Slashdot Mirror


Social Engineering Still Best Way to Crack Security

binaryDigit writes "The Register has an amusing article about a study done in the UK where office workers were asked tricky questions like 'What is your password', and 75% of the respondents answered... They were also asked ethical questions, 'If you found a file with your coworkers' salaries, would you look', 75% would, and 38% would pass the information around! Read on to be both amused (esp. the CEO) and scared."

26 of 472 comments

  1. Re:Social Engineering is all but unstoppable by binaryDigit · · Score: 4, Interesting

    According to the article 90% of them gave their password away, not 75%.

    No, I said that 75% of them answered the direct question ("What is your password"). The article says that eventually 90% gave up their passwords, but it took a couple more questions to get to that percentage. That's what was so amazing, that 75% didn't even have to be "tricked", they just gave it up when asked.

  2. my password... by AssFace · · Score: 5, Interesting

    As far as I know, all of my passwords are ********

    Easier to remember that way.

    Actually, for a lot of my passwords I use bad math - like "16x12=42" - the biggest problem I've seen from it is it screws up my ability to do math.

    The worst password system I've seen is in the online banking system that BankOne uses (which also applies to the credit cards that they run).
    It won't allow you to use certain characters on the keyboard - it forces them to be 6 (!!!) alphanumeric characters.
    They might have changed their system since I last saw it - I cancelled my account and wrote them a letter telling them they were retarded when they implemented that.

    Nothing like severely limiting the keyspace for making good security.

    --

    There are some odd things afoot now, in the Villa Straylight.
  3. 6 letter password by Swanky+Canary · · Score: 2, Interesting
    The worst password system I've seen is in the online banking system that BankOne uses (which also applies to the credit cards that they run). It won't allow you to use certain characters on the keyboard - it forces them to be 6 (!!!) alphanumeric characters.

    I had an account with them too (long since canceled) and used the following password for it:

    E6l7rs

    Which, naturally, stands for "Exactly 6 le7ters".

    Even with crappy restrictions, you can usually come up with something that's not going to be easily crackable.

  4. Secret salary info only helps employer by asmithmd1 · · Score: 2, Interesting

    You are right. Everyone believes when they are told "don't let anyone else know, but you are getting paid above average." When word gets around who is paid what, it only causes problems for PHBs. I absolutely would (and actually have done exactly this) pass around salary info that my boss accidentally left on the copier.

  5. Re:Security just isn't the focus of a lot of peopl by Eccles · · Score: 2, Interesting

    I turned on strong password authentication when I was promoted.

    Did you ever consider going biometric?

    A bunch of U.are.U (or similar) fingerprint readers would probably be a fair bit safer than any system that forces difficult-to-remember passwords, and many users would like the instant-login possibility.

    --
    Ooh, a sarcasm detector. Oh, that's a real useful invention.
  6. Re:Social Engineering is all but unstoppable by skillet-thief · · Score: 4, Interesting

    Just yesterday I was in a train station where the ticket agents had actually taped a little card on the side of their monitor that reminded them of two different system passwords plus login names! And we are talking about a national network! And this was on the customer side of the box, just to be sure that everyone saw it.

    --

    Congratulations! Now we are the Evil Empire

  7. Password evaluator by Anonymous Coward · · Score: 2, Interesting

    http://geodsoft.com/cgi-bin/pwcheck.pl

    This seems to be a good password evaluator. Only problem, your password is displayed on the screen... so you have to make sure no one is watching you as you type (and to clear your history once you're done using it...)

  8. Re:What's the big deal with salary information? by SlightlyMadman · · Score: 2, Interesting

    I think you just answered your own question.

    --

    Money I owe, money-iy-ay
  9. Good password algorithm by gosand · · Score: 4, Interesting
    Most of the people I know with a clue have an algorithm for coming up with their password. I do. I just don't tell anyone what it is.

    I still remember one guy's password, because when he left the company he told me what it was in case I needed any of the information locked up in his account. It was CIrpotb,

    It was the first letter of every word in a line from Jeremy, by Pearl Jam. "Clearly I remember picking on the boy," I am sure the comma was thrown in for variety. The other rule of the algorithm is to have one thing that violates the algorithm.

    --

    My beliefs do not require that you agree with them.

  10. hmmm by drDugan · · Score: 3, Interesting

    No mention of the "n" in the study, so we have no idea of the statistical power of the percentages they throw out. How many people did they interview? 20, 200, 2000? This leads to a big difference in the importance of the results.

  11. Story.... by sharph · · Score: 3, Interesting

    At the school I go to, in 7th grade (on a Novell network), we were assigned joe passwords (password=username). I hated this, but there was no way to change the password. It was all done through Novell's application explorer. The Upper School students (I'm in 9th grade now) got to use a change password icon, while we were stuck with our joe passwords. But I found a SETPASS.EXE in one of the shared folders and changed mine. I got in a lot of trouble and was *banned* from using the computers for a few months.

    The point is here: both sysadmin and users need to know about good security. How can I as a user protect my account if the sysadmin is assigning unchangeable joe passwords?

  12. Obvious password detector, 19 years later by Animats · · Score: 3, Interesting
    19 years ago, while at Ford Aerospace, I wrote a small, simple obvious password detector to prevent this. It forces you to choose a password that doesn't have the triplet statistics of English, so you have to use something other than a single word. Most random combinations of letters will work. This is enough to prevent the usual idiotic password choices.

    Would somebody please put this in Linux?
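    An added example of the idea Animats describes (not his Ford Aerospace code, and not from this page): learn which letter triplets are common in English from a small constructed corpus, then reject any password whose triplets look too much like English text. The corpus, the 50% threshold and the 8-character minimum are assumptions of this example.

```python
# Added example, not the original Ford Aerospace detector: an obvious-password
# check based on English letter-triplet (trigram) statistics. A password made
# of English words is rejected; random letters, or digits and punctuation that
# break up letter runs, pass the triplet test.
import math
import re
from collections import Counter

# Constructed toy corpus; a real deployment would train on a large word list.
CORPUS = """
the quick brown fox jumps over the lazy dog while the cat sleeps by the fire
security is a process not a product and people are the weakest link in it
passwords should be long random and never shared with anyone over the phone
office workers told the researchers their password when asked directly
"""
MAX_ENGLISH_FRACTION = 0.5  # assumption: reject if over half the triplets are English
MIN_LENGTH = 8              # assumption: length policy, separate from the triplet test

def trigrams(word):
    """All 3-letter windows of an alphabetic string, lowercased."""
    word = word.lower()
    return [word[i:i + 3] for i in range(len(word) - 2)]

def build_model(text):
    """Log-probability of every trigram in the corpus, plus a floor for unseen ones."""
    counts = Counter()
    for word in re.findall(r"[A-Za-z]+", text):
        counts.update(trigrams(word))
    total = sum(counts.values())
    return {t: math.log(c / total) for t, c in counts.items()}, math.log(0.5 / total)

MODEL, UNSEEN_LOGP = build_model(CORPUS)

def password_trigrams(password):
    """Trigrams of each maximal alphabetic run; digits and punctuation break
    runs, so '16x12=42' yields none and passes the triplet test."""
    return [t for run in re.findall(r"[A-Za-z]+", password) for t in trigrams(run)]

def english_fraction(password):
    """Share of the password's letter triplets that occur in English text."""
    tris = password_trigrams(password)
    return sum(t in MODEL for t in tris) / len(tris) if tris else 0.0

def english_score(password):
    """Mean log-probability per triplet; higher means more English-like."""
    tris = password_trigrams(password)
    return sum(MODEL.get(t, UNSEEN_LOGP) for t in tris) / len(tris) if tris else UNSEEN_LOGP

def check_password(password):
    """Return (accepted, reason) for a candidate password."""
    if len(password) < MIN_LENGTH:
        return False, "shorter than %d characters" % MIN_LENGTH
    frac = english_fraction(password)
    if frac > MAX_ENGLISH_FRACTION:
        return False, "%.0f%% of letter triplets look like English" % (100 * frac)
    return True, "ok"

if __name__ == "__main__":
    for cand in ["password", "theworkers", "CIrpotb,", "xq7zvkb9", "16x12=42"]:
        ok, why = check_password(cand)
        print("%-10s fraction=%.2f %s (%s)" % (cand, english_fraction(cand), "accept" if ok else "REJECT", why))
```

    With this toy corpus, gosand's "CIrpotb," and AssFace's "16x12=42" pass the triplet test while "password" and "theworkers" are rejected; the floor for unseen triplets keeps one rare triplet from dominating the score.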

  13. Sure - which of my 15 passwords? by gosand · · Score: 3, Interesting
    At work I have at least 10 passwords. Do you want my network login, SAP, ClearQuest, TestManager, RequisitePro, screensaver, Visual Source Safe, 401k, voicemail, or any of the other 10 applications I have to log into to get my job done? They all have different expiration and reset rules too.

    In my personal life, I have about half that. So yeah, I do use the same password in different places. But I usually have a "low" "medium" and "high" security password algorithm that I use. My more secure ones are up to 15 characters, my least secure are blank. (for dumb apps at work)

    Managing passwords can get pretty cumbersome, but I do it because I know it needs to be done. Most people don't realize that.

    I still remember working in the computer lab in college, and having to reset people's passwords daily because they would forget them. In true suave-geek fashion, every hot chick got her password changed to my name. (that never did work out the way I had hoped) :-)

    --

    My beliefs do not require that you agree with them.

  14. Re:Social Engineering is all but unstoppable by Cthefuture · · Score: 2, Interesting

    Well, that's what people are working on now, solving those issues.

    Couple points though.

    If you've ever worked anywhere that you need security clearance, you almost always need a badge. If you forget your badge, you don't get into work without jumping through some hoops (or going back home to get your badge). The same thing applies to smartcards. In fact, your badge can and often is the smartcard. Just like if you forget the keys to your car, you can't drive it. It's not any harder than that.

    As for working remotely... Again, that's what people are working on solving right now. Smartcard and biometric readers are getting cheaper and cheaper. There are secure methods for remote validation. For instance, smart cards with public key cryptography. You still need to physically have the card to prove your identity. Doesn't matter if you're at a remote location, that private key never leaves the card and no one can even get to the private key (supposedly). I say supposedly because there are some smartcards that are not as physically secure as they could be.

    There are tons of new smartcards that can plug straight into a USB port. No reader required.

    --
    The ratio of people to cake is too big
  15. We didn't have social engineers - we had auditors by eaddict · · Score: 4, Interesting

    Many years ago when I was a mere IS lackey at a credit union an audit came up which FINALLY recognized that credit unions had IS departments. The CU software we used stored all of the user passwords in a file on the system which could be retrieved and seen (mainly by us IS folks - but then again, we had access to the HW). One of the auditors asked for a printout of all the passwords to make sure people were following the password procedure (i.e. no "password", names, birthdays, etc). I told him no. He called his boss, the BIG Auditor. HE told me to give it. I again said NO. HE called the CIO/CFO of the CU to make me give it to them. I did - then I sent out a company wide e-mail announcing what I did and told people to IMMEDIATELY change their password. That lit a fire under the auditors' butts. I was called into a meeting with the auditors and the top execs at the CU. We had a nice chat about security. In the end, the Auditors didn't get another printout. Oh, and when the auditors left for the day I took the password printout off of the desk of the one who requested it and put it through the shredder.

    --
    "If you are on fire you can just stop, drop, and roll. If you fall into Lava you are just dead." - my 5yr old daughter
  16. Screw that.... by Mac+Degger · · Score: 5, Interesting

    If I found a file with salary records, I'd pass 'em around too. I still have not heard a single good reason to keep that information for only the accountant and CEO to see.

    Not only would open accounting force a company to be honest about what it does financially, but it would also be a potential morale boost to the staff (and that's even when the company is down in the hole...openness means understanding and makes people work together). Plus it would put an end to the stupidity of male-female salary inequities...like work would mean like payment and any extra pay would have to be defended on the basis of what that person brings extra to the company, as it should be.

    --
    -- Waht? Tehr's a preveiw buottn?
  17. Re:Social Engineering is all but unstoppable by TopShelf · · Score: 4, Interesting
    Seriously? It's frustration with the current mishmash of PIN's, passwords, and other secret handshakes. For techies, keeping track of a dozen or more passwords may be doable, but for end users this becomes an unmanageable mess - so they end up using the same password for everything, and are glad to inform a helpful techie of this. It's a passive-aggressive way of expressing their frustration...

    Is it right? Of course not, but it's a sign that further development is needed to make security more user-friendly going forward.

    --
    Stop by my site where I write about ERP systems & more
  18. Re:stupid by Lumpy · · Score: 4, Interesting

    Ok fine...

    "Hi this is steve from the network operations center. We have been noticing that your machine has been accessing unapproved websites. I need to verify this is you. What is your login?"

    "Ok thanks"

    2 days later... "Hi this is dave from Information services, we are setting up a new internal website to make human resources files easier for you to access, claim forms and such.. what password would you like?"

    9 times out of ten I will get their network login.

    That is real social engineering... first harvest good usernames then go password harvesting.

    Social engineering is much more subtle than you realize. Hell, I have in my wild youth had operators and even Telephone company techs give me access number passwords and account information without a second thought over the phone.

    Social engineering is super easy if you know how to do it. And it makes life in general easier.

    I can return any item to any store without a receipt, get a sale price on an item that is 3 days after the sale, or even get the $100.00 bill changed at that gas station that has 500 signs that say "no $50.00 or $100.00 bills!"

    Chances are that you will get Social engineered and never EVER know it.

    --
    Do not look at laser with remaining good eye.
  19. MAKING password security people's priority by SuperBanana · · Score: 5, Interesting
    Many people in my office will proudly announce what their password is. In fact sometimes they like to have a good laugh about who has the most simple password. A lot of times they'll spit out their password in a room full of clients.

    I turned on strong password authentication when I was promoted.

    Now they just leave the passwords on a post-it-note on their monitor and still share it with everyone else.

    Don't solve human problems with technical measures. Solve them with human measures. Would you expect the HR department to set up the company network? Then you shouldn't try to control employees. Quick solution to your problem is to:

    • Approach senior exec, inform him/her of the problem and the risks. Take your time to put your thoughts together and even better down on paper. Point out that a weak password is equivalent to leaving the front door unlocked. Don't get hysterical, don't present unrealistic scenarios about swarms of hackers flooding the company, death/destruction...they can smell BS a mile away.
    • When asked "what can we do?", request/suggest the HR department create new rule(s) regarding passwords. Include the rules you want about what passwords should/should not be; make sure you're reasonable and don't make stupid rules that only marginally increase security in specific cases.
    • Make the "what a password should/should not be" policy effective in one week to give people plenty of time to change them. Make effective -immediately- a policy that passwords are not to be written down nor discussed with ANYONE, except IT personnel who have identified themselves in person, and NEVER over the phone or via email.
    • Make sure it is backed up with clear consequences and strict punishments (but, say, one 'grace' exception, so nobody loses their job over one slip). Forced leave of absence, followed by termination if repeated...whatever's legal. The HR department will be the best people to decide how to go about this one, since there are often legal issues involved, and keeping employees in line is a problem they deal with every day. All you need to do is say "company secrets", "proprietary information", "potential large-scale data loss", and HR should immediately get the picture.
    • Follow it up with password security audits using password cracker tools...make sure accounts aren't shared by checking logs, and conduct surprise office/cubicle "look around only" (ie, don't touch their stuff, please) inspections, looking for said post-it notes. If an employee flunks, a letter goes to their manager and HR immediately. It will not take long for word to get around that you're serious about security.

    Problem solved. There is one caveat- you MUST make it easy for them to change their passwords. CLEARLY document how to do it, and even go so far as to set up a time when people can drop by your office/cube and get help changing their password, and you MUST give them proper time for

  20. Does not always apply by LordZardoz · · Score: 2, Interesting

    Honest and open accounting is probably a good thing, but only if the company itself is entirely on the up and up. And I am not talking about various strictly illegal activities either.

    Do you think that there would be a morale increase when it becomes common knowledge that the owner's unqualified son in a junior position is paid more than people with greater amounts of skill?

    Or when the 2 highest paid employees are the owner and his secretary (who is also his girlfriend).

    How about when the executives get a raise that is roughly equal to the amount of payroll reduction in the last round of layoffs?

    Odds are that if office morale is in the crapper already, that there is a good reason for it.

    END COMMUNICATION

  21. Re:stupid by Lumpy · · Score: 2, Interesting

    That's the great part, you then say "Oh it wasn't you. Good. We will have to look at the logs, thanks"

    Concern them and then after they give up the info you relieve them and thank them. Bingo you win.

    It works every single time and I never EVER was turned down when I did that... Now as a professional I simply social engineer the IS or IT department to get the services I need to get my job done.

    Funny.. the foul-mouthed, bad-attitude manager down the hall can't get IS or IT to do a damned thing for him, yet I can get upper level access easily to make my life easier here.
    So rule #1: be super duper polite and nice and you get the gold ring every time.

    The jerk wearing the "F**K YOU" t-shirt gets nothing.

    --
    Do not look at laser with remaining good eye.
  22. Re:Biometrics don't work by tomhudson · · Score: 2, Interesting
    Don't believe that biometrics is a stupid technology? Just google on "biometric gummy bear" and you'll see how to defeat a fingerprint scanner.

    Just breathing on some scanners is enough to "reactivate" the previous user's print (from the oil they left behind). Or, when the scanner also checks for temperature, press a baggy filled with warm water against the sensor.

    Iris scanners were defeated by pasting a picture of the user's iris on your glasses, or in some cases just holding a picture of the person up to the camera. A video of the person, played back on a laptop held in front of the camera, also worked.

    Remember - the more complicated the technology, the more points of failure/compromise are possible.

  23. The Air Force did this. Once. by devphil · · Score: 4, Interesting
    More than a few workplaces hold fire drills to gauge readiness for a fire.

    Some time back, everyone connected to the US Air Force (military, civil service, contractors, you name it) had to go through basic "here's how to not fuck up your password security" training. Everyone from generals to secretaries.

    A few weeks later, an AF-wide email was sent out from the internal security people. It was very short (I forget the exact text), and it pointed people at a .mil website.

    The website had a simple "type in your username and password" form.

    Ungodly numbers of people blindly typed it in. Everyone from generals to secretaries. Clicking on the "submit" button logged your username in a database of Incredibly Stupid Gullible People who immediately had their accounts locked. :-)

    (Some of the smart people in my branch just killed the web browser without entering anything. I think my coworker and I entered name/pass pairs like "verycutetrick/nicetry".)

    A few days later, another AF-wide email from the security people, scolding everyone. Those who had fucked up were required to write a half-page essay justifying why they should have their account re-enabled even though they just handed access to an unknown group of people. I was pleased.

    A few days after that, the essay requirement was revoked. Seems some N-star general with more stars than functioning neurons felt he shouldn't have to justify himself to anyone. I was disappointed.

    Now we have card readers in addition to passwords. Pull out the card, the terminal locks. And the "if you mess up, your account is revoked" rule is (finally!) enforced by official AF directive.

    --
    You cannot apply a technological solution to a sociological problem. (Edwards' Law)
  24. A cool trick by PatJensen · · Score: 3, Interesting
    Have you ever ordered a pizza before? This is a fun one you can do in a room full of your coworkers. All it takes is a phone number and someone's name - and you can get their address. Even if their phone number is unlisted!

    Call up Me and Eds or Pizza Hut and tell them you want to order a pizza for delivery. Give them your phone number and name, and they will happily read you back their address. Then hang up.

    -Pat

  25. Open Salary Policies at some companies. by ron_ivi · · Score: 4, Interesting

    Perhaps the best way to avoid salary spying is to make them open. Check out what Whole Foods Market does: http://www.fastcompany.com/online/02/team1.html "The open-salary policy is undeniably radical. But its trust-building payoff is substantial. CEO Mackey initiated the policy in 1986: "I kept hearing from people who thought I was making so much money. Finally, I just said, 'Here's what I'm making; here's what [cofounder] Craig Weller is making -- heck, here's what everybody's making.'" At the risk of an "interesting" vs "off topic" mod choice, I wanted to point out this open alternative.

  26. Re:My password is by einhverfr · · Score: 2, Interesting

    If I wanted a free pen, I would create a new user account and give you the info ;^) You would then think me a sucker, but who would be the social engineer?

    --

    LedgerSMB: Open source Accounting/ERP