Social Engineering Still Best Way to Crack Security
binaryDigit writes "The Register has an amusing article about a study done in the UK where office workers were asked tricky questions like 'What is your password', and 75% of the respondents answered... They were also asked ethical questions, 'If you found a file with your coworkers' salaries, would you look', 75% would, and 38% would pass the information around! Read on to be both amused (esp. the CEO) and scared."
According to the article 90% of them gave their password away, not 75%. 95% of the men and 85% of the women did.
It's sad because no matter how much I know this, people are still able to shock me. 90% of them gave their passwords away! I would've thought maybe 10% or 20%, but 90%?!?
As a corollary to this article, Kevin Mitnick's book "The Art of Deception" is fantastic. I tend to think of myself as fairly security conscious, but this book opened my eyes.
Social Engineering is a very real threat, something that IMO will take decades to be addressed. At a certain level I think Social Engineering can never be totally defeated or even necessarily defeated to any large degree. The problem lies with efficiency. Any large organization that works with a large number of external organizations is *extremely* vulnerable to this type of attack, even with incredibly strong security measures in place.
The company that I work for has very, very stringent control policies for security. They are by far the most security conscious company that I have ever worked for, yet I am supremely confident that even a poorly executed Social Engineering attack would be highly successful. There is no doubt about it, when it comes to security humans are definitely the weakest link.
I wonder if the reason the numbers were a little low last year was due to the September 11th attacks. After the attacks people were highly conscious of security, but as time passes people relax more and begin to trust other people more. They just don't realize how small pieces of information can incur such a large cost.
Doug Tolton
"The destruction of a value which is, will not bring value to that which isn't." -John Galt
As long as people are A) retarded or B) don't listen to corporate policies against this, social engineering will always be an effective tool.
People.
Are.
Stupid.
If someone came up to me in a train station and said "I'll give you this free pen if you tell me your password", I'd just make something up and collect the pen.
... free pen.
'Cause, you know
Until the people who ran this survey actually *test* their findings, their data isn't very valid.
Tuus crepidae innexilis sunt.
I'll give you a fake password.
Is there any reason to believe that people didn't just give a fake password to get a free pen? Were the passwords actually verified?
"Yeah, my password is 'password', now give me that pen."
This survey was taken at one of my local train stations. It's completely stupid, some guy walks up to you and says 'I'll give you this pen if you tell me your computer password', person says anything to get a free pen. wow 9 out of 10 people pretended to give out their passwords and in return they got a free pen, were any of these passwords tested to see if they worked? Were they asked where they worked, the type of computer they logged on to, the location, any other network questions? NO If it was done in a serious way, such as inside an office building it'd be far lower, it's ridiculous to draw any conclusion from this, hell I'd say "my password is donkey" (i bet ppl will try that as my slashdot password now haha) in order to get a free crappy pen, who wouldn't?
WTF is a sig?
Sometimes the easiest way to obtain information is just to ask for it. It doesn't matter how many locks you have on your door and bars on your windows if you open up for anyone that knocks...
from the treatment the employees get from the employer and the government. They hand around your info freely. If perhaps we were treated with a modicum of dignity and respect, it just maybe it might get returned, NOT. Treat your employees as idiots and crooks, and you will get morons and thieves :)
Why is salary and compensation secret? I can remember getting bonuses in front of people to HIGHLIGHT your work and effort and to illuminate to the rest of the staff that such things happened and extra effort was rewarded. Now we are told this is confidential information not to be discussed with anyone, SCREW YOU, we get together and compare notes all the time. If the company wants to play games and not pay based on solid criteria and reviews and performance, vs private negotiations then they had better be prepared to deal with the kind of environment that generates...
errr....umm...*whooosh* *whoosh* Is this thing on ?
okay - I really laughed when I read this article ... but ...
The number of things that I have to remember a fscking account name and password for in my life is insane.
To make it worse, at work the sysadmins decided that we have to change network passwords every two months!!
So, I have in my head a 'password pool' of my eight favourites, and continuously cycle through them. At worst, when I am trying to login to something I haven't used in a while, I have to try at most eight times (usually four times). I admit this is bad.
Social engineering attacks work because the rate these systems are introduced (all with their own unique authentication scheme) vastly exceeds the rate of the human and society's ability to organize information.
The most common password was "password" (12 per cent) and the most popular category was their own name (16 per cent) followed by their football team (11 per cent) and date of birth (8 per cent).
Ok, so that's 47% of the company had a password that anyone could guess in 10 seconds! WHAT?? OK, I believe people are stupid, even REALLY stupid. But this I'm not sure I can believe. This study has to be tainted or something-- did they test all these passwords to make sure people weren't making them up? Seems to me that 90% of the people I know would lie about their password for a free pen.
This is of course assuming that nobody's name was password, or their birthdate was 4/9/ers or anything.
"Probably the toughest time in anyone's life is when you have to murder a loved one because they're the devil." -Philips
That's because most employees are wage slaves with no meaningful stake in the data.
The GIs in WWII used to have a saying when they abused a jeep by running it over a pothole or something: "Oh well, it's not my jeep."
Same thing with passwords: "Oh well, it's not my data."
The best passwords from a technical standpoint are the worst from a social standpoint - the average net user probably has to remember a dozen or so passwords, and obscure combinations of characters are just not going to be remembered by people in this information-overloaded environment.
I don't have a solution - but calling the users stupid certainly isn't one. Indeed, perhaps we're the ones not paying attention.
At this point don't you think the "You are an idiot, I'm going to educate you," "awareness raising" security efforts by IT (and HR) people have basically failed? An irritatingly intrusive security approach combined with condescension to the users -- that should work, right? So let's force them to change passwords every month, but then chide them about writing down their passwords anywhere. Good idea. Makes things less secure, but as long as they're more secure in theory...
(I have a big plastic "pill" on my cabinet here; on the side is printed "A security breach is a tough pill to swallow. Your password is yours alone." This came from a major corporate IT department. Did they think an expensive internal advertising campaign was the way to prevent people writing down passwords on post-its? These same people were behind dot-com advertising, probably. Pretty lame.)
"Fundamentalism" isn't about divine morality. It's about human authority.
Everywhere I have ever worked (USA) has warned us that our salaries are confidential. Which stopped about 1% of us from comparing them. All a company accomplishes by hiding salaries is being able to pay people less, which is a very bad thing from an employee perspective.
...there is an underlying reason why people are predisposed to trust other people. I wonder if anyone's done any studies on whether such a predisposition is somehow an evolutionary strategy? Perhaps overall it's good for society to be cooperating instead of distrustful and angst-ridden?
Maybe *gasp* Stallman was right after all?
Protection from cheaters (con men) is fine and dandy, but perhaps the structures that require that level of protection are the problem, and not the people who are unnaturally forced to conform to security standards they don't want to?
I get such a kick out of all these Slashdot geeks sitting back, smug that their anti-social, paranoid behaviour makes them less of a target for con-men trying to "score big," while completely ignoring the corollary: A lack of cooperation or trust in general means you don't get to reap the benefits of normal socialization.
I'm not sure which person is more sad: The one who trustingly gives away meaningless "passwords" to systems that are flawed and poorly designed anyway, or the ones who think they are somehow superior for being paranoid nutjobs about things that Don't Really Matter.
Many of you seem to think your systems are the target of every smooth-talking "social engineer" out there--get over yourselves. Nobody is interested in getting access to your porn-ridden home directories.
Kevin Mitnick's book was an interesting read, but he wasn't describing social engineering, he was describing a con artist whose prize wasn't money, but the thrill of lying convincingly to otherwise normal people. This is an asset? What the hell man? Here's an analogy that pops into mind: I can walk up to someone and sucker-punch them in the gut. Even the most seasoned martial-artists can be taken in by a sucker-punch. So what?! Should we all wander around in an extreme state of combat readiness? Should I be crowing about my own superiority just because I can sucker-punch a Ninjitsu nth-degree blackbelt god?
I call bullshit. Bull-effin-shit.
These forms of passwords are much better than words, but still vulnerable if the other security mechanisms aren't in place. For example, accounts must be locked out after a certain number of illegal tries. This may seem a no-brainer, but many large organizations do not set failure thresholds precisely because they do not want to generate password reset requests to overburdened help desks (or pay more to outsourced desks).
The problem with first-letter of common phrase is that it can reduce the variability of letters. Some letters are much more common at the beginning of words than others. If there is no limit on failed attempts it becomes a simple matter to iterate through all options and try all via scripts.
As the article mentions though, the problem is not the complexity of the password but inadequate training to let employees (and CEOs) know the dangers of handing out passwords. For example, I could pick a large company at random and through googling around, find resumes of people who have worked at that organization. I could then, through google or through the receptionist, find employees at that organization. Knowing the names of their technical department I could then do something like, "Hello, this is Bob from IT Network Services in the Miami Field Support Office. There have been reports of someone attempting to use your account. What is your password?" Or something very similar. I've done it. It works, even after having employees go through a training session warning them about sharing passwords.
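The comment above argues that first-letter-of-phrase passwords have less variability per character than random letters. The following added example (not code from the thread) measures that with a constructed phrase list, which is an assumption and far too small to be a real corpus; it estimates the per-character entropy of acronym passwords and compares it with uniformly random lowercase letters of the same length.

```python
"""Estimate how much entropy first-letter-of-phrase passwords lose.
Added example, not from the original thread; the phrase list below is
constructed for illustration and is not a representative corpus."""
from collections import Counter
from math import log2

# Constructed sample phrases of the kind people turn into acronym passwords.
PHRASES = [
    "the quick brown fox jumps over the lazy dog",
    "to be or not to be that is the question",
    "a stitch in time saves nine",
    "all that glitters is not gold",
    "the early bird catches the worm",
    "you cannot have your cake and eat it too",
    "there is no place like home",
    "practice makes perfect",
]


def acronym(phrase):
    """First letter of each word: the password-building rule under discussion."""
    return "".join(word[0] for word in phrase.split())


def initial_letter_distribution(phrases):
    """Empirical probability of each letter appearing as a word initial."""
    counts = Counter(c for p in phrases for c in acronym(p))
    total = sum(counts.values())
    return {c: n / total for c, n in counts.items()}


def entropy_bits(dist):
    """Shannon entropy, in bits per character, of a letter distribution."""
    return -sum(p * log2(p) for p in dist.values())


def password_bits(length, phrases=PHRASES):
    """Bits for a length-n acronym password (treating characters as
    independent draws from the initial-letter distribution) versus a
    uniformly random lowercase string of the same length."""
    per_char = entropy_bits(initial_letter_distribution(phrases))
    return round(length * per_char, 2), round(length * log2(26), 2)
```

With this sample, 't' dominates the initial-letter distribution, which is exactly the skew the comment describes; a real corpus would show the same shape with different numbers.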
Well, in my experience, older people tend not to share salary info. It's people who are relatively new to the working world (2-3 years), who like to compare, especially when talking about salaried individuals. I attribute this to people eventually realizing there actually ARE other advantages to not discussing it.
A company accomplishes a lot more than being able to pay people less by encouraging non-disclosure of salaries. They also keep any feelings of resentment and bad attitudes to a minimum which can affect productivity. It allows employees the freedom to fight for a salary they feel they're worth, without having to deal with the pressure and attitude of their peers because they are paid more. I've told coworkers that were friends, but I also trust that they wouldn't spread it around. Anyone I wouldn't trust, I certainly wouldn't tell. And I certainly wouldn't tell anyone else another person's salary.
If you aren't happy with your salary, talk to your boss. But don't think a company doesn't have more redeeming reasons for discouraging people from discussing salaries. I've seen what happens when people do, and it usually just makes for a bad environment. I'm not saying that they might also use that as a way to control salary levels... but do you REALLY think a manager is going to give everyone raises just because they know? What are they gonna do, quit? So quit! They'll just hire someone else, and probably at a lower salary.
People whine too much about not having what others have. They really should worry less about everyone else, and think about their own happiness and contentment with their own job and salary.
Just my $0.02.
-Alex
By browbeating her password out of her this way, you reduced her resistance to future social engineering attempts. You should be teaching your users that they don't ever need to give out their passwords, regardless of who asks or in what circumstances. That's an easy rule to remember. Any complication you add to it just introduces confusion that an attacker can use.
Maybe it is more than having nothing, but it could be just obsolete (as in I gave you the PW to a dead acct).
Despite the sloppiness, the outcome of the study is clear, and I'd like to see a more rigorous study...
The value of a person's work has no real basis most of the time. The only thing you can base your salary goal on is what everyone else gets paid.
[blockquote]
I've seen what happens when people do, and it usually just makes for a bad environment.
[/blockquote]
You make my point. The reason the environment is bad is because some people are getting paid more for the same, or even less, work. As long as they can keep everyone in the dark then people are happy.
In his book "Security Engineering":
"In conclusion, the main thing we did wrong when designing ATM security systems in the early to mid 1980s was to worry about criminals being clever; we should rather have worried about our customers - the bank's system designers, implementers, and testers - being stupid."
You don't let consumers design keys to their house do you? How many people would pick a key with a really simple to determine scheme? The fact is the end-user is too gullible to be allowed to have keys which they think they understand to any kingdom. For this reason, I think real hardware keys are a better bet for computer security. End user security needs to be redesigned from the ground up to take away the user's power.
Remember, with great power comes great responsibility. The sad fact is most end users are not ready for such responsibility.
One problem with that kind of poll is you don't know the quality of the responses.
If someone walked up to me on the street and said "I'll give you this pen for your password" I'd say "fluffy" or something like that, take the pen and be on my way. "fluffy" Isn't my password anywhere, but they wouldn't know that.
How many people did they ask that just wanted the pen? (This wouldn't count for the people like the CEO who they actually tricked into giving the password, just the ones who answered right away).
Indeed, it does seem like someone without a brain might suggest such a bad idea.
The idea behind locking out an account after a certain number of tries is a reasonable one. You want to make it impossible for an attacker to repeatedly try passwords. There are two big problems.
1. Who can try the password? Anyone with access to your web site? Great, anyone in the world can denial of service attack you by doing a few bad login attempts. Anyone in your company? Hope no one in the department thinks playing the "get Bob locked out of his computer" joke is funny. On a cryptocard? You better lock the card up safely so the nosy kid your coworker brought in to work today doesn't mess with it and lock you out.
2. It encourages people to write down passwords. Sometimes people just briefly forget their passwords, or they're feeling fumblefingered today. So you try and try again. If you get a limited number of tries, after the first two you're going to stop and look it up. To look it up, you'll want it written down. This is all the more likely if you juggle a dozen or so passwords on a daily basis (infrequent for most people, but common for techies). If I know I can keep trying I'm more likely to just keep guessing until my brain kicks in and reminds me.
While lockout systems can make sense, in most cases they are overkill and cause more problems than they fix. There are better solutions. Most notably: log all bad access attempts and check the logs. Set up your system to throttle login attempts (say, no more than 5 per minute). Given those two rules, an attacker won't be able to guess any strong passwords because it will take forever to search, and within a day or two his pattern of attack will be noted and he can be tracked down.
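The two controls the comment above recommends instead of hard lockout, a per-account throttle and a review of logged failures, as an added example that is not code from the thread. The 5-per-minute limit is the comment's figure; the log line format, the sample lines and the review threshold are assumptions.

```python
"""Throttle login attempts and review the failure log, the two controls the
comment above prefers over a hard lockout. Added example, not code from the
thread; the 5-per-minute limit, log format and sample lines are assumptions."""
from collections import Counter, defaultdict, deque
import re

WINDOW_SECONDS = 60
MAX_ATTEMPTS = 5  # the comment's "no more than 5 per minute"


class LoginThrottle:
    """Sliding-window limiter keyed on the account name. Nothing is ever
    locked: once the oldest attempt ages out of the window the account
    accepts attempts again, so a prankster cannot deny a user service."""

    def __init__(self, window=WINDOW_SECONDS, limit=MAX_ATTEMPTS):
        self.window, self.limit = window, limit
        self.recent = defaultdict(deque)  # user -> attempt times in window
        self.audit = []                    # every failure and throttle event

    def attempt(self, user, password, now, check):
        """Return 'throttled', 'ok' or 'bad'; check(user, pw) verifies."""
        q = self.recent[user]
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            self.audit.append((now, user, "throttled"))
            return "throttled"
        q.append(now)
        if check(user, password):
            return "ok"
        self.audit.append((now, user, "bad-password"))
        return "bad"


# Constructed log lines in an assumed format; one source failing across
# several accounts is the pattern a log review is meant to surface.
SAMPLE_LOG = """\
2003-03-18T09:00:01 src=10.0.0.5 user=bob result=bad-password
2003-03-18T09:00:20 src=10.0.0.5 user=alice result=bad-password
2003-03-18T09:00:31 src=10.0.0.5 user=carol result=bad-password
2003-03-18T09:01:02 src=10.0.0.7 user=dave result=bad-password
2003-03-18T09:01:10 src=10.0.0.7 user=dave result=ok
""".splitlines()
LINE_RE = re.compile(r"src=(\S+) user=(\S+) result=(\S+)")


def suspicious_sources(lines, min_failures=3):
    """Map source -> (failure count, accounts tried) for sources at or
    above the failure threshold; a single mistyped password never appears."""
    failures, users = Counter(), defaultdict(set)
    for line in lines:
        m = LINE_RE.search(line)
        if m and m.group(3) == "bad-password":
            failures[m.group(1)] += 1
            users[m.group(1)].add(m.group(2))
    return {src: (n, sorted(users[src]))
            for src, n in failures.items() if n >= min_failures}
```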
This all assumes, of course, that people are telling the truth. Leaving aside the fact that people tend to lie when answering anonymous surveys (like all too often off the mark pre-election polls show, or like those surveys that conclude that the average number of sex partners men have in one year is like a couple of scores - what many would of course like,) just try and put yourself in the position of one of those guys.
The deal is, I give you my password, you give me a pen. Sure! My password is girl&friend. Give me the pen. How difficult is it to come up with a bogus password?
This survey is worse than useless.