Security Basics mailing list archives
Re: RE: Social Engineering
From: Mike Lisanke <mikelisanke () gmail com>
Date: Thu, 5 Jan 2006 17:37:15 -0500
This scenario is why, even for the most benign conversation with a company/creditor, I tell the caller that I will call them back via their general number. If the receptionist for the company's published number does know the 'team' which called me, I've thwarted the SE attack. I never answer in-bound calls except to receive status (which I then go on to verify in writing or a call back to the company). All the security people at the creditor are happy with my process.

On 5 Jan 2006 22:27:26 -0000, pg_vlad () hotmail com <pg_vlad () hotmail com> wrote:
The ideas aren't bad but that really won't stop SE attacks. Well perhaps some, but consider:

"SE-Attacker: Hello, this is Blah from Bank of X Visa. It seems that you have reported far fewer records to us today than usual, I'm calling to verify the number of card transactions vs the number we have received on record.
SE-Victim (employee of company A): Oh well we had 70 credit card transactions today.
SE-A: Hmmm we seem to have recorded only 10, if you don't mind I can submit a work order for your point of sale machine blah.
SE-V: Sure that would be great!
SE-A: While I'm at it I could log in the transactions we haven't received.
SE-V: Ok, hold on."

This is of course hypothetical, nonetheless if even one number was gleaned the attack would be a success.

And in a larger corporation, let's say the website has Bob Rupertrandal's name as the author. You call the receptionist and say you are him and updating records for employees to go on the webpage and you need information from her; using your methodologies she would see that yes he is in the company, but she still has no way or even a clue that it may not be him, so why should she doubt and refuse to give him the information?

The best way to thwart SE attacks is to educate your users. After all you can have the biggest toys, if you have one user with a weak pass or who gives out his pass, or the (and you lie if you don't have users who do this, ARG) post-it note with pass info on it, then all your hard work is down the drain.
Best regards,
-- Mike