Social Engineering Still Best Way to Crack Security
binaryDigit writes "The Register has an amusing article about a study done in the UK where office workers were asked tricky questions like 'What is your password', and 75% of the respondents answered... They were also asked ethical questions, 'If you found a file with your coworkers' salaries, would you look', 75% would, and 38% would pass the information around! Read on to be both amused (esp. the CEO) and scared."
Free Pilot rolling ball gel pen to the first person who gives me their Slashdot password!
"We are all in the gutter, but some of us are looking at the stars." - Oscar Wilde
Naughty.
I love the way the Register slipped that in on its own between paragraphs.
Sure, most people might not be smart enough. But I'd have fun with it.
Guy: "What's your password."
Me: "My favorite tool. Dickfore."
Guy: "What's a dick-"
Me: "Nahahaha!" *scamper off*
What is music when you despise all sound?
Many people in my office will proudly announce what their password is. In fact, sometimes they like to have a good laugh about who has the most simple password. A lot of times they'll spit out their password in a room full of clients. I tell ya, it is a regular laugh riot.
I turned on strong password authentication when I was promoted.
Now they just leave the passwords on a Post-it note on their monitor and still share it with everyone else. Lately during the monthly meetings I've been stressing the importance of security.
-Eod
in a related study, engineering isn't necessarily the best way to be social.
that jerk on the tour that told you chicks dig engineers was a lying bastard.
There are some odd things afoot now, in the Villa Straylight.
I was neither amused nor scared... can I have my money back now?
A potential security flaw has been discovered in Human Employee. Please update all of your employees to Microsoft Android 2.0.
I have a great idea for the next Slashdot poll. Here we go ...
My computer password is:
- 12345
- jennajameson
- password
- Other, type here: _____________
- cowboyneal
Cyde Weys Musings - Scrutinizing the inscrutable
When I was in college, Sears was giving away cups if you applied for a credit card. My friends and I must have applied for 50 of them. Yes, my name is Hugh Ugly. And I live at 314 Pi Street.
1-2-3-4-5 ???
I think the word you're looking for is 'pathetic'.
Nine in ten (90 per cent) of office workers at London's Waterloo Station gave away their computer password for a cheap pen, compared with 65 per cent last year.
The free pen index is not a security index, but correlates inversely with security of the supply closet which is proportional to the current economic condition.
Thinking: "Don't say Homer, don't say Homer."
Saying: "Homer!"
was "none", which even after telling people, they still would have problems getting into the account, not thinking literally.
Sounds like they need to have a "Hey, Asshole!" note e-mailed to the boss from their account. Then let them try to figure out which of their trusted co-workers sent it.
A little paranoia would work wonders here.
You were 80% angel, 10% demon. The rest was hard to explain. - Over The Rhine
"Math in a song is good."-Linford
Sure, I'll bite. My slashdot password is "vIcNRc++j2". Now you only have ~640,000 slashdot user IDs to try and see who I am, since I'm posting AC. Hope you have some programming skills. I'll change my password tonight at 8pm CST, you have until then.
Well, 'Anonymous Coward'... As you can see, I am now using your password to access your /. account!!!
Now that I have your password, I am going to use your account to post as many trolls as I possibly can, bringing your karma down as far as possible!
'Please enter a new password'
Penis
'Password too short'
Yeah, I once had an account somewhere that wanted a max 6-character password. I mean really, is password storage overwhelming their memory capacity or what?
On the other hand, after the account was gone, I decided I liked the sound of the password, so at least I got a new nick out of it.
cheers,
2short
The subject says it all!
The bad news is, BankOne will be contacting you shortly about the above violation of the DMCA by exposing and discussing the vulnerability.
If I give out my password do I get Karma points on /.?
Fat, drunk, and stupid is no way to go through life, son.
Thanks to Michael Moore's Bowling for Columbine, everyone now knows that up here in Canada, we don't even bother to lock our doors (unless we live in a border town).
I might as well also mention that we don't use passwords either. We don't really worry too much about crackers - most of them are just bored kids with nothing better to do.
"I have never let my schooling interfere with my education." - Mark Twain
In my engineering school there was this story about a guy in the CS department who had been "living" in front of one of the workstations for years.
On one occasion, he was helping some newbie with something; and he allowed the guy to log into his account. Naively, the newbie asked for the password across the room; everyone else in the computer center listened up expecting a refusal.
But instead, this CS guy just started to tell his password "j3Y9_fg..." loudly; the newbie started to type. But the password just kept coming; it was up towards 50 completely random characters long!
It turned out that the system insisted on a changed password every month; but the default selection was the old password. Rather than coming up with something new every month, this guy had just added one more character every time. Of course, it is not too hard to memorize one more character per month either.
Tor
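Several posts above describe password weaknesses that a policy check can actually catch: the poll's guessable favourites, a site that caps passwords at 6 characters, and the "old password plus one more character" trick for defeating monthly rotation. The following is an added example, not code from the thread or from any product it mentions; the blocklist, the 12-character minimum and the "trivial rotation" heuristic are my assumptions about what a sane policy would enforce.

```python
"""Password-policy checker (added example; not from the thread).

Flags the weaknesses the thread describes: top-N guessable passwords,
too-short passwords, and the "append one character each month" rotation.
"""
from __future__ import annotations
from typing import Sequence

# Constructed blocklist: the thread's poll options plus the "classic four".
COMMON_PASSWORDS = {
    "12345", "jennajameson", "password", "cowboyneal",
    "love", "sex", "secret", "god", "none", "homer",
}
MIN_LENGTH = 12          # assumed policy minimum
MIN_CLASSES = 3          # of: lower, upper, digit, other


def is_trivial_rotation(new: str, old: str, max_delta: int = 2) -> bool:
    """True if `new` is `old` with a few characters added or removed at
    either end, or is the same length and differs only in its last
    `max_delta` characters (Summer2002! -> Summer2003!)."""
    if not old:
        return False
    n, o = new.lower(), old.lower()
    if n == o:
        return True
    if (n.startswith(o) or n.endswith(o)) and len(n) - len(o) <= max_delta:
        return True                     # old password + a short suffix/prefix
    if o.startswith(n) or o.endswith(n):
        return True                     # old password, shortened
    if len(n) == len(o) and len(n) > max_delta and n[:-max_delta] == o[:-max_delta]:
        return True                     # only the trailing counter changed
    return False


def character_classes(password: str) -> int:
    """Count how many of lower/upper/digit/other appear in the password."""
    checks = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    return sum(checks)


def password_violations(new: str, history: Sequence[str] = ()) -> list[str]:
    """Return the policy rules `new` violates; an empty list means accepted.
    `history` holds the user's previous passwords (most recent first)."""
    problems: list[str] = []
    if len(new) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if new.lower() in COMMON_PASSWORDS:
        problems.append("in the common-password blocklist")
    if character_classes(new) < MIN_CLASSES:
        problems.append(f"uses fewer than {MIN_CLASSES} character classes")
    if any(is_trivial_rotation(new, old) for old in history):
        problems.append("trivial variation of a previous password")
    return problems


if __name__ == "__main__":
    # The 50-character CS student, one month later:
    print(password_violations("j3Y9_fgQ8mLpX", ["j3Y9_fgQ8mLp"]))
    print(password_violations("password"))
```

The rotation check is deliberately crude; a real deployment would also compare against a breached-password list and keep a longer history, but even this heuristic is enough to reject the monthly "add one character" habit the post describes.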
Other good ones are 'obscure' and 'secret', always fun if someone asks you for the password.
-What's your password?
-It's obscure.
-Good, but what is it?
-I told you, it's obscure.
-OK, let's start at the top, what's your login?
-It's secret. No, really! No, not the comfy chair!
Money for nothing, pix for free
I have three passwords to remember at work. Maybe four, I can't remember. But I have to change at least 3 of them every month. Man, my memory just ain't that good. Sometimes I can't even remember the fact that I have changed a password, let alone remember what the word is. And the door to my office has a digital lock; nevertheless, any time anybody knocks they are let in with no questions asked.
Ah, you don't need a password to do that. But to make all the headers perfect, do it from their workstation, or at least don't do it from yours. :)
:)
------------------
> telnet smtp.yourcorp.com 25
helo yourcorp.com
mail from: victim@yourcorp.com
rcpt to: ceo@yourcorp.com
data
Cc: supervisor@yourcorp.com
Bcc: victim@yourcorp.com
Subject: Asshole!
Hey asshole,
I'd just like to remind you that you really suck donkey dong! I'd tell you to go screw yourself, but it seems the VP is already in "the position".
P.S., don't go home early tonight, I'll be there banging your wife and daugher.
Love,
victim
.
quit
------------------
Sometimes they call me a troublemaker. I don't know why.
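The transcript in the post above only works because the corporate mail server accepts HELO, MAIL FROM, RCPT TO and DATA from anyone on the network, so the envelope sender is whatever the caller types. Below is an added example, not code from the post or from any real mail server: a tiny SMTP server state machine that replays the post's client lines (body shortened) against two configurations, an open internal relay like the one in the post and one that returns 530 to MAIL FROM until the session has authenticated. The AUTH PLAIN handling and the credential store are my additions; hostnames and addresses are the post's own placeholders.

```python
"""Minimal SMTP server state machine (added example, not the thread's code).

Replaying the thread's transcript shows both sides of the exchange: an open
relay queues the forged mail; a server requiring AUTH before MAIL FROM
refuses it, and the rest of the dialogue collapses into 503/500 replies.
"""
from __future__ import annotations
import base64

# Constructed credential store for the hardened server.
USERS = {"victim@yourcorp.com": "correct horse"}

# The post's client lines, body shortened and subject neutralised.
FORGERY = [
    "helo yourcorp.com",
    "mail from: victim@yourcorp.com",
    "rcpt to: ceo@yourcorp.com",
    "data",
    "Cc: supervisor@yourcorp.com",
    "Bcc: victim@yourcorp.com",
    "Subject: Hey boss",
    "",
    "(forged body)",
    ".",
    "quit",
]


class SmtpSession:
    """Feed one client line at a time; get the server's reply (or None)."""

    def __init__(self, require_auth: bool = False) -> None:
        self.require_auth = require_auth
        self.authenticated = False
        self.sender: str | None = None
        self.recipients: list[str] = []
        self.in_data = False
        self.body: list[str] = []
        self.delivered: list[dict] = []      # messages the server queued

    def feed(self, line: str) -> str | None:
        if self.in_data:                     # body lines get no reply
            if line != ".":
                self.body.append(line)
                return None
            self.in_data = False
            self.delivered.append({"from": self.sender,
                                   "to": list(self.recipients),
                                   "data": "\n".join(self.body)})
            self.sender, self.recipients, self.body = None, [], []
            return "250 OK: queued"
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return "250 smtp.yourcorp.com"
        if verb == "AUTH":                   # AUTH PLAIN base64("\0user\0pass")
            try:
                _, user, pw = base64.b64decode(arg.split()[-1]).decode().split("\0")
            except ValueError:
                return "501 Syntax error"
            if USERS.get(user) == pw:
                self.authenticated = True
                return "235 Authentication successful"
            return "535 Authentication credentials invalid"
        if verb == "MAIL":
            if self.require_auth and not self.authenticated:
                return "530 Authentication required"
            self.sender = arg.split(":", 1)[-1].strip()
            return "250 OK"
        if verb == "RCPT":
            if self.sender is None:
                return "503 Need MAIL command"
            self.recipients.append(arg.split(":", 1)[-1].strip())
            return "250 OK"
        if verb == "DATA":
            if not self.recipients:
                return "503 Need RCPT command"
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return "221 Bye"
        return "500 Command unrecognized"


def auth_plain(user: str, password: str) -> str:
    """Build the AUTH PLAIN line for the given credentials."""
    return "AUTH PLAIN " + base64.b64encode(f"\0{user}\0{password}".encode()).decode()


def replay(transcript: list[str], require_auth: bool) -> tuple[list[str], list[dict]]:
    """Run the client lines through a fresh session; return (replies, queued mail)."""
    session = SmtpSession(require_auth)
    replies = []
    for line in transcript:
        reply = session.feed(line)
        if reply is not None:
            replies.append(reply)
    return replies, session.delivered


if __name__ == "__main__":
    for hardened in (False, True):
        replies, mail = replay(FORGERY, require_auth=hardened)
        print("require_auth =", hardened, "->", replies, "queued:", len(mail))
```

Requiring authentication stops the anonymous forgery, but not a colleague who knows the victim's password or sits at the victim's unlocked workstation, which is exactly what the rest of this thread is about; that is what sender-rewriting and signing on the submission path are for.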
Back in the day, I used to do this for personal entertainment, but it wasn't anything rude like this. I'd do messages from Bill Gates offering jobs and crap like that. One guy almost quit and went to Microsoft, 'til he saw me laughing my ass off when he was showing everyone in the office the printed email.
Serious? Seriousness is well above my pay grade.
I should add that the correct response by a user, when asked 'tell me your password', is to reply 'Simon didn't say!'.
-- Ed Avis ed@membled.com
The place I work for used to have no passwords, meaning that any time an employee was asked to login, they just had to type their login name and hit enter. Not only that, but they were all running windows 2000 with administrative shares enabled, and every user was a member of the "domain admins" group. Anyone sitting at any computer in the company had full read/write access to every computer in the office, with no need to break any logins. In addition, none of them ever installed patches on their systems. Any time they opened an infected email attachment, which happened really quite often, especially at the CEO level, the virus would often spread to all the computers, and the network admin, who was actually just a shipping manager who had some computer experience, would have to clean all the computers again and sometimes restore them from previous backups.
They're doing much better now, but they still have a long way to go. Many of them still don't use passwords, and the rest use very predictable ones, but enforcing sound security practices is not in my job description.
At least there are the double firewalls, one in the office and one at the ISP. There are also the frequent backups. They keep tape backups for the last 5 days and 1 tape goes to offsite storage every week. In addition, I took the liberty of writing a program to back up all the changes to the databases 3 times a day, so that they can be restored to any point in the last 8 months. If I can't force them to be secure, at least I can protect their data and patch any really major holes, like disabling the administrative shares.
No, the top passwords are LOVE, SEX, SECRET, and GOD.