Hackfest 2024 - 16-bit Edition

High level outline:

• Introduction
  Social engineering is responsible for 91 per cent of breaches, highlighting that overall security is only as strong as its weakest link. While organizations may spend heavily on cutting-edge technology, they often neglect adequate training and process implementation, leaving them vulnerable. This point is illustrated through case studies such as the MGM Grand social engineering incident, Uber's MFA fatigue attack, and Kevin Mitnick's ability to physically access secure areas without authorization.

• OSINT – Determining Targets and Entry Points
  Open-source intelligence (OSINT) gathering is used by attackers to gain an understanding of the target organization, including potential entry points, and background information on specific staff that could be exploited to perform social engineering attacks. Discovered entry points include customer support numbers, internal call centre numbers and employee email addresses. When compiling a list of employee targets (i.e. from LinkedIn) and selecting which ones to use it’s best to be selective to suspicion. Selection criteria could include selecting targets that are newer to the company, using departments that might have high turnover, and/or selecting target’s that have access to multiple internal data sources.

• NIST Phish Scale – Evaluating the Content of a Phishing Email
  When preparing the email content for a phishing campaign the NIST Phish Scale can be used to create emails that will test varying degrees of employee vigilance and security awareness within an organization. A few components that can be used to construct or evaluate the email content includes “cues” and “relevant content”. Cues include the observable characteristics of the phishing email that may raise suspicion, such as spelling mistakes, inconsistencies, and common tactics such as email attachments and hyperlinks. Relevant content measures how well the email aligns with the user's expectations and everyday work experiences. Is this an email they would realistically expect at work?

• Email Phishing – How to Get SPAM Into the Corporate Inbox
  When conducting an email phishing campaign, there might be technical hurdles that prevent an attacker’s emails from getting into the company’s inbox. This section will outline the SPAM ecosystem, email detection systems used to identify and block suspicious emails, and the various techniques that can be used to bypass them. For example, hackers can purchase aged domains that have a good domain reputation, incorporate matching technologies, and throttle sending rates.

• Phone Social Engineering – Experiences in Impersonation and Taking Over Accounts
  This section outlines two scenarios. The first involves impersonating employees when calling tech support numbers in order to take over their accounts. The second involves calling employees while disguised as technical staff with the aim of convincing them to enter online Authenticator tokens on Microsoft products in order to takeover their accounts. Experiences will highlight some of the responses people provide when performing these activities as well as recommendations for companies to improve identity verification.

• Physical Security – Outcomes from Just Hanging Around
  This section goes through social engineering outcomes while onsite at physical locations. Techniques covered include tailgating into facilities and leaving devices (i.e., USB keys) around the office. Outcomes can include gaining access to server rooms when doors are propped open, cloning HID cards, dropping man-in-the-middle tools around the network, finding confidential documents in filing cabinets, and setting up Wi-Fi devices to act as an evil twin.