Slashdot Mirror


Social Engineering Still Best Way to Crack Security

binaryDigit writes "The Register has an amusing article about a study done in the UK where office workers were asked tricky questions like 'What is your password', and 75% of the respondents answered... They were also asked ethical questions, 'If you found a file with your coworkers' salaries, would you look', 75% would, and 38% would pass the information around! Read on to be both amused (esp. the CEO) and scared."

6 of 472 comments

  1. Re:Social Engineering is all but unstoppable by Santos L. Halper · · Score: 5, Informative

    When I do on-site work, I often have to ask people their passwords. I can't think of one time when anybody refused to tell me. In fact, many make it a point to tell me that they use that password for everything. I still remember most of the passwords, too.

    --

    "Ask not for whom the bone bones. It bones for thee." --Bender
  2. Social engineering vs. Common Passwords. by EinarH · · Score: 4, Informative
    Why bother doing social engineering at all?
    Probably well over 50% of users use a common password within the top 10 category. (source silicon.com and Egg (UK bank))

    Top 10 list:
    1. Blank
    2. password.
    3. Cartoon(s).
    4. Football team or player.
    5. Pets.
    6. Date of birth.
    7. Girlfriend name.
    8. Something nasty; words like sex, fu** or prOn.
    9. Sci-fi or fantasy (Gandalf, Yoda, etc.).
    10. Company name.

    Other common alternatives:
    -Names of children
    -qwerty and asdf
    -Same password and login (root and root)

    It's sad; but Joe-users are (generally) very ignorant about this problem.

    --

    Melius mori in libertate quam vivere in servitute.

    1. Re:Social engineering vs. Common Passwords. by watzinaneihm · · Score: 2, Informative

      From the article : The most common password was "password" (12 per cent) and the most popular category was their own name (16 per cent) followed by their football team (11 per cent) and date of birth (8 per cent). 47 percent here. Close enough.

      --
      .ACMD setaloiv siht gnidaeR
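A reject-list check built from the categories in the post above and the figures quoted in the reply, as an added example that is not from the original thread; the word lists, the company name "Acme" and the user roster are constructed stand-ins:

```python
import re
from datetime import date

# Constructed stand-ins for the post's categories; a real check would load full dictionaries.
CATEGORY_WORDS = {
    "common word": {"password", "secret", "letmein"},
    "cartoon": {"homer", "simpsons", "snoopy"},
    "football": {"arsenal", "chelsea", "beckham"},
    "sci-fi/fantasy": {"gandalf", "yoda", "frodo"},
    "offensive word": {"sex"},
}
KEYBOARD_RUNS = ("qwerty", "asdf", "12345")
DOB_FORMATS = ("%d%m%Y", "%d%m%y", "%Y%m%d", "%m%d%Y", "%Y")

def weak_password_reasons(password, *, login, company, personal_names=(), birth_date=None):
    """Return the post's categories that `password` falls into, in a fixed order.
    An empty list means no listed pattern matched, not that the password is strong."""
    p = password.strip().lower()
    if not p:
        return ["blank"]
    reasons = []
    base = re.sub(r"\d+$", "", p)  # "gandalf1" / "yoda2003" still count as that word
    reasons += [cat for cat, words in CATEGORY_WORDS.items() if base in words]
    if p == login.lower():
        reasons.append("same as login")
    if company and company.lower() in p:
        reasons.append("company name")
    reasons += [f"personal name ({n})" for n in personal_names if n and n.lower() in p]
    if any(run in p for run in KEYBOARD_RUNS):
        reasons.append("keyboard run")
    if birth_date is not None:
        digits = re.sub(r"\D", "", p)  # "15-03-1975" and "15031975" are the same guess
        if digits and any(birth_date.strftime(f) in digits for f in DOB_FORMATS):
            reasons.append("date of birth")
    return reasons

def share_in_listed_categories(users, company):
    """Fraction of user records whose password hits at least one listed category."""
    hits = sum(1 for u in users if weak_password_reasons(
        u["password"], login=u["login"], company=company,
        personal_names=u.get("names", ()), birth_date=u.get("dob")))
    return hits / len(users) if users else 0.0

# Constructed sample roster for the audit function, not data from the survey.
SAMPLE_USERS = [
    {"login": "root", "password": "root"},
    {"login": "alice", "password": "Tr0ub4dor&3x"},
    {"login": "bob", "password": "rex15031975", "names": ("Rex",), "dob": date(1975, 3, 15)},
    {"login": "carol", "password": "Acme2003"},
]
```

Run `share_in_listed_categories` over a real roster only against a hashed store you are authorised to audit, and treat any non-zero reason list as a reason to reject at password-change time.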
  3. Re:hmmm by rev063 · · Score: 2, Informative
    There were 152 subjects. From the article:

    Of the 152 office workers surveyed many explained the origin of their passwords.

    Although it would be nice if they'd mentioned this up front.

  4. Discussing salaries is legally protected by Wesley Everest · · Score: 2, Informative
    Discussing salaries is protected by U.S. labor law. That doesn't mean that employers won't lie to you about your rights or that they won't illegally fire you, but you do have recourse if they do.

    Here are the details.

    And, btw, U.S. labor law protects concerted activity even if you aren't actively organizing a union.

  5. "There should be no passwords", said RMS. by hackrobat · · Score: 2, Informative
    From the book, Free as in Freedom, Chapter 4:

    "The hackers who wrote the Incompatible Timesharing System decided that file protection was usually used by a self-styled system manager to get power over everyone else," Stallman would later explain. "They didn't want anyone to be able to get power over them that way, so they didn't implement that kind of a feature. The result was, that whenever something in the system was broken, you could always fix it."

    Through such vigilance, hackers managed to keep the AI Lab's machines security-free. Over at the nearby MIT Laboratory for Computer Sciences, however, security-minded faculty members won the day. The LCS installed its first password-based system in 1977. Once again, Stallman took it upon himself to correct what he saw as ethical laxity. Gaining access to the software code that controlled the password system, Stallman implanted a software command that sent out a message to any LCS user who attempted to choose a unique password. If a user entered "starfish," for example, the message came back something like:

    I see you chose the password "starfish." I suggest that you switch to the password "carriage return." It's much easier to type, and also it stands up to the principle that there should be no passwords.

    Users who did enter "carriage return"--that is, users who simply pressed the Enter or Return button, entering a blank string instead of a unique password--left their accounts accessible to the world at large. As scary as that might have been for some users, it reinforced the hacker notion that Institute computers, and even Institute computer files, belonged to the public, not private individuals. Stallman, speaking in an interview for the 1984 book Hackers, proudly noted that one-fifth of the LCS staff accepted this argument and employed the blank-string password.

    BTW I quote this under the terms of the GNU Free Documentation License.