Security Basics mailing list archives

RE: Steps to avoid Social Engineering

From: "Sanders, Jonathan" <Jonathan.Sanders () healthsouth com>
Date: Tue, 19 Apr 2005 15:45:26 -0500


I would be leery of using Caller ID. Depending upon a couple technical
specifications and which piece of information your local phone co. is
using to provide Caller ID, Caller ID can be spoofed very easily using
VoIP. All someone would have to do is set up an Asterisk gateway
(http://www.asterisk.org/) at their office or house even and spoof the
Caller ID. I've had this done to me many times just by various "friends"
and it's quite interesting. They could appear to "be" any number they
wanted to be. One guy even called me from my OWN number. Just a thought
for anyone who uses Caller ID to authenticate or verify identity.


-----Original Message-----
From: P. Rodriguez [mailto:mailinglists () deltum com]
Sent: Tuesday, April 19, 2005 4:15 AM
To: security-basics () securityfocus com
Subject: RE: Steps to avoid Social Engineering
Importance: High

You can always use caller id, primarily. And of course, have them give
out
information that only they can provide, but at the same time, fairly
non-intrusive. So you can't ask them the password, because me myself
won't
give to anyone, being security-conscious. You can ask them about their
billing information, like the verification code at the back of their
credit
card, or the last n digits of their SSN.

The possibilities are endless. The chief thing that you must remember is
not
to be gullible enough to be fooled. Even the latest and greatest
technoogical and interrogative methods to avoid social engineering won't
help if you believe and follow everything you are told.

It's just like web-based authentication. Always assume that the user
(and
all external sources) may (and can) input bad data, so you have to make
sure
you are prepared to handle it.


<snip>



Confidentiality Notice: This e-mail communication and any attachments may contain
confidential and privileged information for the use of the designated recipients named above. If
you are not the intended recipient, you are hereby notified that you have received this
communication in error and that any review, disclosure, dissemination, distribution or
copying of it or its contents is prohibited. If you have received this communication in
error, please notify me immediately by replying to this message and deleting it from your
computer. Thank you.

Current thread:

RE: Steps to avoid Social Engineering, (continued)
- RE: Steps to avoid Social Engineering Aruna (Apr 19)
- RE: Steps to avoid Social Engineering Patoff Pat-EtHiQ (Apr 19)
  - RE: Steps to avoid Social Engineering Yashodhan Deshpande (Apr 20)
- RE: Steps to avoid Social Engineering Matt Cunnane (Apr 19)
- Re: Steps to avoid Social Engineering Raoul Armfield (Apr 20)
- Re: Steps to avoid Social Engineering Alvaro Prieto (Apr 20)
- RE: Steps to avoid Social Engineering Reece, Terry (Apr 19)
- RE: Steps to avoid Social Engineering P. Rodriguez (Apr 19)
  - Re: Steps to avoid Social Engineering John Pettitt (Apr 20)
  - Re: Steps to avoid Social Engineering rusty chiles (Apr 20)
- RE: Steps to avoid Social Engineering Sanders, Jonathan (Apr 20)
  - RE: Steps to avoid Social Engineering P. Rodriguez (Apr 20)
    - Re: Steps to avoid Social Engineering John Pettitt (Apr 20)
- RE: Steps to avoid Social Engineering Patoff Pat-EtHiQ (Apr 20)
- Re: Steps to avoid Social Engineering John Blackley (Apr 20)
- RE: Steps to avoid Social Engineering Sanders, Jonathan (Apr 20)
  - RE: Steps to avoid Social Engineering David (Apr 21)