Re: Steps to avoid Social Engineering

[rusty chiles <rustychiles () gmail com>]

I would STRONGLY ADVISE not relying on caller ID information to
validate who is calling you. A smart social engineer could use a 3rd
party caller id spoofing service such as the one provided at
http://camophone.com to trick you into thinking that they are from
company X.

Instead, as already mentioned either:
Contact the company and give them some sort of unique identifier that
you can request from them whenever they call you.
or
Initiate a call to the company to ensure that the person you are
working with is legit.

On 4/19/05, P. Rodriguez <mailinglists () deltum com> wrote:
> You can always use caller id, primarily. And of course, have them give out
> information that only they can provide, but at the same time, fairly
> non-intrusive. So you can't ask them the password, because me myself won't
> give to anyone, being security-conscious. You can ask them about their
> billing information, like the verification code at the back of their credit
> card, or the last n digits of their SSN.
>
> The possibilities are endless. The chief thing that you must remember is not
> to be gullible enough to be fooled. Even the latest and greatest
> technoogical and interrogative methods to avoid social engineering won't
> help if you believe and follow everything you are told.
>
> It's just like web-based authentication. Always assume that the user (and
> all external sources) may (and can) input bad data, so you have to make sure
> you are prepared to handle it.
>
> ____________________
> KAILANGAN NAMIN ANG INYONG TULONG upang
> labanan ang spam o junk mail. Ikaw ba ay
> may blog, livejournal, o kahit na anong
> website?  Maaari lamang na pumunta sa
> http://filipino.spampoison.com/ para sa mas
> maraming impormasyon kung paano ka
> makatutulong. Salamat.
>
>
> -----Original Message-----
> From: Tabs The Cat [mailto:tabsthecat () gmail com]
> Sent: Tuesday, April 19, 2005 2:39 AM
> To: security-basics () securityfocus com
> Subject: Steps to avoid Social Engineering
>
> Hello y'all,
>
>     I have a question for you guys (and gals). We all know about social
> engineering. Some of us use it on a daily basis. And we all know how it can
> be even more dangerous than any computerized attacks, but how can we protect
> against it?
>
>     I'll give you an example: we have a database based program that was
> written by and maintained by a third party that is in another city. In the
> past when they needed access for maintenance, we would provide them it via
> VPN. Recently there has been a problem so they were contacted. Earlier today
> someone from that company phoned me to discuss details about the VPN. I
> haven't given them any information yet. In this case I am fairly positive it
> is legit since they knew the company that we use as well as who lodged the
> complaint.
>
>     But how could I get this person (or any one in the future) prove to me
> that they are the people who are they say they are? Any advice?
>
> Tabs