the system, but maybe it would require another form of authentication,
08:51 something that you have, something that you are.
08:53 Now, depending on the nature of the way this RAT works, that may or may not help, but it
08:58 certainly can help in preventing other types of attacks.
09:03 In our final scenario, we're going to really amp it up on the fear side and the urgency
09:08 side, and we're going to really use some technology to enhance all of that and make
09:13 it even seem more real.
09:15 In this case, what we're going to do is we're going to steal some corporate IP.
09:19 That's what we're after, intellectual property.
09:21 So how are we going to do that?
09:23 We're going to start off with our bad guy down here, and one of the things he's done
09:27 is, again, the intel phase.
09:29 He's gone out and searched all of this, but you know one of the things he found in all
09:33 of this was that this individual, our victim, is going to be presenting at a conference
09:39 or attending a conference that is at a specific date and time.
09:44 So he knows the person's going to be out of the office.
09:47 Another thing that this guy did in the meantime was he did some search on the web and found
09:52 an instance where there was a video of our victim doing a presentation at a conference,
10:00 similar type of event.
10:01 He's going to take that and feed it into a form of artificial intelligence, AI, known
10:07 as a deepfake generator.
10:10 The deepfake will take the information out of this video.
10:14 In this case, we're going to strip out the audio and train its language model so that
10:19 it can then produce an audio file that sounds like this individual, our victim.
10:26 It will sound almost exactly like them, to the extent that someone might not be able
10:30 to tell the difference.
10:32 With that, then we can put words in that person's mouth.
10:35 So I can type up text and say, run that through this particular voice simulator, and what
10:41 comes out will sound like that person said something that in fact they never said.
10:45 So there's the big setup.
10:47 Now what are we going to do?
10:48 What we're going to do is we're going to set this up so that we can make a call to
10:54 this individual's administrative assistant, which was also some information I got out
11:00 of intel.
11:01 I found out their phone number, and now I'm going to place a call, except the call I'm
11:04 going to place is going to go straight to their voicemail.
11:07 Now how would you do this?
11:08 Well, you could do it by calling after hours, or you could do it if you know when they normally
11:12 go to lunch, or there are actually tools you can use that will allow you to bypass the
11:18 ringing and have it go straight to voicemail.
11:21 Those tools already exist.
11:22 So what I'm going to do as the bad guy is generate this message, and I'm going to
11:27 have it go off and call this person's voicemail, and in the voicemail I'm going to put a very
11:33 urgent message.
11:34 I'm going to say, look, this is me, and whoever me is, and say, I'm at the conference, as
11:41 you know, and something really terrible happened.
11:44 I lost my phone.
11:46 That's why you see this call coming in from another number.
11:48 I had to borrow someone else's phone, but I'm in real trouble right now, and I need
11:53 your help.
11:54 I need you, since I also don't have my laptop with me, I need you to give me access to a
12:01 file, those sales figures, those product plans, whatever the intellectual property is that
12:07 the attacker is after.
12:08 I need you to send that to my personal email account, because if I don't get that within
12:14 the hour, I lose my job.
12:16 If I lose my job, guess what?
12:17 You lose your job, too.
12:19 So this is to save our jobs.
12:22 You've got to act on this right now.
12:24 Don't even stop to think.
12:25 That's the urgency, and in that message on the voicemail, I'm going to also tell them
12:31 the name of a personal email account, but it's going to be the hacker's email account.
12:37 It's not going to be the other person's.
12:39 This person, if they're sufficiently motivated and convinced, because it sounds like their
12:44 boss, they know the boss is at the conference, so this all sounds very plausible, and it
12:49 sounds plausible because this guy did his research.
12:54 And then, aided by some AI technology, is able to simulate the voice of the ultimate
12:59 victim, and this person then complies, sends the information, the confidential company
13:06 information, off to the bad guy, and now the information has been leaked.
13:10 This is not just hypothetical.
13:12 It actually happened.
13:13 There was a bank that lost $35 million where someone was exploiting this exact kind of
13:19 scenario and imitating the voice of an executive.
13:23 And what could we do to prevent this, because we're about solutions?
13:25 Well, in this case, the secure DNS wouldn't help because it wasn't a website we were going
13:30 to, but certainly user education would help.
13:33 People need to know just because you heard something doesn't mean it's necessarily real.
13:37 You have to have the critical thinking skills to verify this.
13:41 Maybe call the person back.
13:44 Verify through another means so that you know that, in fact, this story is true, and ultimately
13:48 be trained.
13:49 Under no circumstances, I don't care who is asking me to.
13:53 I'm not sending confidential information to a personal email account.
13:57 I don't care what their justification is, because that will get me fired for sure.
14:02 And so these are the kinds of technologies that can help.
14:05 In many cases, though, if you think about it, it's not just about technology.
14:09 It's about the user.
14:11 Unfortunately, no one has invented a firewall for a human mind.
14:15 If there was one, we could get it installed, and then all we'd have to do is update the
14:18 policy in everyone's head every time we found out about a new social engineering attack.
14:23 It's not that simple, obviously.
14:25 But hopefully you understand now a social engineering attack is really not so much an
14:29 attack on the system.
14:31 It's an attack on the individual, and human psychology has certain weaknesses to it.
14:36 So what do we need to do?
14:38 In some cases, we can use technological means in order to thwart the attack, but in most
14:43 cases it's going to be things like this, where we're getting into the human mind and
14:48 trying to train them against this, make them strong against what otherwise would be these
14:54 sort of vulnerabilities.
14:57 Thanks for watching.
15:13 Transcribed by https://otter.ai
