Security Basics mailing list archives

RE: Social Engineering


From: "Burton Strauss" <Burton () FelisCatus org>
Date: Thu, 5 Jan 2006 12:03:40 -0600

WRT #1:

* I can't imagine any company voluntarily creating a database of technical
contacts available to others - hey, steal my employees, please!

*  How about the whole bundle of issues WRT security of that database?  Now
I don't have to socially engineer everyone, just that one company...

* Passwords being transmitted how? Through insecure email... Buzz... But
thanks for playing...

* Forced replies - don't think so.  How many out there have blacklisted
Plaxo and ilk because it's just too annoying?


WRT #2:

Levels of security are a basic concept - confidential, secret, top secret -
ring any bells?  But requiring the OS to enforce them is useless.  Corrupt
the OS and poof - no security.  Physical access to the hardware?  Boot
Knoppix and any OS' security is useless.  Physical access to the console?
Boot any flavor of Linux directly to the shell and you can reset the root
password.  30s max.

That's why governments use separate systems for classified and unclassified
data. 



Using software to try and 'fix' human nature is like trying to herd cats.


-----Burton



-----Original Message-----
From: coder [mailto:elite.coder () ntlworld com] 
Sent: Wednesday, January 04, 2006 10:40 PM
To: security-basics () securityfocus com
Subject: RE: Social Engineering

OK, everyone seems to think that Social Engineering can't be solved with
software, so I shall show you some of the ideas I have to defeat SE with
software.

Idea 1: A Directory site.

The site will be used by companies to find out if Person X works at company
Y. How will this work?

Well, first an admin is nominated from the company (pref. someone who is
"up" on security, i.e. a sys admin). This admin will register the company with
the site, then he will register everyone in the company with the site.

If you want to view info in the site, you will have to use the un/pass sent
when the admin registered you. To prevent terminated users staying on the
server, an email is sent from the site every X days with a link (like the
one securityfocus sends for you to finish your registration). If you do not
reply to the email after X days, you are put into an MIA list (if someone
searches for you, you will not be found, but you are not deleted either).
When this happens the admin will receive an email asking why you haven't
replied and if you should be deleted.

If someone tries clicking on the link after the expiration time for a new
link to be sent (or if you are deleted), nothing will happen,
just in case the person who got canned tried to reactivate his/herself.

I don't think I have covered all the bases here, but I will do more thinking
later.

=------------------------------------------------=

Idea 2. Folder security information.

In Mitnick's book he says it is a good idea to rate information by security
priority.

e.g. If it's Priority 1, then you can't send it to anyone, even if they
work in the same company; P2, you can send it to a verified person in the
company, etc.

So I want to write a program so that, when you open a folder on the file
server, a message will pop up saying:

The info. in this folder is Priority X,
this means you... blahablahblah..

Again, I will work more on this idea... and I have the added bonus of
testing it out where I work.

=----------------------------------------------=

So, let me know what you think; it would be interesting to hear if these
ideas are silly.

Regards,

Davie Elliott





---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The Norwich
University program offers unparalleled Infosec management education and the
case study affords you unmatched consulting experience. 
Tailor your education to your own professional goals with degree
customizations including Emergency Management, Business Continuity Planning,
Computer Emergency Response Teams, and Digital Investigations. 

http://www.msia.norwich.edu/secfocus
----------------------------------------------------------------------------



