Social Engineering And Emerging Multimedia Technologies

BSides Munich · 2018 · 25:07 · 172 views · Published 2018-04
About this talk
by Carl Schoeller

The development of social engineering and the damages it has already caused, followed by the most commonly used strategies as well as the tools that are readily available and their impacts. Next, upcoming technologies will be discussed and their implications from a social engineering standpoint analyzed. Finally, protection and countering measures will be touched upon.

all right so I will be talking to you about social engineering so first let's get a few things out of the way what is it well imagine you have a castle to protect some sort of data hacking in the traditional sense would be going around poking at the walls to see which brick is loosest or where to add an extra brick so the whole wall crumbles meanwhile social engineering is just simply walking up to the front gate and tricking the guy operating it to open up and this is why social engineering is so dangerous I mean you can build thicker walls or you can dig a deeper moat but the human element can still be

compromised also the castle analogy still holds true in the literal sense as social engineering is very often used in the physical world to gain access to secure locations now first I will go over the current social engineering tactics and here in this list I have loosely organized them from tactics that are exclusive to the digital world to those that are exclusively physical so let's start with the first tactic phishing or as I like to call it the Nigerian prince one so phishing is very much a shotgun approach meaning that fire as many shots as possible and well one of them has to hit the target and because of this phishing has very low success rates around 3% of all phishing

attacks are successful and but because it can target such a wide range of people it is by far the most popular online scam method I mean I'm sure everyone here has received some sort of spam email at some point asking me to reset their eBay password or something along those lines also because it's so broad it kind of requires a bit of naivety to fall for a phishing attack that's why the overwhelming majority of people who lose money to phishing attacks are seniors about 60 years old additionally as just said phishing is mainly used to exploit financial data and although a three percent success rate doesn't sound like much since phishing targets so many people

percent of a large number is still a lot of damage for example 91 million dollars were lost last year in Australia alone according to the Australian Centre for Commerce and two other Cs I can't remember now onto spear phishing spear phishing and phishing are principally the same with one key difference being that spear phishing is far more targeted than regular phishing therefore it also requires some extra research by the attacker for example where the targets work their gender their age etc and because of that they are far more effective than regular phishing emails spear phishing emails are 25 times more likely to be opened than regular phishing ones and because of this they can also

be used for a larger variety of purposes because instead of targeting a large group of people with the standard dear PayPal customer please reset your password it can be tailored to some or maybe even all employees of a specific company to disclose their network credentials additionally both spear phishing and phishing attacks are almost exclusively administered over email this is firstly because the style of emails of large companies can very easily be replicated additionally they can be sent to masses of people with little to no cost almost instantly and finally there are tools out there that very easily exploit flaws in the email system for example there are online services right now that let you send an email from

any fake email address to any real one now on to quid pro quo which means something for something in Latin and quid pro quo is a method of essentially finding the easiest point of entry into a system for example if an attacker were to call a company's employees offering tech support I'm sure a lot of the employees will turn him down but eventually one who actually needs tech support would gladly talk to them and likely disclose their network credentials but it doesn't necessarily require active involvement by the attacker for example they can set up a website that tests the security of your password and all you have to do is enter it or what I've seen is a website that checks if

your credit card details have been stolen and all you have to do is enter your credit card number and security pin and it'll do the rest and essentially quid pro quo is bribing the target or offering a service in exchange for information by the target now onto the next weirdly water-related one water-holing so water-holing is a way of exploiting targets' trust especially specifically the trust in services or websites they commonly use for example early infections of the WannaCry ransomware were administered through a combination of both water-hole and phishing attacks and it also targets a specific group of people who use a website or service CCleaner for example which is a popular PC space-freeing

tool was exploited as for over a month last year the official CCleaner download contained malware and why this is so powerful is because if the same malware were on some random email or link on the Internet the user would likely be far more wary of clicking it meanwhile if it's on a trusted most trusted source such as a software they commonly use or an update therefor they're far more likely to fall for it however the one key downside of water-holing is that it actually requires website exploits to function attackers usually use zero-day exploits such as once again WannaCry used the EternalBlue exploit in older Windows operating systems to function and because of that

water-holing somewhat blurs the line between hacking and social engineering but due to this element of trust water-holing can be very effective for example in 2014 Chinese attackers used exploits in Flash to infect users of forbes.com which ultimately led them to gain access to US defense systems now onto pretexting pretexting is quite simply pretending to be someone you're not or in the situation you aren't and it can come in many different forms for example being contacted by an authorized Microsoft IT helper to divulge access to your personal computer or from your system administrator to do the same additionally since an individual it pretexting relies can also rely on an individual's trust of authority and since humans are taught to respect

authority this can be very powerful for example a group of Australians decided to put this to the test a while ago simply by buying high visibility vests and seeing what kind of places they could get into which ultimately ended up with them getting into an Australian Coldplay concert not only for free but also standing right next to the stage now finally onto baiting baiting is essentially a physical Trojan horse and usually comes in the form of leaving physical traps such as a USB stick lying around labelled in an interesting manner of course with some sort of malware on it and this very much relies on human curiosity because I'm sure a lot of us if they

were to see a USB stick on the floor labeled confidential or top-secret would probably plug it into their computer just to see what's on it and because of this in 2016 researchers dropped almost 300 USB drives around the campus of the University of Illinois with a simple script on it that phoned home once it was plugged into a computer and ultimately 45% of the deployed USB sticks were inserted and thus detectable by the researchers so now that we've looked at the current tactics let's look at what's to come or specifically the ability of future social engineers to perfectly impersonate anyone they wish granting them immense capabilities so first let's talk about the first aspect in perfect impersonation speech

and specifically let's look at Adobe Project VoCo Project VoCo allows the modification of a clip of spoken audio specifically it uses a simple text-to-speech to allow visual editing of the spoken text and because of this it was aptly dubbed by Adobe themselves the Photoshop of voice and however it has some limitations firstly it operates exclusively inside that clip of audio meaning that it is quite easy to rearrange words and maybe replace one or two or add a few however it doesn't really have the capability to add extra phrases or even do this live therefore for an impersonation standpoint it isn't really viable however there are still enough nefarious applications for this that Adobe actually never released VoCo

to the public let's elevate this one level though and look at Lyrebird Lyrebird is an AI startup that uses a five-minute recording of someone's speech combined with neural network speech analysis to create a model of someone's speaking patterns allowing for full speech synthesis and contrary to VoCo this allows for full flexibility ie you could have someone read a book in you could read a book in someone's voice however because of this it also requires more effort and material than VoCo since VoCo only requires one clip of audio Lyrebird requires at least five minutes of recording to produce a halfway decent result but also Lyrebird can be live so translate your voice into someone else's

on the fly and so let's look at an example of this first let's listen to a recording of the actual Donald Trump and then let's listen to the fully AI speech synthesized version we call on every nation including China and Russia to fully implement UN Security Council resolutions downgrade diplomatic relations with the regime and sever all ties in trade and Technology so that was the actual Donald Trump and now let's look at the AI version the United States is consumed in addition although there it isn't quite perfect and I mean there are still some telltale signs such as the weird metallic garbling in the background sometimes it's pretty good especially considering some of the enunciation and speech

patterns that are clearly traceable back to Trump and so as this tech develops this voice will become more and more convincing and maybe even at some point indistinguishable from the actual person so now that we've got the speech part covered let's look at the visual aspects of impersonation firstly let's look at FakeApp FakeApp similar to Lyrebird is an AI powered application but instead of doing voice synthesis it does face swapping additionally it is very time intensive as it takes long rendering and it has long rendering and learning times to produce an adequate result additionally hours of footage have to be used of both the subject and the target to produce a convincing

result however once you meet those requirements it produces excellent outcomes and since the software is free and has been easily compiled with a graphic user interface the Internet has had its fun with it specifically they put Nick Cage in anything they could find such as in this clip uploaded by a Reddit user from the new Superman movie

as you can see the result is near perfect I mean it looks almost like a real Amy Adams Nick Cage mashup thing and however FakeApp has been used for some slightly less fun and less water related purposes mainly blackmail criminals have been putting people's faces in situations they weren't in mostly usually erotic and then wanted money for not releasing the video as a result of this all FakeApp outputs are now watermarked but also since FakeApp isn't live it doesn't really offer much from an impersonation standpoint so let's look at something more applicable that being Face2Face Face2Face is also AI based but instead of doing face swapping it's

simply swaps facial expression meaning that it takes an RGB video of a source actor and analyzes their facial expression and then plays that onto a simple video of the target actor so let's look an example let's look at an example that's working oops there we go so contrary to FakeApp it's relatively inexpensive because while FakeApp needs a FakeApp needs a relatively powerful computer and lots of time this only requires a webcam and an RGB video of the target additionally it is live as you can see the source actor's facial expression is being mapped onto the target actor's video in real time yet Face2Face is also somewhat limited

being that it is it operates exclusively in the video clip of the target actor seeing as only facial expressions are being mapped for example if the source actor were to move his head for example that would not translate onto the real-time reenactment but let's look at one last solution that could solve all these problems that being Unreal Engine so a few weeks ago Epic Games the maker of Unreal Engine put out a tech demo of what they called a digital human showing near photorealistic results in a real time in real time rendering of an actress in a motion capture suit in the room next door and it looks something like this and as you can see the result is still a bit in

the uncanny valley but seeing that this is rendered live it is an incredibly impressive result however there are also some drawbacks of this method firstly it requires very expensive tracking equipment as the actress of this source actors for this was actually rigged up like this additionally it requires very powerful computers to run as remember this is all done in real time however computer power is getting cheaper year-over-year and additionally Unreal Engine offers full flexibility of lighting environment clothing and most importantly the person being displayed yet this comes with one drawback being that it would require a 3d model of the target yet imagine a default character model with a few tweakable features such as in present in most video games today

well as such as is present in most video games with a character creator today coupled with a few pictures of the targets face can most likely create a very convincing look especially imagine if it's over a Skype connection for example and now back to the tracking aspect that is the most expensive part of the social set up however cheaper technology exists right now and I'm holding it in my hand so this Taiwanese visual effects artist actually demonstrates this demonstrates the tracking capabilities of the iPhone X by mapping his facial expressions onto a 3d mesh and while some may argue this isn't practically viable yet for the fidelity used in the Unreal Engine example some game developers such as

Next Games are actually already using this exact technology to animate digital characters in their games so as you can see here all their setup is is an iPhone X and a custom built app to animate 3d characters in real time using the facial tracking of the phone so this of course begs the question would a future version of an AI synthesis coupled with a rendering engine allow you to impersonate anyone well at the moment it's not really viable for anyone to do this however in the future with a handful of newer developments this could become very possible for anyone to do so imagine in the near future getting a Skype call from someone who

talks like your boss and looks like your boss or anyone else imaginable why you believe what they say now this of course raises a simple question how can I protect myself well this question doesn't have a simple answer and not only because the technology isn't fully developed yet but there are a few steps that don't only apply to future social engineering but also current firstly common-sense and critical thinking this definitely is a must in any setting but especially important in the internet on the internet and in a social engineering standpoint so just ask is this email from eBay really valid or is this completely random and is trying to get my information thirdly a two-factor

confirmation system for everything would not would go a long ways ie confirming every order you get and just making sure it's correct and additionally there might be another option being that you don't have to protect yourself because technology advances in all directions so if there's an AI system faking someone's voice on the phone there similarly might be one detecting it so in conclusion social engineering will only become more prevalent as digital systems become more and more secure and as the common matter goes a chain is only as strong as its weakest link and this certainly applies to all digital systems and increasingly the human element is the weakest link and with emerging technologies such as the previously

mentioned AI voice synthesis this human element will come under attack more and more making digital awareness as important as ever thank you

thank you so much that was very entertaining any questions yes God thank you for a great presentation it's really exciting so I should like to add a personal story so you shout the picture of the concept in the West and in the early 1980s I was a clear little loopy emergency service is a warranty and a friend of mine asked me well let's take the orange ticket and our heart and then don't go to the Rolling Stones and uber trust we entered and there was a border for for the area which was not for the public and there were some policemen and we did not watch to cross that border but the policeman asked us well we can

help you and so it was not our intention so we just wanted to attend the concert and finally we ended up below the stage and we saw other people pushing against there for us and we just watched it and so it really works so as this story that's incredible yes yeah like secret phrases or something yeah so the question was for a protection would like a secret exchange phrase to validate the person's identity be a good way of protection and sure definitely I mean if you can construct such a system that probably be a very good way of mustering out all the potential social engineers

yeah the question was about biometrics on the web and I think it's very possible I think when the iPhone 5s came out a few researchers were actually able to I think get fingerprints off a photo and I think I make that mistake myself because although I think it's really cool my background is actually my fingerprint so that might not be too great but yeah I'm sure the possibility especially with face ID now on the newer iPhones I'm sure the possibility exists to get an adequate 3d model of someone's face from a few pictures yeah I use the face it's fine yeah the question was about AI specifically asking about the AI solutions I mentioned and I think there

are already a few companies that employ AI for cybersecurity I think one is Darktrace and one was I can't remember the name was recently bought by Sophos the antivirus software and they employ that already yes

yeah the question was about I think like two-factor authentication essentially for phone calls of the future and I think I'm sure it's a possibility because especially if these technologies get used more frequently I mean the market will exist for something that makes phone calls more secure and especially over the Internet and so I mean this could already be valid outside of a social engineering standpoint if for example government officials want to communicate securely this could definitely be used to validate someone's identity oh thank you [Applause]