Slashdot Mirror

← Back to Stories (view on slashdot.org)

Social Engineering Still Best Way to Crack Security

Posted by michael on from the quelle-surprise dept.

binaryDigit writes "The Register has an amusing article about a study done in the UK where office workers were asked tricky questions like 'What is your password', and 75% of the respondents answered... They were also asked ethical questions, 'If you found a file with your coworkers salaries, would you look', 75% would, and 38% would pass the information around! Read on to be both amused (esp. the CEO) and scared."

16 of 472 comments (clear)

  1. Re:Social Engineering is all but unstoppable by binaryDigit · · Score: 4, Interesting

    According to the article 90% of them gave their password away, not 75%.

    No, I said that 75% of them answered the direct question ("What is your password"). The article says that eventually 90% gave up their passwords, but it took a couple more questions to get to that percentage. That's what was so amazing, that 75% didn't even have to be "tricked", they just gave it up when asked.

  2. my password... by AssFace · · Score: 5, Interesting

    As far as I know, all of my passwords are ********

    Easier to remember that way.

    actually, for a lot of my passwords I use bad math - like "16x12=42" - the biggest problem I've seen from it is it screws up my ability to do math.

    The worst password system I've seen is in the online banking system that BankOne uses (which also applies to the credit cards that they run).
    It won't allow you to use certain characters on the keyboard - it forces them to be 6 (!!!) alphanumeric characters.
    They might have changed their system since I last saw it - I cancelled my account and wrote them a letter telling them they were retarded when they implemented that.

    Nothing like severely limiting the keyspace for making good security.

    --

    There are some odd things afoot now, in the Villa Straylight.
  3. Re:Social Engineering is all but unstoppable by skillet-thief · · Score: 4, Interesting

    Just yesterday I was in a train station where the ticket agents had actually taped a little card on the side of their monitor that reminded them of two different system passwords plus login names! And we are talking about a national network! And this was on the customer side of the box, just to be ure that everyone saw it.

    --

    Congratulations! Now we are the Evil Empire

  4. Good password algorithm by gosand · · Score: 4, Interesting
    Most of the people I know with a clue have an algorithm for coming up with their password. I do. I just don't tell anyone what it is.

    I still remember one guys password, because when he left the company he told me what it was in case I needed any of the information locked up in his account. It was CIrpotb,

    It was the first letter of every word in a line from Jeremy, by Pearl Jam. "Clearly I remember picking on the boy," I am sure the comma was thrown in for variety. The other rule of the algorithm is to have one thing that violates the algorithm.

    --

    My beliefs do not require that you agree with them.

  5. hmmm by drDugan · · Score: 3, Interesting

    no mention of the "n" in the study. so we have no idea the statistical power of the %s they throw out. How many people did they interview? 20, 200, 2000? this leads to a big difference in the importance of the results.

  6. Story.... by sharph · · Score: 3, Interesting

    At the school I go to, in 7th grade (on a Novell network), we were assigned joe passwords (password=username). I hated this, but there was no way to change the password. It was all done through Novell's application explorer. The Upper School students (I'm in 9th grade now) got to use a change password icon, while we were stuck with our joe passwords. But I found a SETPASS.EXE in one of the shared folders and changed mine. I got in a lot of trouble and was *banned* from using the computers for a few months.

    The point is here: both sysadmin and users need to know about good security. How can I as a user protect my account if the sysadmin is assigning unchangable joe passwords?

  7. Obvious password detector, 19 years later by Animats · · Score: 3, Interesting
    19 years ago, while at Ford Aerospace, I wrote a small, simple obvious password detector to prevent this. It forces you to choose a password that doesn't have the triplet statistics of English, so you have to use something other than a single word. Most random combinations of letters will work. This is enough to prevent the usual idiotic password choices.

    Would somebody please put this in Linux?

  8. Sure - which of my 15 passwords? by gosand · · Score: 3, Interesting
    At work I have at least 10 passwords. Do you want my network login, SAP, ClearQuest, TestManager, RequisitePro, screensaver, Visual Source Safe, 401k, voicemail, or any of the other 10 applications I have to log into to get my job done? They all have different expiration and reset rules too.

    In my personal life, I have about half that. So yeah, I do use the same password in different places. But I usually have a "low" "medium" and "high" security password algorithm that I use. My more secure ones are up to 15 characters, my least secure are blank. (for dumb apps at work)

    Managing passwords can get pretty cumbersome, but I do it because I know it needs to be done. Most people don't realize that.

    I still remember working in the computer lab in college, and having to reset people's passwords daily because they would forget them. In true suave-geek fashion, every hot chick got her password changed to my name. (that never did work out the way I had hoped) :-)

    --

    My beliefs do not require that you agree with them.

  9. We didn't have social engineers - we had auditors by eaddict · · Score: 4, Interesting

    Many years ago when I was a mere IS lacky at a credit union an audit came up which FINALLY recognized that credit unions had IS departments. The CU software we used stored all of the user passwords in a file on system which could be retrieved and seen (mainly by us IS folks - but then again, we had access to the HW). One of the auditors asked for a printout of all the passwords to make sure people were following the password procedure (ie no "password", names, birthdays, etc). I told him no. He called his boss, the BIG Auditor. HE told me to give it. I again said NO. HE called the CIO/CFO of the CU to make me give it to them. I did - then I sent out a company wide e-mail announcing what I did and told people to IMMEDIATELY change thier password. That lit a fire under the auditors butts. I was called into a meeting with the auditors and the top execs at the CU. We had a nice chat about security. In the end, the Auditors didn't get another printout. Oh, and when the auditors left for the day I took the password printout off of the desk of the one who requested it and put it through the shredder.

    --
    "If you are on fire you can just stop, drop, and roll. If you fall into Lava you are just dead." - my 5yr old daughter
  10. Screw that.... by Mac+Degger · · Score: 5, Interesting

    If I found a file with salary records, I'd pass 'em around too. I still have not heard a single good reason to keep that information for only the accountant and CEO to see.

    Not only would open accounting force a company to be honest about what it does financially, but it would also be a potential morale boost to the staff (and that's even when the company is down in the hole...openness means understanding and makes people work together). Plus it would put an end to the stupidity of male-female salary inequities...like work would mean like payment and any extra pay would have to be defended on the basis of what that person brings extra to the company, as it should be.

    --
    -- Waht? Tehr's a preveiw buottn?
  11. Re:Social Engineering is all but unstoppable by TopShelf · · Score: 4, Interesting
    Seriously? It's frustration with the current mishmash of PIN's, passwords, and other secret handshakes. For techies, keeping track of a dozen or more passwords may be doable, but for end users this becomes an unmanageable mess - so they end up using the same password for everything, and are glad to inform a helpful techie of this. It's a passive-aggressive way of expressing their frustration...

    Is it right? Of course not, but it's a sign that further development is needed to make security more user-friendly going forward.

    --
    Stop by my site where I write about ERP systems & more
  12. Re:stupid by Lumpy · · Score: 4, Interesting

    Ok fine...

    "Hi this is steve from the network operations center. we have been noticing that your machine has been accessing unapprove websites. I need to verify this is you. What is your login?"

    "Ok thanks"

    2 days later... "Hi this is dave from Information services, we are setting up a new internal website to make human resources files easier for you to access, claim forms and such.. what password would you like?"

    9 times out of ten I will get their network login.

    That is real social engineering... first harvest good usernames then go password harvesting.

    Social engineering is much more subtle that you realize. hell I have in my wild youth had operators and even Telephone company techs give me access number passwords and account information without a second thought over the phone.

    Social engineering is super easy if you know how to do it. and it makes life in general easier.

    I can return any item to any store without a recipt, get a sale price on an item that is 3 days after the sale, or even get the $100.00 bill changed at that gas station that has 500 signs that say "no $50.00 or $100.00 bills!"

    chances are that you will get Social engineered and never EVER know it.

    --
    Do not look at laser with remaining good eye.
  13. MAKING password security people's priority by SuperBanana · · Score: 5, Interesting
    Many people in my office will proudly announce what their password is. Infact sometimes they like to have a good laugh about who has the most simple password. A lot of times they'll spit out their password in a room full of clients.

    I turned on strong password authentication when I was promoted.

    Now they just leave the passwords on a post-it-note on their monitor and still share it with everyone else.

    Don't solve human problems with technical measures. Solve them with human measures. Would you expect the HR department to set up the company network? Then you shouldn't try to control employees. Quick solution to your problem is to:

    • Approach senior exec, inform him/her of the problem and the risks. Take your time to put your thoughts together and even better down on paper. Point out that a weak password is equivalent to leaving the front door unlocked. Don't get hysterical, don't present unrealistic scenarios about swarms of hackers flooding the company, death/destruction...they can smell BS a mile away.
    • When asked "what can we do?", request/suggest the HR department create new rule(s) regarding passwords. Include the rules you want about what passwords should/should not be; make sure you're reasonable and don't make stupid rules that only marginally increase security in specific cases.
    • Make the "what a password should/should not be" policy effective in one week to give people plenty of time to change them. Make effective -immediately- a policy that passwords are not to be written down nor discussed with ANYONE, except IT personnel who have identified themselves in person, and NEVER over the phone or via email.
    • Make sure it is backed up with a clear consequences and strict punishments(but, say, one 'grace' exception, so nobody looses their job over one slip). Forced leave of absence, followed by termination if repeated...whatever's legal. The HR department will be the best people to decide how to go about this one, since there are often legal issues involved, and keeping employees in line is a problem they deal with every day. All you need to do is say "company secrets" "proprietary information", "potential large-scale data loss", and HR should immediately get the picture.
    • follow it up with password security audits using password cracker tools...make sure accounts aren't shared by checking logs, and conduct surprise office/cubicle "look around only"(ie, don't touch their stuff, please) inspections, looking for said postit notes. If an employee flunks, a letter goes to their manager and HR immediately. It will not take long for word to get around that you're serious about security.

    Problem solved. There is one caveat- you MUST make it easy for them to change their passwords. CLEARLY document how to do it, and even go so far as to set up a time when people can drop by your office/cube and get help changing their password, and you MUST give them proper time for

    --
    Please help metamoderate.
  14. The Air Force did this. Once. by devphil · · Score: 4, Interesting
    More than a few workplaces hold fire drills to gauge readiness for a fire.

    Some time back, everyone connected to the US Air Force (military, civil service, contractors, you name it) had to go through basic "here's how to not fuck up your password security" training. Everyone from generals to secretaries.

    Few weeks later, an AF-wide email was sent out from the internal security people. It was very short (I forget the exact text), and it pointed people at a .mil website.

    The website had a simple "type in your username and password" form.

    Ungodly numbers of people blindly typed it in. Everyone from generals to secretaries. Clicking on the "submit" button logged your username in a database of Incredibly Stupid Gullible People who immediately had their accounts locked. :-)

    (Some of the smart people in my branch just killed the web browser without entering anything. I think my coworker and I entered name/pass pairs like "verycutetrick/nicetry".)

    A few days later, another AF-wide email from the security people, scolding everyone. Those who had fucked up were required to write a half-page essay justifying why they should have their account re-enabled even though they just handed access to an unknown group of people. I was pleased.

    A few days after that, the essay requirement was revoked. Seems some N-star general with more stars than functioning neurons felt he shouldn't have to justify himself to anyone. I was disappointed.

    Now we have card readers in addition to passwords. Pull out the card, the terminal locks. And the "if you mess up, your account is revoked" rule is (finally!) enforced by official AF directive.

    --
    You cannot apply a technological solution to a sociological problem. (Edwards' Law)
  15. A cool trick by PatJensen · · Score: 3, Interesting
    Have you ever ordered a pizza before? This is a fun one you can do in room full of your coworkers. All it takes is a phone number and someone's name - and you can get their address. Even if their phone number is unlisted!

    Call up Me and Eds or Pizza Hut and tell them you want to order a pizza for delivery. Give them your phone number and name, and they will happily read you back their address. Then hang up.

    -Pat

  16. Open Salaray Policies at some companies. by ron_ivi · · Score: 4, Interesting

    Perhaps the best way to avoid salary spying is to make them open. Check out what Whole Foods Market does: http://www.fastcompany.com/online/02/team1.html "he open-salary policy is undeniably radical. But its trust-building payoff is substantial. CEO Mackey initiated the policy in 1986: "I kept hearing from people who thought I was making so much money. Finally, I just said, 'Here's what I'm making; here's what [cofounder] Craig Weller is making -- heck, here's what everybody's making.'" At the risk of an "interesting" vs "off topic" mod choice, I wanted to point out this open alternative.