Social Engineering technique to gather Critical Information of Social Networking Websites

Transcription

1 Social Engineering technique to gather Critical Information of Social Networking Websites Inderjit Kaur Dept. of Computer Science and Applications K.M.V., Jalandhar Punjab, India Er. Gurjot Singh Dept. of Computer Science and Applications K.M.V., Jalandhar Punjab, India Abstract Social engineering is a technique implied by penetration testers to find the loop holes in the security of web applications and organizations. The organizations often suffer harm from the unintended behavior of their employees that expose the organizations to security risk due to the unintentional insider threat. In this paper we describe the techniques that often used in social engineering to analyze unexpected insider threats extract from social engineering exploits and also the preventive measures against it. The social networking sites are the wide area of research due to the increase in growth of technology and human resources that leads to a crucial point of concern to be aware of the security aspects of social networking websites. We implied the social engineering technique to gain critical information about the target/ individual and to hack their social accounts. Index Terms Social Engineering, Penetration testing, social websites, hacking. I. INTRODUCTION The penetration testers are hired by the companies to discover if the employees are not disclosing the sensitive information of the company. The penetration tester finds these loop holes with the social engineering. Social engineering starts with gathering background information on targets [1]. This information is generally gathered via dumpster diving and phone calls, and the usage of social networking sites that leads to a growing number of available social engineering tools and techniques. Now a day s attackers can use social networking websites (SNSs) such as facebook to gather background information about the target. SNS`s serve as communication platform by offering services such as private messaging and chats which can be used by the penetration tester while social engineering [2]. The entire Online Social Networking websites bring the friends and their family members together to share their critical information but still it lacks in the security of social websites. The shared information is freely opened accessible to all the users of social networking websites. When the photos are freely available, the unauthorized users can easily access the photos of others individuals and download it. The hacked image can be misused, such as creation of fake profile and the photo can be sold to other nuisance websites. This kind of data hacking activities in online social networks even leads the life to death [14]. Social networking websites are wide area of research for the researcher`s. The increasing growth in Technology and Human Resources provides the new platform to form social networks that is the crucial point of concern to be aware of social networking websites and built networks. II. PENETRATION TESTING Penetration testing is widely used to help the security of web applications and organizations also. The penetration testers discover vulnerabilities by simulating attacks on a target system. Testers use the techniques that gather input information about the target system and analyze the application s responses to verify whether an attack was successfully done. Sometimes, in this technique the steps can t be completed, which can leave part of some web application untested and vulnerabilities undiscovered. The work of penetration tester is to find these loops holes from the system and make the systems and organization more secure [2]. III. SOCIAL ENGINEERING Social engineering, in information security, is the art of influencing the people to give up their sensitive information. It is a type of confidence technique for the purpose of information gathering. Social engineering is a term describes a non-technical attack that relies on human interaction and tricking people to break normal security procedure. Criminals use social engineering technique because it is comparatively easier than other attacks. It is one of the most useful attacks, because its victims naturally want to trust other people and are of course helpful. The victims of social engineering are tricked into releasing information that they do not realize, will used to 581 P a g e

2 attack a particular network. Social engineers know the fact that people are not conscious of the value of the information they possess and are careless about protecting it [3, 7]. A. Types of social engineering There are the two types of the social engineering that exists. The following are the names of the type of social engineering: 1. Human Based Social Engineering 2. Computer Based Social Engineering Types of social engineering Computer Based 1. Human Based Social Engineering Human Based Human based social engineering needs an interface with humans; it means communication among individuals and then retrieving the desired information about themselves. The penetration tester acquires human based social engineering techniques in different ways, some of the methods are as follows: a. Impersonation In this type of social-engineering attack, the hacker operates the system as an employee or valid user on the system. The hacker can gain physical access to the system by pretending to be a worker, employee, or contractor of that particular organization. b. Posing as an important user In this type of attack, the hacker pretends as he is a highlevel person who has the authority to use computer systems or documents. Most of the time, the employees don t ask any kind of questions to someone who appears in this position. c. Being a third party In this attack, the hacker has to get permission from an authorized person to operate the computer system. This method works when the official/ authorized person is unavailable for some time in the organization. d. Desktop support Calling tech support for assistance is a classic socialengineering technique. Help desk and technical are trained to help users, which makes this technique very useful for social engineering. e. Shoulder surfing Shoulder surfing is the technique of gathering passwords by watching over a person s shoulder while he is logging in to the system. A hacker can monitors a valid user log in and then use that password to gain access to the system. f. Dumpster diving Dumpster diving involves looking in the trash for information written on pieces of paper or printouts of computer. The hacker can often find passwords, filenames, or other type of confidential information [3]. 2. Computer based social engineering Computer-based social engineering uses computer software that attempts to retrieve the desired information. In the computer based social engineering the tester operates so many tools and fraud/obfuscation techniques, in this the tester opt the phishing pages also to get the sensitive information of the organization. The testers operate the social networking websites, s, viruses, spywares etc to retrieve information of the system. There are so many computer based social engineering techniques used in social engineering, some of them are as follows: a. Phishing Phishing involves fake s or websites designed to imitate real systems with the goal of capturing sensitive data. A message might be come from a bank or other well-known organization to verify your login information, through which the attacker can get sensitive information. b. Baiting Baiting involves dangling something you want to entice you to take action the hacker s wishes. Phishing can be done through downloads on a peer-to-peer website or it can be a USB flash drive with a company logo labeled Executive Salary Summary Q left out in the open for you to find. Then, once the device is downloaded, the person or company s computer system is infected with malicious code allowing the hacker to penetrate into your system. c. Online scams s sent by scammers may have attachments that include malicious code inside the attachment. Those attachments can include key loggers to capture users passwords, viruses, Trojans, or worms and pop up windows can also be used in social engineering attacks. The Pop-up windows that advertise special offers may excite users to unintentionally install malicious software on their systems. d. Vishing 582 P a g e

3 The vishing technique involves performing phishing on phone, typically using voice over IP technology. The main target of this technique is financial organizations, institution, government organizations, online sales, payment services and so on. It gains the information about target s payment card information, passport number, bank account etc. e. Using social networking sites The tester gains the information from the chat rooms and the social networking websites, which are very popular in present era. The tester can gather the information from the facebook, orkut, hi-5, my-space by visiting their profiles. f. Using video recording tools to capture images Recording tools can be used to capture screenshots of a victim s computer screen. This activity can provide the critical information of password, credentials, personal information etc [3]. IV. NEED OF SOCIAL ENGINEERING Social engineering helps us to understand the techniques and various approaches to that powerful hacking processes and it will enable you to integrate social engineering within the whole framework of your penetration testing services [6]. We can gain mesmerizing insights into how social engineering techniques, including phishing, telephone, and malicious code injection to get physical access can be used to gather information or manipulate the individuals to perform actions that may aid in an attack [4]. Social Engineering is an aspect of intrusion the makes use of vulnerabilities in the non-technical aspects of the system. In the technological area, social engineering relates to unauthorized access of computing resources or network by exploiting human weaknesses [5]. Whatever you do to intrude in particular network, or to raise your access is a part of penetration testing. If you are able to get users to loop hole of the system, some kind of information that gain access to something, then you are doing that things which a real attacker would have been able to do. We can use the phishing technique or other technique to gain physical access or we can say them to disable a firewall. We can be able to get them under the false positive, through their own carelessness, or by other means to do unexpected tasks and the other techniques you do can also be included in part of a pen-test. V. LITERATURE SURVEY In [8] Lech. J Janczewski and Lingyan {Rene} Fu had described the major aspects and underling construct of social engineering. They construct a conceptual model of social engineering attacks.a case study was undertaken to understand the phenomenon of new zealand based IT practitioners to contribute insightful opinions, on the basis of this an improved model of social engineering based attacks was formulated. In [9] Markus Huber, Stewart Kowalski, Marcus Nohlberg and Simon Tjoa had described a growing number of people use social networking sites to foster social relationships among each other. While the advantages of the provided services are obvious, drawbacks on a user s privacy and arising implications are often neglected. The promising results of the evaluation highlight the possibility to efficiently and effectively perform social engineering attacks by applying automated social engineering. In [10] Frank L. Greitzer, Jeremy R. Strozer, Sholom Cohen, Andrew P. Moore, David Mundie and Jennifer Cowley had described the Organizations often suffer harm from individuals who bear no malice against them but whose actions unintentionally expose the organizations to risk the unintentional insider threat and inform future research and development of UIT mitigation strategies. In [11] Anubhav Chitrey, Dharmendra Singh, Monark Bag and Vrijendra Singh had described the research identified many participating entities in Social Engineering based Attacks and each identified entity of this research is a research area in itself. Their model can be used in development of Organization-wide Information Security policy and Information Security Awareness Program. In [12] Danesh Irani, Marco Balduzzi, Davide Balzarotti Engin Kirda, and Calton Pu, had presented the first user study on how attackers can abuse some of the features provided by online social networks with the aim of launching automated reverse social engineering attacks. They present and study the effectiveness and feasibility of three novel attacks: Recommendation-based, visitor tracking-based, and demographic-based reverse social engineering. In [13] Xin (Robert) Luo, Richard Brody and Alessandro Seazzu Stephen Burd showed that Social engineering is a technique used by malicious attackers to gain access to desired information by exploiting the flaws in human logic known as cognitive biases. Social engineering is a potential threat to information security and should be considered equally important to its technological counterparts. VI. DISCUSSION In this, we are using information gathering technique i.e. social engineering to determine where the most valuable information resides in social networking websites. It also determines the best way to gain access to the target and then hack them. Social engineering obtains critical information about an organization/website which ultimately leads to an attack. In our work, we attempt to hack particular individual s facebook account with the help of social Engineering technique. A human based interaction technique to retrieve desired information about their interest. Case Study: In this, we attempt to penetrate the facebook site with the vulnerability in URL of the facebook profile link. 583 P a g e

4 Using this loophole we can hack someone s account if there is no strong privacy implied on it. We first, copy the stuff i.e. individual`s particular profile ID i.e. the stuff written after the forward slash in the URL Now open the login page and then click on the forget password and now paste that particular stuff in that area. After that a window will open. There will be option of recovering the account through the address or phone and there is also the option shown as can t access to these. With the help of this method, we can penetrate someone s social site account. Preventions: There are some steps, to follow that protect your account from hacking: 1. Update- The old version of facebook website is vulnerable so use the updated version of facebook website with more security patches. 2. Make sure that you must login your account in 24 hours. 3. We should penetrate our account so that no one can get access to it. 4. Bound the amount - Bound the amount of personal information you post on your profile. Do not upload information such as your residential address or information about your upcoming schedule or your daily routine activities. Also be attentive when posting information, including photos, videos and other media content. 5. Beware of strangers - The internet makes it very easy for the individual`s to misrepresent their personal identities on social sites. It is always recommended to bound the individuals who contact you on these social websites or even not to add the stranger`s to your account. If you interact with unknown persons, be attentive about the information you update or share on your profile. 6. Evaluate your settings Always update with the site's privacy settings. The default settings allow anyone to see your profile, but you may have an option to moderate the access to certain individuals by customize your settings. Websites may change their features periodically, so make sure you check the security settings of your profile regularly to make sure that your permissions are still appropriate or not. 7. Beware of third-party applications The third-party applications provides numerous functionality and entertainment facilities to all, but we have to aware about the caution and common-sense when deciding which applications can access your personal information. Avoid applications that seem suspicious, and make sure to modify your settings to limit the information which the suspicious applications can access [16]. 8. Be cautious while posting your photo- Ensure that the photo you uploaded does not show`s your actual whereabouts [15]. 9. Donot post your current location - Posting these kind of information on social networking website is like a invitation to criminals. VII. CONCLUSION In the end, we analyze that on facebook s website, some accounts are not secure. There can be the loop holes in it. So don t upload any sensitive information on social networking websites and not even add the strangers to your account. Average users of social sites do not realize that restricting access to their information does not sufficiently address the risks rising from the amount, quality and persistence of information they provide. Restricting the profile visibility to friends only or only me simply means restricting it within the specific portion. Also, if someone sends you the links on social websites, don t click on them; malicious code can be attached to it which can helps the hacker to make backdoors to the system that results in the physical access to your system. In computers world, no one thing is secure, we should get aware of the techniques with which we can secure our social account. REFERENCES [1] Thapar, A. Social Engineering: An Attack Vector Most Intricate to Tackle, Infosec Writers, [2] Huber, M., Kowalski, S., Nohlberg, M. and Tjoa, S., Towards automating social engineering using social networking sites, Vol. 3, pp , [3] Malcolm Allen, A MEANS TO VIOLATE A COMPUTER SYSTEM, SANS Institute InfoSec, June [4] Richard Ackroyd, Andrew Mason and Gavin Watson, Social Engineering Penetration Testing Publisher, Elsevier Science, April [5] 5.Karen Scarfone Murugiah Souppaya Amanda Cody Angela Orebaugh, Technical Guide to Information Security Testing and Assessment, Special Publication [6] Gavin Watson, Andrew Mason and Richard Ackroyd, Social Engineering Penetration Testing-Executing Social Engineering Pen Tests, Assessments and Defense, ISBN: , Imprint: SYNGRESS, Published: April [7] Inderjit Kaur, Er. Gurjot Singh and Suman Khurana, Analyzing the Vulnerabilities in Social Networking Websites and their Prevention, International Journal of Computer and Communication System Engineering, Vol. 2 (3), pp. no , [8] Lech J. Janczewski and Lingyan(Rene) Fu - Social Engineering-Based Attacks Model and New Zealand Perspective ISSN [9] Markus Huber, Stewart Kowalsk, Marcus Nohlberg and Simon Tjoa, Towards Automating Social Engineering Using Social Networking Sites- AT-1040, Vienna, Austria. [10] Frank L. Greitzer Jeremy R. Strozer, Sholom Cohen, Andrew P. Moore, David Mundie and Jennifer Cowley, Analysis of Unintentional Insider Threats Deriving from Social Engineering Exploits, 2014 IEEE Security and Privacy Workshops. [11] Anubhav Chitrey, Dharmendra Singh, Monark Bag, Vrijendra Singh, A Comprehensive Study of Social 584 P a g e

5 Engineering Based Attacks in India to Develop a Conceptual Model, ISSN: [12] Danesh Irani, Marco Balduzzi Davide Balzarotti, Engin Kirda and Calton Pu - Reverse Social Engineering Attacks in Online Social Networks. [13] Xin (Robert) Luo, Richard Brody, Alessandro Seazzu and Stephen Burd, Social Engineering: The Neglected Human Factor for Information Security Management, Information Resources Management Journal, 24(3), 1-8, July- September [14] M. Milton Joe, Dr.B. Ramakrishan, Enhancing Security Module to Prevent Data Hacking in Online Social Networks, JOURNAL OF EMERGING TECHNOLOGIES IN WEB INTELLIGENCE, VOL. 6, NO. 2, MAY [15] Dr. Biswajit Das and Jyoti Shankar Sahoo, Social Networking Sites A Critical Analysis of Its Impact on Personal and Social Life, nternational Journal of Business and Social Science, pp no , Vol. 2 No. 14. [16] Abhishek Kumar, Subham Kumar Gupta, Animesh Kumar Rai and Sapna Sinha, [17] Social Networking Sites and Their Security Issues, International Journal of Scientific and Research Publications, Volume 3, Issue 4, April P a g e