Security Basics mailing list archives
Re: Social Engineering
From: List Spam <listspam () gmail com>
Date: Thu, 5 Jan 2006 11:15:20 -0800
On 1/4/06, coder <elite.coder () ntlworld com> wrote:

> Idea 1: A Directory site.
> <snip>
> Well, first an admin is nominated from the company (pref. someone who is "up" on security, i.e. a sys admin). This admin will register the company with the site, then he will register everyone in the company with the site.

To the no-doubt eager-to-please and/or ego-inflated admin: "That's a pretty cool system you have set up. Can you show me how it works?" (record authentication mechanism - something as simple as video-taping the keystrokes while looking over his shoulder should suffice)

> If you want to view info in the site, you will have to use the un/pass sent when the admin registered you.

"Hi, I'm the new directory maintainer for the company. The previous guy left a little to be desired in his documentation process and I'm following up and making sure that everyone has a valid account. Can you forward what was originally sent so that I can make sure it's in the list?"

> To prevent terminated users staying on the server, an email is sent from the site every X days with a link (like the one securityfocus sends for you to finish your registration). If you do not reply to the email after X days, you are put into an MIA list

Subject: Directory Maintenance
Body: In order to maintain an active listing in the company directory, please follow the link below and login to renew your entry: http://urlobfuscationdejour/loginbox.html
(Chances are, you just gained valid credentials for other services)

> (if someone searches for you, you will not be found... but you are not deleted either). When this happens the admin will receive an email asking why you haven't replied and if you should be deleted.
> <snip>
> Idea 2. Folder security information.
> <snip>
> So I want to write a program then, when you open a folder on the file server, a message will pop up saying: The info. in this folder is Priority X, this means you... blahablahblah..

You are already socially engineering them with this approach, thereby providing an environment where it is expected that the user do what they're told simply because they're told. <snip>

> So, let me know what you think, it would be interesting to hear if these ideas are silly. Regards, Davie Elliott
Thinking about ways to minimize the impact of social engineering is never silly, nor is soliciting input on those ideas. Whether the "bad guy" socially engineers a user, an admin, an exec, a vendor, a partner, a supplier, etc. is really out of your control. What you need, IMHO, is to determine a worst-case scenario resulting from someone that can adversely affect you succeeding with their efforts. Build in policies, processes, and technology (preferably in that order) to reduce exposure and/or liability.

Social engineering is not new, existed before the "Information Age", and seldom employs technology in its execution. As such, relying exclusively on technology to combat it will ultimately fail as it is not a technology problem.

My two cents. Take them for what they are - the ramblings of a list poster. Keep plugging along though, because by at least thinking about it, you are already ahead of many of your peers in protecting your company's assets - be they physical or perceptual.

RE