Synopsis
Design a Proof of Concept demonstrating that information can not only be leaked but can also be influenced to leak, without raising any suspicion, via social networking sites by making use of profile hijacking and a bot persuasion attack. To verify it we will use a modified version of the Turing test at a basic conversation level.
Businesses spend a significant portion of their annual information technology budgets on high-tech computer security. But the firewalls, vaults, bunkers, locks and biometrics those dollars buy can be pierced by attackers targeting untrained, uninformed or unmonitored users. Humans are the weakest link in any security system, according to KL-based organizers of the Hackers Halted Asia Pacific 2009 conference.
The chief minister of Malacca, Datuk Seri Haji Mohd Ali Bin Mohd Rustam, said there is no perfect system in the world. "Even if you have the best security devices and software--your organization still relies on humans--who are the weakest link in any security system. Public education and awareness is essential."
The Data Security Breach Statistics of 2008 shown above reveal that the malicious insider and the careless/untrained insider are a bigger threat than an outside cracker.
Also, in the age of Social Networking Sites like Facebook, Twitter, LinkedIn and Google+, information about a company's internal hierarchy, its employees and their personal details is readily available online for the information gathering phase of a breach of the company's security perimeter through various social engineering methods: phishing links, Trojans, backdoors, password guessing, breaking security questions, etc.
Is it possible to break into the circle of “friends” network on social networking sites and make them reveal certain information about them which can be used further to infiltrate the security perimeter of a company?
Our project is designed to answer this question and to provide a Proof of Concept that yes, it can be done, and without raising any suspicion on the target's side for a long time.
Some of the best tools for fighting social engineering attacks are security awareness training and social engineering testing. The effectiveness of these controls will vary based on the quality of their implementation, including follow-up and retraining.
Social engineering testing, by its very nature, can be difficult to conduct without third-party assistance. One option is to engage an information security organisation to conduct testing. The testing can uncover areas in which an organisation is most vulnerable so that risk can be assessed and mitigation strategies can be formulated and implemented.
While prices vary, hiring an outside firm to conduct social engineering testing typically costs between $10,000 and $15,000. Rolling social engineering testing into a larger security penetration engagement can reduce the cost of the social engineering component, says Jim Patterson, director of consulting for Rapid7.
The main application of this project is a tool that aids in social engineering testing of a company's employees. It also serves as a live demonstration for employees under training of how social engineering is done and how, by being cautious, one can prevent serious damage not only to the company but also to their private life.
In this project we will use two main concepts:
- Profile Hijacking: we impersonate the target(s)' profile on Social Networking Sites like Facebook and use that identity to infiltrate the network of the other target's friends and fit into the group. Profile Hijacking matters because it lets us use the targets to reveal certain information without their knowledge.
- Using humans as botnets to do the job of Artificial Intelligence: we studied many AI based Chat Bots available on the web and found that using Chat Bots to chat with humans for a Social Engineering Attack is not feasible, as humans detect that the other "person" is not a human but a program, and hence the attack fails even before it is launched. Since developing a fully convincing AI based Chat Bot is not possible within the scope, we will use another human to do the talking with our target while we sit in between, watch, and steer the conversation towards one that would reveal the information we are interested in.
Following is an example.
Let's say we have two marks (targets): Alice (Human), aliceHuman, and Bob (Human), bobHuman.
We make two profiles, both run by bots. The key point is that the bots hijack the profiles of the marks, namely Alice and Bob.
So aliceBot's profile is similar to aliceHuman's profile and bobBot's profile is similar to bobHuman's profile. aliceBot sends a friend request to bobHuman; bobBot sends a friend request to aliceHuman. So now aliceHuman is a friend of bobBot and bobHuman is a friend of aliceBot. Also, bobBot and aliceBot can exchange information with each other outside of Facebook.
So now let's say bobHuman and aliceHuman are online. Our bots start the conversation. Whatever one human passes to a bot is passed on to the other bot and in turn to the other human, i.e. the two humans are having a conversation through the two bots, but each thinks they are talking directly to a human, since the conversation sounds like a human (which it is).
After some amount of bonding between them, our bots start modifying the conversation...
aliceHuman -> bobBot : "Hey how was the movie yesterday?"
bobBot -> aliceBot : "Hey how was the movie yesterday? and hey btw whats your fav color?"
aliceBot -> bobHuman : "Hey how was the movie yesterday? and hey btw whats your fav color?"
bobHuman -> aliceBot : "movie was great, and its blue btw, whats yours?"
aliceBot -> bobBot : "movie was great, you know my fav color is blue, what is yours?"
bobBot -> aliceHuman : "movie was great, you know my fav color is blue, what is yours?"
aliceHuman -> bobBot : "mine is pink :)"
bobBot -> aliceBot : "mine is pink :)"
aliceBot -> bobHuman : "mine is pink :)"
Notice how the conversation has been altered: neither human actually asked the other about their favorite color, yet both of them told us theirs. We got hold of information from two marks without raising suspicion.
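The exchange above, replayed as an added in-memory model that is not part of the original project (the project targets Python 2.x; this runs on Python 3 and touches no social-network API): the relay appends or rewrites turns exactly as in the transcript, `altered_turns` shows what comparing both endpoints' logs reveals, and `tampering_detected` shows an out-of-band shared-key check, an assumed mitigation the page does not describe.

```python
import hashlib
import hmac

def relay(text, edit=None):
    """The hijacked-profile pair acts as a single relay between two real people:
    each message is forwarded verbatim unless the operator supplies an edit."""
    return text if edit is None else edit(text)

def run_exchange():
    """Replay the page's Alice/Bob exchange through the relay. Returns a list of
    (sender, receiver, text_sent, text_delivered) tuples."""
    transcript = []
    # Turn 1: aliceHuman -> bobBot -> aliceBot -> bobHuman; a question is appended.
    sent = "Hey how was the movie yesterday?"
    transcript.append(("aliceHuman", "bobHuman", sent,
                       relay(sent, lambda t: t + " and hey btw whats your fav color?")))
    # Turn 2: bobHuman -> aliceBot -> bobBot -> aliceHuman; the answer is rewritten
    # so the favourite-colour question reads as if Alice had asked it.
    sent = "movie was great, and its blue btw, whats yours?"
    rewritten = "movie was great, you know my fav color is blue, what is yours?"
    transcript.append(("bobHuman", "aliceHuman", sent, relay(sent, lambda t: rewritten)))
    # Turn 3: forwarded unchanged.
    sent = "mine is pink :)"
    transcript.append(("aliceHuman", "bobHuman", sent, relay(sent)))
    return transcript

def altered_turns(transcript):
    """Detection when both endpoints' logs are available: every turn whose
    delivered text differs from what the sender typed is a relay modification."""
    return [t for t in transcript if t[2] != t[3]]

# Mitigation not on the page (assumption): if the two real people share a secret
# out of band, a MAC over each message lets the receiver reject altered text even
# though the platform still shows it as coming from a "friend".
def sign(key, text):
    return hmac.new(key, text.encode("utf-8"), hashlib.sha256).hexdigest()

def tampering_detected(key, text_sent, text_delivered):
    """True when the delivered text fails the tag computed over the original."""
    tag = sign(key, text_sent)  # the tag travels with the message
    return not hmac.compare_digest(sign(key, text_delivered), tag)

if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed sample secret
    for sender, receiver, sent, delivered in run_exchange():
        flag = "ALTERED" if tampering_detected(key, sent, delivered) else "ok"
        print(f"{sender} -> {receiver}: {delivered!r} [{flag}]")
```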
- Standard Desktop Computer: 2 GB Ram, 80GB Hard Disk.
- Internet Connection.
- Operating System – Ubuntu 11.04
- Language – Python 2.x
- Honeybot, Your Man in the Middle for Automated Social Engineering; Tobias Lauinger, Veikko Pankakoski, Davide Balzarotti, Engin Kirda; EURECOM, Sophia-Antipolis, France. LEET '10: Proceedings of the 3rd USENIX Conference on Large-scale Exploits and Emergent Threats.
- All Your Contacts Are Belong to Us: Automated Identity Theft Attacks on Social Networks; Leyla Bilge, Thorsten Strufe, Davide Balzarotti, Engin Kirda; EURECOM, Sophia-Antipolis, France. WWW '09: Proceedings of the 18th International Conference on World Wide Web.
- Eight Friends Are Enough: Social Graph Approximation via Public Listings; Joseph Bonneau, Jonathan Anderson, Frank Stajano, Ross Anderson. SNS '09: Proceedings of the Second ACM EuroSys Workshop on Social Network Systems.
- Towards Automating Social Engineering Using Social Networking Sites; M. Huber, S. Kowalski, M. Nohlberg, S. Tjoa. CSE '09: International Conference on Computational Science and Engineering, 2009.
- Dirty Jobs: The Role of Freelance Labor in Web Service Abuse; Marti Motoyama, Damon McCoy, Kirill Levchenko, Stefan Savage, Geoffrey M. Voelker; Department of Computer Science and Engineering, University of California, San Diego.