Security Basics mailing list archives
Re: Steps to avoid Social Engineering
From: rusty chiles <rustychiles () gmail com>
Date: Wed, 20 Apr 2005 09:57:19 -0700
I would STRONGLY ADVISE not relying on caller ID information to validate who is calling you. A smart social engineer could use a 3rd party caller ID spoofing service such as the one provided at http://camophone.com to trick you into thinking that they are from company X. Instead, as already mentioned, either:

- Contact the company and give them some sort of unique identifier that you can request from them whenever they call you, or
- Initiate a call to the company to ensure that the person you are working with is legit.

On 4/19/05, P. Rodriguez <mailinglists () deltum com> wrote:
You can always use caller ID, primarily. And of course, have them give out information that only they can provide, but at the same time, fairly non-intrusive. So you can't ask them the password, because I myself won't give it to anyone, being security-conscious. You can ask them about their billing information, like the verification code at the back of their credit card, or the last n digits of their SSN. The possibilities are endless.

The chief thing that you must remember is not to be gullible enough to be fooled. Even the latest and greatest technological and interrogative methods to avoid social engineering won't help if you believe and follow everything you are told.

It's just like web-based authentication. Always assume that the user (and all external sources) may (and can) input bad data, so you have to make sure you are prepared to handle it.

____________________
WE NEED YOUR HELP to fight spam or junk mail. Do you have a blog, LiveJournal, or any other website? Please go to http://filipino.spampoison.com/ for more information on how you can help. Thank you.

-----Original Message-----
From: Tabs The Cat [mailto:tabsthecat () gmail com]
Sent: Tuesday, April 19, 2005 2:39 AM
To: security-basics () securityfocus com
Subject: Steps to avoid Social Engineering

Hello y'all,

I have a question for you guys (and gals). We all know about social engineering. Some of us use it on a daily basis. And we all know how it can be even more dangerous than any computerized attacks, but how can we protect against it?

I'll give you an example: we have a database-based program that was written by and maintained by a third party that is in another city. In the past when they needed access for maintenance, we would provide it to them via VPN. Recently there has been a problem so they were contacted. Earlier today someone from that company phoned me to discuss details about the VPN. I haven't given them any information yet.

In this case I am fairly positive it is legit since they knew the company that we use as well as who lodged the complaint. But how could I get this person (or anyone in the future) to prove to me that they are the people they say they are? Any advice?

Tabs