Talk in The Social-Engineer Village at DEF CON 24
http://www.social-engineer.org/social-engineer-village/
[Overview]
As a Japanese security consultant, one of my research questions in social engineering is whether cultural difference becomes a barrier for social engineering, because the malicious practice of social engineering differs between Japan and the U.S. I think it does. Since I have experience working at companies in both Japan and the U.S., I would like to consider various social engineering techniques, such as tailgating, phishing and vishing, through both cultural lenses. In my talk, I discuss the workability of several social engineering techniques in both Japanese and U.S. culture, which will show whether cultural difference can become a barrier or a vulnerable weakness.
The Social-Engineer Village at DEF CON 24 : Does Cultural Differences Become a Barrier for Social Engineering?
1. Does Cultural Differences Become a Barrier for Social Engineering?
TOMOHISA ISHIKAWA
scientia.admin@gmail.com
www.scientia-security.org
4. >> WHO AM I?
Tomo (Tomohisa Ishikawa)
• Japanese Security Consultant (7 years of experience)
• ESL (English as a Second Language)
• A Doctoral Program Student
• Currently at an insurance company in Philadelphia
• CISSP, CISA, CISM, CFE, QSA, GPEN, GWAPT, GXPN, GWEB, GSNA, GREM, GCIH
Specialized Area
• Penetration Test
• Incident Response
• Vulnerability Management
• Security Awareness & Education
5. Background
Social engineering is a remarkable attack vector now
• HBGary hacked by Anonymous
• CloudFlare hacked by UGNazi
• Mat Honan (WIRED journalist)
• Naoki Hiroshima (theft of the Twitter username “@N”)
• CIA Director hacked by CWA (Crackas with Attitude)
• BEC (Business Email Compromise)
Is it popular in Japan?
• Spear phishing email attacks are popular
• but… not so active compared with the U.S., e.g. BEC
6. My Research Question:
Does cultural difference become a barrier for SE?
• If culture works as a barrier, “cultural defense” will be one of the solutions.
• The design of the organization, corporate culture and business process will be an effective method against SE.
9. Additional Notes:
Why is the idea of “cultural defense” so important?
• CVE-0 (no Patch Tuesday for human beings)
10. Disclaimer
I AM NOT…
• A cultural anthropologist, sociologist, psychologist, philosopher, etc.
Any opinions offered are…
• my opinion, hypothesis and thoughts based on a few of my own examples
• NOT those of my employers.
Focus on the difference between Japan and the U.S.
I may be biased because…
• 28 years of experience in Japanese culture (Guru)
• 8 months of experience in U.S. culture (Beginner or Intermediate)
It is NOT a conclusion, and I would like to start the discussion
• Constructive criticism and opinions are welcome
11. Disclaimer
I DO NOT want to discuss the advantages or disadvantages of each culture
• I would like to respect both cultures
• Only discuss the defensive workability against SE attacks
I welcome questions and comments, but
• PLEASE PLEASE speak slowly and simply
20. What is Culture?
Many definitions are available
The definition of E.B. Tylor:
• “that complex whole which includes knowledge, belief, art, morals, law, custom and any other capabilities and habits acquired by man as a member of society”
22. What is Cultural Difference?
Hofstede's cultural dimensions theory
• He carried out a comprehensive analysis of IBM employees and proposed six dimensions to characterize a culture
• Dataset: http://www.geerthofstede.nl/dimension-data-matrix
23. Hofstede's cultural dimensions theory
INDEX   DETAILS
PDI     Power Distance Index
IDV     Individualism vs. collectivism
MAS     Masculinity vs. femininity
UAI     Uncertainty avoidance index
LTO     Long-term orientation
IVR     Indulgence versus restraint
[Chart: Cultural Differences by Hofstede Indicator, Japan vs. U.S.A., scale 0-100 for PDI, IDV, MAS, UAI, LTO and IVR; the plotted values are in the table below]
        JPN   USA   DIFF
PDI     54    40    14
IDV     46    91    45
MAS     95    62    33
UAI     92    46    46
LTO     88    26    62
IVR     42    68    26
24. Hofstede's cultural dimensions theory
From this data:
Item   Diff   Japan                  U.S.A.
LTO    62     Long-term oriented     Short-term oriented
UAI    46     Hates uncertainty      Accepts risk
IDV    45     Collectivism           Individualism
29. OSINT
Open Source Intelligence
• Collecting the information needed for SE from public resources
Cultural Defense Workability of JP Culture:
• Japanese users prefer anonymity on the Internet
• This means that the difficulty of OSINT in JP is high.
MIC 2014 Research (MIC: Ministry of Internal Affairs and Communications)
• Comparison of 6 countries (JP, US, UK, FR, SK, SGP)
• http://www.soumu.go.jp/johotsusintokei/whitepaper/eng/WP2014/chapter-4.pdf
30. OSINT – Cultural Defense
MIC 2014 Research
• US users tend to use their real name, but JP users prefer to use a false name
[Chart: Use of false names versus real names on SNS (FB, Twitter, Chat, SNS, BBS, Blog), JP vs. US, 0-100%; categories: Use False Name / Use Real Name / Use Both (multiple accounts) / Not User]
31. OSINT – Cultural Defense
MIC 2014 Research
• 66.3% of JP respondents have antipathy against disclosing their real name (US: 35.9%)
The antipathy against disclosing one's real name (%, reconstructed from the chart values; each row sums to 100):
         Strong   Moderate   Neutral/Neither   Not much   No
Total    15.9     23.2       24.8              22.4       13.7
JP       41.7     24.6       13.7              12.7       7.3
U.S.     13.1     22.8       28.3              22.2       13.6
32. OSINT – Cultural Defense
MIC 2014 Research
• Approximately 60% of JP and US people feel the risk of being identified even though they use a false name
Awareness of the risk of being identified with anonymous use (%, reconstructed from the chart values; each row sums to 100):
         High possibility   Some possibility   Low possibility   Almost no possibility
Total    20.2               39.1               29.9              10.8
JP       16.5               43.7               26.5              13.3
US       24.4               36.9               27.4              11.3
34. Tailgating
Tailgating
• Breaking physical access control by using pretexting
• Ex) Pretending to be a “FedEx guy” or “pest control guy”
• Ex) Pretending to be a freshman (new hire), a WFH employee, or an employee from a different branch
Cultural Defense Workability of JP Culture:
• Japanese office culture is a “detective” environment
• Office layout
• Working style culture
36. Tailgating – Cultural Defense
Why does it work as a defense?
• Easy to identify strangers or attackers
• Colleagues know the usual behavior (baseline) of each other and of the vendors
37. Tailgating – Cultural Defense
Working Style Culture
• Before that, let’s look at the working style difference
Working Style
• U.S.A.: WFH is popular
• Japan: WFH is NOT popular
Employment Mobility
• U.S.A.: High mobility; join frequently, leave frequently
• Japan: Low mobility; JP companies do not like mid-career recruiting; stay at one company 10+ years
New Graduate Job Hunting
• U.S.A.: Apply to a “Job”; specialist oriented
• Japan: Apply to a “Company”; generalist oriented; join the company on April 1st; 2-4 month bootcamp training (project work); the company assigns the division (= job); job rotation is popular
This creates strong informal connections between colleagues.
40. Tailgating – Cultural Defense
Why does it work as a defense?
• New people or strangers are easy to identify
• Informal connections work as a verification method
• It may be difficult to create a workable pretext
42. Vishing
Vishing
• Phishing attack by phone call
• Ex) pretending to be a “computer support” guy
• Ex) pretending to be someone working from home or in another branch
Cultural Defense Workability of JP Culture:
• Working style
• Decision-making process
43. Vishing – Cultural Defense
Working Style
• WFH is not popular
• Outsourcing is not so popular
• Employees have strong informal connections
Why does it work as a defense?
• Pretexting may be hard
• If a phone call is suspicious, it is possible to ask questions through the informal network of colleagues (validation function)
44. Vishing – Cultural Defense
Phone Call Handling
• When your colleague gets a phone call...
• In Japan, a freshman or the administrative staff pick up the phone within three rings
Why does it work as a defense?
• The contents of the call are shared through the process (a flat desk layout is helpful)
• The freshman or administrative staff can establish the baseline
45. Vishing – Cultural Defense
Decision-Making Process
• US: if the boss says yes, it is done
• JP prefers consensus (many escalation steps to decide)
Why does it work as a defense?
• Various validation functions in the process, especially for financial settlement
47. I gave a couple of examples of Japanese (business) culture and its workability.
48. However, it does not necessarily mean that Japanese culture and people are resistant to social engineering.
49. Scams targeting elderly people are a serious problem in Japan, and we see a lot of SE techniques in them.
52. Scenarios: Step 1
Attacker (Police Officer A) calls the Victim:
• We arrested the scam group.
• They have a name list for a future attack, and it includes your name.
• They also committed credit card cloning, and your credit card may be abused.
• We are investigating this case with the FSA, and FSA staff will contact you.
FSA: Financial Services Agency
56. Scenarios: Step 2
Attacker (FSA Staff) calls the Victim, who has already received the call from Attacker (Police Officer A):
• You got a phone call from Police Officer A.
• We are investigating the malicious usage of your credit card.
• Please tell me the last 4 digits and the expiry date. We will match them against our database.
• Umm… it has been abused.
• We will start the process to issue a new card, and FSA staff will come to your home to pick up the old one.
FSA: Financial Services Agency
63. Wrap-Up
Does cultural difference become a barrier for SE?
• I think YES.
• But this is only my first thought, and I think further discussion is needed
• Also, from the attacker’s perspective, adjusting the pretext to the specific culture will be effective.
Considering culture and business process in the design may help to avoid social engineering
64. Thank You!!
If you have any questions, please feel free to contact me
Contact Info
• Email scientia.admin@gmail.com
• JP Blog www.scientia-security.org
• EN Blog blog.scientia-security.org (Coming Soon)