Information Security News mailing list archives

Re: Social Engineering: The Human Side Of Hacking


From: InfoSec News <isn () c4i org>
Date: Fri, 10 May 2002 03:36:39 -0500 (CDT)

Forwarded from: rferrell () texas net

Social engineering is the human side of breaking into a corporate
network. Companies with authentication processes, firewalls, VPNs
and network monitoring software are still wide open to an attack if
an employee unwittingly gives away key information in an email, by
answering questions over the phone with someone they don't know or
even by talking about a project with coworkers at a local pub after
hours.

One prime source of information that I seldom see mentioned is
vacation messages generated by SMTP agents.  Setting aside for now the
fact that a lot of brain-dead email programs rudely send out these
things in response to every incoming message, no matter the source, a
distressing number of people include not only their complete contact
information, but details about the projects they're working on (even
including internal code names), title and responsibilities of other
employees in the company, and even details about their own and other
employees' short-term and long-term schedules.

Acceptable vacation message policy should quite definitely be spelled
out as part of the overall infosec operational plan.

RGF

Robert G. Ferrell
rferrell () texas net



-
ISN is currently hosted by Attrition.org
