Security Basics mailing list archives
Re: Steps to avoid Social Engineering
From: John Pettitt <jpp () cloudview com>
Date: Tue, 19 Apr 2005 16:54:45 -0700
Any number can be spoofed - the camophone system will happily let you be the White House switchboard or my cell phone, it doesn't care. Caller ID is simply not validated beyond the originating switch (which in this case is lying). ANI on 800/900 numbers is a different matter - as far as I know it's not easy to spoof, but I've not tried with VoIP so who knows.

The bigger question, "How do I know who I am talking to?", is one of the basic security problems that all crypto systems and all security policies must address. You basically have three choices: shared secret (password), asymmetric secrets (public key / signature), or trusted third party (if you call them back on their main number you are using the phone company as a trusted third party; accept a driver's licence as ID and the state becomes your third party). Everything comes down to a variation of one of those three.

John

P. Rodriguez wrote:
I see. That is very interesting. How about mobile numbers, can that be spoofed as well? E.g. mobile to landline or mobile to mobile calls?

From: John Pettitt [mailto:jpp () cloudview com]
Caller ID is not safe, it's way too easy to spoof - see http://www.camophone.com/

From: Sanders, Jonathan [mailto:Jonathan.Sanders () healthsouth com]
Caller ID can be spoofed very easily using VoIP. All someone would have to do is set up an Asterisk gateway (http://www.asterisk.org/) at their office or house even and spoof the Caller ID.