Stt&crypto Research Paper.docx (uploaded by Prerna Bhajbhuje, August 2019; 4,699 words, 9 pages)
Human Based vs Computer Based Social Engineering
Prerna Bhajbhuje

Abstract
Most of us either know or have heard about social engineering, and have read how an attacker can use both the human mind and the computer system to capture useful information about organisations or individuals. This paper sets out recommendations on how to protect against attackers who use human-based and computer-based social engineering methods. Social engineering is a non-technical method of intrusion that relies heavily on human interaction and often involves tricking people into breaking normal security procedures. No hardware or software product protects an enterprise or individual against social engineering; it is essential that good practices be followed. A number of security tools, such as firewalls and intrusion detection systems, are now used to protect systems from attack; however, the human element is frequently the weakest link in the information security chain. In this paper we show that human psychological weaknesses are the main vulnerabilities exploited by social engineering attacks.
Keywords: Social Engineering, Human based, Computer based, Intrusion, Attacks, Data Privacy, Hacking Methods, Prevention.

Introduction
Data security and privacy matter for personal resources, corporate data and even state secrets, all of which face hacking threats across the world. People use a variety of digital devices, such as cell phones, laptops, tablets and desktops, connected by the Internet to communicate with each other and share data. Cyber threats exploit vulnerabilities in an organisation's security set-up to obtain valuable information, usually for financial gain. Cyber attacks can disrupt systems and expose information such as credit card numbers, passwords and proprietary documents, costing individuals and organisations anywhere from hundreds to billions of dollars. Sometimes cyber attacks are motivated by a personal dispute or revenge. The Internet is developing into a medium that goes well beyond web search: social networking, micro-blogging and similar next-generation services have gained prominence, and their users interact in real time in both directions. Human beings can be very easily manipulated into providing information or other details that may be useful to an attacker. "Malicious social engineers aren't necessarily very technical people but they're cunning and clever in the way they think," says the chief operating officer of Social Engineer [1]. Today most businesses and banks rely on technology such as the Internet and smartphones. They spend a great deal of money on security software and hardware, yet at the same time an unsuspecting employee can hand over all the information an attacker needs without the attacker ever having to break into the system. That is what social engineering is about: exploiting the human factor, the weakest factor in any institute or organisation. Humans are easier to hack than computer systems and networks. Most people are raised to be kind and helpful, which leads them to trust others by default, and the idea of bad people taking advantage of the good and honest does not sit well with most of them.

Social engineering is the art of manipulating people into performing actions or disclosing confidential information. The term typically applies to trickery or deception for the purpose of information gathering, fraud, identity theft or computer system access. Social engineering attacks that involve interpersonal interaction take place either through direct communication (in person or by telephone) or through electronic means (e-mail, electronic media and the Internet). Social engineering is the act of gaining unauthorised access to a system or to sensitive information, such as passwords, by building trust and relationships with those who have access to that information. A social engineer uses human psychology to exploit people for his or her own ends. The most common method of gaining unauthorised access to a company's network is simply to call specific personnel within the company and persuade them over the phone to give out information, using levers such as fear, impersonation and concern. Social engineering is a non-technical method of intrusion that relies heavily on human interaction and often involves tricking people into breaking normal security procedures. Social engineering attacks are harder to manage than technical ones because they depend on human behaviour and exploit vulnerable employees. Businesses today must combine technology solutions with user awareness to protect corporate data.

Classification

Human-based methods
In human-based social engineering the attacker interacts with the target in person or by voice and extracts the useful information directly from that contact. Several methods are used. An intruder might impersonate an employee and then try different approaches to gain access to important data, or give a false identity and ask for sensitive personally identifiable information. A well-known rule of social interaction is that a favour creates an obligation, even if the original favour is offered without any request from the recipient. This is known as reciprocation. Corporate environments run on reciprocation every day: employees help each other, expecting the same in return. Social engineers are skilled at taking advantage of this social trait through impersonation.

Pretence as a legitimate user:
Impersonation is taken to a higher level by assuming the identity of an important employee in order to add an element of intimidation. The reciprocation factor plays a very important role here: staff lower in the hierarchy help their seniors so that they can call in a favour later, which helps them in the corporate environment. Hence an attacker pretends to be an important individual such as a Vice President or a Director and can easily manipulate an employee by leveraging that assumed authority. An example clarifies the situation. A help desk employee is unlikely to turn down a request from a "director" who says he or she is in a hurry and needs an important document or piece of information for a meeting.

Pretence as technical support staff:
Another common technique is to pose as technical support staff. It works particularly well when the victim is not skilled in technical matters. The attacker may pretend to be a technician, a hardware vendor or a computer-related supplier when approaching the target. For example, an attacker called a company without giving any credentials and asked about Internet connectivity problems, checking whether the network was working well; the confused employee replied that the modem had been giving them trouble. From there the attacker can ask employees to reveal their login information, including the password, in order to sort out a non-existent problem.

Technical support example:
An attacker calls a corporate help desk and says he has forgotten his password. He sounds very anxious and adds that if he misses the deadline on an important project his boss might fire him. The help desk worker feels sorry for him and resets the password just to help, innocently giving the attacker authenticated entry into the company's network.

Human-based social engineering techniques
The following are some further human-based techniques:
• Eavesdropping: listening in on other people's conversations or reading their messages without authorisation. Eavesdropping covers interception of any form of communication: audio, video, written and so on.
• Shoulder surfing: watching over someone's shoulder as he or she enters information into a device. Identity thieves use shoulder surfing to learn passwords, personal identification numbers, account numbers and other information, either by standing close by or by watching from a distance through binoculars.
• Dumpster diving: searching for sensitive information in a company's trash bins, or on or under desks. From discarded material an attacker can collect:
  Phone bills
  Contact information
  Financial data
  Operations-related information
Dumpster diving example: a garbage collector picks up the dry waste from a company. It frequently contains employee lists with phone numbers, product information from the marketing department, the company's financial figures and similar material. This kind of information is more than enough for an attacker to launch a social engineering attack.
• In-person attack: attackers may visit a target site and survey it personally to gather important information. A great deal can be learned from desks, recycle bins, phone directories and nameplates. Attackers may disguise themselves as courier delivery staff or janitors, have been known to wait as visitors in the lobby, and can pose as businessmen, clients or technicians. Once inside they look for passwords stuck to monitors or important documents lying on desks, and may eavesdrop on confidential conversations.
• Tailgating: an unauthorised person closely follows an authorised person into a secured area; the authorised person is not aware of having let anyone in. For example, an unauthorised person wearing a fake ID badge enters a secured area simply by following an authorised person through a door that requires a key or other authentication.
• Piggybacking: an unauthorised person persuades an authorised person to let him or her into a secured area. For example, the unauthorised person pretends to have forgotten her ID badge that day, and the authorised person obligingly holds the door to the secured area open for her.

Computer-based social engineering
Consider the following real-life scenario of a computer-based social engineering incident at a large e-business enterprise. An employee was asked to send his photograph by e-mail. Since he did not have one at the time, he asked another person to send his snapshot. The JPEG attachment received from that party did not contain a photo: as soon as it was opened, the hard drive began to spin. Fortunately the employee was sophisticated enough to recognise the danger of a Trojan horse and immediately alerted the IT department, which cut the Internet connection. A Trojan horse is a piece of malware that appears to be a normal, harmless program but carries hidden malicious code. Later investigation revealed that the computer had been infected with SubSeven, a well-known backdoor. A backdoor is a means of bypassing the normal authentication on a system, potentially allowing it to be administered remotely. In the end the company rebuilt the computer, rolled back to the previous day from a backup tape, and stayed offline for three full days in total.

Computer-based social engineering uses software to obtain information. The following sections describe some of the techniques attackers use.

Pop-up windows
A window appears on the screen informing the user that he or she has lost the network connection and needs to re-enter the username and password. A program that the intruder installed earlier then e-mails the captured credentials to a remote site.

Mail attachments
This strategy uses attachments whose title is suggestive of a love affair. Two common forms exist. The first involves malicious code hidden inside a file attached to an e-mail message, in the expectation that an unsuspecting user opens the file and lets the code replicate. Examples are the "I Love You" and "Anna Kournikova" worms. The latter also shows how social engineers hide the real file extension behind a long file name: the attachment was named AnnaKournikova.jpg.vbs, and if the name is truncated by the mail client it looks like a JPEG image, so the user may never notice the .vbs extension. A more recent example is the Vote.A e-mail worm. The second, equally effective approach is a hoax e-mail asking users to delete legitimate files (usually system files such as jdbgmgr.exe). A related method is to clog e-mail systems by sending a false virus warning and asking targeted users to forward it to friends and acquaintances; such chain mail can be damaging to an organisation's e-mail system.

Web sites
Attackers can also use Web sites for social engineering, employing a ruse to get an unwitting user to disclose potentially sensitive data, such as the password used at work. One method is an advertisement offering free gifts or holiday trips that asks the respondent for a contact e-mail address and then asks him or her to create a password. That password is often similar to, if not the same as, the one the target uses at work. Many employees enter the same password they use at work, so the social engineer now holds a valid username and password for the organisation's network.

Instant messenger
Using this method an attacker chats with a targeted online user to gather personal details such as birth dates and maiden names, then uses the acquired data to break into the user's accounts.

Phishing
Phishing is a technique in which an attacker sends an e-mail or provides a link that falsely claims to come from a legitimate site, in an attempt to acquire the user's personal or account information. The same technique is used on Web pages.

Case Example

The Revenue department annually processes millions of tax returns, which are then converted into electronic records. The information in these records is protected by law and considered sensitive. Holding this type of information makes the Revenue department a target for computer hackers, individuals who attempt to gain unauthorised access to computers or computer networks. The department has made significant efforts to secure the perimeter of its computer network against external cyber threats. Because hackers cannot gain direct access to the department through its Internet gateways (a gateway is a node, typically a router, that sits between networks and through which traffic to or from other networks must pass), they are likely to seek other methods. One such method is social engineering: gaining information from people, often through deception, in order to learn about an organisation and its computer resources. One of the most common strategies is to convince employees of the organisation to reveal their passwords. To test its employees, the Revenue department, with the assistance of a contractor, conducted social engineering tests. A team designated for the purpose placed calls to 100 employees and asked them to change their passwords to a value the caller suggested. Of those employees called, 70 were willing to comply with the team's request.

The employees gave the following reasons for accepting the request:
• They were unaware of social engineering techniques or of the security requirement to protect their passwords.
• They wanted to help in any way they could once the callers identified themselves as IT help desk personnel.
• They were having network problems, so the call appeared legitimate.
• They questioned the caller's identity and could not find the (false) name the caller gave in the global e-mail address book, but changed their passwords anyway.
• They were cautious, but their managers gave them approval to assist the team.
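The two computer-based lures described earlier, an attachment whose name hides a script extension (AnnaKournikova.jpg.vbs) and a phishing link whose visible text names a legitimate site while its target is somewhere else, can both be caught mechanically at the mail gateway. The following Python is an added example written for this page, not code from the paper; the executable-extension list, the assumed 20-character display width, the crude registrable-domain reduction and the sample messages are illustrative assumptions.

```python
"""Flag deceptive attachment names and mismatched links in e-mail.

Added example for this page, not the paper's own code. The extension
lists, the assumed display width and the sample inputs are illustrative
assumptions rather than anything taken from the original text.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# File types Windows will execute directly or run as a script
# (assumption: a representative subset, not an exhaustive list).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "vbe",
                   "js", "jse", "wsf", "hta", "ps1", "lnk"}
# Extensions a user reads as "just a picture or document".
DECOY_EXTS = {"jpg", "jpeg", "png", "gif", "pdf", "doc", "docx", "txt"}
RTLO = "\u202e"  # Unicode right-to-left override: visually reverses the tail of a name


def attachment_warnings(name: str, display_width: int = 20) -> list[str]:
    """Return the reasons an attachment name looks deceptive (empty if none).

    display_width models a mail client that truncates long names in its
    attachment list, the trick that hid the .vbs on AnnaKournikova.jpg.vbs.
    """
    warnings = []
    if RTLO in name:
        warnings.append("contains Unicode right-to-left override")
    parts = name.lower().rsplit(".", 2)          # stem plus up to two extensions
    if len(parts) < 2 or parts[-1] not in EXECUTABLE_EXTS:
        return warnings
    real_ext = parts[-1]
    warnings.append(f"runs as .{real_ext}")
    if len(parts) == 3 and parts[1] in DECOY_EXTS:
        warnings.append(f"double extension: looks like .{parts[1]} but runs as .{real_ext}")
    if len(name) > display_width:
        warnings.append(f"truncates to {name[:display_width]!r}, hiding .{real_ext}")
    stem = name[: -(len(real_ext) + 1)]
    if stem != stem.rstrip():
        warnings.append("whitespace padding pushes the real extension out of view")
    return warnings


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.links = []        # list of (href, visible text)
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _registrable(host: str) -> str:
    """Crude registrable-domain reduction (last two labels). Enough for this
    comparison; a real gateway would use the public suffix list."""
    return ".".join(host.lower().split(".")[-2:])


def mismatched_links(html: str) -> list[tuple[str, str]]:
    """Return (host shown in the link text, host the href really targets)
    for every link whose visible text names a different site."""
    collector = _LinkCollector()
    collector.feed(html)
    hits = []
    for href, text in collector.links:
        shown = re.search(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", text.lower())
        if not shown:
            continue                      # "click here": nothing to compare
        target = href if "://" in href else "http://" + href
        real_host = urlparse(target).hostname or ""
        if real_host and _registrable(shown.group(1)) != _registrable(real_host):
            hits.append((shown.group(1), real_host))
    return hits


# Constructed sample messages (not taken from any real incident).
SAMPLE_ATTACHMENTS = ["AnnaKournikova.jpg.vbs", "holiday.jpg",
                      "invoice" + " " * 30 + ".exe"]
SAMPLE_BODY = (
    '<p>Your account is locked. Log in at '
    '<a href="http://examplebank.com.account-verify.example/login">'
    'www.examplebank.com</a> or visit '
    '<a href="https://www.examplebank.com/help">examplebank.com</a></p>'
)

if __name__ == "__main__":
    for n in SAMPLE_ATTACHMENTS:
        print(n, "->", attachment_warnings(n) or "ok")
    print(mismatched_links(SAMPLE_BODY))
```

The first sample link is flagged because the text says www.examplebank.com while the href lands on account-verify.example; the second is not, because text and target agree once reduced to the registrable domain. The attachment check deliberately reports every trick it finds rather than a single verdict, so an analyst sees why a file was held.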

Prevention
Several tools and techniques have been devised to prevent social engineering attacks, and using them makes an organisation less vulnerable [1]. According to Douglas Twitchell, three defences against social engineering are commonly suggested: education, training and awareness; policies; and enforcement through auditing.
• Employees and individuals can be educated through training and awareness programmes, which make them more reluctant to disclose information. In-depth security training of employees should be conducted; it reduces the risk of social engineering attack and makes the organisation less vulnerable.
• Policies should be written that instruct employees on the proper handling of company information, personnel information and user data.
• Audits must be conducted to ensure that employees are following the policies and procedures.
• Hard copies of organisational data, records or personal information must be destroyed before being discarded. Common effective methods include shredders and fireboxes.
• Employees and individuals should be trained to question the credentials of any caller who claims to hold a position of authority in the organisation.
• Organisations should be careful about what they post on their web site. Details such as the names of people in authority and their contact numbers should be left out.

The most important thing we can do to avoid becoming a victim is to be aware of common tricks like those described in this paper. Never give out confidential information, or even seemingly non-confidential information, about yourself or your company, whether over the phone, online or in person, unless you can first verify the identity of the person asking and that person's need to know. If you get a call from your credit card company saying your card has been compromised, say that you will call them back, and call the number printed on your card rather than speaking to whoever called you. Remember that a genuine IT department or financial services provider will never ask for your password or other confidential information over the phone. Make good use of your shredder and dispose of your digital data properly.

You can protect yourself from phishers, scammers and identity thieves, but there is only so much you can do if a service you use is compromised or someone manages to convince a company that they are you. You can, however, take some preventive measures yourself:
• Use different logins for each service and secure your passwords: use a different password for every service, and make sure your passwords are strong and complex so they are difficult to guess.
• Use two-factor authentication: this makes it harder for thieves to get into your account even if your username and password are compromised.
• Get creative with security questions: the additional security questions web sites ask you to fill in are supposed to be another line of defence, but the answers are often easily guessed or discoverable (e.g. where you were born).
• Use credit cards wisely: credit cards are the safest way to pay online (better than debit cards or online payment systems like Paytm and PhonePe) because of their strong consumer protections. If you use a debit card and an attacker obtains the number, your entire bank account could be drained. You can further secure a credit card by not storing its number on web sites and by using disposable or virtual card numbers.
• Frequently monitor your accounts and personal data: to catch both identity theft and credit card fraud, check your account balances and credit score regularly. Several services offer free identity theft monitoring, credit monitoring and alerts on questionable charges; you can even use Google Alerts as an identity theft watchdog.
• Remove your information from public information databases: search engines such as Google and Yahoo and people-search sites such as People Finders expose private information (such as address and date of birth) for all to see. Remove yourself from such lists where an opt-out is offered.
These steps will not prevent your account from being compromised if a service provider falls for a social engineering attack and hands your account over to the attacker, but they at least limit the possible damage and give you the assurance that you are doing as much as you can to protect yourself.

Since neither hardware nor software is available to protect an enterprise or individual against social engineering, good practices must be implemented. Some of those practices are:
• Require anyone who arrives to perform a service to show proper identification. Make certain that reception staff are trained to verify all service personnel and that procedures are in place for the receptionist to summon assistance quickly.
• Establish a standard that passwords are never to be spoken over the phone. When a user contacts the help desk for a password reset, the organisation should rely on a set of phrases or words known only to that user; the help desk can then reset the password to one of those words.
• Implement a standard that prevents passwords from being left lying about. Because employees now average around eight accounts and passwords (information technology employees average twenty), it is no longer realistic to forbid writing them down. The requirement should instead stress the classification of passwords and confidential information and require employees to treat them accordingly.
• Implement caller ID for the help desk and other support functions. Many facilities already use different ring tones for inter-office calls and calls that originate outside. Employees need to be trained not to forward outside calls; instead they should take down the caller's name and number and pass the message on to the proper person.
• Invest in shredders and have at least one shredder in every organisation, sized according to how much confidential information the office area produces. Eliminate confidential-information collection bins: require shredding, not storing.

Policies, procedures and standards are an important part of an overall anti-social-engineering campaign. To be effective, a policy:
• should not contain standards or directives that cannot be attained. When creating standards, work with the user community to establish what can be accomplished immediately. Once those actions have been implemented, reassess the process every six months and act accordingly.
• should stress what can be done and, as far as possible, avoid dwelling on what is not allowed. Spell out to employees what they can and should do.
• should be brief and to the point. Employees do not have a lot of spare time: tell them what is required and leave the justification to the security awareness programme.
• needs to be reviewed on a regular basis and kept current. Nothing lasts forever; as others have argued in their research, assess the process every six months and make adjustments as required.
• should be easily accessible to employees and available through the company intranet. Keep the user base informed, and use an internal web site to answer questions and give advice.

Employee education is the key
To be effective, policies, procedures and standards must be taught to employees and reinforced, in an ongoing process with no more than three months between reinforcements. It is not enough to publish policies and expect people to read, understand and implement what is required; they need to be taught what is important and how it helps them do their job. This training should begin at new-employee orientation and continue throughout employment, with a final reinforcement during the exit interview when a person leaves. Another way to keep employees informed and educated is a web page dedicated to security, updated regularly. Employees should also be taught to recognise the signs of a social engineering attempt, such as a caller who refuses to give contact information, rushes the process, drops names, uses intimidation, makes small mistakes, or requests forbidden information or access. As part of this training, reward a good catch: when an employee does the right thing, make sure he or she receives proper recognition. Train employees on whom to call if they suspect they are being social engineered. Apply technology where you can: consider call tracing if possible, or at least caller ID where available; restrict overseas long-distance service on most phones; and ensure that physical security for the building and sensitive areas is effective.

2016: United States Department of Justice
In 2016 the United States Department of Justice fell for a social engineering attack that resulted in the leak of personal details of 20,000 FBI and 9,000 DHS employees. The hacker claimed to have downloaded 200 GB of sensitive government files out of a terabyte of data to which he had access [6]. The attack began with the hacker gaining access to a DOJ employee's e-mail account by unknown means. He then tried to access a web portal that required an access code he did not have. Rather than give up, he called the department's number and, claiming to be a new employee, asked for help, whereupon he was given an access code to use. With this code and the stolen e-mail credentials he was able to enter the DOJ intranet, which gave him access to three different computers on the DOJ network as well as to databases containing military e-mails and credit card information. He leaked internal DOJ contact information as proof of the hack, but it is unknown what else he had access to and might have taken from the DOJ intranet.
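One of the practices recommended under Prevention above is that the help desk never accepts a password over the phone and resets one only after the caller proves knowledge of a phrase registered in advance; the Revenue department and DOJ cases show what happens when that check is missing. The Python below is an added example for this page, not the paper's code, showing how that control looks when implemented with a salted hash of the phrase, a constant-time comparison, a lockout after repeated failures and an audit trail. The class name, the policy values (three attempts, one-hour lockout, PBKDF2 round count) and the sample users are assumptions.

```python
"""Help-desk password reset gated on a pre-registered verification phrase.

Added example for this page, not the paper's own code. Policy values
(MAX_FAILURES, LOCK_SECONDS), PBKDF2 rounds and the sample users are
assumptions made for illustration.
"""
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional

PBKDF2_ROUNDS = 100_000   # slow hash so a stolen phrase table resists guessing
MAX_FAILURES = 3          # consecutive wrong phrases before the reset path locks
LOCK_SECONDS = 3600       # how long the lock lasts (assumed one hour)


def _normalise(phrase: str) -> str:
    """Fold case and spacing: the phrase is spoken over the phone, not typed."""
    return " ".join(phrase.lower().split())


class ResetDesk:
    """What the help-desk tool enforces: no spoken passwords, verified resets only."""

    def __init__(self):
        self._phrases = {}    # user -> (salt, pbkdf2 hash of the registered phrase)
        self._failures = {}   # user -> (consecutive failures, time of last failure)
        self.audit = []       # (event, user, detail) records for later review

    @staticmethod
    def _hash(phrase: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", _normalise(phrase).encode(), salt, PBKDF2_ROUNDS)

    def enrol(self, user: str, phrase: str) -> None:
        """Register the phrase at onboarding; only its salted hash is stored."""
        salt = os.urandom(16)
        self._phrases[user] = (salt, self._hash(phrase, salt))
        self.audit.append(("enrol", user, ""))

    def locked(self, user: str, now: Optional[float] = None) -> bool:
        count, last = self._failures.get(user, (0, 0.0))
        now = time.time() if now is None else now
        return count >= MAX_FAILURES and now - last < LOCK_SECONDS

    def request_reset(self, user: str, spoken_phrase: str, operator: str = "desk",
                      now: Optional[float] = None) -> Optional[str]:
        """Verify the caller and return a one-time temporary password, or None.

        The existing password is never requested or disclosed; the temporary
        one should go out of band (e.g. to the phone number on file, the same
        call-back rule the paper gives for credit card calls).
        """
        now = time.time() if now is None else now
        if user not in self._phrases:
            self.audit.append(("reset-denied", user, "not enrolled"))
            return None
        if self.locked(user, now):
            self.audit.append(("reset-denied", user, "locked"))
            return None
        salt, expected = self._phrases[user]
        # compare_digest avoids leaking how many leading bytes matched
        if hmac.compare_digest(self._hash(spoken_phrase, salt), expected):
            self._failures.pop(user, None)
            temp = secrets.token_urlsafe(12)
            self.audit.append(("reset-ok", user, f"by {operator}"))
            return temp
        count, _ = self._failures.get(user, (0, 0.0))
        self._failures[user] = (count + 1, now)
        self.audit.append(("reset-denied", user, f"wrong phrase, attempt {count + 1}"))
        return None


if __name__ == "__main__":
    desk = ResetDesk()
    desk.enrol("alice", "Blue Heron Lamp")       # constructed sample user
    print(desk.request_reset("alice", "blue heron  lamp", operator="op7"))
    print(desk.request_reset("alice", "the one I told you last week"))
    for event in desk.audit:
        print(event)
```

The point of the lockout is that the anxious "I'll lose my job" caller from the technical support example gets exactly three guesses and then a forced escalation, and the audit list gives the security team the record of who reset what and why, which is what was missing when the DOJ caller talked an operator out of an access code.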

RESULTS
A fundamental question is: how much privacy is enough? Social media companies have to balance users' need for privacy against the needs of law enforcement. Facebook, in its 2010 policy guide, states that falsifying profile information will lead to the user account being disabled; but checking the reliability of the profile information of several hundred million users is an impossible task. Craigslist allows its users to flag a posting into one of several categories if they choose to. While policies and practices have been defined in India, the U.S. and many other countries, this is not true globally, perhaps because of low Internet penetration, blocking of all or many social media sites, close government monitoring of Internet activity, and so on. With the growth of cellular networks, Internet access is becoming more prevalent and cheaper in many countries, so within a few years countries without well-defined social media security policies will have to revisit the issue to fill the policy gap. Even where people have participated in some form of training, many are still willing to share their passwords. Unfortunately, our other options for improving security are limited. Password strength can be improved through technical means and system requirements, but people are people and are often the weakest link in the security process.

CONCLUSION
Comparing human-based with computer-based social engineering, I consider the computer-based approach effective, but its yield depends on whatever personal information users have entered into systems, which is not always complete or up to date; with human-based social engineering, by contrast, an attacker can readily obtain exactly the information wanted from the user. In other words, it is very easy for a skilled attacker to gather information about an organisation simply by gaining the trust of, and being friendly with, its users. This technique of capturing information has been used for a long time but has only recently received attention. Previously, people and organisations were not much aware of these breach techniques or of the practices for securing information; today information security is a central concern of the corporate world. A key mechanism for combating social engineering must be the education of potential victims, to raise their awareness of the techniques and how to spot them. To protect against social engineering, employee and individual education, training and awareness are the key, and policies, procedures and standards are an important part of an overall anti-social-engineering campaign.

References
1. Kumar, A., Chaudhary, M. and Kumar, N., 2015. Social engineering threats and awareness: a survey. European Journal of Advances in Engineering and Technology, 2(11), pp. 15-19.
2. https://www.researchgate.net/publication/312020665_Social_Engineering_I-E_based_Model_of_Human_Weakness_for_Attack_and_Defense_Investigations
3. https://www.scirp.org/Journal/PaperInformation.aspx?PaperID=87360
4. Greitzer, F.L., Strozer, J.R., Cohen, S., Moore, A.P., Mundie, D. and Cowley, J., 2014. Analysis of unintentional insider threats deriving from social engineering exploits. In 2014 IEEE Security and Privacy Workshops, pp. 236-250. IEEE.
5. Janczewski, L.J. and Fu, L., 2010. Social engineering-based attacks: model and New Zealand perspective. In Proceedings of the International Multiconference on Computer Science and Information Technology, pp. 847-853. IEEE.
6. https://resources.infosecinstitute.com/the-top-ten-most-famous-social-engineering-attacks/#gref
