Talk Notes: James Powell on How His Daughter Taught Him Social Engineering

James Powell is a senior software engineer at Cisco with a psychology degree. He has been fascinated with the mechanisms of social engineering and manipulation since a very young age. In this talk he compares and contrasts examples of how his daughter manipulates him into giving her chocolate and candy with examples of how companies, adversaries, and even pets manipulate victims.

You Are Always Being Manipulated.

Most of it is benign. This realization came from an unlikely source: his daughter. Children are amazing manipulators; they are goal-oriented and have the benefit of living somewhat outside of our societal moral/ethical framework. This extends to every moment in life. It all can be used as training because everybody is trying to use social engineering on you for better or worse.

The Good Guys?

These are your training partners and instructors. They will provide you the training while they try to get you to do good, or at least neutral, things, like give them candy or pet them.

  • Friends and Family
  • Pets
  • Corporations (sometimes)*

* James includes corporations here but really states they belong “on the fence”

The Bad Guys

These are people trying to find shortcuts and loopholes in your psychology to get you to do things you don’t want t

  • Scammers / Con Artists
  • Phishing, like the “whaling” attacks used against the DNC.
  • “Watering Hole” Attackers
  • Corporations (sometimes), by way of manipulative advertising

Attack One: Build Trust

This example social engineering begins by being cute and asking what seems to be a benign question.

His daughter asks “Papa, are you happy with me?” every day (building in repetition!) to which James will almost always reply, “Yes, of course!” His daughter says “Then I will have chocolate for dinner.”

Not a question. Just a statement and a conclusion. In the real world, this might look like the following:

This attempt is not so cute.

“Dan from IT” is a great name to build trust. Dan sounds like a perfectly believable name. “IT” sounds trustworthy. Dan might say he’s here to help and upgrade security patches on your system. You might tell “Dan” that you already upgraded and he’d say “Great job!” to give you good feels, and then say “Just log into this website to verify.”

Defense 1: Be Cautious

This sounds like blanket advice but reminding yourself consciously of it will train you to take it as an active step. Be cautious. Slow down. Think about the situation you’re in. You’ve never logged into a website to verify your updates before, have you?

Defense 2: Trust but Verify

Just like James would ask his wife if it’s OK for his daughter to have candy for dinner, you should check with somebody else if you need to verify your updates via a website. Of course, they will tell you “you shouldn’t have to ask.” Ask anyway.

Attack Two: Developing Reciprocity

It’s only a matter of seconds before she asks for candy. You’ll see.

When people do something for you, it creates an imbalance and pressure for you to do something else in return. Reciprocity is the act of restoring this balance. This all holds true for children as well as adversaries.

James’ daughter will “clean,” reinforce by saying “look how clean I made it!” and then she will finally ask “Can I have candy?”

Defense One: Ask Yourself: “Do I Know This Person?”

Do you know them? In real life? How well do you know them? What are their motivations? Why should you trust what they’re giving you?

Defense Two: Beware More Give Than Take

Infomercials are superb examples of manipulation via “more give than take” with this one simple phrase.

From there, ask whether this situation is more give than take. If so, be even more cautious.

Attack Three: Create a Sense of Urgency

The infomercial above might end with a phrase like “you won’t find a better deal than this!” This may be true, but the function of such a claim is to create urgency. Bringing this back to James’ daughter, it might look a little more like this:

Creating a sense of urgency gets people to panic and respond because they want the alarm to stop. James tells a story of his daughter crying in public. When he rushes to her aid, first she consoles HIM, and then starts asking for things vaguely. “Can you get it for me?” While he’s still panicked, she can get candy, toys, chocolate, whatever.

In the “cyber” world, creating urgency might look more like this:

Lesson 1: Follow a Process

Do you have one? If not, start there by making one. Got it? Good.

Lesson 2: Remember Lesson 1

Seriously, all it takes is one person making one stupid mistake to bring everything crashing down.

Rules of Thumb against Social Engineering

Train Like You Fight

Bringing the talk full circle, remember the assertion at the beginning: Every moment in life is an opportunity to train yourself against social engineering. Luckily, most of life is a low-risk environment.

Reward Your Training Partners

In James’ case – if she successfully tricks him, she gets a piece of candy. All it takes for her to win is if he moves before he thinks – not even following through on fulfilling the request. The exception here is advertising and marketing. They’re already getting paid 😉

James ends the talk by reminding the audience that they are physically in the city of Las Vegas –  “one of the most well-oiled machines to get you to do things.” They’re also at DEF CON. The perfect training ground.

JusticeBeaver on Discovering and Triangulating Rogue Cell Towers

JusticeBeaver (Eric Escobar) is a security engineer at Barracuda Networks. He started as a civil engineer and moved to all things wireless networking. In this talk he discusses how to detect and locate a rogue cell tower, or IMSI catcher.

What is a Rogue Cell Tower?

A rogue cell tower is a device that allows somebody, usually an authority of some sort, to do an “evil twin” attack on your phone by posing as a cell tower. They are also known as IMSI catchers or cell-site simulators, or by the brand name Stingray. According to the ACLU, 66 agencies and 24 states own Stingrays. They are also used abroad.

These devices allow the operator to collect metadata from phones, but in some cases they can also downgrade your connection and, by doing so, get your calls, SMS, and data.

IMSI stands for International Mobile Subscriber Identity and it is a unique identifier for your phone

Why You Should Care?

These devices are extremely invasive. They are essentially one big net that can capture you, as a small fish.  Your phone connects automatically to the device with the strongest signal. All transmitted data is suspect – even TFA keys sent through SMS.

How Do You Detect an IMSI Catcher?

Cell towers broadcast data about themselves, and the values should remain constant. By comparing incoming data against a baseline over time, you can detect deviations. A deviation could be as simple as work being done on the network, or it could be an IMSI catcher.

Examples:

  • A new cell tower
  • Country code mismatch
  • Mobile network code mismatch
  • Frequency mismatch
  • Location area code mismatch
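
The baseline comparison described above, as an added example that is not code from the talk. The record layout, function names, the `min_sightings` threshold and the sample values (test-network codes 1/1) are all assumptions made for illustration.

```python
from collections import Counter

# Broadcast fields to compare, in the order of the list above (names are this example's own).
FIELDS = {"mcc": "country code", "mnc": "mobile network code",
          "arfcn": "frequency", "lac": "location area code"}

def tower_obs(cell_id, mcc=1, mnc=1, arfcn=128, lac=5012):
    """Build one constructed observation record."""
    return {"cell_id": cell_id, "mcc": mcc, "mnc": mnc, "arfcn": arfcn, "lac": lac}

def build_baseline(observations, min_sightings=3):
    """Learn each cell's usual broadcast values from a survey period."""
    seen = {}
    for obs in observations:
        key = tuple(obs[f] for f in FIELDS)
        seen.setdefault(obs["cell_id"], Counter())[key] += 1
    baseline = {}
    for cell_id, counts in seen.items():
        values, n = counts.most_common(1)[0]
        if n >= min_sightings:  # towers glimpsed once or twice are not trusted yet
            baseline[cell_id] = dict(zip(FIELDS, values))
    return baseline

def deviations(baseline, obs):
    """Return the list of deviations for one new observation."""
    known = baseline.get(obs["cell_id"])
    if known is None:
        return ["new cell tower"]
    return [f"{label} mismatch: expected {known[f]}, saw {obs[f]}"
            for f, label in FIELDS.items() if obs[f] != known[f]]

# Constructed survey: cell 1001 seen three times, cell 1002 seen once.
SURVEY = [tower_obs(1001)] * 3 + [tower_obs(1002, arfcn=130)]

if __name__ == "__main__":
    base = build_baseline(SURVEY)
    for o in (tower_obs(1001), tower_obs(1001, lac=9999), tower_obs(7777)):
        print(o["cell_id"], deviations(base, o) or "matches baseline")
```

A deviation is a prompt to look closer, not proof: as noted above, network maintenance produces the same signals.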

How Do You Locate a Tower?

Once you notice an anomalous tower, you might want to figure out what it is. The best way to do this is to combine all available cell tower data with receive power and location, using a single sensor that can be moved.

Some Math and free GIS software can give you some fancy maps to locate a potential IMSI catcher.

Trilateration vs Triangulation

These are similar concepts that are often confused. Essentially, triangulation is the practice of using the intersection of strongest-signal angles of three detectors to zero in on a location. Trilateration, on the other hand, uses indirect data like signal strength of at least three detectors to determine the location of a cell tower.
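
A sketch of the trilateration step for a single moved sensor, as an added example that is not from the talk. It assumes positions already projected to metres on a flat local grid and a log-distance path-loss model whose reference power `p0_dbm` and exponent `n` are illustrative values; the sample readings are constructed from a tower placed at (120, 80).

```python
import math

def rssi_to_distance(rssi_dbm, p0_dbm=-40.0, n=3.0):
    """Log-distance path loss: p0_dbm is the receive power at 1 m (assumed)."""
    return 10 ** ((p0_dbm - rssi_dbm) / (10.0 * n))

def distance_to_rssi(d_m, p0_dbm=-40.0, n=3.0):
    """Inverse of the model above, used only to construct sample readings."""
    return p0_dbm - 10.0 * n * math.log10(d_m)

def trilaterate(readings, p0_dbm=-40.0, n=3.0):
    """readings: [(x_m, y_m, rssi_dbm), ...] -> least-squares (x, y) of the tower."""
    if len(readings) < 3:
        raise ValueError("need at least three measurement positions")
    pts = [(x, y, rssi_to_distance(r, p0_dbm, n)) for x, y, r in readings]
    x0, y0, d0 = pts[0]
    # Subtracting the first circle equation from each other one gives a linear
    # row a*x + b*y = c; accumulate the 2x2 normal equations over all rows.
    saa = sab = sbb = sac = sbc = 0.0
    for x, y, d in pts[1:]:
        a = 2 * (x - x0)
        b = 2 * (y - y0)
        c = (x * x + y * y - d * d) - (x0 * x0 + y0 * y0 - d0 * d0)
        saa += a * a
        sab += a * b
        sbb += b * b
        sac += a * c
        sbc += b * c
    det = saa * sbb - sab * sab
    if abs(det) < 1e-9:  # all positions on one line: no unique 2-D fix
        raise ValueError("measurement positions are collinear")
    return ((sac * sbb - sbc * sab) / det, (saa * sbc - sab * sac) / det)

# Constructed sample: four sensor positions around a tower at (120, 80).
TOWER = (120.0, 80.0)
SAMPLE = [(x, y, distance_to_rssi(math.hypot(x - TOWER[0], y - TOWER[1])))
          for x, y in [(0, 0), (200, 0), (0, 200), (200, 200)]]

if __name__ == "__main__":
    print(trilaterate(SAMPLE))
```

Real receive power is noisy, so more measurement positions spread around the suspected area give a tighter estimate than the minimum of three.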

How to Build a Detector?

JusticeBeaver walks us through how to build a detector with $52 worth of parts:

Mega-hacked IMSI Catcher detector for $52
It’s a hack, but it works!

 

Getting Cell Tower Data: SIM 900 or Field Test Mode

The SIM 900 is an inexpensive device that gives you the broadcast data from the top 7 nearby towers. Engineering mode requires no SIM card, and it does not sniff data. You can also achieve this using Field Test Mode with your phones.

Typically, the SIM 900 will return data in this format, and the GPS will return data in this format. You can parse and store that in SQL or NoSQL, or whatever medium of your choice.

Beware the TV Tuner!

Depending on where you are, listening to raw GSM frames can be very illegal.

Once you Locate a Tower

You can send yourself a notification using Email, Twilio, or PushOver. If you get a notification, turn off your phone. Then you can start looking at the data.

Jake Kouns at DEF CON 24 on Cyber Attribution and the Arrest Tracker

In this talk, Jake Kouns debuts Arrest Tracker after he walks us through a few examples of why attribution is hard. He then examines the data from the site and shows us what we can learn from it.

If these Talk Notes are useful to you, become a patron!

Frequency and intensity of data breaches aren’t getting better. 2015 was the most breaches ever tracked, with 77% of attacks originating from outside of the organization. 2016 isn’t looking much better with the highest amount of records breached at 1.1 billion thus far. The most common question asked is: who is behind all of this?

“Attribution is Power”

Attribution can mean a number of things depending on context, but in the “cyber” world, researchers like Jake want to know a few key facts:

  1. Who did this?
  2. What the hell did you just do?
  3. Why?

Case Study: 2014 Sony Hack

There were two major viewpoints here: North Korea vs. A Sony Insider. Credible sources backed both viewpoints: Crowdstrike and the FBI blamed North Korea, whereas Norse, Marc Rogers, and Kim Zetter from Wired blamed an insider. Much argument ensued.

Somebody had to be wrong. But, if you’re wrong in cybersecurity, especially with such bold claims, can you still be trusted?

Case Studies: 2016 DNC Hack

Most people agree that Russia was involved, this time by looking at code style, use of Russian keyboard, and timezone / holiday analysis. “Would have been a very elaborate scheme if it were anybody else” – Fidelis. However, a new question was raised: was it an individual, or an organization / government pulling the strings?

Additionally, the first state sponsored “hack back” occurred when the NSA allegedly counter-hacked Russia. This is all to say: attribution matters.

Why Can’t We Seem to Get Attribution Right?

  • Top firms can’t agree
  • Can’t believe people who claim attacks
  • Typical detective / forensic work not possible
  • Easy to spoof attacks, and easy to embed other people’s work in your attacks to throw off trails
  • Lack of physicality that might otherwise provide clues

One Better Way: The Arrest Tracker

Arresttracker.com is a data gathering service founded by Lee Johnstone. It tracks not only arrests but any reported hacking-related incidents and raids. Fields include detailed legal and authority information, such as which court a case was tried in or whether a paid informant was involved.

Despite limitations with the data, the site collects a number of useful fields which improve statistical analysis and profiling, aka “The Face of a Hacker.” Cyber crime is undoubtedly on the rise based on time series data. Each incident tells a fairly compelling story.

What Does the Data Show?

  • Youngest Arrest: 12 years old
  • Oldest Arrest: 66 years old
  • Vast majority 18-35. Average of 27 years old
  • Almost all male (81%+)
  • US and UK top data, but this is arrest data.
  • Most that belong to a collective belong to Anonymous (of 58 known)
  • Most popular operations were OpPayBack and OpPayPal
  • Arrests are not inevitable. Average of 610 days between crime and arrest
  • Raids most likely to occur on Mondays, and in April
  • Longest jail time was 334 years
  • Average fine, $1M

So, what is the profile of a hacker?

From the slides:

Amalgamated data from Arrest Tracker of “The Face of the Hacker”

What’s Next for Arrest Tracker?

  • Data quality and quantity
  • Bug fixes / bug tracking
  • Ability to track complex issues based on individual profiles, specifically motivation
  • Integration with FBI’s Most Wanted
  • “Where are they now?”


Talk Notes: Karyn Benson on Examining the Internet’s Pollution

Garbage men have reported that people often throw away interesting and valuable items. This raises two questions. First, how do we define “trash” on the Internet, and what interesting and valuable things can be found there? Karyn Benson, who spent the last 4 years working on her Ph.D. in “internet trash,” otherwise known as Internet Background Radiation (IBR), answers these questions for us.

Note, this talk was so good and so relevant to cybersecurity that I decided to include it in the cybersecurity section of this site as well.


What is Internet “trash?”

Internet Background Radiation, or Internet Trash is simply unsolicited packets sent to your own IP addresses. This includes:

  1. Scanning packets. Crawlers and probes send lots of unsolicited packets. Bro.org has a working definition of what a scanner is.
  2. Backscatter. An attacker sends a packet forged as one of your IP addresses, and the victim responds to you.
  3. Misconfigurations. A host erroneously believes that the wrong machine is hosting a service.
  4. Bugs. Bugs such as byte order bugs that simply send packets to the wrong destination.
  5. Spoofed Traffic. Attackers mask their IP addresses to appear as if they’re coming from a different source.
  6. Unknown. Just plain weird traffic like TCP non-standard ports or encrypted UDP packets.
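
A rough first-pass sorter for the scanning, backscatter and unknown categories above, as an added example that is not from the talk. The packet record layout, the response-packet heuristic and the `scan_threshold` value are assumptions for illustration, not Bro's scanner definition or the researchers' method; the sample packets are constructed.

```python
from collections import defaultdict

# Packets that only make sense as replies to something the telescope never sent.
RESPONSE_TCP_FLAGS = ({"SYN", "ACK"}, {"RST"}, {"RST", "ACK"})
RESPONSE_ICMP_TYPES = {0, 3, 11}  # echo reply, destination unreachable, time exceeded

def is_backscatter(pkt):
    """True if the packet looks like a victim's reply to spoofed traffic."""
    if pkt["proto"] == "tcp":
        return set(pkt["flags"]) in RESPONSE_TCP_FLAGS
    if pkt["proto"] == "icmp":
        return pkt["icmp_type"] in RESPONSE_ICMP_TYPES
    return False

def classify_sources(packets, scan_threshold=3):
    """Label each source address as backscatter, scanning or unknown."""
    targets = defaultdict(set)
    labels = {}
    for pkt in packets:
        if is_backscatter(pkt):
            labels[pkt["src"]] = "backscatter"
        else:
            targets[pkt["src"]].add((pkt["dst"], pkt.get("dport")))
    for src, hit in targets.items():
        if src not in labels:
            # Many distinct unsolicited targets from one source suggests a scanner.
            labels[src] = "scanning" if len(hit) >= scan_threshold else "unknown"
    return labels

# Constructed telescope capture (documentation address ranges).
SAMPLE_PACKETS = [
    {"src": "198.51.100.7", "dst": f"192.0.2.{i}", "proto": "tcp",
     "flags": ["SYN"], "dport": 23} for i in (10, 11, 12)
] + [
    {"src": "203.0.113.9", "dst": "192.0.2.10", "proto": "tcp",
     "flags": ["SYN", "ACK"], "dport": 40321},
    {"src": "203.0.113.20", "dst": "192.0.2.11", "proto": "icmp", "icmp_type": 3},
    {"src": "198.51.100.99", "dst": "192.0.2.12", "proto": "udp", "dport": 39999},
]

if __name__ == "__main__":
    for src, label in sorted(classify_sources(SAMPLE_PACKETS).items()):
        print(src, label)
```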

How do we collect Internet Background Radiation

Researchers collect using “honeypots,” simply mock servers. You can configure your honeypot to respond like a normal host. You can also configure them not to respond at all and just collect one-way traffic. There are a number of specific ways to route incoming traffic internally that I won’t go into detail on here.

What Karyn and her team used was called a “Network Telescope,” which allowed all traffic in with no response, and stored all incoming packets for analysis. They collected a massive dataset from all over the world going back to 2008.

Interesting and valuable items found in Internet Background Radiation

Revisiting the earlier list:

  1. Scanner traffic correlates heavily to vulnerability announcements

    The early data show worm releases such as Conficker on TCP port 455. In fact, the historical data show heuristically a probable test run of Conficker from a province in China, months before the worm was discovered.  Later traffic moved to TCP port 23 (telnet), which may correlate to Internet-of-Things devices.

  2. Backscatter data show that name servers are vulnerable to DDoS

    An open resolver is a DNS server that resolves any DNS request, not just that of its own internal network. Spoofed traffic to Open Resolvers can be used to attack an authoritative NS (like, say, Dyn) with no response cost to the user. Amazingly, this talk was given in August, well before the Oct 21 Dyn attack.

  3. Misconfigurations, such as those caused by a BitTorrent Index Poisoning attack, can cause IBR.

    False hosts inside of a BitTorrent Distributed Hash Table can give incorrect locations for torrents, causing the internet background radiation on Benson’s network telescope. 95% of the malicious hosts were in China.

  4. Byte order bugs and careful packet inspection can reveal information.

    Using these techniques and coordination with UCSD, they were able to determine that many packets came from Qihoo, a popular Chinese security software package. Qihoo versions containing said bug sent traffic to incorrect hosts. Benson’s team notified them of the bug.

  5. By carefully inspecting the bytes of unknown packets, you can determine the source of traffic. Often times the source is a Botnet like Sality.

Conclusion

In addition to witnessing security related events, you can use techniques such as outage detection, DHCP lease duration analysis, and path change detection to further secure your systems.
