Slashdot Mirror


Social Engineering Still Best Way to Crack Security

binaryDigit writes "The Register has an amusing article about a study done in the UK where office workers were asked tricky questions like 'What is your password', and 75% of the respondents answered... They were also asked ethical questions, 'If you found a file with your coworkers' salaries, would you look'; 75% would, and 38% would pass the information around! Read on to be both amused (esp. the CEO) and scared."

19 of 472 comments

  1. Social Engineering is all but unstoppable by dtolton · · Score: 5, Insightful

    According to the article 90% of them gave their password away,
    not 75%. 95% of the men and 85% of the women did.

    It's sad because no matter how much I know this, people are
    still able to shock me. 90% of them gave their passwords away!
    I would've thought maybe 10% or 20%, but 90%?!?

    As a corollary to this article, Kevin Mitnick's book "The Art of
    Deception" is fantastic. I tend to think of myself as fairly
    security conscious, but this book opened my eyes.

    Social Engineering is a very real threat, something IMO will
    take decades to be addressed. At a certain level I think Social
    Engineering can never be totally defeated or even necessarily
    defeated to any large degree. The problem lies with
    efficiency. Any large organization that works with a large
    number of external organizations is *extremely* vulnerable to
    this type of attack, even with incredibly strong security
    measures in place.

    The company that I work for has very, very stringent control
    policies for security. They are by far the most security
    conscious company that I have ever worked for, yet I am
    supremely confident that even a poorly executed Social
    Engineering attack would be highly successful. There is no
    doubt about it, when it comes to security humans are definitely
    the weakest link.

    I wonder if the reason the numbers were a little low last year
    was due to the September 11th attacks. After the attacks people
    were highly conscious of security, but as time passes people
    relax more and begin to trust other people more. They just
    don't realize how small pieces of information can incur such a
    large cost.

    --

    Doug Tolton

    "The destruction of a value which is, will not bring value to that which isn't." -John Galt
    1. Re:Social Engineering is all but unstoppable by invenustus · · Score: 5, Insightful

      More than a few workplaces hold fire drills to gauge readiness for a fire. It wouldn't cost much for a company to hire a local starving actor to call random employees, spout some technical BS, and ask for their passwords. Then you could determine the percentage of gullible employees, and send out an email reminding everyone never to give out their passwords to someone they don't know, ever ever ever.

      Doing this once or twice a year would be dirt cheap, amusing, and very useful.

      --
      grep -ri 'should work' /usr/src/linux | wc -l
    2. Re:Social Engineering is all but unstoppable by eht · · Score: 5, Insightful

      Why should they be giving out passwords even to people they know?

      One of the first things I would ever do on the occasion someone gave me a password was tell them to change it immediately after I was done doing whatever I was doing; most of them gave me strange looks.

      IT should never need your password for anything, if they need to login as you for whatever odd reason they should get your permission, wipe out your old password, put in a new temp one, use that, then give you the temp one and tell you to change it.

      They shouldn't even know your password scheme as long as a trip through SATAN or something similar doesn't turn anything up, or you force some standards on them like not using your logon as your password and other simple security provisions.

    3. Re:Social Engineering is all but unstoppable by Cthefuture · · Score: 5, Insightful

      That's why there are so many companies working on "other than password" authentication methods. Biometrics, smartcards, etc.

      The thing about something like a smartcard is that it adds a physical security layer. Even if you give someone your PIN, they still need your card. While someone could steal your card, you would be more likely to recognize "Hey, someone took my card" so that security could be locked down. Plus, because it's a physical layer of security, it's less likely that Joe h4xx0r will even be able to steal your card in the first place (i.e. you can't physically give your card out over the phone).

      And biometrics let the computer recognize who you are instead of you telling the computer who you are.

      --
      The ratio of people to cake is too big
    4. Re:Social Engineering is all but unstoppable by Anonymous Coward · · Score: 5, Insightful

      I once had the network manager ask me my password.

      I replied, "Real systems administrators will never need to ask for a user's password. If someone asks you for your password, they must be trying to infiltrate the system."

      This caused his boss, who was standing next to him, to burst out laughing.

      I don't know what he needed to do, but I didn't give him my password.

  2. Social Engineering Still Best Way to Get Free Pen by Greedo · · Score: 5, Insightful

    If someone came up to me in a train station and said "I'll give you this free pen if you tell me your password", I'd just make something up and collect the pen.

    'Cause, you know ... free pen.

    Until the people who ran this survey actually *test* their findings, their data isn't very valid.

    --
    Tuus crepidae innexilis sunt.
  3. Re:Let's Test the Theory by DeadSea · · Score: 3, Insightful

    I'll give you a fake password.

    Is there any reason to believe that people didn't just give a fake password to get a free pen? Were the passwords actually verified?

    "Yeah, my password is 'password', now give me that pen."

  4. stupid by ReLik · · Score: 5, Insightful

    This survey was taken at one of my local train stations. It's completely stupid: some guy walks up to you and says 'I'll give you this pen if you tell me your computer password', person says anything to get free pen. Wow, 9 out of 10 people pretended to give out their passwords and in return they got a free pen. Were any of these passwords tested to see if they worked? Were they asked where they worked, the type of computer they logged on to, the location, any other network questions? NO. If it was done in a serious way, such as inside an office building, it'd be far lower. It's ridiculous to draw any conclusion from this; hell, I'd say "my password is donkey" (I bet ppl will try that as my slashdot password now haha) in order to get a free crappy pen, who wouldn't?

    --
    WTF is a sig?
  5. Sadly... by hafree · · Score: 3, Insightful

    Sometimes the easiest way to obtain information is just to ask for it. It doesn't matter how many locks you have on your door and bars on your windows if you open up for anyone that knocks...

  6. and how is this different by Archfeld · · Score: 4, Insightful

    from the treatment the employees get from the employer and the government. They hand around your info freely. If perhaps we were treated with a modicum of dignity and respect, it just might get returned, NOT. Treat your employees as idiots and crooks, and you will get morons and thieves :)

    Why is salary and compensation secret? I can remember getting bonuses in front of people to HIGHLIGHT your work and effort and to illuminate to the rest of the staff that such things happened and extra effort was rewarded. Now we are told this is confidential information not to be discussed with anyone. SCREW YOU, we get together and compare notes all the time. If the company wants to play games and not pay based on solid criteria and reviews and performance, vs private negotiations, then they had better be prepared to deal with the kind of environment that generates...

    --
    errr....umm...*whooosh* *whoosh* Is this thing on ?
  7. admission by Anonymous Coward · · Score: 5, Insightful

    okay - I really laughed when I read this article ... but ...

    The number of things that I have to remember a fscking account name and password for in my life is insane.

    To make it worse, at work the sysadmins decided that we have to change network passwords every two months!!

    So, I have in my head a 'password pool' of my eight favourites, and continuously cycle through them. At worst, when I am trying to login to something I haven't used in awhile, I have to try at most eight times (usually four times). I admit this is bad.

    Social engineering attacks work because the rate these systems are introduced (all with their own unique authentication scheme) vastly exceeds the rate of the human and society's ability to organize information.

  8. WHAT? by DonkeyJimmy · · Score: 3, Insightful

    The most common password was "password" (12 per cent) and the most popular category was their own name (16 per cent) followed by their football team (11 per cent) and date of birth (8 per cent).

    Ok, so that's 47% of the company had a password that anyone could guess in 10 seconds! WHAT?? OK, I believe people are stupid, even REALLY stupid. But this I'm not sure I can believe. This study has to be tainted or something-- did they test all these passwords to make sure people weren't making them up? Seems to me that 90% of the people I know would lie about their password for a free pen.

    This is of course assuming that nobody's name was password, or their birthdate was 4/9/ers or anything.

    --
    "Probably the toughest time in anyone's life is when you have to murder a loved one because they're the devil." -Philips
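    A weak-password check built around the survey categories quoted in the post above (the word "password", the user's own name, a football team, a date of birth) plus the "not using your logon as your password" rule from eht's reply earlier in the thread. This is an added example, not code from the article or from any poster; the denylist, the team list and the function names are mine, and the two lists are small constructed samples.

    ```python
    import re
    from datetime import date

    # Constructed sample lists; a real deployment would load much fuller ones.
    COMMON_PASSWORDS = {"password", "passwd", "letmein", "qwerty", "welcome"}
    FOOTBALL_TEAMS = {"arsenal", "chelsea", "liverpool", "everton", "tottenham",
                      "leeds", "celtic", "rangers", "newcastle", "manutd"}

    # Undo the usual "l33t" substitutions so "P@ssw0rd" is still caught.
    LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})


    def _plain(s: str) -> str:
        """Lower-case and keep only letters and digits."""
        return re.sub(r"[^a-z0-9]", "", s.lower())


    def _deleet(s: str) -> str:
        """Map leet digits/symbols back to letters, then normalise like _plain()."""
        return _plain(s.lower().translate(LEET))


    def _dob_forms(dob: date) -> set:
        """Digit-only and month-name spellings of a birth date, normalised."""
        fmts = ("%d%m%Y", "%d%m%y", "%Y%m%d", "%m%d%Y", "%m%d%y", "%d%b%Y", "%d%B%Y")
        return {_plain(dob.strftime(f)) for f in fmts}


    def check_password(password: str, username: str, full_name: str = "",
                       dob_iso: str = "") -> list:
        """Return the survey categories the password falls into ([] means none).

        dob_iso is the user's date of birth as 'YYYY-MM-DD', or '' if unknown.
        """
        plain, words = _plain(password), _deleet(password)
        reasons = []
        if words in COMMON_PASSWORDS:
            reasons.append("common")
        # The login name plus every part of the real name of three letters or more.
        tokens = {_plain(username)} | {_plain(t) for t in full_name.split() if len(t) >= 3}
        if any(t and t in words for t in tokens):
            reasons.append("name")
        if any(team in words for team in FOOTBALL_TEAMS):
            reasons.append("team")
        # Dates are matched on the raw digits, not the de-leeted form.
        if dob_iso and any(f in plain for f in _dob_forms(date.fromisoformat(dob_iso))):
            reasons.append("dob")
        return reasons
    ```

    Run the check at password-change time and reject anything that returns a non-empty list; the reason list doubles as the message to show the user.
    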
  9. Passwords themselves are bad social engineering by One+Louder · · Score: 5, Insightful

    Perhaps we should not blame the users, but instead accept that passwords are themselves a poor design.

    The best passwords from a technical standpoint are the worst from a social standpoint - the average net user probably has to remember a dozen or so passwords, and obscure combinations of characters are just not going to be remembered by people in this information-overloaded environment.

    I don't have a solution - but calling the users stupid certainly isn't one. Indeed, perhaps we're the ones not paying attention.

  10. IT arrogance is part of the "social" here... by ianscot · · Score: 4, Insightful

    There are a fair number of posts here that say something like:

    This will always be a problem because people are just stupid.

    At this point don't you think the "You are an idiot, I'm going to educate you," "awareness raising" security efforts by IT (and HR) people have basically failed? An irritatingly intrusive security approach combined with condescension to the users -- that should work, right? So let's force them to change passwords every month, but then chide them about writing down their passwords anywhere. Good idea. Makes things less secure, but as long as they're more secure in theory...

    (I have a big plastic "pill" on my cabinet here; on the side is printed "A security breach is a tough pill to swallow. Your password is yours alone." This came from a major corporate IT department. Did they think an expensive internal advertising campaign was the way to prevent people writing down passwords on post-its? These same people were behind dot-com advertising, probably. Pretty lame.)

    --
    "Fundamentalism" isn't about divine morality. It's about human authority.
  11. Re:Salaries? by Sparr0 · · Score: 4, Insightful

    Everywhere I have ever worked (USA) has warned us that our salaries are confidential. Which stopped about 1% of us from comparing them. All a company accomplishes by hiding salaries is being able to pay people less, which is a very bad thing from an employee perspective.

  12. Cute reasoning, but counterproductive. by dark-nl · · Score: 4, Insightful

    By browbeating her password out of her this way, you reduced her resistance to future social engineering attempts. You should be teaching your users that they don't ever need to give out their passwords, regardless of who asks or in what circumstances. That's an easy rule to remember. Any complication you add to it just introduces confusion that an attacker can use.

  13. Re:Salaries? by Sparr0 · · Score: 3, Insightful

    The value of a person's work has no real basis most of the time. The only thing you can base your salary goal on is what everyone else gets paid.

    > I've seen what happens when people do, and it usually just makes for a bad environment.

    You make my point. The reason the environment is bad is because some people are getting paid more for the same, or even less, work. As long as they can keep everyone in the dark then people are happy.

  14. From Ross Anderson by Checkered+Daemon · · Score: 5, Insightful

    In his book "Security Engineering"

    "In conclusion, the main thing we did wrong when designing ATM security systems in the early to mid 1980s was to worry about criminals being clever; we should rather have worried about our customers - the bank's system designers, implementers, and testers - being stupid."

  15. Passwords are a bad idea anyhow. by Enrico+Pulatzo · · Score: 4, Insightful

    You don't let consumers design keys to their house, do you? How many people would pick a key with a really simple to determine scheme? The fact is the end-user is too gullible to be allowed to have keys which they think they understand to any kingdom. For this reason, I think real hardware keys are a better bet for computer security. End user security needs to be redesigned from the ground up to take away the user's power.

    Remember, with great power comes great responsibility. The sad fact is most end users are not ready for such responsibility.