
Thread: social engineering

  1. #11
    AO Guinness Monster MURACU
    Join Date
    Jan 2004
    Location
    paris
    Posts
    1,003
    Another thing that is useful is unannounced security audits. You call up a user, give them a false name and try to get their password off them. If they respect the company's policies you shouldn't get it.
    I used to combine this with a monthly or bi-monthly report. Add a password scan with details on how long it took you to get 90% of the passwords in the company and most people sit up and take notice. Especially with things like 25 people out of 50 using "god" as their password. Basically what I am saying is more or less the same as what has been said before: educate your users and communicate the importance of security to them.
    \"America is the only country that went from barbarism to decadence without civilization in between.\"
    \"The reason we are so pleased to find other people\'s secrets is that it distracts public attention from our own.\"
    Oscar Wilde(1854-1900)
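An added example of the kind of password scan the post above describes, not the poster's own tooling: a constructed set of users with unsalted SHA-256 password hashes is checked against a small wordlist and summarised as the percentage cracked, the most-reused password and the time taken. The usernames, hashes and wordlist are all made up for the demonstration, and unsalted SHA-256 is used only so it runs offline in milliseconds; a real audit runs against the organisation's actual hash format with a proper cracker.

```python
import hashlib
import time
from collections import Counter


def _h(pw: str) -> str:
    """Unsalted SHA-256 hex digest. Assumption for the demo only; real stores
    use salted, slow hashes and must be audited with a real cracker."""
    return hashlib.sha256(pw.encode()).hexdigest()


# Constructed sample: ten users, six of them on the same weak password.
SAMPLE_HASHES = {
    "alice": _h("god"),
    "bob": _h("god"),
    "carol": _h("god"),
    "dave": _h("god"),
    "erin": _h("god"),
    "frank": _h("god"),
    "grace": _h("password"),
    "heidi": _h("letmein"),
    "ivan": _h("Tr0ub4dor&3"),
    "judy": _h("correct horse battery staple"),
}

# Constructed wordlist; a real scan would use a large dictionary plus rules.
WORDLIST = ["password", "god", "letmein", "123456", "qwerty", "admin"]


def crack(hashes, wordlist):
    """Return {user: password} for every hash that a wordlist entry matches."""
    # Hash each candidate once, then match every user against the table.
    lookup = {_h(w): w for w in wordlist}
    return {user: lookup[digest] for user, digest in hashes.items() if digest in lookup}


def audit_report(hashes, wordlist):
    """Produce the figures a management report would carry: how many accounts
    fell, how quickly, and which password is most shared."""
    start = time.perf_counter()
    cracked = crack(hashes, wordlist)
    elapsed = time.perf_counter() - start
    counts = Counter(cracked.values())
    top_password, top_count = counts.most_common(1)[0] if counts else (None, 0)
    total = len(hashes)
    return {
        "total": total,
        "cracked": len(cracked),
        "percent": round(100.0 * len(cracked) / total, 1) if total else 0.0,
        "top_password": top_password,
        "top_count": top_count,
        "seconds": elapsed,
        "cracked_users": sorted(cracked),
    }


if __name__ == "__main__":
    r = audit_report(SAMPLE_HASHES, WORDLIST)
    print(f"{r['cracked']} of {r['total']} passwords ({r['percent']}%) "
          f"recovered in {r['seconds']:.4f}s")
    print(f"{r['top_count']} of {r['total']} users share the password "
          f"'{r['top_password']}'")
```

The report deliberately counts users per password rather than listing who used what: the "25 out of 50 use god" figure is what makes people sit up, and the per-user list belongs with the line managers, not in a company-wide summary.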

  2. #12
    Frustrated Mad Scientist
    Join Date
    Dec 2004
    Posts
    1,152
    Another thing that is useful is unannounced security audits. You call up a user, give them a false name and try to get their password off them. If they respect the company's policies you shouldn't get it.
    If you're going to do something like that make sure whoever is going around trying to get the passwords has a written note from senior management detailing that they do have permission to do this. If you do this without a 'get out of jail free' note you could still end up in the **** even with the best of intentions.

  3. #13
    Banned
    Join Date
    Jul 2005
    Posts
    511
    I could imagine a slightly worse scenario. Staff A walks over to the desk of Staff B and asks him for his password because he needs it on some other system. Staff A and B have been colleagues for a few years. So Staff B sees no problem providing Staff A the password.
    However, Staff A will leave the company at the end of the month and is planning to copy as much information as possible for his new employer. So by collecting passwords from other staff members he can access all this information and possibly hide his true intentions for a long while.
    So A uses the usernames/passwords from B, C, D, etc. to collect as much information as possible and manages to store everything on an external USB hard disk before he leaves the company, knowing his new employer will reward him handsomely for the information.

    You could assume that it all depends on the level of value and importance of the data that people can access. Unfortunately, someone who wants to get inside would start at the weakest link, which could be the users with the most limited access to the important data. But by using information from this user, they can manage their way upwards in the hierarchy until they gain full access. Like going up some stairs, step by step until they reach the level they want.

  4. #14
    Senior Member nihil
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    A system I have seen is where each workstation has a unique ID as does each user. You could only login from your workstation using your ID and password. In that scenario your details were useless unless someone had physical access to your workstation.


  5. #15
    Junior Member
    Join Date
    Aug 2002
    Posts
    25
    Social Engineering is the most common way to break into networks. All the new helpdesk guys get a call from me pretending to be Frank Rizzo. I am usually successful in gaining access. Then they get scolded the next day.
    -Producer

  6. #16
    Senior Member n01100110
    Join Date
    Jan 2002
    Posts
    352
    I don't know about the most common way to break into networks. But I guess the possibility stands there. But in dealing with my own experiences with this sort of thing, sometimes it helps to mention Social Engineering at an office conference, or talk to the help desk people personally; it all depends on how big the company is. Because if you have 50 help desks with 10 people on each, that's a lot of people to warn. Sometimes it's best to contact the CEO or the person dealing with everyone. But why am I rambling about this? I have seen actual incidents where someone from the same company would call a help desk to see how much system information he could get from them as a test of their loyalty to the company. Maybe more people should start doing this.

    -N (Good to be back)
    "Serenity is not the absence of conflict, but the ability to cope with it."

  7. #17
    Senior Member
    Join Date
    Dec 2004
    Posts
    320
    I believe the saying goes

    There is no patch for human stupidity
    The fool doth think he is wise, but the wise man knows himself to be a fool - Good Ole Bill Shakespeare

  8. #18
    Frustrated Mad Scientist
    Join Date
    Dec 2004
    Posts
    1,152
    Staff A walks over to the desk of Staff B and asks him for his password because he needs it on some other system.

    Bzzzzzzzzt wrong answer.

    If staff A legitimately requires access to a system he does not currently have access to, s/he must go through the proper channels to receive their OWN set of credentials.

    In the case of admins, each admin user should have their own admin account for carrying out the required tasks.

    If each user has an individual ID it provides an audit trail to identify who caused a problem, should a problem occur.

    If staff B gives their password to A they break the audit trail. According to policy staff B is now responsible for the actions of staff A. Plus, if I find out they are doing it I would take action with their line manager to prevent this happening and I would push it to a disciplinary if anything did happen.

    Sharing passwords is the 8th deadly sin.

    It goes on a lot though and in the same context as said. I'm investigating our application developers right now and some of the major recommendations in my report are to get them to stop using communal admin IDs and sharing passwords.
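An added example, not code from either poster, tying together the per-workstation ID scheme in #14 and the audit-trail argument in #18: given logon records that carry a user ID and a workstation ID, it flags accounts used from a workstation other than the one they are bound to, and accounts successfully used from two or more workstations within a short window, which is what shared passwords and communal admin IDs look like in the log. The log lines, the record format, the user-to-workstation table and the 60-minute window are all constructed for the demonstration; a real deployment reads whatever logon events its directory or OS actually emits.

```python
import re
from datetime import datetime, timedelta

# Constructed logon records (not real logs): one attempt per line, each carrying
# the user ID and the workstation ID the attempt came from.
LOG_LINES = """\
2005-08-01T09:00:05 user=bob ws=WS-0042 result=success
2005-08-01T09:02:10 user=carol ws=WS-0017 result=success
2005-08-01T09:05:00 user=bob ws=WS-0099 result=success
2005-08-01T09:06:30 user=appadmin ws=WS-0017 result=success
2005-08-01T09:08:00 user=appadmin ws=WS-0031 result=success
2005-08-01T09:09:45 user=appadmin ws=WS-0058 result=success
2005-08-01T09:12:00 user=dave ws=WS-0088 result=failure
2005-08-01T16:00:00 user=carol ws=WS-0017 result=success
""".splitlines()

# Assumed binding of each personal ID to its own workstation. "appadmin" is a
# communal admin ID with no owner, so it deliberately has no entry.
ASSIGNED_WS = {"bob": "WS-0042", "carol": "WS-0017", "dave": "WS-0031"}

LINE_RE = re.compile(r"^(\S+) user=(\S+) ws=(\S+) result=(\S+)$")


def parse_events(lines):
    """Parse lines into (timestamp, user, workstation, result) tuples."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole review
        ts, user, ws, result = m.groups()
        events.append((datetime.fromisoformat(ts), user, ws, result))
    return events


def off_workstation_logons(events, assigned):
    """Attempts (success or failure) where an ID was used from a workstation other
    than its own, or where the ID is bound to no workstation at all."""
    findings = []
    for _ts, user, ws, result in events:
        expected = assigned.get(user)
        if expected is None:
            findings.append((user, ws, result, "no assigned workstation"))
        elif ws != expected:
            findings.append((user, ws, result, f"assigned {expected}"))
    return findings


def shared_credential_use(events, window=timedelta(minutes=60)):
    """IDs successfully used from two or more distinct workstations within
    `window`; the audit-trail break that password sharing causes.
    Returns {user: sorted list of workstations involved}."""
    by_user = {}
    for ts, user, ws, result in sorted(events):
        if result == "success":
            by_user.setdefault(user, []).append((ts, ws))
    flagged = {}
    for user, seq in by_user.items():
        for i, (t_i, ws_i) in enumerate(seq):
            for t_j, ws_j in seq[i + 1:]:
                if t_j - t_i > window:
                    break  # seq is time-ordered, nothing later can be closer
                if ws_j != ws_i:
                    flagged.setdefault(user, set()).update({ws_i, ws_j})
    return {user: sorted(ws_set) for user, ws_set in flagged.items()}


if __name__ == "__main__":
    evs = parse_events(LOG_LINES)
    for user, ws, result, why in off_workstation_logons(evs, ASSIGNED_WS):
        print(f"off-workstation: {user} from {ws} ({result}; {why})")
    for user, stations in shared_credential_use(evs).items():
        print(f"shared use: {user} seen on {', '.join(stations)}")
```

Two points the output makes that the prose alone does not. First, a successful logon from the wrong workstation (bob from WS-0099) is exactly the event the per-workstation scheme in #14 is meant to prevent, so under that scheme it should never appear at all, and when it does it is a control failure to investigate. Second, the communal "appadmin" ID is flagged on every use, because an ID with no owner can never be tied back to a person; that is the case for individual admin accounts made in #18.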

  9. #19
    Banned
    Join Date
    Jul 2005
    Posts
    511
    Well, okay. Other situation then. Person A from an external consultant agency tells Staff B that he needs to have a password for system X right now. It doesn't matter if this goes through the official channels for him, he also notes, because he just gets paid by the hour. If the regular channels would take half a day or more to provide him the password, then he doesn't care. Means he's there just half a day doing nothing and getting paid for that. So some employees might think about this and decide to save the company some cash. Of course, that's not always smart but people tend to be too trustful on occasion.
    Of course, a very brutal social engineer might just fast-talk his access into a whole building, trying to sneak inside with other employees and at one point he just says he's been sent there by some consultant agency to modify something. Maybe he even has some forged documents that seem to make his claims valid. Of course, this would be extremely rare but when the stakes are high and the information extremely valuable, some people might go as far as this.

    Basically, always keep track of the weakest points in your security and be aware that when you strengthen one weak spot, some other spot will become the next weak spot...

  10. #20
    Senior Member
    Join Date
    Oct 2003
    Posts
    707
    Of course, a very brutal social engineer might just fast-talk his access into a whole building, trying to sneak inside with other employees and at one point he just says he's been sent there by some consultant agency to modify something. Maybe he even has some forged documents that seem to make his claims valid. Of course, this would be extremely rare but when the stakes are high and the information extremely valuable, some people might go as far as this.
    Hi there katja, does the name Kevin Poulsen ring any bells??

    Or you could always just apply for a job and if you end up getting it you just avoided half of those steps ... Or you could always blackmail someone and do it that way ... Or you could bribe someone to get the info for you ... The possibilties are endless ...

    B.T.W. Why do they call it social engineering why not just pathological lying ???
    \"I\'ve noticed that everybody that is for abortion has already been born.\" Author Unknown
