Security Basics mailing list archives

RE: Social Engineering


From: "Ebeling, Jr., Herman Frederick" <hfebelingjr () lycos com>
Date: Thu, 5 Jan 2006 19:38:38 -0500


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ----Original Message----
From: Ansgar -59cobalt- Wiechers [mailto:bugtraq () planetcobalt net]
Sent: Thursday, 05 January, 2006 13:21
To: security-basics () securityfocus com
Subject: Re: Social Engineering

: On 2006-01-05 elite.coder () ntlworld com wrote:
:: OK, Everyone seems to think that Social Engineering can't be solved with
:: software, so I shall show you some of the ideas I have to defeat SE with software.
::
:: Idea 1: A Directory site.
::
:: The site will be used by companies to find out if Person X works at
:: company Y. How will this work?
::
:: Well, first an admin is nominated from the company (pref. someone who is
:: "up" on security i.e. a sys admin)
:: This admin will register the company with the site,
:: Then he will register everyone in the company with the site
:
: First of all: you still need the target of the social engineering attack
: to actually do that lookup. But if people did cross-check, social
: engineering wouldn't work at all. Please re-read Mitnick's book. You
: seem to have completely missed his point.
:
: In addition to that, even if people did look up in a directory like you
: suggest, what would prevent an attacker from picking an existing name
: from that directory? What good would the lookup do in that case? This
: scenario was already mentioned in one reply you got.
:
: Other issues are: who will maintain that directory? Who will be allowed
: to register people? Why do you consider maintainer and registrar
: trustworthy? How will the directory be protected from forgery (e.g.
: attacker registers forged name prior to attack)?
:
: And last, but absolutely not least: what makes you believe that every
: company would want to publish a complete list of their employees?
:

Not to mention the high turn rate that some companies have, it is still possible for an
employee who was let go/quit to still be active in said directory.  Also not to mention
IF company "a" employs more than a "handful" of people ya'd need to take the search time
into account.

Also how long would a person have to be working there before they're added to the
database?  There are a whole LOT of variables to take into account.

Herman
Live Long and Prosper
 ___________________          _-_
 \==============_=_/ ____.---'---`---.____
             \_ \    \----._________.----/
               \ \   /  /    `-_-'
           __,--`.`-'..'-_
          /____          ||-
               `--.____,-'

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.3

iQA/AwUBQ727Ux/i52nbE9vTEQLO4gCaA0DZch530Zq4P8OiUqs+KC+yQYEAoLlm
mGb3TbZuVQ9xi0LLEcFYBRcu
=VG49
-----END PGP SIGNATURE-----


