Security Basics mailing list archives
RE: Social Engineering
From: "Ebeling, Jr., Herman Frederick" <hfebelingjr () lycos com>
Date: Thu, 5 Jan 2006 19:38:38 -0500

-----Original Message-----
From: Ansgar -59cobalt- Wiechers [mailto:bugtraq () planetcobalt net]
Sent: Thursday, 05 January, 2006 13:21
To: security-basics () securityfocus com
Subject: Re: Social Engineering

: On 2006-01-05 elite.coder () ntlworld com wrote:
:: OK, Everyone seems to think that Social Engineering can't be solved with
:: software, so I shall show you some of the ideas I have to defeat SE with software.
::
:: Idea 1: A Directory site.
::
:: The site will be used by companies to find out if Person X works at
:: company Y. How will this work?
::
:: Well, first an admin is nominated from the company (pref. someone who is
:: "up" on security i.e. a sys admin)
:: This admin will register the company with the site,
:: Then he will register everyone in the company with the site
:
: First of all: you still need the target of the social engineering attack
: to actually do that lookup. But if people did cross-check, social
: engineering wouldn't work at all. Please re-read Mitnick's book. You
: seem to have completely missed his point.
:
: In addition to that, even if people did look up in a directory like you
: suggest, what would prevent an attacker from picking an existing name
: from that directory? What good would the lookup do in that case? This
: scenario was already mentioned in one reply you got.
:
: Other issues are: who will maintain that directory? Who will be allowed
: to register people? Why do you consider maintainer and registrar
: trustworthy? How will the directory be protected from forgery (e.g.
: attacker registers forged name prior to attack)?
:
: And last, but absolutely not least: what makes you believe that every
: company would want to publish a complete list of their employees?
:

Not to mention the high turn rate that some companies have, it is still possible for an employee who was let go/quit to still be active in said directory.

Also not to mention IF company "a" employs more than a "handful" of people ya'd need to take the search time into account. Also how long would a person have to be working there before they're added to the database? There are a whole LOT of variables to take into account.

Herman
Live Long and Prosper