[plug] Computer insecurity

Simon Scott simon.scott at flexiplan.com
Tue Aug 7 16:27:27 WST 2001


	To kill 2 birds with one stone

	Greg - there are zero differences in 'social engineering' security
between Linux and other OS'. However, I wouldn't say that this aspect of
security is worth skipping over just because all OS' suffer from it,
especially since most documents I have seen simply ignore this aspect
(probably they throw it in the 'too hard' basket).

	Peter - most successful, meaning it is the simplest way to do it and
gets the best results with the least effort... Read anything relating to any
of the famous crackers in the world, and they all employed these methods
most of the time. Kevin Mitnick was a vastly over-rated cracker, but a
vastly under-rated social engineer. He admits himself that most of his
exploits were achieved through phoning the right person, or simply walking
onto a company's premises and looking like he should be there. From memory,
it was Mitnick who had several uniforms from different companies and
government departments, including a few telcos. 

	I would define (and let me point out that I am only relaying my own
beliefs, others may differ, but I do have a little experience which I won't
relate in a public forum) "social engineering" as creating a set of false
circumstances under which people will tell you information you want to know.
This ranges from simple lies (I heard you are dating the boss, is that
true?) to get a reaction, all the way up to nasty interrogation methods
where you walk into the next room and get the guy's wife to scream before
firing a gun....

	One of the simplest forms of this is to ring a random person at a
largish company (try it at yours) and say 'Hi, this is John from helpdesk
here. We've recently had problems with one of our servers and had to restore
from backup last night. Did you change your password anytime today?' and the
conversation continues from this point, until such time as you can blatantly
ask them for their password (for "cross-referencing purposes") and they
*will* give it to you. Trust me. If you don't sound nervous, and don't drop
the ball, sooner or later they will give it to you. Drop a few buzzwords in
for good measure. Try to have a sense of humour. If they are smart and
completely refuse, just make an excuse ("oh, sorry, I'm an idiot, your
account is fine, sorry for wasting your time") thank them and hang up. No
loss. Try someone else. 

	More benign forms of social engineering include arguing a losing
point (devil's advocate) just to wind someone up and get information from
them. 

	You would be amazed at what people will tell you while at the pub on
a Friday evening. :)

	I don't recommend employing any social engineering in day to day life
(it is better to be honest and open), but if you were so inclined you would
be surprised at the results you'd get.

	Simple real life example - a friend of mine drove (in his personal
car - admittedly it was a white wagon) straight into Hay St mall. He was
wearing steel cap boots and hard yakka gear, and he drove right up to
Rosendorf's and parked outside. No one questioned him. He went to see a
friend who works in the mall, had a chat, jumped back in his car 30 mins
later and drove away. As I said, no one questioned him, not even the police
walking up and down the mall. He *looked* like he should be there. He wasn't
nervous. He appeared to be a worker or something. 

	Second real life example (try this yourself) - Next time you are out
clubbing and there is a line, walk straight up to the bouncer and say 'G'day
mate, I'm a glassy at <insert pub/club here, we used to use 'The Aberdeen'>,
mind if I come in?'. 90% of the time they will wave you in, hoping to get
the same treatment if they are ever at your work. Be confident and it will
work...... if not, wait in line.

	Anyway, enough blather, the point is that technical security is the
tip of the proverbial iceberg and *nothing* is 100% secure, especially when
humans are involved.






	From:	Peter Wright <pete at akira.apana.org.au> on 07/08/2001 03:46 PM
	Please respond to plug at plug.linux.org.au@SMTP at Exchange
	To:	plug at plug.linux.org.au@SMTP at Exchange
	cc:	 

	Subject:	Re: [plug] Computer insecurity

	On Tue, Aug 07, 2001 at 03:05:51PM +0800, Simon Scott wrote:
	> Social Engineering is still, and probably always will be, the most
	> successful form of security breach.

	Define "most successful".

	...at least the way you're using it in the above sentence.

	(for that matter, what do you define as "social engineering"?)

	Pete.
	-- 
	http://akira.apana.org.au/~pete/

	-- 
	Klingon programmer sayings:
	9. "You cannot really appreciate Dilbert unless you've read it in
	the original Klingon."


