Slide 1

Slide 1 text

SOCIAL ENGINEERING: THE SWEET ART OF HACKING MINDS. Rafael Jaques @rafajaques #FISL13 28.07.2012

Slide 2

Slide 2 text

"If any of you lacks wisdom, let him ask God, who gives to all freely and willingly, and it will be given to him." James 1:5

Slide 3

Slide 3 text

Attention! The information in this presentation is provided for informational purposes only. The knowledge and techniques covered are not meant to teach how to deceive people or to gain any kind of advantage over others. The sole goal is to show the weak points that exist in corporations and systems so that those weaknesses can be fixed.

Slide 4

Slide 4 text

Before we begin, there are a few things you need to know...

Slide 5

Slide 5 text

Are you going to talk about extreme cases? YES!

Slide 6

Slide 6 text

Will I leave here paranoid? YES!

Slide 7

Slide 7 text

Can I use these techniques for evil? That's not the idea...

Slide 8

Slide 8 text

Everyone ready? Then let's go!

Slide 9

Slide 9 text

60% admit to having stolen some kind of information when leaving a job.

Slide 10

Slide 10 text

2 in every 10 still have access to company information after leaving the company. Rascals!

Slide 11

Slide 11 text

Nowadays the TARGETS are PEOPLE, no longer systems.

Slide 12

Slide 12 text

1. What is Social Engineering?

Slide 13

Slide 13 text

What is Social Engineering? The skillful manipulation of the natural human tendency to trust.

Slide 14

Slide 14 text

But why attack a person rather than a system?

Slide 15

Slide 15 text

But how do you attack using Social Engineering?

Slide 16

Slide 16 text

Win the target's trust

Slide 17

Slide 17 text

Make the target feel safe

Slide 18

Slide 18 text

Mix the real questions in among harmless ones

Slide 19

Slide 19 text

Leave the target with a sense of having done their duty

Slide 20

Slide 20 text

Who uses Social Engineering?

Slide 21

Slide 21 text

But why does Social Engineering work?

Slide 22

Slide 22 text

"Facing a wide battle front, look for the weakest point and attack there with your greatest force." Sun Tzu - The Art of War

Slide 23

Slide 23 text

And what is the weakest point?

Slide 24

Slide 24 text

PEOPLE!

Slide 25

Slide 25 text

People tend to believe

Slide 26

Slide 26 text

People want to help

Slide 27

Slide 27 text

People are complacent

Slide 28

Slide 28 text

... and impatient too!

Slide 29

Slide 29 text

Social engineers are good with emotions!

Slide 30

Slide 30 text

Some statistics from the land of Uncle Sam...

Slide 31

Slide 31 text

In 2009 alone... 11 million people were victims of identity theft.

Slide 32

Slide 32 text

In 2009 alone... total fraud moved approximately US$ 54 billion.

Slide 33

Slide 33 text

In 2009 alone... victims spent on average 21 hours and US$ 373 resolving the crime!

Slide 34

Slide 34 text

13% of identity frauds were committed by someone the victim knew.

Slide 35

Slide 35 text

2. Characteristics of a Social Engineer

Slide 36

Slide 36 text

Well presented

Slide 37

Slide 37 text

A good observer

Slide 38

Slide 38 text

Takes advantage of innocence

Slide 39

Slide 39 text

Communicates well

Slide 40

Slide 40 text

Uses their voice well

Slide 41

Slide 41 text

Gets the victim to hand over the goods voluntarily

Slide 42

Slide 42 text

Kevin D. Mitnick

Slide 43

Slide 43 text

Let's learn a little from his story! Hackers 2: Operation Takedown

Slide 44

Slide 44 text

http://youtu.be/nVPV5dzM0yY If you feel like watching it, the whole film is on YouTube!

Slide 45

Slide 45 text

3. How Does Social Engineering Manifest Itself?

Slide 46

Slide 46 text

No content

Slide 47

Slide 47 text

E-mails

Slide 48

Slide 48 text

Telephone. "Is there an ice-white Beetle parked in front of your house?"

Slide 49

Slide 49 text

Letter

Slide 50

Slide 50 text

In person

Slide 51

Slide 51 text

4. Social Engineering Techniques

Slide 52

Slide 52 text

Dumpster Diving

Slide 53

Slide 53 text

Shoulder Surfing

Slide 54

Slide 54 text

Impersonation

Slide 55

Slide 55 text

http://www.silicon.com/technology/hardware/2007/12/10/criminals-posing-as-police-burgle-verizon-data-centre-39169416/

Slide 56

Slide 56 text

No content

Slide 57

Slide 57 text

No content

Slide 58

Slide 58 text

Rush/No Authentication

Slide 59

Slide 59 text

Phone Phishing

Slide 60

Slide 60 text

Data Collection

Slide 61

Slide 61 text

Phishing/SCAM

Slide 62

Slide 62 text

No content

Slide 63

Slide 63 text

74% ...of the spam reported in 2010 was for pharmaceutical products.

Slide 64

Slide 64 text

VIAGRA!

Slide 65

Slide 65 text

How do you identify it?

Slide 66

Slide 66 text

If the link ends in ".php", then it's a virus. :P (just kidding)

Slide 67

Slide 67 text

No content

Slide 68

Slide 68 text

No content

Slide 69

Slide 69 text

No content

Slide 70

Slide 70 text

No content

Slide 71

Slide 71 text

No content

Slide 72

Slide 72 text

http://fidelidade.promocaoscielo.com
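The "How do you identify it?" question above has a more useful answer than the ".php" joke: look at where a link really goes, not at what it shows. The script below is an added example written for this page, not code from the talk. It applies two checks to every anchor in an HTML mail body: does the host name carry a known brand token while its registrable domain is not one the brand owns (the pattern of the link on slide 72, fidelidade.promocaoscielo.com), and does the visible link text name a different domain than the href. The KNOWN_BRANDS allow-list, the short public-suffix table and the sample message are constructed for the demo and are assumptions, not verified data about Cielo or any other company.

```python
"""Heuristic triage of links in a suspected phishing e-mail (added example).

Flags (1) URLs whose host name contains a known brand but whose registrable
domain is not one the brand owns, and (2) HTML anchors whose visible text
names a different domain than the href.  The allow-list, suffix table and
sample message below are constructed for the demo.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allow-list: brand token -> registrable domains the brand really uses.
# Treat these pairings as assumptions for the demo, not verified data.
KNOWN_BRANDS = {
    "cielo": {"cielo.com.br"},
    "paypal": {"paypal.com"},
}

# Crude two-label public suffixes; a real tool should use the Public Suffix List.
TWO_LABEL_SUFFIXES = {"com.br", "org.br", "gov.br", "co.uk"}

IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)")


def registrable_domain(host):
    """www.cielo.com.br -> cielo.com.br ; a.b.example.com -> example.com"""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def check_url(url):
    """Return the list of reasons a URL looks like phishing; [] means no finding."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    if not host:
        return ["no host name in URL"]
    reasons = []
    if p.scheme == "http":
        reasons.append("plain HTTP, no TLS")
    if "@" in p.netloc:
        reasons.append("user-info '@' in URL: the real host is what follows the '@'")
    if IPV4.fullmatch(host):
        reasons.append("raw IP address instead of a domain name")
    reg = registrable_domain(host)
    for brand, legit in KNOWN_BRANDS.items():
        if brand in host and reg not in legit:
            reasons.append(f"brand '{brand}' in host but registrable domain is {reg}")
    return reasons


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def check_html_links(html):
    """Return [(href, reasons)] for every anchor in the message body."""
    ex = LinkExtractor()
    ex.feed(html)
    findings = []
    for href, text in ex.links:
        reasons = check_url(href)
        shown = DOMAIN_IN_TEXT.search(text.lower())
        target = urlparse(href).hostname or ""
        if shown and registrable_domain(shown.group(1)) != registrable_domain(target):
            reasons.append(f"link text shows {shown.group(1)} but href goes to {target}")
        findings.append((href, reasons))
    return findings


# Constructed sample message; the suspicious link is the one shown on slide 72.
SAMPLE_MAIL = """<p>Cielo Fidelidade: seus pontos expiram hoje!</p>
<a href="http://fidelidade.promocaoscielo.com/resgate.php">www.cielo.com.br/fidelidade</a>
<a href="https://www.cielo.com.br/">Central de atendimento</a>"""

if __name__ == "__main__":
    for href, reasons in check_html_links(SAMPLE_MAIL):
        print(href, "->", "; ".join(reasons) or "no finding")
```

On the sample message the first anchor is flagged three times (plain HTTP, brand token in a foreign registrable domain, link text pointing at a different domain) while the second, which really goes to the brand's own domain, produces no finding. The checks are heuristics: a lookalike that avoids the brand token entirely (a typo domain, for instance) passes the brand check, and the hand-written suffix table will mis-split hosts under suffixes it does not list, so use a proper Public Suffix List in anything beyond a demo.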

Slide 73

Slide 73 text

No content

Slide 74

Slide 74 text

No content

Slide 75

Slide 75 text

No content

Slide 76

Slide 76 text

http://info.abril.com.br/noticias/seguranca/brasilieiros-sao-os-que-mais-sofrem-phishing-19042011-30.shl

Slide 77

Slide 77 text

The CD-R technique

Slide 78

Slide 78 text

A clip showing some of the techniques in action! Hackers 2: Operation Takedown

Slide 79

Slide 79 text

No content

Slide 80

Slide 80 text

5. Goals of Social Engineering

Slide 81

Slide 81 text

Getting out of trouble

Slide 82

Slide 82 text

Making money by stealing or selling the victim's data

Slide 83

Slide 83 text

Industrial espionage

Slide 84

Slide 84 text

Personal satisfaction

Slide 85

Slide 85 text

Pure mischief

Slide 86

Slide 86 text

6. Risk Factors

Slide 87

Slide 87 text

Do you write down your passwords?

Slide 88

Slide 88 text

Always the same passwords?

Slide 89

Slide 89 text

"My password is 123!" Do you say it over the phone?

Slide 90

Slide 90 text

Do you stay logged in when you step away?

Slide 91

Slide 91 text

Insider Threats

Slide 92

Slide 92 text

7. Want to See How Much You Expose Yourself?

Slide 93

Slide 93 text

How do you behave on social networks?

Slide 94

Slide 94 text

No content

Slide 95

Slide 95 text

No content

Slide 96

Slide 96 text

No content

Slide 97

Slide 97 text

No content

Slide 98

Slide 98 text

No content

Slide 99

Slide 99 text

And in the real world?

Slide 100

Slide 100 text

No content

Slide 101

Slide 101 text

8. Social Engineering and Social Networks

Slide 102

Slide 102 text

Stuffed with data

Slide 103

Slide 103 text

No great skills required

Slide 104

Slide 104 text

The information is public

Slide 105

Slide 105 text

Fake identities (anyone can claim to be anyone)

Slide 106

Slide 106 text

Easy to influence people

Slide 107

Slide 107 text

9. Learn to Protect Yourself!

Slide 108

Slide 108 text

Become familiar with the techniques!

Slide 109

Slide 109 text

Educate the people around you.

Slide 110

Slide 110 text

Formalize the procedures for granting access to data.

Slide 111

Slide 111 text

THE 7 DEADLY WEAKNESSES by Cisco

Slide 112

Slide 112 text

1. Sex Appeal

Slide 113

Slide 113 text

2. Greed

Slide 114

Slide 114 text

3. Vanity

Slide 115

Slide 115 text

4. Trust

Slide 116

Slide 116 text

5. Laziness

Slide 117

Slide 117 text

6. Compassion

Slide 118

Slide 118 text

7. Urgency

Slide 119

Slide 119 text

But now... Where do I learn more?

Slide 120

Slide 120 text

Books

Slide 121

Slide 121 text

Sites
Social Engineering Framework (en_US) http://www.social-engineer.org/framework/
Symantec Security Articles (en_US) http://www.symantec.com/connect/security/articles
Social Engineering Toolkit (pt_PT) http://ptcoresec.eu/SET.pdf

Slide 122

Slide 122 text

Questions? "I didn't understand a thing!"

Slide 123

Slide 123 text

Thank you! Rafael Jaques [email protected] phpit.com.br @rafajaques slideshare.net/rafajaques

Slide 124

Slide 124 text

References

Slide 125

Slide 125 text

Sources consulted
Talks:
Entendendo a Engenharia Social, Daniel Marques: http://www.slideshare.net/danielcmarques/entendendo-a-engenharia-social
Engenharia Social, Marcelo Lau: http://www.slideshare.net/datasecurity1/engenharia-social
Social Engineering - Exploiting the Human Weakness, Wasim Halani: http://www.slideshare.net/washal/social-engineeringcase-study
Social engineering & social networks, Sharon Conheady: http://www.slideshare.net/infosec10/social-engineering-social-networks-public-version
Sites:
http://www.us-cert.gov/cas/tips/ST04-014.html
http://www.cisco.com/web/about/security/intelligence/mysdn-social-engineering.html
http://www.social-engineer.org/framework/Social_Engineers:_Disgruntled_Employees#Statistics
http://www.fraudes.org/showpage1.asp?pg=7
http://www.symantec.com/business/threatreport/topic.jsp?id=highlights
http://www.massachusettsnoncompetelaw.com/
http://en.wikipedia.org/wiki/Social_engineering_(security)
http://www.spendonlife.com/blog/2010-identity-theft-statistics
http://mashable.com/2011/01/20/black-hat-hacking-stats/
http://www.consumerfraudreporting.org/internet_scam_statistics.htm
http://informatica.terra.com.br/virusecia/spam/interna/0,,OI126626-EI2403,00.html
http://press.pandasecurity.com/wp-content/uploads/2011/01/The-Cyber-Crime-Black-Market.pdf
http://monografias.brasilescola.com/computacao/seguranca-informacao-vs-engenharia-social-como-se-proteger.htm
http://www.iwar.org.uk/comsec/resources/sa-tools/Social-Engineering.pdf
http://www.esha.be/fileadmin/esha_files/documents/SHERPA/Report_on_mechanism_of_social_engineering.pdf
http://www.cisco.com/en/US/prod/vpndevc/annual_security_report.html
http://www.securingthehuman.org/blog/2011/01/22/social-engineering-deadly-weaknesses
http://info.abril.com.br/noticias/seguranca/brasilieiros-sao-os-que-mais-sofrem-phishing-19042011-30.shl
http://www.infosectoday.com/Norwich/GI532/Social_Engineering.htm
http://www.pcworld.com/article/182180/top_5_social_engineering_exploit_techniques.html
http://www.symantec.com/connect/articles/social-engineering-fundamentals-part-i-hacker-tactics

Slide 126

Slide 126 text

Media

Slide 127

Slide 127 text

Images:
Cover - Master of Puppets http://www.flickr.com/photos/50417132@N00/2178362181
Person Icon http://edge-img.datpiff.com/ma336d2d/DeeZee_Too_Be_Continued_-back-large.jpg
Calling http://www.flickr.com/photos/37475356@N00/5740461432
Suit and Tie http://www.flickr.com/photos/55046645@N00/475680145
Pierce Brosnan http://osolimpianos.files.wordpress.com/2009/05/jamesbond.jpg
Computer Geek http://www.flickr.com/photos/18519023@N00/3498738259
Seller http://www.flickr.com/photos/larskflem/93753458/in/photostream/
Multiple Faces http://www.flickr.com/photos/56695083@N00/4470486685/
Drunk Guys http://www.flickr.com/photos/82605142@N00/86601569
Puss in Boots http://www.jpegwallpapers.com/images/wallpapers/Puss-In-Boots-Shrek-497126.jpeg
Mother http://www.flickr.com/photos/brandoncwarren/5088547448/in/photostream/
Dumpster Diving http://www.flickr.com/photos/75054419@N00/460133621
Distrustful http://www.flickr.com/photos/37354253@N00/388468654
Climb on giant tubes http://www.flickr.com/photos/squeakywheel/379078841/in/photostream/
Shang Tsung http://www.umk3.net/images/portrait/shang_tsung.gif
Shoulder Surfing http://www.flickr.com/photos/16258917@N00/2785190754
Fisherman http://www.flickr.com/photos/41346951@N05/5187103981
Red Telephone http://www.flickr.com/photos/pulpolux/151179802/
Spam http://www.ciromota.net/wp-content/uploads/2008/10/spam.jpg
Setting Up Email Account http://www.flickr.com/photos/pieterouwerkerk/698618765/in/photostream/
Viagra http://www.n24.de/media/_fotos/bildergalerien/002011/valentinstag_1/7611575.jpg
Pic of Email Screen (SPAM) http://www.fastactiontraining.com/wp-content/uploads/2010/10/Pic-of-Email-Screen.jpg
Jornal Hoje http://4.bp.blogspot.com/_OZcgbN6AowE/S7uYcZuhbqI/AAAAAAAAAWQ/SKOM0o-_mIQ/s1600/jornal+hoje_globoc%C3%B3pia.jpg
Baby at Computer http://www.flickr.com/photos/65315936@N00/5511409574
Impressed http://www.flickr.com/photos/64114868@N00/1019654125
Security Guy http://www.flickr.com/photos/51035555243@N01/268524287
Head in Hand http://www.flickr.com/photos/34120957@N04/4199675334
White Ninja http://www.flickr.com/photos/cverdier/3893327741/
Lady Cat http://sweettater.files.wordpress.com/2010/03/cimg3458.jpg
God of War http://wallpapers.freewallpapers.im/images/2011/02/1024x600/god-of-war-2-game-1935.jpg

Slide 128

Slide 128 text

Maísa e Sílvio http://4.bp.blogspot.com/__UIUXK-sJhk/TOpBsG7XJwI/AAAAAAAABKM/DPuyUeFuTXk/s1600/maisa-e-silvio.jpg
Engineer at Work http://www.flickr.com/photos/hammershaug/4494291610/
Password Security http://www.getadvanced.net/images/uploads/Computer_Password_-_Security_Breach.jpg
Bum Shot http://www.flickr.com/photos/63423942@N00/497052735
Written Password http://www.flickr.com/photos/22871132@N00/4051530414
Japanese Guys http://img23.imageshack.us/img23/4451/1304026587.jpg
Talk at Phone http://www.flickr.com/photos/colorblindpicaso/2717409111
Call From Home http://www.flickr.com/photos/91672050@N00/257496969
Handshake http://www.flickr.com/photos/65484951@N00/252924532
Uncle Sam http://pslawnet.files.wordpress.com/2011/04/uncle-sam.jpg
Mr. Box Man http://www.flickr.com/photos/ollesvensson/3686050837/
Mails http://www.flickr.com/photos/comedynose/5666793668/
V for Vendetta http://www.flickr.com/photos/edans/5400848923/
Thinking http://www.flickr.com/photos/jakecaptive/3205277810/
Soldiers http://www.flickr.com/photos/19743256@N00/2223783127
Feet Up http://www.flickr.com/photos/81785266@N00/125463026
Chat http://www.flickr.com/photos/62597560@N00/258434606
Why You Meme http://clipartsy.com/FAVS/FAVICONIC.NET/April/y_u_no_guy_y_u_no-1331px.png
Hand in hand http://www.flickr.com/photos/26993091@N08/4718225577
Police Car in the Snow http://www.flickr.com/photos/64844023@N00/4198908464
Friends http://www.flickr.com/photos/43081986@N00/115112704
Impatient http://www.flickr.com/photos/45842803@N00/4795997639
Thinking http://www.flickr.com/photos/7320299@N08/3283431745
Social Media http://2.bp.blogspot.com/_m5OYm6Jx05Q/TVK1A53STtI/AAAAAAAAAZk/2iuw4Io838k/s1600/social_networks.jpg
Band of Brothers http://www.flickr.com/photos/17149966@N00/460670492
Weakest Link http://www.flickr.com/photos/53611153@N00/465459020
Crowd http://www.flickr.com/photos/84856173@N00/3786725982
Lazy http://www.flickr.com/photos/superfantastic/3010891914/
Coins http://www.flickr.com/photos/restlessglobetrotter/3824486278/
Wireless Fail http://www.flickr.com/photos/bnilsen/2880929094/
The Thinker http://www.flickr.com/photos/53611153@N00/5827849044

Slide 129

Slide 129 text

My Files http://www.flickr.com/photos/84172943@N00/5352825299
CD-R http://www.flickr.com/photos/45382171@N00/1515739697
Inside Outside http://www.flickr.com/photos/followtheseinstructions/5571697149/
Pole Dance http://www.flickr.com/photos/46854683@N04/4547706741
Seller http://www.flickr.com/photos/17768970@N00/4485455723
Thumbs up http://www.flickr.com/photos/37961843@N00/6265449
Greed http://www.flickr.com/photos/calliope/2207307656/
Dress Table http://www.flickr.com/photos/centralasian/5968327542/
Trust http://www.flickr.com/photos/43132185@N00/196015953
Sloth http://www.flickr.com/photos/28442702@N00/279470157
Compassion http://www.flickr.com/photos/29553188@N07/3573969837/
Running http://www.flickr.com/photos/51035555243@N01/287666827
Files http://www.flickr.com/photos/juniorvelo/3267647833/
Goofy http://www.flickr.com/photos/42dreams/73838574/
Library http://www.flickr.com/photos/51035555243@N01/85441961
Talking Business http://www.flickr.com/photos/brymo/272834885/
Mask http://www.flickr.com/photos/18548550@N00/5313987
Young Gentleman http://www.flickr.com/photos/64031910@N00/422547724
Goomba VS Mario and Yoshi http://www.flickr.com/photos/77161041@N00/2266201047
Mother http://www.flickr.com/photos/54304913@N00/17647469
Private Place http://www.flickr.com/photos/76151808@N00/6100020538
Kevin David Mitnick http://www.starnostar.com/data/images/who-is-Kevin-Mitnick-is-star-or-no-star-Kevin-David-Mitnick-celebrity-vote.jpg
The Jersey Devil http://www.flickr.com/photos/79874304@N00/285367520
A little better than the last group http://www.flickr.com/photos/81881849@N00/3222035439
Operation Takedown http://filmescomlegenda.net/wp-content/uploads/2009/03/operation-takeodown-300x422.jpg
I Have You Now http://www.fotopedia.com/items/flickr-3500989490
Spying Turquoise http://www.flickr.com/photos/jdhancock/7439564750/
Office Prank http://www.sprichie.com/wp-content/uploads/2012/01/office_pranks_05.jpg

Slide 130

Slide 130 text

Badges (sorry if anyone felt offended):
http://farm4.static.flickr.com/3289/2295308772_cecfd160ea.jpg
http://i279.photobucket.com/albums/kk160/lukstuning/DSC04358.jpg?t=1282497031
http://2.bp.blogspot.com/_mKoEIJZM0sk/SCDHHKtX2qI/AAAAAAAAAdU/OXDvNt9iqqU/s320/Foto-0336.jpg
Backgrounds:
Blue http://wallshq.com/wp-content/uploads/original/2011_06/80_blue-abstract-background_WallsHQ.com_.jpg
Green http://srv4.imghost.ge/out.php/i212027_greenabstractbackground.jpg
Orange http://wallpapers.free-review.net/wallpapers/19/Orange_abstract_wallpaper.jpg
Videos:
Jedi Mind Trick http://www.youtube.com/watch?v=bJiqrVWLfdw