Security Technology Executive

SEP-OCT 2017


TECH TRENDS
By Ray Coulombe

My Crash Course in Hacking
How penetration testing education opened my eyes to the dangers of social engineering

Ray Coulombe is Founder and Managing Director of SecuritySpecifiers.com and RepsForSecurity.com. Ray can be reached at ray@SecuritySpecifiers.com, through LinkedIn at www.linkedin.com/in/raycoulombe or followed on Twitter @RayCoulombe.

In recent columns, I have written about the importance of being vigilant with e-mail attachments and web links you don't know, and the importance of making sure employees are educated in the threats that social engineering may pose. I think it is important for security professionals to be aware of the types of tools that they are up against. If the sheer number of attack vectors outlined below doesn't prompt you and your coworkers to be extra-vigilant about what is opened in an email or clicked on, it is only a matter of time before your organization is a victim.

Understanding and vigilance about social engineering attacks are the low hanging fruit in cybersecurity – on both sides of the ball. Social engineering is an approach where people are compromised via e-mail, telephone, infected USB stick or in person. It can render the best technical defenses useless as access can be cleverly gained to the most hardened network.

Spear-phishing attacks are a form of social engineering that use targeted email attacks using points of familiarity from public information, social media or other sources. A group of emails can be sent based on harvested information from lists or scans, or individuals can be directly targeted. The emails can send malicious files or links, and the sender's email address can be spoofed.

Among the suite of tools I have been exposed to is the Social-Engineer Toolkit (SET), or setoolkit, available as an open source download at www.

How I Went "Black Hat"

This summer, I had the chance to take a course in Penetration Testing, which is designed to teach you how to hack – so you know how to prevent getting hacked. One exercise we performed was to clone a website in order to set up a phony phishing site. Entering login credentials on the phony site allowed my listener site to capture the data – a technique known as Credential Harvesting. Using a Website Attack, we also demonstrated how to use the phony site to get a user to download and run a file – in this case a keylogger.

Other types of phishing-based website attacks are based on getting a victim to click on a web link. Using the Metasploit framework (see sidebar), a web server can be set up on the attacking machine to host various exploit payloads. Clicking the link directs the victim to this server, whereupon the payload – for example, a keylogger – is delivered.

A Java Applet attack will spoof a Java Certificate and deliver the payload, and techniques exist to digitally sign these certificates. The TabNabbing Method waits for a user to move to a different tab, then refreshes the page to something different. The Web Jacking attack method uses iframe replacements to make a highlighted URL link appear legitimate; however, when clicked, a window pops up and is replaced with the malicious link (iframe is the technique to display information from another web page within the current page and is commonly used in social media).

All of this occurs through the use of port 80 (http) on the attacking machine which is commonly allowed through firewalls. If a browser has not been fully patched, known exploits – many of which are found on Internet Explorer – can take advantage.

More Social Engineering Attack Vectors

Here are some of the other options the Social Engineer Toolkit provides a hacker to easily compromise a careless victim. Note that hackers may deploy multi-pronged attacks using multiple attack vectors.

• Infectious Media Generator: This USB/DVD creator develops a payload that, when placed on a USB port, will trigger an auto-run feature to compromise the system.
• Mass Mailer Attack: This allows multiple customized emails to be sent in a mass phishing attack.
• SMS Spoofing Attack: Allows the creation and sending of customized text messages. The SMS source can be spoofed and there is a choice of predefined or make-your-own templates.
• Wireless Access Point Attack Vector: Creates an access point from a wireless interface card on the attacking machine and leverages DNSSpoof to redirect a victim's browser requests to the attacker.

Continued on page 14
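A defender-side triage of two cues the column describes, a spoofed sender address and a link whose visible URL differs from its real destination, follows as an added example that is not from the article or from SET. The sample message, its domains and the triage helper are constructed for illustration, and the check assumes the Authentication-Results header was stamped by your own receiving mail server.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed sample message (not from the article); domains and IP are reserved example values.
SAMPLE = """\
Return-Path: <bounce@mailer.example.org>
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=mailer.example.org; dmarc=fail
From: "IT Help Desk" <helpdesk@example.com>
Reply-To: helpdesk@example-support.test
Content-Type: text/html; charset="us-ascii"

<p>Sign in at <a href="http://192.0.2.10/login">https://portal.example.com/login</a></p>
"""

class LinkCollector(HTMLParser):  # collects (href, visible text) for each <a> element
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        self._text.append(data)  # buffer is reset at every <a>, so it holds the anchor text
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def domain(value):  # domain part of an address header, "" when the header is absent
    return parseaddr(value or "")[1].rpartition("@")[2].lower()

def triage(raw):  # hypothetical helper: returns a list of findings for one raw message
    msg = message_from_string(raw)
    findings = [f"{h} domain differs from From: {domain(msg[h])}" for h in ("Return-Path", "Reply-To")
                if domain(msg[h]) not in ("", domain(msg["From"]))]
    findings += [f"{m.lower()}={r.lower()}" for m, r in re.findall(
        r"\b(spf|dkim|dmarc)=(\w+)", msg.get("Authentication-Results", ""), re.I)
                 if r.lower() != "pass"]  # trust only your own server's stamp
    collector = LinkCollector()
    for part in (p for p in msg.walk() if p.get_content_type() == "text/html"):
        collector.feed(part.get_payload(decode=True).decode("utf-8", "replace"))
    for href, text in collector.links:  # URL shown to the reader vs. where the click goes
        shown = re.match(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text, re.I)
        real = (urlparse(href).hostname or "").lower()
        if shown and shown.group(1).lower() != real:
            findings.append(f"link shows {shown.group(1).lower()} but goes to {real}")
    return findings
```

Calling triage(SAMPLE) returns five findings; a message whose addresses align, whose authentication results all pass and whose link text matches its destination returns an empty list.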
