Slashdot Mirror

← Back to Stories (view on slashdot.org)

Social Engineering Still Best Way to Crack Security

Posted by michael on from the quelle-surprise dept.

binaryDigit writes "The Register has an amusing article about a study done in the UK where office workers were asked tricky questions like 'What is your password', and 75% of the respondents answered... They were also asked ethical questions, 'If you found a file with your coworkers salaries, would you look', 75% would, and 38% would pass the information around! Read on to be both amused (esp. the CEO) and scared."

10 of 472 comments (clear)

  1. Social Engineering is all but unstoppable by dtolton · · Score: 5, Insightful

    According to the article 90% of them gave their password away,
    not 75%. 95% of the men and 85% of the women did.

    It's sad because no matter how much I know this, people are
    still able to shock me. 90% of them gave their passwords away!
    I would've thought maybe 10% or 20%, but 90%?!?

    As a corollary to this article, Kevin Mitnick's book "The Art of
    Deception" is fantastic. I tend to think of myself as fairly
    security conscious, but this book opened my eyes.

    Social Engineering is a very real threat, something IMO will
    take decades to be addressed. At a certain level I think Social
    Engineering can never be totally defeated or even necessarily
    defeated to any large degree. The problem lies with
    efficiency. Any large organization that works with a large
    number of external organizations is *extremely* vulnerable to
    this type of attack, even with incredibly strong security
    measures in place.

    The company that I work for has very, very stringent control
    policies for security. They are by far the most security
    conscious company that I have ever worked for, yet I am
    supremely confident that even a poorly executed Social
    Engineering attack would be highly successful. There is no
    doubt about it, when it comes to security humans are definately
    the weakest link.

    I wonder if the reason the numbers were a little low last year
    was due to the september 11th attacks. After the attacks people
    were highly conscious of security, but as time passes people
    relax more and begin to trust other people more. They just
    don't realize how small pieces of information can incur such a
    large cost.

    --

    Doug Tolton

    "The destruction of a value which is, will not bring value to that which isn't." -John Galt
    1. Re:Social Engineering is all but unstoppable by invenustus · · Score: 5, Insightful

      More than a few workplaces hold fire drills to gauge readiness for a fire. It wouldn't cost much for a company to hire a local starving actor to call random employees, spout some technical BS, and ask for their passwords. Then you could determine the percentage of gullible employees, and send out an email reminding everyone never to give out their passwords to someone they don't know, ever ever ever.

      Doing this once or twice a year would be dirt cheap, amusing, and very useful.

      --
      grep -ri 'should work' /usr/src/linux | wc -l
    2. Re:Social Engineering is all but unstoppable by eht · · Score: 5, Insightful

      Why should they be giving out passwords even to people they know?

      One of the first things I would ever do on the occasion someone gave me a password was tell them to change it immediately after i was done doing whatever I was doing, most of them gave me strange looks.

      IT should never need your password for anything, if they need to login as you for whatever odd reason they should get your permission, wipe out your old password, put in a new temp one, use that, then give you the temp one and tell you to change it.

      They shouldn't even know your password scheme as long as a trip through satan or something similiar doesn't turn anything up, or you force some standards on them like not using your logon as your password and other simple security provisions.

    3. Re:Social Engineering is all but unstoppable by Cthefuture · · Score: 5, Insightful

      That's why there are so many companies working on "other than password" authentication methods. Biometrics, smartcards, etc.

      The thing about something like a smartcard is that it adds a physical security layer. Even if you give someone your PIN, they still need your card. While someone could steal your card, you would be more likely to recognize "Hey, someone took my card" so that security could be locked down. Plus it because it a physical layer of security it's less likely that Joe h4xx0r will even be able to steal your card in the first place (ie. you can't physically give your card out over the phone).

      And biometrics let the computer recognize who you are instead of you telling the computer who you are.

      --
      The ratio of people to cake is too big
    4. Re:Social Engineering is all but unstoppable by Anonymous Coward · · Score: 5, Insightful

      I once had the network manager ask me my password.

      I replied, "Real systems administators will never need to ask for a user's password. If someone asks you for your password, they must be trying to infilitrate the system."

      This caused his boss, who was standing next to him, to burst out laughing.

      I don't know what he needed to do, but I didn't give him my password.

  2. Social Engineering Still Best Way to Get Free Pen by Greedo · · Score: 5, Insightful

    If someone came up to me in a train station and said "I'll give you this free pen if you tell me your password", I'd just make something up and collect the pen.

    'Cause, you know ... free pen.

    Until the people who ran this survey actually *test* their findings, their data isn't very valid.

    --
    Tuus crepidae innexilis sunt.
  3. stupid by ReLik · · Score: 5, Insightful

    This survey was taken at one of my local trainstations. It's completely stupid, some guy walks up to you and says 'I'll give you this pen if you tell me your computer password', person says anything to get free pen. wow 9 out of 10 people pretended to give out their passwords and in return they got a free pen, was any of these passwords tested to see if they worked? Were they asked where they worked, the type of computer they logged on to, the location, any other network questions? NO If it was done in a seriously way, such as inside an office building it'd be far lower, it's ridiculous to draw any conclusion from this, hell I'd say "my password is donkey" (i bet ppl will try that as my slashdot password now haha) in order to get a free crappy pen, who wouldn't?

    --
    WTF is a sig?
  4. admission by Anonymous Coward · · Score: 5, Insightful

    okay - I really laughed when I read this article ... but ...

    The number of things that I have to remember a fscking account name and password for in my life in insane.

    To make it worse, at work the sysadmins decided that we have to change network passwords every two months!!

    So, I have in my head a 'password pool' of my eight favourites, and continuously cycle through them. At worst, when I am trying to login to something I haven't used in awhile, I have to try at most eight times (usually four times). I admit this is bad.

    Social engineering attacks work because the rate these systems are introduced (all with their own unique authentication scheme) vastly exceeds the rate of the human and society's ability to organize information.

  5. Passwords themselves are bad social engineering by One+Louder · · Score: 5, Insightful
    Perhaps we should not blame the users, but instead accept that passwords are themselves a poor design.

    The best passwords from a technical standpoint are the worst from a social standpoint - the average net user probably has to remember a dozen or so passwords, and obscure combinations of characters are just not going to be remembered by people in this information-overloaded environment.

    I don't have a solution - but calling the users stupid certainly isn't one. Indeed, perhaps we're the ones not paying attention.

  6. From Ross Anderson by Checkered+Daemon · · Score: 5, Insightful

    In his book "Security Engineering"

    "In conclusion, the main thing we did wrong when designing ATM security systems in the early to mid 1980s was to worry about criminals being clever; we should rather have worried about our customers - the bank's system designers, implementers, and testers - being stupid."