Social Engineering is still about

Printable View

Show 40 post(s) from this thread on one page

October 28th, 2004, 01:22 AM
Palemoon

Social Engineering is still about

The lengths spammers go through. I employ a spam scanner (open source on the email system), and part of what I use sends a canned auto message that includes my work number that more or less states call this number of the email block is in error. So even after work I monitor things at work and if errors are made make adjustments to unblock email address. So I get a request from reception to remove a block from a user that is a number at an account to a domain that cannot be found. Her excuse was I am attempting to send my resume from and address on your web site. This is about the 10th call I've had yes spammers do call me always with the excuse of I'm sending a resume, via voice mail or through actual telephone conversations with reception who email me. Most emails I send to these address do in fact go through but the domain search fails. My email to them please fax your resume I was not able to confirm your domain name. Looks like the spammers see the hand writing on the wall and do have the nerve to attempt to call leave voice mails or social engineeer events by simply calling the telephone number. I posted this just for those new fresh network admins. :D
October 28th, 2004, 04:17 AM
Spyder32

Social Engineering (sadly) will always be among us. Ever since virtually the dawn of time have people used a method of social engineering to get what they want. It's practically a historical fact.
October 28th, 2004, 01:49 PM
kr5kernel

Check out Kevin Mitnick's book "The Art of Deception". Great examples of Social engineering, and therer are some awesome chapters on creating a security policy and training staff to recognize scams.
October 29th, 2004, 12:56 AM
Spyder32

Kevin Mitnick = Greatest B/S Artist of All Time.
October 29th, 2004, 07:27 AM
MoonWolf

Social ... wtf.

Social Engineering, everybody does this on a daily basis. Really I don't see what so special about it.

Social Engineering I did that 5 minutes ago when I convinced my mother to give me another cookie.

Get over it its nothing new we only gave it a different name.
October 29th, 2004, 07:35 AM
hypronix

I'm 'eating' through Mitnick's book basicaly, it makes for a very entertaining read. It is true that social engineering is a dark art, but that's only because of the ignorance of some people. Whenever something smells like skunk... From KDM's book there's one thing that comes through clearly, and that I don't see many companies being fully aware of: challenging authority when it comes to sensitive stuff. When an employee is afraid of a boss coming down on him because he dared question the boss's secretary's authenticity [upon failure of said secretary to properly identify herself] people aren't really keen on putting up a fight over the phone.

We get "Takedown" and Tsutomu Shimomura making himself look like a smart-ass when Mitnick called him up, but that's because Tomu had nobody above him to fear. Take a new employee, he gets a call from somebody that throws around the CEO's first name like it was his dog, now there's a person you don't want to bother with too many questions.

So some companies don't have the right attitude when it comes to this... and some social engineers have no talent when it comes to information research and impersonation.
October 29th, 2004, 05:16 PM
RoadClosed

Quote:

Get over it its nothing new we only gave it a different name.

Social Engineering is actually a bigger threat than someone getting past the perimeter defenses of a network these days. Penetration via electronic means is getting harder and harder. I am not talking about some schmuck running windows 98 and a host of unmanaged NT servers. I am talking about real network admins. They are tough to crack and most would be attackers don't have the knowledge or patience to spend 4 months drudging around the perimeter. It's easier to "Ask" what the weakness is or where the boxes are. "Hey dude this is James from IT, I was talking to Tony (Tony was listed on the website) and we are going to have to reload the server tonight, we can't fix your profile when we bring it back up without your password - so could you give it to us? We will reset it later so don't worry about it."

We have little to NO control over it. There are things you can do to mitigate it but anyone can make an email look like it's coming from [email protected]. Risk factors change over time and right now social engineering and bad browser code coming in the firewall from authorized users are 1 and 2 on my list. Why? Because they are difficult to control in my environement. I can control risk of penetration much easier.

Just the other day I had a sweet sounding young lady call me... "Hi my name is Lisa, I am a student at Your_Local_University and we are doing a case study on Your_Line_Of_Business Instution." Being a fan of higher education I am eager to help of course. "What are you looking for, I might help" I say. She replies "We are conducting a survey of Core Accounting Platforms, what are you running in your data center." I think, that is an unusual cold call from a University out of the Blue and I did not like the way the questions were structured. In addition my own direct questions were not answered as I would have liked so I seaid "Lady I am not giving any information to you about our internal operational platforms." But I can think of a dozen people that will in any number of public listed departments.
October 29th, 2004, 06:21 PM
el-half

Quote:

Kevin Mitnick = Greatest B/S Artist of All Time.

Bah, all prejudices. You cannot judge him unless you know him personally.
It's simply because he's so famous he gets such negative attention.

I'm not defending him btw.
October 29th, 2004, 07:20 PM
cgkanchi

Quote:

Kevin Mitnick = Greatest B/S Artist of All Time.

Isn't that kind of the point of Social Engineering? :).

Cheers,
cgkanchi
October 29th, 2004, 08:15 PM
chsh

Re: Social Engineering is still about

Quote:

Originally posted here by Palemoon
The lengths spammers go through.

I don't know what annoys me more, getting spam via email, or the crap paper ads that get left on my car while it sits in the college parking lot. ;)
Social Engineering is the hardest thing to secure in an organization.

Best thing I ever had was a guy calling and asking me to take a survey on Microsoft's Windows Update.He started the survey with: "What is the latest patch you applied to your Windows 2000 webservers?". I asked him how he knew we hosted our own webservers, and he hung up. :) That was a couple of years ago tho.

Quote:

Originally posted here by el-half
Bah, all prejudices. You cannot judge him unless you know him personally.

Pfft, people do it all the time on here. :D

Show 40 post(s) from this thread on one page