Security Basics mailing list archives

Re: RE: Social Engineering


From: Mike Lisanke <mikelisanke () gmail com>
Date: Thu, 5 Jan 2006 17:37:15 -0500

This scenario is why, even for the most benign conversation with a
company/creditor, I tell the caller that I will call them back via
their general number. If the receptionist for the company's published
number does know the 'team' which called me, I've thwarted the SE
attack. I never answer in-bound calls except to receive status (which
I then go on to verify in writing or a call back to the company). All
the security people at the creditor are happy with my process.

On 5 Jan 2006 22:27:26 -0000, pg_vlad () hotmail com <pg_vlad () hotmail com> wrote:
The ideas aren't bad but that really won't stop SE attacks. Well, perhaps some, but consider:

"SE-Attacker: Hello, this is Blah from Bank of X Visa. It seems that you have reported far fewer records to us today than usual. I'm calling to verify the number of card transactions vs. the number we have received on record.
SE-Victim (employee of company A): Oh, well, we had 70 credit card transactions today.
SE-A: Hmmm, we seem to have recorded only 10. If you don't mind, I can submit a work order for your point of sale machine, blah.
SE-V: Sure, that would be great!
SE-A: While I'm at it I could log in the transactions we haven't received.
SE-V: Ok, hold on."

This is of course hypothetical, nonetheless if even one number was gleaned the attack would be a success.

And in a larger corporation, let's say the website has Bob Rupertrandal's name as the author. You call the receptionist and say you are him and updating records for employees to go on the webpage, and you need information from her. Using your methodologies she would see that yes, he is in the company, but she still has no way of knowing, or even a clue, that it may not be him, so why should she doubt and refuse to give him the information?

The best way to thwart SE attacks is to educate your users. After all, you can have the biggest toys, but if you have one user with a weak pass or who gives out his pass, or the (and you lie if you don't have users who do this, ARG) Post-it note with pass info on it, then all your hard work is down the drain.

---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Tailor your education to your own professional goals with degree
customizations including Emergency Management, Business Continuity Planning,
Computer Emergency Response Teams, and Digital Investigations.

http://www.msia.norwich.edu/secfocus
----------------------------------------------------------------------------



Best regards,
--
Mike
