Engenharia Social: A Doce Arte de Hackear Mentes

Transcript of Engenharia Social: A Doce Arte de Hackear Mentes

ENGENHARIASOCIALA DOCE ARTE DE HACKEAR MENTES

Rafael Jaques@rafajaques

#FISL1328.07.2012

“Se algum de vocês tem falta desabedoria, peça-a a Deus, que a

todos dá livremente, de boavontade; e lhe será concedida.”

Tiago 1.5

Atenção!As informações contidas nesta apresentação são apenas de caráter informativo. O conhecimento e as técnicas abordadas não visam ensinar como enganar as pessoas ou obter qualquer tipo de vantagem sobre outrem.

O objetivo é apenas demonstrar os pontos fracos que existem nas corporações e sistemas para que seja possível sanar estas debilidades.

Antes de começar é necessário

saber algumas coisas...

SIM!

Vai falar de casos extremos?

SIM!

Vou sair daqui paranoico?

Não é a ideia...

Posso usar essas técnicas para o mal?

Todos prontos? Então vamos lá!

60%Admitem ter roubado

algum tipo de informação

ao sair do emprego.

2 10em cada

têm acesso às informações

após sair da empresa.

Safados!

PESSOAS

Hoje em dia os

e não mais sistemas.

ALVOSsão as

1. O que é Engenharia Social?

O que é Engenharia Social?

A hábil manipulação da

tendência humana

natural de confiar.

Mas por que atacar uma pessoa

e não um sistema?

Mas como atacar utilizando

Engenharia Social?

Conquistar a confiança do alvo

Fazer sentir-se seguro

Mesclar as perguntas

Sensação de dever cumprido

Quem usa Engenharia Social?

Mas por que Engenharia Social funciona?

Diante de uma larga frente de batalha,

procure o ponto mais fraco, e, ali,

ataque com a sua maior força.

Sun Tzu - A Arte da Guerra

E qual é o ponto mais fraco?

PESSOAS!

Pessoas tendem a acreditar

Pessoas querem ajudar

Pessoas são complacentes

... e impacientes também!

Engenheiros sociais são bons com emoções!

Algumas estatísticas da terra do Tio Sam...

Só no ano de 2009...

11 milhõesde pessoas foram vítimas

de roubo de identidade.

US$ 54 bilhões

O total de fraudes

movimentou aproximadamente

21 horas

As vítimas gastaram em média

resolvendo o crime!

U$373e

13%das fraudes de identidade

foram cometidas por alguém

que a vítima conhecia.

2. Características de um Engenheiro Social

Bem apresentável

Bom observador

Aproveita-se da inocência

Comunica-se bem

Usa bem a voz

Faz a vítima entregar o ouro voluntariamente

Kevin D. Mitnick

Vamos aprender um pouco com

a história dele!

Hackers 2:

Operation Takedown

http://youtu.be/nVPV5dzM0yY

Se ficar com vontade de assistir, tem o filme todo no YouTube!

http://youtu.be/nVPV5dzM0yY

3. Como se Manifesta a Engenharia Social?

E-mails

Telefone

Tem um Fuscagelo na frenteda tua casa?

Carta

Pessoalmente

4. Técnicas de Engenharia Social

Dumpster Diving

Shoulder Surfing

Impersonate

http://www.silicon.com/technology/hardware/2007/12/10/criminals-posing-as-police-burgle-verizon-data-centre-39169416/

Rush/No Authentication

Phone Phising

Data Collection

Phishing/SCAM

74%...dos SPAMs relatados em 2010

eram de produtos farmacêuticos.

VIAGRA!

Como identificar?

Se o link terminar em “.php”,

então é vírus. :P (brincadeira)

http://fidelidade.promocaoscielo.com

http://info.abril.com.br/noticias/seguranca/brasilieiros-sao-os-que-mais-sofrem-phishing-19042011-30.shl

A técnica do CD-R

Trecho demonstrando algumas

Hackers 2:

Operation Takedown

técnicas em ação!

5. Objetivos da Engenharia Social

Fugir de problemas

Ganhar dinheiro roubando ou vendendo dados da vítima

Espionagem industrial

Satisfação pessoal

Pura sacanagem

Fatores de Risco

6. Fatores de Risco

Você anota suas senhas?

Sempre as mesmas senhas?

Minha senha é 123!

Fala por telefone?

Deixa logado quando sai?

Ameaças Internas

7. Quer Ver o Quanto Você se Expõe?

Como você se comporta nas redes

sociais?

E no mundo real?

8. Engenharia Social e as Redes Sociais

Recheadas de dados

Não necessita de grandes habilidades

As informações são públicas

Autenticação falsa

Fácil influenciar

9. Aprenda a se Proteger!

Torne-se familiarcom as técnicas!

Eduque quem

está ao seu redor.

Formalize os procedimentos de acesso a dados.

AS7FRAQUEZASMORTAIS

by Cisco

1. Sex Appeal

2. Ganância

3. Vaidade

4. Confiança

5. Preguiça

6. Compaixão

7. Urgência

Mas e agora...

Onde aprendo mais?

Livros

Social Engineering Framework (en_US)http://www.social-engineer.org/framework/

Symantec Security Articles (en_US)http://www.symantec.com/connect/security/articles

Social Engineering Toolkit (pt_PT)http://ptcoresec.eu/SET.pdf

Sites

http://www.social-engineer.org/framework/

http://www.symantec.com/connect/security/articles

http://ptcoresec.eu/SET.pdf

Dúvidas?

Nem entendinada!

Obrigado!Rafael Jaques

rafa@php.net

phpit.com.br

@rafajaques

slideshare.net/rafajaques

Referências

+ Fontes consultadas

- PalestrasEntendendo a Engenharia Social : Daniel Marques : http://www.slideshare.net/danielcmarques/entendendo-a-engenharia-socialEngenharia Social : Marcelo Lau : http://www.slideshare.net/datasecurity1/engenharia-socialSocial Engineering - Exploiting the Human Weakness : Wasim Halani : http://www.slideshare.net/washal/social-engineeringcase-studySocial engineering & social networks : Sharon Conheady : http://www.slideshare.net/infosec10/social-engineering-social-networks-public-version

- Siteshttp://www.us-cert.gov/cas/tips/ST04-014.htmlhttp://www.cisco.com/web/about/security/intelligence/mysdn-social-engineering.htmlhttp://www.social-engineer.org/framework/Social_Engineers:_Disgruntled_Employees#Statisticshttp://www.fraudes.org/showpage1.asp?pg=7http://www.symantec.com/business/threatreport/topic.jsp?id=highlightshttp://www.massachusettsnoncompetelaw.com/http://en.wikipedia.org/wiki/Social_engineering_(security)http://www.spendonlife.com/blog/2010-identity-theft-statisticshttp://mashable.com/2011/01/20/black-hat-hacking-stats/http://www.consumerfraudreporting.org/internet_scam_statistics.htmhttp://informatica.terra.com.br/virusecia/spam/interna/0,,OI126626-EI2403,00.htmlhttp://press.pandasecurity.com/wp-content/uploads/2011/01/The-Cyber-Crime-Black-Market.pdfhttp://monografias.brasilescola.com/computacao/seguranca-informacao-vs-engenharia-social-como-se-proteger.htmhttp://www.iwar.org.uk/comsec/resources/sa-tools/Social-Engineering.pdfhttp://www.esha.be/fileadmin/esha_files/documents/SHERPA/Report_on_mechanism_of_social_engineering.pdfhttp://www.cisco.com/en/US/prod/vpndevc/annual_security_report.htmlhttp://www.securingthehuman.org/blog/2011/01/22/social-engineering-deadly-weaknesseshttp://info.abril.com.br/noticias/seguranca/brasilieiros-sao-os-que-mais-sofrem-phishing-19042011-30.shlhttp://www.infosectoday.com/Norwich/GI532/Social_Engineering.htmhttp://www.pcworld.com/article/182180/top_5_social_engineering_exploit_techniques.htmlhttp://info.abril.com.br/noticias/seguranca/brasilieiros-sao-os-que-mais-sofrem-phishing-19042011-30.shlhttp://www.symantec.com/connect/articles/social-engineering-fundamentals-part-i-hacker-tactics

http://www.slideshare.net/danielcmarques/entendendo-a-engenharia-social

http://www.slideshare.net/datasecurity1/engenharia-social

http://www.slideshare.net/washal/social-engineeringcase-study

http://www.slideshare.net/infosec10/social-engineering-social-networks-public-version

http://www.us-cert.gov/cas/tips/ST04-014.html

http://www.cisco.com/web/about/security/intelligence/mysdn-social-engineering.html

http://www.social-engineer.org/framework/Social_Engineers:_Disgruntled_Employees#Statistics

http://www.fraudes.org/showpage1.asp?pg=7

http://www.symantec.com/business/threatreport/topic.jsp?id=highlights

http://www.massachusettsnoncompetelaw.com

http://en.wikipedia.org/wiki/Social_engineering_(security

http://www.spendonlife.com/blog/2010-identity-theft-statistics

http://mashable.com/2011/01/20/black-hat-hacking-stats/

http://www.consumerfraudreporting.org/internet_scam_statistics.htm

http://informatica.terra.com.br/virusecia/spam/interna/0,,OI126626-EI2403,00.html

http://press.pandasecurity.com/wp-content/uploads/2011/01/The-Cyber-Crime-Black-Market.pdf

http://monografias.brasilescola.com/computacao/seguranca-informacao-vs-engenharia-social-como-se-proteger.htm

http://www.iwar.org.uk/comsec/resources/sa-tools/Social-Engineering.pdf

http://www.esha.be/fileadmin/esha_files/documents/SHERPA/Report_on_mechanism_of_social_engineering.pdf

http://www.cisco.com/en/US/prod/vpndevc/annual_security_report.html

http://www.securingthehuman.org/blog/2011/01/22/social-engineering-deadly-weaknesses

http://www.infosectoday.com/Norwich/GI532/Social_Engineering.htm

http://www.pcworld.com/article/182180/top_5_social_engineering_exploit_techniques.html

http://www.symantec.com/connect/articles/social-engineering-fundamentals-part-i-hacker-tactics

Mídias

Images:

Capa - Master of Puppets - http://www.flickr.com/photos/50417132@N00/2178362181Person Icon http://edge-img.datpiff.com/ma336d2d/DeeZee_Too_Be_Continued_-back-large.jpgCalling http://www.flickr.com/photos/37475356@N00/5740461432Suit and Tie http://www.flickr.com/photos/55046645@N00/475680145Pierce Brosnan http://osolimpianos.files.wordpress.com/2009/05/jamesbond.jpgComputer Geek http://www.flickr.com/photos/18519023@N00/3498738259Seller http://www.flickr.com/photos/larskflem/93753458/in/photostream/Multiple Faces http://www.flickr.com/photos/56695083@N00/4470486685/Drunk Guys http://www.flickr.com/photos/82605142@N00/86601569Puss in Boots http://www.jpegwallpapers.com/images/wallpapers/Puss-In-Boots-Shrek-497126.jpegMother http://www.flickr.com/photos/brandoncwarren/5088547448/in/photostream/Dumpster Diving http://www.flickr.com/photos/75054419@N00/460133621Distrustful http://www.flickr.com/photos/37354253@N00/388468654Climb on giant tubes http://www.flickr.com/photos/squeakywheel/379078841/in/photostream/Shang Tsung http://www.umk3.net/images/portrait/shang_tsung.gifShoulder Surfing http://www.flickr.com/photos/16258917@N00/2785190754Fisherman http://www.flickr.com/photos/41346951@N05/5187103981Red Telephone http://www.flickr.com/photos/pulpolux/151179802/Spam http://www.ciromota.net/wp-content/uploads/2008/10/spam.jpgSetting Up Email Account http://www.flickr.com/photos/pieterouwerkerk/698618765/in/photostream/Viagra http://www.n24.de/media/_fotos/bildergalerien/002011/valentinstag_1/7611575.jpgPic of Email Screen (SPAM) http://www.fastactiontraining.com/wp-content/uploads/2010/10/Pic-of-Email-Screen.jpgJornal Hoje http://4.bp.blogspot.com/_OZcgbN6AowE/S7uYcZuhbqI/AAAAAAAAAWQ/SKOM0o-_mIQ/s1600/jornal+hoje_globoc%C3%B3pia.jpgBaby at Computer http://www.flickr.com/photos/65315936@N00/5511409574Impressed http://www.flickr.com/photos/64114868@N00/1019654125Security Guy http://www.flickr.com/photos/51035555243@N01/268524287Head in Hand http://www.flickr.com/photos/34120957@N04/4199675334White Ninja http://www.flickr.com/photos/cverdier/3893327741/Lady Cat http://sweettater.files.wordpress.com/2010/03/cimg3458.jpgGod of War http://wallpapers.freewallpapers.im/images/2011/02/1024x600/god-of-war-2-game-1935.jpg

http://www.flickr.com/photos/50417132@N00/2178362181

http://edge-img.datpiff.com/ma336d2d/DeeZee_Too_Be_Continued_-back-large.jpg

http://osolimpianos.files.wordpress.com/2009/05/jamesbond.jpg

http://www.flickr.com/photos/larskflem/93753458/in/photostream/

http://www.flickr.com/photos/56695083@N00/4470486685/

http://www.jpegwallpapers.com/images/wallpapers/Puss-In-Boots-Shrek-497126.jpeg

http://www.flickr.com/photos/brandoncwarren/5088547448/in/photostream/

http://www.flickr.com/photos/squeakywheel/379078841/in/photostream/

http://www.umk3.net/images/portrait/shang_tsung.gif

http://www.flickr.com/photos/pulpolux/151179802/

http://www.ciromota.net/wp-content/uploads/2008/10/spam.jpg

http://www.flickr.com/photos/pieterouwerkerk/698618765/in/photostream/

http://www.n24.de/media/_fotos/bildergalerien/002011/valentinstag_1/7611575.jpg

http://www.fastactiontraining.com/wp-content/uploads/2010/10/Pic-of-Email-Screen.jpg

http://4.bp.blogspot.com/_OZcgbN6AowE/S7uYcZuhbqI/AAAAAAAAAWQ/SKOM0o-_mIQ/s1600/jornal+hoje_globoc%C3%B3pia.jpg

http://www.flickr.com/photos/cverdier/3893327741/

http://sweettater.files.wordpress.com/2010/03/cimg3458.jpg

http://wallpapers.freewallpapers.im/images/2011/02/1024x600/god-of-war-2-game-1935.jpg

Maísa e Sílvio http://4.bp.blogspot.com/__UIUXK-sJhk/TOpBsG7XJwI/AAAAAAAABKM/DPuyUeFuTXk/s1600/maisa-e-silvio.jpgEngineer at Work http://www.flickr.com/photos/hammershaug/4494291610/Password Security http://www.getadvanced.net/images/uploads/Computer_Password_-_Security_Breach.jpgBum Shot http://www.flickr.com/photos/63423942@N00/497052735Written Password http://www.flickr.com/photos/22871132@N00/4051530414Japanese Guys http://img23.imageshack.us/img23/4451/1304026587.jpgTalk at Phone http://www.flickr.com/photos/colorblindpicaso/2717409111Call From Home http://www.flickr.com/photos/91672050@N00/257496969Handshake http://www.flickr.com/photos/65484951@N00/252924532Uncle Sam http://pslawnet.files.wordpress.com/2011/04/uncle-sam.jpgMr. Box Man http://www.flickr.com/photos/ollesvensson/3686050837/Mails http://www.flickr.com/photos/comedynose/5666793668/V for Vendetta http://www.flickr.com/photos/edans/5400848923/Thinking http://www.flickr.com/photos/jakecaptive/3205277810/Soldiers http://www.flickr.com/photos/19743256@N00/2223783127Pés pra cima http://www.flickr.com/photos/81785266@N00/125463026Chat http://www.flickr.com/photos/62597560@N00/258434606Why you Meme http://clipartsy.com/FAVS/FAVICONIC.NET/April/y_u_no_guy_y_u_no-1331px.pngHand in hand http://www.flickr.com/photos/26993091@N08/4718225577Police Car in the Snow http://www.flickr.com/photos/64844023@N00/4198908464Friends http://www.flickr.com/photos/43081986@N00/115112704Impatient http://www.flickr.com/photos/45842803@N00/4795997639Thinking http://www.flickr.com/photos/7320299@N08/3283431745Social Media http://2.bp.blogspot.com/_m5OYm6Jx05Q/TVK1A53STtI/AAAAAAAAAZk/2iuw4Io838k/s1600/social_networks.jpgBand of Brothers http://www.flickr.com/photos/17149966@N00/460670492Weakest Link http://www.flickr.com/photos/53611153@N00/465459020Crowd http://www.flickr.com/photos/84856173@N00/3786725982Lazy http://www.flickr.com/photos/superfantastic/3010891914/Coins http://www.flickr.com/photos/restlessglobetrotter/3824486278/Wireless Fail http://www.flickr.com/photos/bnilsen/2880929094/The Thinker http://www.flickr.com/photos/53611153@N00/5827849044

http://4.bp.blogspot.com/__UIUXK-sJhk/TOpBsG7XJwI/AAAAAAAABKM/DPuyUeFuTXk/s1600/maisa-e-silvio.jpg

http://www.flickr.com/photos/hammershaug/4494291610/

http://www.getadvanced.net/images/uploads/Computer_Password_-_Security_Breach.jpg

http://img23.imageshack.us/img23/4451/1304026587.jpg

http://www.flickr.com/photos/colorblindpicaso/2717409111

http://pslawnet.files.wordpress.com/2011/04/uncle-sam.jpg

http://www.flickr.com/photos/ollesvensson/3686050837/

http://www.flickr.com/photos/comedynose/5666793668/

http://www.flickr.com/photos/edans/5400848923/

http://www.flickr.com/photos/jakecaptive/3205277810/

http://clipartsy.com/FAVS/FAVICONIC.NET/April/y_u_no_guy_y_u_no-1331px.png

http://2.bp.blogspot.com/_m5OYm6Jx05Q/TVK1A53STtI/AAAAAAAAAZk/2iuw4Io838k/s1600/social_networks.jpg

http://www.flickr.com/photos/superfantastic/3010891914/

http://www.flickr.com/photos/restlessglobetrotter/3824486278/

http://www.flickr.com/photos/bnilsen/2880929094/

My Files http://www.flickr.com/photos/84172943@N00/5352825299CD-R http://www.flickr.com/photos/45382171@N00/1515739697Inside Outside http://www.flickr.com/photos/followtheseinstructions/5571697149/Pole Dance http://www.flickr.com/photos/46854683@N04/4547706741Seller http://www.flickr.com/photos/17768970@N00/4485455723Thumbs up http://www.flickr.com/photos/37961843@N00/6265449Greed http://www.flickr.com/photos/calliope/2207307656/Dress Table http://www.flickr.com/photos/centralasian/5968327542/Trust http://www.flickr.com/photos/43132185@N00/196015953Sloth http://www.flickr.com/photos/28442702@N00/279470157Compassion http://www.flickr.com/photos/29553188@N07/3573969837/Running http://www.flickr.com/photos/51035555243@N01/287666827Files http://www.flickr.com/photos/juniorvelo/3267647833/Goofy http://www.flickr.com/photos/42dreams/73838574/Library http://www.flickr.com/photos/51035555243@N01/85441961Talking Business http://www.flickr.com/photos/brymo/272834885/Mask http://www.flickr.com/photos/18548550@N00/5313987Young Gentleman http://www.flickr.com/photos/64031910@N00/422547724Goomba VS Mario and Yoshi http://www.flickr.com/photos/77161041@N00/2266201047Mother http://www.flickr.com/photos/54304913@N00/17647469Private Place http://www.flickr.com/photos/76151808@N00/6100020538Kevin David Mitnick http://www.starnostar.com/data/images/who-is-Kevin-Mitnick-is-star-or-no-star-Kevin-David-Mitnick-celebrity-vote.jpgThe Jersey Devil http://www.flickr.com/photos/79874304@N00/285367520A little better than the last group http://www.flickr.com/photos/81881849@N00/3222035439Operation Takedown http://filmescomlegenda.net/wp-content/uploads/2009/03/operation-takeodown-300x422.jpgI Have You Now http://www.fotopedia.com/items/flickr-3500989490Spying Turquoise http://www.flickr.com/photos/jdhancock/7439564750/Office Prank http://www.sprichie.com/wp-content/uploads/2012/01/office_pranks_05.jpg

http://www.flickr.com/photos/followtheseinstructions/5571697149/

http://www.flickr.com/photos/calliope/2207307656/

http://www.flickr.com/photos/centralasian/5968327542/

http://www.flickr.com/photos/29553188@N07/3573969837/

http://www.flickr.com/photos/juniorvelo/3267647833/

http://www.flickr.com/photos/42dreams/73838574/

http://www.flickr.com/photos/brymo/272834885/

http://www.starnostar.com/data/images/who-is-Kevin-Mitnick-is-star-or-no-star-Kevin-David-Mitnick-celebrity-vote.jpg

http://filmescomlegenda.net/wp-content/uploads/2009/03/operation-takeodown-300x422.jpg

http://www.fotopedia.com/items/flickr-3500989490

http://www.flickr.com/photos/jdhancock/7439564750/

http://www.sprichie.com/wp-content/uploads/2012/01/office_pranks_05.jpg

Crachás (sinto muito se sentiram-se ofendidos):

http://farm4.static.flickr.com/3289/2295308772_cecfd160ea.jpghttp://i279.photobucket.com/albums/kk160/lukstuning/DSC04358.jpg?t=1282497031http://2.bp.blogspot.com/_mKoEIJZM0sk/SCDHHKtX2qI/AAAAAAAAAdU/OXDvNt9iqqU/s320/Foto-0336.jpg

Backgrounds:

Azul http://wallshq.com/wp-content/uploads/original/2011_06/80_blue-abstract-background_WallsHQ.com_.jpgVerde http://srv4.imghost.ge/out.php/i212027_greenabstractbackground.jpgLaranja http://wallpapers.free-review.net/wallpapers/19/Orange_abstract_wallpaper.jpg

Videos:

Jedi Mind Trick http://www.youtube.com/watch?v=bJiqrVWLfdw

http://farm4.static.flickr.com/3289/2295308772_cecfd160ea.jpg

http://i279.photobucket.com/albums/kk160/lukstuning/DSC04358.jpg?t=1282497031

http://2.bp.blogspot.com/_mKoEIJZM0sk/SCDHHKtX2qI/AAAAAAAAAdU/OXDvNt9iqqU/s320/Foto-0336.jpg

http://wallshq.com/wp-content/uploads/original/2011_06/80_blue-abstract-background_WallsHQ.com_.jpg

http://srv4.imghost.ge/out.php/i212027_greenabstractbackground.jpg

http://wallpapers.free-review.net/wallpapers/19/Orange_abstract_wallpaper.jpg

http://www.youtube.com/watch?v=bJiqrVWLfdw