Security Basics mailing list archives
Re: Social Engineering
From: Leif Ericksen <leife () dls net>
Date: Tue, 03 Jan 2006 16:35:32 -0600
Social Engineering relies on one key element. That is the HUMAN element. Now, you can have programs that could listen to the voice and do a pattern match; however, until it is FLAWLESS and cannot be fooled in any way, shape or form (tape recording, digital recording, GOOD voice training), it is not preventable via a computer program. For instance, just today I was on a voice IVR twice and COUGHED; one time the system assumed that I said HELP, on the other call it assumed something else and transferred me to a different location. The human element is almost *always* going to be the weakest link in any security plan.

Another way to understand Social Engineering is to understand the concept of COLD leading (a majority of telephone psychics use this to get you to give up the information).

<diverge>
Taking the psychic example:

Ps: "So what do you want to know about today?"
Cli: "Well, I am currently single and I have been seeing this person. I want to know if (did you give the name) is the person for me."
Ps: "(Going by tonal quality) Hmm. OH, I see something coming to mind, there is some (response based on tone)..."
Cli: (might start saying something giving the lead in several different directions)
</diverge>

Having not read Kevin's book, I will make no comments on it or ask questions based on it. But I will say that with social engineering the tactics are much like the (false) psychic that uses cold leading. You call a help desk, or a random number in the company, and start asking targeted questions because you have some knowledge of the target company. For instance, all those folks that go away on vacation and have the auto-responder send information about whom to contact in their absence give the social engineer a foot in the door (as well as the thief that wants to rob the person's house) as to whom they are to call or names to drop as they dial a different number in the company, looking for that one person that is going to give away the proverbial keys to the city.
I hope that makes sense. In short, no, there are no computer programs that can be used to defeat social engineers. There is always the company directory that you yourself can run your own checks against, but again: "Hi, I am calling for Rob Smith..." You look up Smith in the directory and find dozens of them. Now is that really Rob, Robert or Bob that the person is listed as? The simple answer is as such:

1) Education of the employees
2) "Can I get your name and number please? I will contact XYZ for you and have them call you back." (Not always desirable)
3) "I can give you the number of the corporate operator." (Again not always desirable)
4) Employee education and awareness
5) If in doubt: "Sorry, I cannot help you, and I do not know what direction to point you in." Goodbyes should follow.
6) Follow points 1, 4, 5.

I one time was feeling good about a random call to my desk, but when I asked for their number so that I could have somebody call them back, they hung up on me. They knew enough current and old information, but when asked for their number they simply hung up.

I hope this helps.

-- Leif Ericksen

On Fri, 2005-12-30 at 18:06 +0000, coder wrote:
> Hello everyone,
>
> I am currently planning on writing a thesis on social engineering. I have been fascinated with this subject since I watched Hackers 2/Takedown and read Kevin Mitnick's book. Now before I fully take on this idea, what products currently exist to minimize/prevent social engineering? If anyone saw Hackers 2/Takedown, Tsutomu Shimomura used a program that could tell him if the person on the phone actually exists in a company; does this sort of software exist?
>
> Sorry if this is in the wrong mailing list, but I didn't see a "Social Engineering" mail list ;)
>
> Thanks
> ~Davie Elliott
>
> ---------------------------------------------------------------------------
> EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
> The Norwich University program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Tailor your education to your own professional goals with degree customizations including Emergency Management, Business Continuity Planning, Computer Emergency Response Teams, and Digital Investigations.
> http://www.msia.norwich.edu/secfocus
> ----------------------------------------------------------------------------
-- Leif Ericksen <leife () dls net>
Current thread:
- Social Engineering coder (Jan 03)
- Re: Social Engineering Gaddis, Jeremy L. (Jan 04)
- Re: Social Engineering Joshua Shaffer (Jan 04)
- Re: Social Engineering Joshua (Jan 04)
- Re: Social Engineering Barrie Dempster (Jan 04)
- Re: Social Engineering Clay Ye (Jan 04)
- Re: Social Engineering Leif Ericksen (Jan 04)
- Re: Social Engineering Ansgar -59cobalt- Wiechers (Jan 04)
- RE: Social Engineering Ryan Chivers (Jan 05)
- RE: Social Engineering Ebeling, Jr., Herman Frederick (Jan 06)
- RE: Social Engineering jpippin (Jan 05)
- <Possible follow-ups>
- Re: Social Engineering theanathema . at . gmail . com (Jan 04)
- Re: Social Engineering barcajax (Jan 04)
- Re:Social Engineering Snuff (Jan 04)
- RE: Social Engineering coder (Jan 05)
- Re: Social Engineering List Spam (Jan 05)
- Re: Social Engineering Mario Platt (Jan 05)
(Thread continues...)