There are a wide variety of ways attackers can try to gain access to our data.

One of the easiest and most non-technical approaches is social engineering.
Why waste your time trying to break into a system if you can convince someone to let you in?
In this video, I cover how social engineering is used and prevented, and some common attacks on our cryptography, at the level you need for the CISSP exam.

Remember, the CISSP exam is a management-level exam; you need the right point of view to pass it.

You can get all my courses, free study materials, my free CISSP course and much more on https://thorteaches.com/

Transcript:

In this lecture, we are going to continue with cryptographic attacks.
We just talked about how it is easier to steal the key than it is to break it, but it is even easier if you convince someone to give you the key.
Social engineering can be tremendously successful.
People want to be helpful.
People want to be nice.
They don’t like conflict and they don’t want to get in trouble.
So if you call and say you are from helpdesk, “Hey, this is Thor from help desk. We’re seeing some
problems with your user log-in, there’s some irregularities with your log-in, and I just need to confirm that you are actually you. Please give me your password to confirm that you are.
If not, I’m unfortunately going to have to lock your accounts.”
People are used to doing what they are told.
They don’t want to be locked out from their accounts so they can’t do their work and they just want the somewhat friendly guy from helpdesk to go away and leave them alone.
How do you achieve that?
Well, you give whoever is on the phone what they want.
There was a very successful social engineering attack done by a penetration testing company.
The company thought that they had been very clear in their training that users should never, under any circumstances, share their password.
So the Pen-Test company rented an ice cream truck.
They drove it up in front of the company office.
They had a sign that said free ice cream for anyone in this company.
We want to thank our employees for being so awesome.
So here is a free ice cream.
All you need to do is to prove that you work here by entering your username and password.
Whatever they entered, they would get an approved message and they would get their free ice cream.
In less than half an hour, that pen-testing company was able to get over 90% of the usernames and passwords of the employees that were at the location on that day.
Once the employees saw someone else in line getting free stuff that they knew well, then they just went over there to get their free ice cream.
It looked legit.
It had the company logo.
It has to be right.
Let’s get our ice cream.
And this is why I keep saying we need the training to raise their awareness.
If they don’t change their behavior, their awareness, well, then the training doesn’t matter.
And luckily, this was a penetration test.
It was not an attack.
But it is a very good example of how easy it is to get people to do what they do, even if they are completely clear that this is sensitive information they’re giving out.
We are going to cover social engineering more later, but just for now, understand how it works.
And then maybe the different approaches to social engineering.
We have authority, that is, someone that you either trust or are afraid of: an authority figure tells you to do something.
You are more likely to comply.
Then we have intimidation.
If you don’t do this, then something bad will happen.
We briefly touched on that.
That was the email to the CEO.
“If you don’t open this attachment and reply within 24 hours, then we’re going to sue you for $1 million.”
Then we have consensus, that is you following the crowd.
Everybody else was doing it.
That can be fake reviews on a website or some sort of fake social proof.
Well, that looks legit.
I’m going to buy it.
Then we have scarcity.
That is the “only five left in stock, act now or lose out forever.”
They never only have five in stock.
Then we have urgency.
Do it now or something happens.
That is the 24 hour limit the CEO got from that email.
The intimidation was the threat.
And then finally, we have familiarity.
Here, you and the attacker have some sort of common ground that you can build on.
“This is Thor from IT support, can you give me your password?
Oh, I see here in our files that you went to this high school.
So did my sister.
Maybe you know Karen from this year?” Because we have that common ground, we kind of sort of know each other.
It is now much more likely that they will help you.
Now onto rainbow tables. Those are the precompiled lists of plaintext and matching ciphertext made by using different hashing algorithms, millions and millions of pairs.
So if they somehow get my hashed password, that is ThorIsAwesome, and we didn’t use salting and we didn’t use nonces, then they compare that to their list and they now know my password.
Then we have known plaintext attacks.
The attacker has the plaintext that we used for a password.
They also have the ciphertext.
They then use that to try to figure out which encryption key we used.
If they can figure that out, well, then they can decrypt all the other passwords as well.
Chosen plaintext is similar to known plaintext, but here, as the name indicates, we are able to choose the plaintext.
So not only do we know the plaintext, it is also one of our choice.
Which then brings us to Adaptive Chosen Plaintext.
Here we enter a password, we see the new hash value, then we do it again and again and again.
So each round we adapt what we use as the password.
And if there are any implementation flaws or flaws in the actual hashing algorithm, well then this adaptive approach could possibly help us break it.
Finally, on this slide, we have Meet-in-the-Middle attacks, and this is a more specialized type of attack.
Here, the attacker knows parts of the plaintext and the ciphertext, but they need to break multiple ciphers.
If you remember back to Triple DES K1, then the encryption is the same algorithm, but three different keys.
The attacker would break the first key, then start over, then break the second key, then start over and then break the third key.
And with that, we are done with this lecture.
I will see you in the next one.
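The rainbow table point above (a stolen unsalted hash is reversed with one lookup, while a per-user salt defeats the precomputed list) as an added example; this is not code from the lecture or from thorteaches.com. The candidate list is constructed, and PBKDF2 with a random salt is used as the hardened form.

```python
import hashlib
import secrets

# Constructed candidate list standing in for a precomputed (rainbow) table.
CANDIDATES = ["password", "letmein", "ThorIsAwesome", "Summer2024!", "qwerty"]


def build_lookup_table(candidates):
    """Precompute digest -> plaintext for unsalted SHA-256, as a rainbow table would."""
    return {hashlib.sha256(p.encode()).hexdigest(): p for p in candidates}


def unsalted_hash(password):
    """The weak scheme: the same password always yields the same digest."""
    return hashlib.sha256(password.encode()).hexdigest()


def lookup(table, digest):
    """Return the plaintext if the digest is in the precomputed table, else None."""
    return table.get(digest)


def salted_hash(password, salt=None, iterations=100_000):
    """Hardened scheme: a random per-user salt plus PBKDF2 stretching; returns (salt, hex digest)."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest.hex()


def verify(password, salt, stored_digest, iterations=100_000):
    """Recompute with the stored salt and compare in constant time."""
    _, digest = salted_hash(password, salt, iterations)
    return secrets.compare_digest(digest, stored_digest)


def demo():
    table = build_lookup_table(CANDIDATES)
    # Unsalted: a stolen digest is reversed with a single dictionary lookup.
    recovered = lookup(table, unsalted_hash("ThorIsAwesome"))
    # Salted: the same table finds nothing, and two users sharing a password get different digests.
    salt_a, digest_a = salted_hash("ThorIsAwesome")
    _, digest_b = salted_hash("ThorIsAwesome")
    return {
        "unsalted_recovered": recovered,
        "salted_in_table": lookup(table, digest_a) is not None,
        "digests_differ": digest_a != digest_b,
        "verify_ok": verify("ThorIsAwesome", salt_a, digest_a),
        "verify_wrong": verify("wrong", salt_a, digest_a),
    }
```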