The most expensive domain name thus far in history was stolen in 1995 by sending a fax to the domain registrar. The same attack worked again in 2013 to hijack the DNS of another website. A FAX. In 2013. In 2015, a teenage hacker collective obtained control of the CIA Director's email, partial credit card number etc. In 2016, the Director of National Intelligence and the Director of the Office of Science and Technology Policy were hacked by the same group in the same way. A quick search reveals an alarming number of such attacks where the initial attacks were widely publicized and the vulnerabilities hence previously known, with most requiring little effort and often no cost to patch. So where exactly is the status quo failing? And what exactly is this problem? Social engineering attack? Identity theft? Something else?
It will quickly be evident that the complexity of thought required for the modeling, analysis, and detection of these types of attacks, ironically, belies the simplicity in their perpetration. There cannot be an effective solution without a comprehensive problem description; conventional theories fail to capture this problem meaningfully. This talk addresses the problems in the status quo and illustrates a methodology to comprehensively address this problem. Some very interesting findings from penetration tests are also discussed.