Re: Social Engineering

[Gregory Boyce <gboyce () akamai com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

coder wrote:
> OK, Everyone seems to think that Social Engineering cant be solved with
> software, so
> I shall show you some of the ideas I have to defeat SE with software.
>
> Idea 1: A Directory site.
>
> The site will be used by companies to find out if Person X works at company
> Y.
> how will this work?
>
> Well, first an admin is nominated from the company (pref. someone who is
> "up" on security i.e. a sys admin)
> This admin will register the company with the site,
> Then he will register everyone in the company with the site
>
> If you want to view info in the site, you will have to use the un/pass sent
> when the admin registered you,
> to prevent terminated users staying on the server, en email is sent from the
> site every X days with a link
> (like the one securityfocus sends for you to finish your registration)
> if you do not reply to the email after X days, you are put into an MIA list
> (if someone searches for you, you will not be found...
> but you are not deleted either)
> when this happens the admin will receive an email asking why you haven't
> replied and if you should be deleted.
>
> if someone tries clicking on the link after the expiration time for a new
> link to be sent (or if you are deleted), nothing will happen..
> just incase the person who got canned tired to reactivate his/herself.
>
> I don't think I have covered all the bases here, but I will do more thinking
> later.

Problems:

1) Verifying that the name matches someone at the company does not help
if you cannot confirm that the person you are speaking to is that person.
2) Publishing a companies entire corporate directory to anyone who may
need it makes coming up with a name to fake with that much easier.
3) Are you planning on publishing job titles with the names?
  a) If no, then someone in the mailroom at a large company could
pretend to be someone that you should listen to.
  b) If yes, you're opening up the company to scavanging by recruiters
who just want to know the names of all of your admins so they can try to
hire them away.
4) A lot of the social engineering attempts that I have received were
attempts to collect information on employees in order to put together
the exact information you're suggesting that people should publish freely.

> =------------------------------------------------=
>
> Idea 2. Folder security information.
>
> In Mitnicks book he says it is a good idea to rate information by security
> priority.
>
> e.g. If its Priority 1, then you cant send it tom anyone... even if they
> work in the same company
> P2, you can send it to a verified person in the company
> etc...
>
> So I want to write a program then, when you open a folder on the file
> server, a message will pop-up saying:
>
> The info. in this folder is Priority X,
> this means you... blahablahblah..
>
> Again, I will work more on this idea... and I have the added bonus of
> testing it out where I work.

Problems:

1) Anything that implements this will be OS specific
2) It will only work if the system accessing the folder already has your
program installed (unless you're suggesting that computers should
auto-execute applications located on a remote filesystem, which has its
own implications).

Why not just create a text file that states the security level of the
directory?

- --
 Gregory Boyce | gboyce () akamai com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFDvV79Ry7J/ecQa/MRAnHXAJwOL/oIoEerdRiuJnyifG5rN6UpugCeLBLe
dELwWUaCKzdbnBOYxh3smmI=
=iHq8
-----END PGP SIGNATURE-----

---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Tailor your education to your own professional goals with degree 
customizations including Emergency Management, Business Continuity Planning, 
Computer Emergency Response Teams, and Digital Investigations. 

http://www.msia.norwich.edu/secfocus
----------------------------------------------------------------------------