After 6:00 pm, the phone rang...
Programmer: "Hello?"
Caller: "Hi, is Joe there?"
Programmer: "Joe no longer works here."
Caller: "O... So, what do you do there?"
Programmer: "Excuse me?"
Caller: "Are you a programmer? What kind of work do you do?"
[CLICK]
Around 2:00 pm, the phone rang...
Programmer: "Hello?"
Caller: "Hi, who is this?"
Programmer: "Excuse me?"
Caller: "I'm returning a call from my pager... Who are you?..." (sounding clueless and innocent).
Programmer: "Who are you looking for?"
Caller: "I don't know, I'm just returning my pager's call. I only have the phone number. I don't know who called me..." (the number of my direct line???)
Caller: "... What's your name... What do you do over there?"
[CLICK]
Some other day, after 4:00 pm, the phone rang...
Programmer: "Hello?"
Caller: "Hi, who is this?"
Programmer: "What do you mean?"
Caller: "I'm a recruitment agent. Are you looking for a job?"
Programmer: "Not really..."
Caller: "What kind of work do you do?" (You want to recruit me but you don't know what I do?)
[CLICK]
About 5:00 pm, the phone rang...
Programmer: "Hello?"
Caller: "Hi, I'm calling from --- recruitment firm... I saw your resume the other day... very impressive... Are you looking for a job?" (I've never posted or submitted my resume anywhere.)
Programmer: "Not really..."
Caller: "What kind of job do you do?" (And you're interested in someone you don't know what he's doing?)
[CLICK]
Social engineering, as I was told, is not uncommon. It's another fancy way to say "spy," I guess. Sometimes it's employed as a security drill; sometimes it's just plain thievery. It's simply an act to elicit otherwise sensitive or confidential information from unsuspecting people.
Common as social engineering might be, data encryption is often almost the only security measure many people (business or technical) talk about, as though encryption equated to security.
Once, a bank asked a web application development house to build an application for them. They placed strong emphasis on data encryption: encryption of the URL (we said we could encrypt the CGI parameters but not the entire URL itself), encryption of the network communication (that meant SSL and such), and encryption (of passwords at least) in the database.
They also wanted a physically independent database server for extra security, which, for security purposes at the software level, made no sense to me since the database might be physically separated but not necessarily logically. (A logically separated and independent database might contradict the overall architectural design of an application that was meant to be part of a larger "integrated" system.)
But then, an upper-mid-level manager had all his passwords posted by his computer monitor in plain view. This happens to many other people who have too many passwords to remember.
So, all the data were encrypted, huh?
___________________
Endnote: That's why security should be checked at two levels, namely local and global. For instance, a password like Delaunay19631112 (spouse's name + birthday) might be hard to crack by itself via brute force (local level) but could be easy via social engineering, pattern or correlation (global level). Good cryptanalysts or security advisers explore the latter, not just the former.
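The endnote's two-level check, as an added example that is not part of the original post: a naive local check (length and character classes) that Delaunay19631112 passes, beside a global check that strips known personal facts (the names, dates and date formats here are constructed assumptions) and rejects a password with nothing unpredictable left.

```python
import re
from datetime import date

# Constructed "global" facts of the kind the endnote says social engineering
# yields: a spouse's name and birthday. Name and date are made up here.
KNOWN_FACTS = {"names": ["Delaunay"], "dates": [date(1963, 11, 12)]}


def date_forms(d: date) -> set:
    """Common ways a birthday gets typed into a password."""
    return {d.strftime(f) for f in ("%Y%m%d", "%d%m%Y", "%m%d%Y", "%y%m%d", "%d%m%y", "%Y")}


def local_check(pw: str) -> bool:
    """Local level: length and character classes only, the brute-force view.
    Delaunay19631112 passes this easily."""
    classes = sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"\d"))
    return len(pw) >= 12 and classes >= 2


def global_check(pw: str, facts: dict):
    """Global level: remove every known personal token from the password and
    see how much unpredictable material is left. Returns (tokens found, residue)."""
    residue = pw.lower()
    found = []
    for name in facts["names"]:
        if name.lower() in residue:
            found.append(name)
            residue = residue.replace(name.lower(), "")
    for d in facts["dates"]:
        for form in sorted(date_forms(d), key=len, reverse=True):  # longest first
            if form in residue:
                found.append(form)
                residue = residue.replace(form, "")
    return found, residue


def assess(pw: str, facts: dict = KNOWN_FACTS) -> str:
    """A password has to survive both levels; passing the local level alone is not enough."""
    if not local_check(pw):
        return "weak (local)"
    found, residue = global_check(pw, facts)
    if found and len(residue) < 4:
        return "weak (global): built from " + "+".join(found)
    return "ok"
```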
Re: Security: Technology vs Social Engineering
by dws (Chancellor) on Jul 23, 2003 at 08:51 UTC
As a partial defense against this type of social engineering, a company I once worked for arranged to publish some fake entries in the company phone list, with extensions that rang through to HR. The extensions were at the beginning of our block. If the phone list got into the wrong hands, the fake people would be called. Or if a recruiter started working their way through the company, the fake people would be called. Either way, this gave HR a quick heads-up that we were being "hacked".
A few got through. My favorite was "Hi, this is <mummble> in accounting. We need to verify your position, manager, and salary." That tends not to work well when your company is 50 people under the same roof.
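The fake-entry tripwire from this post, as an added example (not code from the thread): a constructed phone list whose first extensions are decoys, a constructed call log, and the detection that gives HR its heads-up when a decoy is rung or when one caller works through the block.

```python
from collections import defaultdict

# Constructed company phone list. The first extensions of the block are fake
# people whose lines ring through to HR (the post's decoy entries); the rest
# are real staff. All names and numbers are made up for this example.
PHONE_LIST = {
    5200: "Pat Canary", 5201: "Alex Decoy",               # fake, ring to HR
    5202: "dws", 5203: "joe", 5204: "ann", 5205: "sue",   # real staff
}
CANARY_EXTENSIONS = {5200, 5201}

# Constructed inbound call records: (calling number, extension dialled).
CALL_LOG = [
    ("212-555-0100", 5203),
    ("212-555-0100", 5204),
    ("650-555-0199", 5200),   # rings a fake person: the list has leaked
    ("650-555-0199", 5201),
    ("650-555-0199", 5202),
    ("650-555-0199", 5203),
    ("415-555-0123", 5205),
]


def canary_callers(log):
    """Callers who rang a fake entry, with the fake names they asked for."""
    hits = defaultdict(list)
    for caller, ext in log:
        if ext in CANARY_EXTENSIONS:
            hits[caller].append(PHONE_LIST[ext])
    return dict(hits)


def sweepers(log, min_extensions=4):
    """Callers who worked through many distinct extensions: the recruiter
    'working their way through the company' pattern from the post."""
    seen = defaultdict(set)
    for caller, ext in log:
        seen[caller].add(ext)
    return sorted(c for c, exts in seen.items() if len(exts) >= min_extensions)


def hr_alerts(log):
    """One list of reasons per suspicious caller, the heads-up HR would get."""
    alerts = defaultdict(list)
    for caller, names in canary_callers(log).items():
        alerts[caller].append("rang fake entries " + ", ".join(names))
    for caller in sweepers(log):
        alerts[caller].append("swept the extension block")
    return dict(alerts)
```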
Re: Security: Technology vs Social Engineering
by blue_cowdawg (Monsignor) on Jul 23, 2003 at 13:41 UTC
I remember having to train a help desk staff where I worked on the concepts of social engineering because of an incident where someone called the HD and the conversation went something like this:
HD: Help Desk, this is Rick, how can I help?
Caller: Hi! I seem to have forgotten my password and I'm locked out, can you reset my password to "welcome"? I'll change it to something else after I get in.
HD: What is your name?
Caller: OH! My name is Rick C*****!
HD: (composing himself as his name is Rick C*****) Oh really? That's my name...
Caller: **** Click! ****
As a result of that incident I was tasked with developing procedures that the Help Desk could use to verify the identity of callers (call backs, challenge/response, etc.). There were several other attempts after that which were foiled as the company became larger and more visible.
Peter L. Berghold | Brewer of Belgian Ales | Peter@Berghold.Net | www.berghold.net | Unix Professional
I happen to be an Air Force Reservist, and our policy within the Network Control Center is, "If you know the person that you are talking with, you can change their password over the phone, else they have to come to the NCC and show their identification". While the base has several hundred people who work there, after a while you get to know most of them, as they are the ones who constantly have all sorts of PC problems.
TStanley
you can change their password over the phone, else they have to come to the NCC
The challenge we had was we were a company that had 25 (later 53) locations around the country. Some of the people we supported were mobile users and could be literally anywhere.
Blind callbacks were the preferred method of verification.
Caller: My name is Sid Down and I need my password reset.
HD: OK Mr. Down, I see you are a mobile user, can I call you right back on your cell phone?
Caller: Errrmmm... I don't have my cell phone handy and I'm not in the office... can you call me at (555) 555-1212?
HD: Mr. Down, please call us back when you are either in your office or have your cell handy. We don't have (555) 555-1212 as an authorised callback number for you at this time.
Caller: (tries another approach) WHO THE Expletive Deleted IS YOUR MANAGER!?!?! I WANT MY PASSWORD RESET NOW!
HD: I understand your frustration Mr. Down and want to help. I will conference your manager into this call as well as my own manager. Perhaps your manager can vouch for your identity.
Caller: ****CLICK!******
This is a sanitized version of a conversation that actually took place between my help desk and a caller.
A person was looked up in the corporate contacts list and could receive a callback on one of up to four numbers that were prearranged. There was a security question they were asked (e.g. "What is your dog's name?") that was pre-arranged and then the password would be reset. In addition an email was sent to a special mailing list "security-managers" so that an eye would be kept on accesses by this user for a few days.
This all worked fairly well. It wasn't a perfect system but it worked. Additionally mobile users were issued SecurID tokens and had to pass the challenge/response system in order to dial in.
Peter L. Berghold | Brewer of Belgian Ales | Peter@Berghold.Net | www.berghold.net | Unix Professional
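The reset procedure described in the reply above (prearranged callback numbers, a pre-arranged security question, a note to the security-managers list), as an added example that is not the poster's own code. The directory records, the hashed storage of the answer and the reason codes are assumptions of this example.

```python
import hashlib
import re
import secrets


def _h(text: str) -> str:
    """Hash a security answer, normalised so 'Rover' and ' rover ' compare equal."""
    return hashlib.sha256(text.strip().lower().encode()).hexdigest()


# Constructed directory records modelled on the post: up to four prearranged
# callback numbers and one pre-arranged security question per user. Storing
# the answer hashed is this example's choice, not a detail from the post.
DIRECTORY = {
    "sdown": {
        "name": "Sid Down",
        "callback_numbers": ["(555) 555-0100", "(555) 555-0101"],
        "question": "What is your dog's name?",
        "answer_hash": _h("Rover"),
    },
}
NOTIFY_LIST = "security-managers"   # mailing list the post says gets a heads-up
WATCH_DAYS = 3                      # "keep an eye on accesses ... for a few days"


def _digits(number: str) -> str:
    """Compare numbers by their digits so formatting differences don't matter."""
    return re.sub(r"\D", "", number)


def verify_reset_request(directory, user_id, callback_number, answer, log):
    """Apply the help desk's rules in the post's order and return
    (approved, reason code). Every outcome is appended to `log`, the text
    that would be mailed to the security-managers list."""
    rec = directory.get(user_id)
    if rec is None:
        log.append(f"{user_id}: not in corporate contacts, refused")
        return False, "unknown-user"
    if _digits(callback_number) not in {_digits(n) for n in rec["callback_numbers"]}:
        log.append(f"{user_id}: {callback_number} is not an authorised callback number, refused")
        return False, "callback-not-authorised"
    # Constant-time comparison so the check itself leaks nothing about the answer.
    if not secrets.compare_digest(_h(answer), rec["answer_hash"]):
        log.append(f"{user_id}: security question failed, refused")
        return False, "security-question-failed"
    log.append(f"{user_id}: reset approved after callback to {callback_number}; "
               f"mail {NOTIFY_LIST}, watch accesses for {WATCH_DAYS} days")
    return True, "approved"
```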
Re: Security: Technology vs Social Engineering
by herveus (Prior) on Jul 23, 2003 at 11:35 UTC
Howdy!
About 5:00 pm, the phone rang...
Programmer: "Hello?"
Caller: "Hi, I'm calling from --- recruitment firm... I saw your resume the other day... very impressive... Are you looking for a job?" (I've never posted or submitted my resume anywhere.)
Programmer: "Not really..."
Caller: "What kind of job do you do?" (And you're interested in someone you don't know what he's doing?)
Programmer: *blink* "Why don't you tell me what it said in my resume?"
Caller: *awkward pause* *CLICK*
Substitute telemarketer for caller. "Put this number on your do not call list." "What is the number?" "You called me; you have the number." "No I don't" *click*
Caller ID can be nice, too. If it comes up "private number", that's the first warning that something is fishy.
yours,
Michael
If it comes up "private number", that's the first warning that something is fishy.
Something fish? Oooh, somebody values their privacy, be very afraid.
There are these things called privacy laws, and the phone company lets you configure how your CallerID info is handed out. You can either have to hit *69 (I forget what the real code is) before making a call in order to stop your caller id info from going out, or you have to hit *69 to allow your caller id info to go out. I choose option 2.
Howdy!
The situation is not symmetrical. For the recipient of the call, it is a privacy issue.
If you are the one initiating the connection, your expectation of "privacy" (or more accurately, anonymity) is lower. I have no obligation to allow that connection if you refuse to offer any identifying information.
I see this as analogous to deciding whether or not to open your door to a caller. If the person is masked -- their identity obscured, would you open the door? Now consider that person being unmasked, but unknown to you. Then consider that person being known to you. You have the option in all these cases to remain hidden in your home -- to not reveal your presence or identity to the caller.
If someone wishes to make telephone calls without their number being visible to the recipient, one can consider this analogous to a masked caller at your front door.
I believe the phone companies in the US offer the ability to block calls that have caller ID blocked, presenting the caller with a message that they must not block caller ID in order to get their call to ring through.
yours,
Michael
Anonymity is a double-edged sword -- no one can harass you, but no one can reward you, either. Anybody agreeing with what you just said has no way to respond except replies, and it's more convenient within our community to provide ++ and --.
you have to hit *69 to allow your caller id info to go out
Please leave a message at the tone. If you want me to contact you, you may want to leave some way for me to do so, privacy or not.
Oh, and if you show up at my door, you may have to wait a while:
- You: *knock knock*
- Me: Who's there?
- You: Why do you want to know? What do you need to know for?
- Me: You knocked to come in, right?
- You: Yes. It would be polite of you to let me in now.
- Me: Right. Who are you?
- You: I won't stand for these privacy violations! *leaves*
- Me: Gee, I feel cheated.
I'm not a person who enjoys wasting time, so I don't pick up phone calls from people who don't show up on my caller ID. I'm not an ER, firefighter, cop, etc., so I really don't get important calls, for any reason. Friends email me, family emails me, and I can choose if I want to read their email -- based on who they are.
Now, I do know someone with a perfectly legitimate reason to block their number (well, in their mind, anyway, but I digress...it's their choice). They don't have a problem with leaving a message. If they do, I will advise them to show the caller ID info when they call, and if they've got a problem with that...I can just stop returning their messages. I'll never pick up the phone when they call. :)
You are what you think.
Something fish? Oooh, somebody values their privacy, be very afraid
Not really. As long as the people you're interested in know the rule then they'll reveal their phone number. The whole point is to identify the person on the other end of the line!
I'm with herveus on this, and use a similar system on my personal line. I don't want to talk to anonymous people.
Re: Security: Technology vs Social Engineering
by AcidHawk (Vicar) on Jul 23, 2003 at 09:43 UTC
Re: Security: Technology vs Social Engineering
by thraxil (Prior) on Jul 23, 2003 at 16:19 UTC
this is why i just never directly answer the phone. unless i recognize the number on caller id, or am actually expecting someone to call me, all incoming calls go to voicemail. my friends and family all know that this is how i operate so they know that if they call me from a strange phone they should leave a message and wait a few minutes for me to call them back.
Kevin Mitnick's The Art of Deception: Controlling the Human Element of Security and Bruce Schneier's Secrets and Lies are essential reading on this topic.
anders pearson
Re: Security: Technology vs Social Engineering
by phydeauxarff (Priest) on Jul 24, 2003 at 01:55 UTC
I actually had a much worse experience about 10 years ago that drove home the importance of thinking through the human factor in security.
After paying (big huge phone company who makes really expensive switches that I won't mention by name because I don't want to get sued) to implement a large switching system for our call center, everything was great until I got a page on a Sunday afternoon because our switch was pretty unhappy about a sudden spike in call volume.
After driving in to see what was going on, I realized a bunch of calls were routing from New York to all sorts of places on the planet via our 800 number for tech support.
After killing the entire New York and New Jersey area codes since we had no customers in that area, I heard the phone ring in our call center and heard the tech say, "it's that guy from the phone company again, what do you want me to tell him."...phone company? I thought...and had the call transferred to me.
After answering the call I hear, "Hi this is Rick with (really big phone company who put in my switch) and we are testing the lines on your system...could you transfer me to 910 so I can run a test?"
It turns out our techs had been dutifully transferring what they believed to be phone company employees to 9, outside line and then 1 0 for an international operator...great...that explains the $2k phone bill I now had to talk to our CFO about...
Of course, my point is this.....we locked the system down pretty well (or so we thought at the time) but no security implementation can ever fully take into account the kid who will hold the back door open as he comes in from his smoke break for the guy who is about to steal all your laptops ...you can try to implement whatever you want but to overcome the human factor you have to keep the awareness level high by communicating openly with your employees and making them part of, and accountable for, your security processes.
Security, Password, Hash Values, etc.
by YAFZ (Pilgrim) on Jul 23, 2003 at 13:14 UTC
Not directly related to subject but since it is related to passwords, security, hashes, big chunks of data processing, etc. ... Here we go : Advanced Instant NT Password Cracker
You think a password like u76d0pelgbuz3 is quite complex and hard to break (it took these guys just 2 seconds!)? Just read the technical paper and think again ;-)
That program is based on the fact that NT systems don't store the password with a salt value. That company claims that its program is "the first of its kind for NT", but I'd be very surprised if that was true. Not using salt in a hashed password is just stupid, as these guys demonstrated.
---- I wanted to explore how Perl's closures can be manipulated, and ended up creating an object system by accident.
-- Schemer
Note: All code is untested, unless otherwise stated
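The point made in the reply above, as an added example (not the poster's code): two users with the same password produce identical unsalted records, and one precomputed lookup cracks both, while a per-user salt makes the records differ and leaves the precomputed table with nothing to match. sha256 stands in for the NT hash here; the candidate list is constructed.

```python
import hashlib
import os

# sha256 stands in for NT's password hash in this example; the point is the
# missing salt, not the particular digest algorithm.


def unsalted_hash(password: str) -> str:
    """What the reply describes: the digest depends on the password alone."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    """A per-user random salt is mixed in, so equal passwords hash differently."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def precomputed_table(candidates):
    """Hash -> password lookup built once, ahead of time, for a candidate list;
    this is the work an 'instant' cracker has already done before it runs."""
    return {unsalted_hash(p): p for p in candidates}


def compare(password: str, candidates) -> dict:
    """Store one password for two users both ways, then try the table on each."""
    table = precomputed_table(candidates)
    user1_unsalted = unsalted_hash(password)
    user2_unsalted = unsalted_hash(password)
    salt1, salt2 = os.urandom(16), os.urandom(16)   # one random salt per user
    user1_salted = salted_hash(password, salt1)
    user2_salted = salted_hash(password, salt2)
    return {
        # Without salt, both records are identical and one lookup cracks both users.
        "unsalted_records_identical": user1_unsalted == user2_unsalted,
        "table_cracks_unsalted": table.get(user1_unsalted),
        # With salt, the records differ and a table built without the salt matches
        # nothing; the precomputation would have to be redone per user and per salt.
        "salted_records_identical": user1_salted == user2_salted,
        "table_cracks_salted": table.get(user1_salted),
    }


if __name__ == "__main__":
    # Constructed candidate list; u76d0pelgbuz3 is the password quoted in the thread.
    print(compare("u76d0pelgbuz3", ["password", "welcome", "u76d0pelgbuz3"]))
```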
Re: Security: Technology vs Social Engineering
by krisahoch (Deacon) on Jul 23, 2003 at 12:41 UTC
Ahhh Hah!
So you're the one who keeps hanging up on me! I was trying to call Joe! I now know what you do;)
just kidding
Kristofer Hoch
Si vos can lego is, vos es super erudio
Re: Security: Technology vs Social Engineering
by waswas-fng (Curate) on Jul 24, 2003 at 02:10 UTC
One of my last jobs was working for a sub of a big health care company as a sr. unix admin / security admin. I had an interview with the CIO set for Tuesday at 4:00pm. I called the CIO on the Friday before and told him I was Mike Hammer with EDS, and that the corporate CIO had asked us to finish the security audit we had started earlier in the year. I got a meeting set up with him at 2:30pm on Tuesday to go over the questions. I showed up at 2:30 and proceeded to glean info about his systems and network (firewall type/os/versions, os types and versions used, externally exposed boxen, firewall rules). I walked out of his office at 3:30 and went back to the receptionist area and waited for my 4:00pm interview. The look on his face was priceless.=)
-Waswas
Wish it was a soap opera, I know more about HCFA/HIPAA Information Security guidlines than I ever care to admit. Where are those frontal lobe lobotomys when you need them. =/
-Waswas
Re: Security: Technology vs Social Engineering
by zakzebrowski (Curate) on Jul 23, 2003 at 10:46 UTC
I'm really not hot for this kind of software. While it is admittedly better than just having one password for all your services, it's still really bad. The former is really heinous as any of your services getting compromised results in a total compromise of all your services, but the latter is still bad as the compromising of this one particular environment will result in total compromise. Better to have your exclusive common password storage area be your brain, so that the only way it can be "cracked" is with a blow torch and a pair of pliers by a really callous person.
If you are going to use something like Password Safe, at least make sure that you do it on a machine where you and only you have superuser privileges. On any other machine it is a potentially dangerously irresponsible assumption to make that the tty/keyboard/whatever is not being snooped. This also logically entails that it is a bad idea to ssh from machine to machine to machine, unless you are the exclusive super user on each hop along the way. Instead, always connect directly to the machine on which you want to work so that the only one capable of seeing your cleartext password is the system actually validating your credentials.
Admittedly, having to maintain a different password for each of many services can be difficult, but there is a way to generate very strong passwords that aren't difficult to remember. Pick a good, long sentence from a book, and then use the first letter from each word as your password. Thus, my last sentence would become the password paglsfabatutflfewayp. The English language is sufficiently noisy and random that this generates strong, virtually unguessable passwords (it also helps that you can't grep dead trees), but even if you forget your password, you could ostensibly go and retrieve it just by remembering the page of the book from which you created it. Just don't make it the first sentence on the first page of the book that you go around propounding as your favorite book ever. :-)
There are similar programs available for PDAs, which I vastly prefer to keeping it on one computer. Not just because I have near-complete control over physical access to my PDA, but also because I have to move from various systems throughout the day, and need something that can be kept with me.
---- I wanted to explore how Perl's closures can be manipulated, and ended up creating an object system by accident.
-- Schemer
Note: All code is untested, unless otherwise stated
This is a common discussion at work... No security system is completely error-proof, or has holes in it. It's a matter of where you want to be able to have trust. If you trust your computer and your file system, then it's reasonable to have an encrypted file to store passwords, especially with a relatively strong encryption method such as blowfish. If you *don't* trust your hardware, then methods that you have suggested work better, though storing passwords with a strong password still provides some stability. (Even then, you do change your passwords every other week right? ...)
----
Zak
Pluralitas non est ponenda sine necessitate - mysql's philosophy
Argh, java! (couldn't resist)... otherwise cool.
----
Zak
Pluralitas non est ponenda sine necessitate - mysql's philosophy
Re: Security: Technology vs Social Engineering
by Popcorn Dave (Abbot) on Jul 23, 2003 at 21:10 UTC
We get that all the time at work except it's usually competitors calling about item prices. You do get pretty good at weeding out the "spies" over time though.
thraxil had it correct about Mitnick's book. It's a good read for anybody that's answering a phone for any company. You at least have a better idea on what to watch out for.
There is no emoticon for what I'm feeling now.
Re: Security: Technology vs Social Engineering
by barrachois (Pilgrim) on Jul 28, 2003 at 22:19 UTC
Ed Skoudis has a reasonable discussion of some of these issues in his Counter Hack book in a section titled Low-Technology Reconnaissance: Social Engineering, Physical Break-in, and Dumpster Diving.