Test Taking and Cheating

Presentation Transcript


  1. Test Taking and Cheating ISAW 2008 UofU Dave Packham

  2. Don’t Cheat on THIS test, Cheat on the NEXT one • There will be 2 tests today. Cheat on the second one please • Please Leave the TEST face down • You will have 2 minutes to take the test • Please answer everything as accurately as possible on the first test. • I will show you the cheats after the test is over and let you take it again.

  3. START • You have 2 minutes

  4. STOP

  5. And now for the Test Cheating Info

  6. You WERE the TEST

  7. Exploits “layer 8” • There is no computer system on Earth that does not rely on humans • S.E. completely bypasses all information controls and goes directly after the weakest link:

  8. The OSI model • 7. application • 6. presentation • 5. session • 4. transport • 3. network • 2. link • 1. physical (cyberspace)

  9. The OSI model • 8. human • 7. application • 6. presentation • 5. session • 4. transport • 3. network • 2. link • 1. physical (cyberspace) • 0. physical (meatspace)

  10. Stuff I’ve seen THIS WEEK • talking to a T-Mobile op, got my new home phone even though they should not • fax sent to wrong place • listening to co-workers use automated voice • cell phones’ outer display • cell phone conversations on public transit • ask someone their name... get their last name and fake that you know their mom and insert a fake middle name in hopes that they correct that • DTMF tones are songs and can be memorized • Someone passing out a USB KEY WATCH… that he “FOUND”

  11. Exploits “layer 8” • There is no computer system on Earth that does not rely on humans • S.E. completely bypasses all information controls and goes directly after the weakest link:

  12. Social engineering • The art and science of getting people to comply with your wishes. • Not a form of mind control • Lots of groundwork • Information-gathering • Idle chit-chat • Amusing accents • Most of the work is in preparation

  13. Uh, isn’t that what selling is? • To sell: create a spark • Predict • What the eye will see • What the ear will hear • What the mind will think • The highest form of selling: • In a way that the consumer is unaware she is being sold

  14. Social engineering • The art and science of getting people to comply with your wishes. • Is the highest form of hacking • Can be very easy • Often yields largest rewards • Natural human desire to help leaves us vulnerable • And can undermine all technical countermeasures

  15. Suave and sophisticated • Only amateurs ask for passwords • Build emotional bond—even trust • Administrators • Security personnel • Any likely possessor of information • Anyone with access is a potential risk • Electronic or physical • Includes people outside the policy

  16. Cute Girls are SOCIAL

  17. Types of exploits • Diffusion of responsibility: “The veep says you won’t bear any responsibility…” • Chance for ingratiation: “Look at what you might get out of this!” • Trust relationships: “He’s a good guy, I think I can trust him” • Moral duty: “You must help me! Aren’t you so mad about it?”

  18. Types of exploits • Guilt: “What, you don’t want to help me?” • Identification: “You and I are really two of a kind, huh?” • Desire to be helpful: “Would you help me here, please?” • Cooperation: “Let’s work together. We can do so much!”

  19. More psychological triggers • Strong affect • Overloading • Reciprocation • Deceptive relationships • Authority • Integrity and consistency

  20. Involvement vs. influence

  21. Public access terminals: gold!

  22. The help desk • People are naturally helpful • Its function is to help—to provide answers • Like all customer service • Generally not trained to question the validity of each call • Minimally-educated about security • Don’t get paid much • Objective: move on to next call

  23. Try it yourself! • Be professional. • Be calm. • Know your mark. • Do not fool a superior scammer. • Plan your escape from your scam. • Be a woman. • Use watermarks. • Make business cards and fake names. • Manipulate the less fortunate, the unaware, and the stupid. • Use a team if you have to.

  24. Why It Succeeds

  25. People vs. machines Six problems that show the inherent conflict between carbon and silicon • How do people perceive risk? • How do people handle exceptions? • Why do people trust computers? • Why do we think people can make intelligent security decisions? • Are there malicious insiders? • Why are people vulnerable to social engineering?

  26. Awkward exception handling • Computer mistakes are rare; people don’t know how to deal with them • Sometimes we just ignore or disable the alarm • Attackers take advantage of mistakes • Drills ensure people know what to do • “This computer never makes mistakes, so you must be lying”

  27. My Daughter’s LAPTOP • EDU installed a BATCH file to enable security that runs every boot • It prompts her to allow it every boot with UAC. • She has been conditioned now to accept everything so she can get to work • Friend used MS PowerShell to prompt her for her password…. • PWNED
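The fix for the laptop slide is to take the needless prompt away rather than to train the user harder. This is an added example, not part of the slides; it assumes the EDU's script lives at the placeholder path C:\EDU\enable-security.bat and that the student account is a local administrator, which is why UAC asked for consent at every boot.

```powershell
# Added example, not from the presentation. Placeholder path and task name.
$script   = 'C:\EDU\enable-security.bat'   # placeholder: the EDU's boot-time script
$taskName = 'EDU-EnableSecurity'

# 1. Run the boot-time script as SYSTEM from Task Scheduler. It starts before
#    anyone logs on, so no UAC consent dialog is ever shown to the user and she
#    stops being conditioned to click "Yes" on every prompt she sees.
$action    = New-ScheduledTaskAction -Execute 'cmd.exe' -Argument "/c `"$script`""
$trigger   = New-ScheduledTaskTrigger -AtStartup
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
$settings  = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Minutes 5)
Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings -Force | Out-Null

# 2. Keep the genuine UAC prompt on the secure desktop (screen dims, other
#    windows freeze). A password box drawn by a script on the normal desktop
#    cannot reproduce that, which gives the user one visible difference to
#    look for before typing a password.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
Set-ItemProperty -Path $uacKey -Name 'PromptOnSecureDesktop' -Value 1 -Type DWord
Set-ItemProperty -Path $uacKey -Name 'EnableLUA'             -Value 1 -Type DWord

# 3. Verify: the task runs elevated as SYSTEM and the secure-desktop flag is set.
Get-ScheduledTask -TaskName $taskName |
    Select-Object TaskName, State,
        @{ n = 'User';     e = { $_.Principal.UserId } },
        @{ n = 'RunLevel'; e = { $_.Principal.RunLevel } }
Get-ItemProperty -Path $uacKey -Name PromptOnSecureDesktop, EnableLUA
```

Run it from an elevated PowerShell session; a script that only needs to run once after installation should not be scheduled at all, so it is worth asking the EDU why it runs every boot.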

  28. “Hell, not again… we gotta fix that stupid alarm.” • “Damn, this new Whyte Ryce album kicks!” • “George’ll shut it off when he looks up, he always does.”

  29. Trusting the computer • People don’t sign or encrypt stuff…software does! • Necessary to securely transfer human volition to computer action • Volition can be forged…make the computer lie • Trojan horse feeds malicious document into signing system when key is opened to sign something else

  30. Who needs physical access?

  31. Making security decisions • People want security… but they don’t want to see it working • And will disable or circumvent it if it gets in the way of work • Yet good security relies on interaction • Checking the name on a digital certificate • The allure of email worms with sexy subject lines • JavaScript warning dialogs

  32. Malicious insiders • Implicitly trusted • Digital world is rife with insider knowledge • Authors of security programs • Installers of firewalls • Auditors • Hire honest people • Integrity screening • Diffuse trust • Public code reviews

  33. Tools And Techniques

  34. So you wanna be a social engineer • You need two things: • A telephone • A “mark”—maybe a former best friend

  35. Other useful bits • ANI (caller ID) if planning a callback scam • Voice changer • Ability to think quickly

  36. Fingering the mark • Need collection of information tidbits to create sense of authenticity • Obtain a list of employee and computer names • whois • finger • Domain registration records • Target organization’s own web site • Google, anyone?

  37. Make a site visit • Look good!—blend in • Fake ID badge • Observe typical entry/exit behavior • Stride with confidence; pretend you belong • Private offices are best • Computer connections • Posted lists and notes • Ask low-level employees

  38. Dumpster diving • Memos • Phone books • Policy manuals • Calendars • System manuals • Disks and tapes • Organizational charts • Printouts of names and passwords • Printouts of source code • Old discarded hardware

  39. Building the picture • Faking a phone rep could work… • Try the written word: built-in trust • “You might already be a winner!” • “We value your opinion…” • Be official-looking mass mail • “We will need a password to verify…” • Follow up with a phone call • Ask for the password and other data • Listen to speech pattern
