Slashdot Mirror


Social Engineering Still Best Way to Crack Security

binaryDigit writes "The Register has an amusing article about a study done in the UK where office workers were asked tricky questions like 'What is your password', and 75% of the respondents answered... They were also asked ethical questions, 'If you found a file with your coworkers salaries, would you look', 75% would, and 38% would pass the information around! Read on to be both amused (esp. the CEO) and scared."

3 of 472 comments

  1. my password... by AssFace · · Score: 5, Interesting

    As far as I know, all of my passwords are ********

    Easier to remember that way.

    Actually, for a lot of my passwords I use bad math - like "16x12=42" - the biggest problem I've seen from it is it screws up my ability to do math.

    The worst password system I've seen is in the online banking system that BankOne uses (which also applies to the credit cards that they run).
    It won't allow you to use certain characters on the keyboard - it forces them to be 6 (!!!) alphanumeric characters.
    They might have changed their system since I last saw it - I cancelled my account and wrote them a letter telling them they were retarded when they implemented that.

    Nothing like severely limiting the keyspace for making good security.

    --

    There are some odd things afoot now, in the Villa Straylight.
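The keyspace complaint above can be put in numbers. The following is an added example (not code from the commenter or from Slashdot) that compares the size of the password space, the equivalent entropy for a uniformly random password, and the time to exhaust the space at an assumed guess rate. The alphabet sizes, the policies compared and the guess rate of one billion guesses per second are assumptions chosen for illustration, not figures from the page.

```python
import math

# Alphabet sizes are assumptions for this illustration.
ALPHABETS = {
    "digits": 10,         # 0-9
    "alnum-lower": 36,    # a-z plus 0-9, case-insensitive
    "alnum-mixed": 62,    # a-z, A-Z, 0-9
    "printable": 95,      # all printable ASCII including punctuation and space
}


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits when every character is chosen uniformly at random."""
    return length * math.log2(alphabet_size)


def exhaust_years(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Years needed to try the whole space at the given rate (worst case;
    the expected time to find one password is half of this)."""
    seconds = keyspace(alphabet_size, length) / guesses_per_second
    return seconds / (365.25 * 86400)


def compare_policies(policies, guesses_per_second: float = 1e9):
    """policies: iterable of (label, alphabet_name, length).
    Returns one row per policy, sorted from smallest keyspace to largest."""
    rows = []
    for label, alphabet, length in policies:
        n = ALPHABETS[alphabet]
        rows.append({
            "policy": label,
            "keyspace": keyspace(n, length),
            "bits": round(entropy_bits(n, length), 1),
            "years_to_exhaust": exhaust_years(n, length, guesses_per_second),
        })
    return sorted(rows, key=lambda r: r["keyspace"])


# Assumed policies for comparison: the 6-character alphanumeric limit the
# commenter describes, a common 8-character mixed-case rule, and a longer
# passphrase drawn from the full printable set.
EXAMPLE_POLICIES = [
    ("6 chars, alphanumeric only", "alnum-lower", 6),
    ("8 chars, mixed case + digits", "alnum-mixed", 8),
    ("12 chars, any printable", "printable", 12),
]

if __name__ == "__main__":
    for row in compare_policies(EXAMPLE_POLICIES):
        print(f"{row['policy']:<30} {row['bits']:>6} bits  "
              f"{row['keyspace']:>26,}  {row['years_to_exhaust']:.3g} years")
```

The point the table makes is that length and alphabet multiply: at an assumed rate of a billion guesses per second the six-character alphanumeric space is gone in seconds, while each added character from a larger alphabet multiplies the work by the alphabet size.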
  2. Screw that.... by Mac+Degger · · Score: 5, Interesting

    If I found a file with salary records, I'd pass 'em around too. I still have not heard a single good reason to keep that information for only the accountant and CEO to see.

    Not only would open accounting force a company to be honest about what it does financially, but it would also be a potential morale boost to the staff (and that's even when the company is down in the hole...openness means understanding and makes people work together). Plus it would put an end to the stupidity of male-female salary inequities...like work would mean like payment and any extra pay would have to be defended on the basis of what that person brings extra to the company, as it should be.

    --
    -- Waht? Tehr's a preveiw buottn?
  3. MAKING password security people's priority by SuperBanana · · Score: 5, Interesting
    Many people in my office will proudly announce what their password is. In fact sometimes they like to have a good laugh about who has the most simple password. A lot of times they'll spit out their password in a room full of clients.

    I turned on strong password authentication when I was promoted.

    Now they just leave the passwords on a post-it-note on their monitor and still share it with everyone else.

    Don't solve human problems with technical measures. Solve them with human measures. Would you expect the HR department to set up the company network? Then you shouldn't try to control employees. Quick solution to your problem is to:

    • Approach senior exec, inform him/her of the problem and the risks. Take your time to put your thoughts together and even better down on paper. Point out that a weak password is equivalent to leaving the front door unlocked. Don't get hysterical, don't present unrealistic scenarios about swarms of hackers flooding the company, death/destruction...they can smell BS a mile away.
    • When asked "what can we do?", request/suggest the HR department create new rule(s) regarding passwords. Include the rules you want about what passwords should/should not be; make sure you're reasonable and don't make stupid rules that only marginally increase security in specific cases.
    • Make the "what a password should/should not be" policy effective in one week to give people plenty of time to change them. Make effective -immediately- a policy that passwords are not to be written down nor discussed with ANYONE, except IT personnel who have identified themselves in person, and NEVER over the phone or via email.
    • Make sure it is backed up with clear consequences and strict punishments (but, say, one 'grace' exception, so nobody loses their job over one slip). Forced leave of absence, followed by termination if repeated...whatever's legal. The HR department will be the best people to decide how to go about this one, since there are often legal issues involved, and keeping employees in line is a problem they deal with every day. All you need to do is say "company secrets", "proprietary information", "potential large-scale data loss", and HR should immediately get the picture.
    • Follow it up with password security audits using password cracker tools...make sure accounts aren't shared by checking logs, and conduct surprise office/cubicle "look around only" (ie, don't touch their stuff, please) inspections, looking for said post-it notes. If an employee flunks, a letter goes to their manager and HR immediately. It will not take long for word to get around that you're serious about security.

    Problem solved. There is one caveat- you MUST make it easy for them to change their passwords. CLEARLY document how to do it, and even go so far as to set up a time when people can drop by your office/cube and get help changing their password, and you MUST give them proper time for
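The audit step above says to check the logs for shared accounts. What follows is an added example (not the commenter's code, and not from any real product) of one way to do that: parse successful logins and flag any account that is used from more than one source host within a short window, which is the pattern a shared password produces. The log line format, the sample lines, the 60-minute window and the one-host threshold are all constructed assumptions for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines; the format is an assumption for this example.
SAMPLE_LOG = """\
2003-10-13 09:00:12 login user=alice host=10.0.1.5 result=ok
2003-10-13 09:05:44 login user=bob host=10.0.1.7 result=ok
2003-10-13 09:10:03 login user=carol host=10.0.1.8 result=ok
2003-10-13 09:20:51 login user=bob host=10.0.2.9 result=ok
2003-10-13 09:30:00 login user=alice host=10.0.1.5 result=ok
2003-10-13 09:33:17 login user=dave host=10.0.1.9 result=fail
2003-10-13 09:40:29 login user=bob host=10.0.3.3 result=ok
2003-10-13 14:10:58 login user=carol host=10.0.5.1 result=ok
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) login "
    r"user=(?P<user>\S+) host=(?P<host>\S+) result=(?P<result>\S+)$"
)


def parse_logins(text: str):
    """Return (timestamp, user, host) for every successful login line.
    Failed attempts and lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group("result") != "ok":
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        events.append((ts, m.group("user"), m.group("host")))
    return events


def find_shared_accounts(events, window_minutes: int = 60, max_hosts: int = 1):
    """Flag users seen logging in from more than `max_hosts` distinct hosts
    within any trailing window of `window_minutes`. Returns {user: [hosts]}.
    A long gap between two hosts (someone moving between offices) is not
    flagged; several hosts within the window is the shared-password pattern."""
    window = timedelta(minutes=window_minutes)
    by_user = defaultdict(list)
    for ts, user, host in events:
        by_user[user].append((ts, host))

    flagged = {}
    for user, logins in by_user.items():
        logins.sort()
        for i, (ts, _) in enumerate(logins):
            start = ts - window
            hosts = {h for t, h in logins[: i + 1] if t >= start}
            if len(hosts) > max_hosts:
                # Accumulate every host seen in a flagged window for this user.
                flagged[user] = sorted(set(flagged.get(user, [])) | hosts)
    return flagged


if __name__ == "__main__":
    for user, hosts in find_shared_accounts(parse_logins(SAMPLE_LOG)).items():
        print(f"{user}: logged in from {len(hosts)} hosts within an hour: {', '.join(hosts)}")
```

On the constructed sample, only bob is flagged (three hosts inside an hour); carol's two logins five hours apart are left alone unless the window is widened, which is the knob to tune against how mobile your users actually are before a letter goes to anyone's manager.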