social engineering - Page 4

Thread: social engineering

  1. #31
    z31200n3 (Senior Member) | Join Date: Jan 2004 | Location: Bellevegas | Posts: 102
    Originally posted here by ghostmachine
    thanks for all your input.
    The main concern on my part is how, in the scenario mentioned, staff B is going to identify that the helpdesk is who they say they are.
    So firstly, the helpdesk should not ask users for passwords at all. This is enforced by policy.
    Secondly, users should just say no, no and no when asked for a password (enforced by policy).
    Lastly, as an identifying mechanism, use caller ID...

    thanks


    Well, as pointed out in Mitnick's book, caller ID can be tricked too if the S.E. is really motivated and skilled... So it can't be relied upon as a "final ID mechanism" 100% of the time...

    my $0.02

    -z3

  2. #32
    Frustrated Mad Scientist | Join Date: Dec 2004 | Posts: 1,152
    A long complex password isn't necessarily good. It just forces more people to write them down. We use an 8 character minimum which must contain numbers and letters in upper and lower case. I think this is probably the upper limit that staff can cope with.

    Schneier advises that you can make staff use very hard passwords but you have to let them write them down. Put the note in your wallet. Most people keep their wallets pretty safe.

    It's a view that a lot of people are coming round to here. Especially with some pressure for single sign in happening.

    I believe the best practice for development within an organisation is to have it on a separate network, logical or physical. Development should never occur on the business network. Development data should be synthetic or at least sanitised, but must be analogous with live data.
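The password rule described in the post above (8 characters minimum, with digits and both upper- and lower-case letters) as an added, runnable example; this is not code from the thread or from any product mentioned in it. It checks the stated rule and then shows the caveat the poster is pointing at: a complexity rule is satisfied by highly predictable strings, so it is a poor proxy for strength. The function names, the "predictable shape" patterns, the keyboard-walk check and the sample passwords are all constructed for this example.

```python
import math
import re

# Policy as stated in the post: at least 8 characters, containing digits,
# upper-case letters and lower-case letters. MIN_LENGTH is the only number
# taken from the post; everything else below is an assumption of this example.
MIN_LENGTH = 8


def meets_policy(password: str) -> bool:
    """True if the password satisfies the 8-character, mixed-case-plus-digit rule."""
    return (
        len(password) >= MIN_LENGTH
        and any(c.isupper() for c in password)
        and any(c.islower() for c in password)
        and any(c.isdigit() for c in password)
    )


# Constructed for this example: the shape users reach for when a rule forces
# them to add a capital and a digit, i.e. a capitalised word followed by one
# to four digits and an optional trailing symbol ("Password1", "Summer2005").
_PREDICTABLE_SHAPE = re.compile(r"^[A-Z][a-z]{3,}\d{1,4}[!@#$%]?$")

# Constructed for this example: rows of a QWERTY keyboard, used to spot walks
# such as "qwer" or "asdf" that also pass the rule once a digit is appended.
_KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]


def is_predictable_shape(password: str) -> bool:
    """True if the password matches the capitalised-word-plus-digits pattern."""
    return bool(_PREDICTABLE_SHAPE.match(password))


def has_keyboard_walk(password: str, n: int = 4) -> bool:
    """True if any n consecutive characters run along a keyboard row."""
    lower = password.lower()
    return any(
        row[i:i + n] in lower
        for row in _KEYBOARD_ROWS
        for i in range(len(row) - n + 1)
    )


def naive_entropy_bits(password: str) -> float:
    """log2(pool) * length, counting only the character classes actually used.

    This is the figure a complexity rule implicitly assumes. The shape and
    keyboard-walk checks show why it overstates the real guessing effort.
    """
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(not c.isalnum() for c in password):
        pool += 33  # printable ASCII punctuation
    return round(len(password) * math.log2(pool), 1) if pool else 0.0


def assess(password: str) -> dict:
    """Combine the policy check with the predictability checks."""
    return {
        "meets_policy": meets_policy(password),
        "predictable": is_predictable_shape(password) or has_keyboard_walk(password),
        "naive_bits": naive_entropy_bits(password),
    }


if __name__ == "__main__":
    # Constructed sample passwords, not taken from any real system.
    for pw in ["password", "Abc123", "Password1", "Summer2005", "Qwerty123", "xK9vQ2mLt4"]:
        print(f"{pw:12} {assess(pw)}")
```

"Password1" and "Summer2005" pass the rule with a nominal 53 to 60 bits, yet both are flagged as predictable; "xK9vQ2mLt4" passes and is not flagged, which is exactly the kind of password the poster expects staff to write down.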

  3. #33
    MURACU (AO Guinness Monster) | Join Date: Jan 2004 | Location: paris | Posts: 1,003
    Of course people tend to fixate on passwords, things like how long is yours, does it have special characters, etc. In my experience the biggest internal security threat comes from people simply not locking their workstation when they run to get coffee or go to talk to their supervisor, etc. I've had developers thinking they were smart and bypassing our lock-out policy. That stopped quickly after a couple of them left for the weekend and didn't log out. When they came back Monday they had sent an e-mail inviting everyone in their team and the tech support team for a drink to celebrate their birthday.
    "America is the only country that went from barbarism to decadence without civilization in between."
    "The reason we are so pleased to find other people's secrets is that it distracts public attention from our own."
    Oscar Wilde (1854-1900)

  4. #34
    nihil (Super Moderator: GMT Zone) | Join Date: Jul 2003 | Location: United Kingdom: Bridlington | Posts: 17,190
    Aspman

    You move with the eloquence of disintegrating fuselage.
    Must send that one to some of my RAF mates?..............the compliment generator at the bottom of your posts is a real hoot

    You are right about the development environment...............hell I would not have any of my team messing in the live environment..............we have a subspecies called "catches" (catch 22 )......errrrrr "auditors".................I do not think that they would be impressed?

    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  5. #35
    Frustrated Mad Scientist | Join Date: Dec 2004 | Posts: 1,152
    I am an auditor

    (a large part of my job at least)

  6. #36
    nihil (Super Moderator: GMT Zone) | Join Date: Jul 2003 | Location: United Kingdom: Bridlington | Posts: 17,190
    We come in peace.....................shoot to kill................

  7. #37
    MURACU (AO Guinness Monster) | Join Date: Jan 2004 | Location: paris | Posts: 1,003
    I got this one :
    You have not yet reached the height of your depravity.

    Sounds about right for me.....

    As for the rest of it, a developer sniffing around a live system

  8. #38
    Frustrated Mad Scientist | Join Date: Dec 2004 | Posts: 1,152
    It's not my fault. They didn't mention the 'A' word when I took the job
