Presenting their subject further, Shane MacDougall and Rafal Los stick to the objectives and key constituents of the points of attack modeling process.To model the points of attack, obviously, our key objective is to break everything down into the tiniest pieces possible. If you’re familiar with the STRIDE threat model, this is a lot of what they do, too. You break everything down into the tiniest possible granules that you can, and then you break those granules down. Basically, we are looking for what part of this component can be broken down; and if it can’t be broken down, what needs to be done to break it down.
Same kind of thing we do with the human assets: we break them down into family members, friends, roommates; where they go, if they have a shared home network, whether they commonly visit public network sites. Indirect targeting of asset via targeted spear phishing, piggyback hacking; even going to the house and breaking in – dumpster diving is the most effective at their homes, not at the office. They have basic shredders, if they have a shredder at all. How many people actually do the dumpster diving at their target’s home? Not too many, because that’s not usually in the rules of engagement for your pentest. And, obviously, target via social engineering to elicit information.So, we want to model and identify the human behavior, and this is very important, because these are the people we want to identify, who we attack. We should look at their personal activities, their hobbies, routines, favorite hangouts, religious preferences – all this stuff is very useful in helping to develop pretexts for social engineering attacks, and also allows us to track individuals physically.
How many people here use Foursquare? I see lots of guys on my Twitter feed that use Foursquare and it shocks me, because you’re giving real-time pretexting information to an attacker: “Hey, I’m here and this is a place I go to all the time.” And it’s kind of shocking how many big companies have sensitive sites that somebody has made as a check-in point. I mean, it’s really frightening.
Now, negative behaviors are my favorite part. This is kind of the chewy chocolate goodness part. If you can identify behavioral issues, such us substance abuse, gambling, extramarital affairs, etc., that opens up the target to a possibility of blackmail or extortion. It sometimes requires more digging, because there are a lot of protections out there, but some sites are easily exploited.
For instance, prostitution sites are fantastic if you’ll ever try to find a person that’s easily attacked. And the reason for that is, usually, in most countries, not all of them, prostitution is illegal, so you have these websites that are set up; the girls or the providers that can be guys, obviously they don’t want to be providing their real names, etc., and they’re kind of the commodity that the website is selling, so they usually get on these sites for free. It’s very easy to create a prostitute profile on these sites.
On the other hand, if you want to be a customer and you’re paying for access to these girls, you’re verified, because that’s part of the allure to the providers coming to this site, so they can kind of make a creep list. Therefore you really need to use legitimate credit cards and verifiable data, and the girls or guys have access to that data. So, it’s very easy to mine that data and do cross-referencing via social networking to find potential victims.
If they don’t go to one of these sites, obviously it takes more digging, but you’ll be amazed at how many times this comes up. And also, if you want to, try to remember the name of the guy who did the Internet trolling. Do you guys remember that when he put out the horrible, horrible ads? Some guy put out this ad for a very odd kind of sexual activity and he got tons and tons of people flooding him with emails saying: “I am very interested in hooking up,” and then he posted all the private information online, but it was shocking how many people were responding from, like, Microsoft.com or Boeing.com or whatever, obviously not understanding how the corporate email works. I’m sure that violates some sort of HR model.Modeling the points of attack is obviously about psychology and privacy as well. Psychological profiling from social networking is a growing field: Tweetpsych.com, there’s a bunch of other tools out there; to be honest, not a fan yet, I think automated profiling is just not there yet. However, you can still do it manually.
If you look at some of the stuff that the Online Privacy Foundation has done, they’ve started to say that there are some correlations, but they’re not as strong as previously believed. The best way to do a psychological profile from social media is basically look at the profile and see what they do, who they hang out with, their political beliefs. If you can’t really get anything from them, look at who they hang out with, because usually that can build some information about them.I’ll give you an example, but there’s a downfall to this type. If you’re looking at people on Twitter and they’ve got a Guy Fawkes mask, they follow command and control accounts from Anonymous, you can probably profile them as a follower of Anonymous with fairly strong likelihood. They’re probably going to be more open to be susceptible to be recruited into a hacktivist operation than most other people.
But, that said, I’ve seen a lot of junkie data mining that goes out there, and basically they say: “If you’ve got a Guy Fawkes mask, you’re an actor, you’re a guy that we need to monitor,” and that’s not necessarily the case. You can’t just go by an avatar and say: “Well, he’s a baddie.” So, do some due diligence, but if you see enough connections.
Rafal M. Los: Just to throw one thing into that, one of the things that are sitting on certain agency briefs and security organizations briefs about the whole Anonymous thing: companies are so paranoid about who is or who isn’t within their walls one of the Anons that this is becoming a very real threat. You can actually very easily recruit somebody to do something pretty bad within a company simply by purporting to be somebody in command or in power structure of a hacktivist group like this. Now, with the recent arrests, I’m sure that becomes a little bit harder, but there’re still lots of young impressionable minds out there; just something to keep in mind.