Slashdot Mirror
Social Engineering Still Best Way to Crack Security
binaryDigit writes "The Register has an amusing article about a study done in the UK where office workers were asked tricky questions like 'What is your password', and 75% of the respondents answered... They were also asked ethical questions, 'If you found a file with your coworkers salaries, would you look', 75% would, and 38% would pass the information around! Read on to be both amused (esp. the CEO) and scared."
Aren't salaries in most UK businesses public?
Free Pilot rolling ball gel pen to the first person who gives me their Slashdot password!
"We are all in the gutter, but some of us are looking at the stars." - Oscar Wilde
According to the article 90% of them gave their password away,
not 75%. 95% of the men and 85% of the women did.
It's sad because no matter how much I know this, people are
still able to shock me. 90% of them gave their passwords away!
I would've thought maybe 10% or 20%, but 90%?!?
As a corollary to this article, Kevin Mitnick's book "The Art of
Deception" is fantastic. I tend to think of myself as fairly
security conscious, but this book opened my eyes.
Social Engineering is a very real threat, something IMO will
take decades to be addressed. At a certain level I think Social
Engineering can never be totally defeated or even necessarily
defeated to any large degree. The problem lies with
efficiency. Any large organization that works with a large
number of external organizations is *extremely* vulnerable to
this type of attack, even with incredibly strong security
measures in place.
The company that I work for has very, very stringent control
policies for security. They are by far the most security
conscious company that I have ever worked for, yet I am
supremely confident that even a poorly executed Social
Engineering attack would be highly successful. There is no
doubt about it, when it comes to security humans are definately
the weakest link.
I wonder if the reason the numbers were a little low last year
was due to the september 11th attacks. After the attacks people
were highly conscious of security, but as time passes people
relax more and begin to trust other people more. They just
don't realize how small pieces of information can incur such a
large cost.
Doug Tolton
"The destruction of a value which is, will not bring value to that which isn't." -John Galt
As long as people are A) retarded or B) don't listen to corporate policies against this, social engineering will always be an effective tool.
People.
Are.
Stupid.
Sure, most people might not be smart enough. But I'd have fun with it.
Guy: "What's your password."
Me: "My favorite tool. Dickfore."
Guy: "What's a dick-"
Me: "Nahahaha!" *scamper off*
What is music when you despise all sound?
Many people in my office will proudly announce what their password is. Infact sometimes they like to have a good laugh about who has the most simple password. A lot of times they'll spit out their password in a room full of clients. I tell ya it is a regular laugh riot
I turned on strong password authentication when I was promoted.
Now they just leave the passwords on a post-it-note on their monitor and still share it with everyone else. Lately during the monthly meetings I've been stressing the importance of security.
-Eod
in a related study, engineering isn't necessarily the best way to be social.
that jerk on the tour that told you chicks dig engineers was a lying bastard.
There are some odd things afoot now, in the Villa Straylight.
If someone came up to me in a train station and said "I'll give you this free pen if you tell me your password", I'd just make something up and collect the pen.
... free pen.
'Cause, you know
Until the people who ran this survey actually *test* their findings, their data isn't very valid.
Tuus crepidae innexilis sunt.
A potential security flaw has been discovered in Human Employee. Please update all of your employees to Microsoft Android 2.0.
This survey was taken at one of my local trainstations. It's completely stupid, some guy walks up to you and says 'I'll give you this pen if you tell me your computer password', person says anything to get free pen. wow 9 out of 10 people pretended to give out their passwords and in return they got a free pen, was any of these passwords tested to see if they worked? Were they asked where they worked, the type of computer they logged on to, the location, any other network questions? NO If it was done in a seriously way, such as inside an office building it'd be far lower, it's ridiculous to draw any conclusion from this, hell I'd say "my password is donkey" (i bet ppl will try that as my slashdot password now haha) in order to get a free crappy pen, who wouldn't?
WTF is a sig?
As far as I know, all of my passwords are ********
Easier to remember that way.
actually, for a lot of my passwords I use bad math - like "16x12=42" - the biggest problem I've seen from it is it screws up my ability to do math.
The worst password system I've seen is in the online banking system that BankOne uses (which also applies to the credit cards that they run).
It won't allow you to use certain characters on the keyboard - it forces them to be 6 (!!!) alphanumeric characters.
They might have changed their system since I last saw it - I cancelled my account and wrote them a letter telling them they were retarded when they implemented that.
Nothing like severely limiting the keyspace for making good security.
There are some odd things afoot now, in the Villa Straylight.
Sometimes the easiest way to obtain information is just to ask for it. It doesnt matter how many locks you have on your door and bars on your windows if you open up for anyone that knocks...
from the treatment the employees get from the employeer and the government. They hand around your info freely. If perhaps we were treated with a modicrum of dignity and respect, it just maybe it might get returned, NOT. Treat your employees and idiots and crooks, and you will get morons and thieves :)
Why is salary and compensation secret ? I can remeber getting bonuses in front of people to HIGHLIGHT your work and effort and to illuminate to the rest of the staff that such things happened and extra effort was rewarded. Now we are told this is confidential information not to be discussed with anyone, SCREW YOU, we get tohether and compare notes all the time. If the company wants to play games and not pay based on solid criteria and reviews and performance, vs private negotiations then they had better be prepared to deal with the kind of environment that generates...
errr....umm...*whooosh* *whoosh* Is this thing on ?
I have a great idea for the next Slashdot poll. Here we go ...
My computer password is:
- 12345
- jennajameson
- password
- Other, type here: _____________
- cowboyneal
Cyde Weys Musings - Scrutinizing the inscrutable
When I was in college, Sears was giving away cups if you applied for a credit card. My friends and I must have applied for 50 of them. Yes, my name is Hugh Ugly. And I live at 314 Pi Street.
1-2-3-4-5 ???
okay - I really laughed when I read this article ... but ...
The number of things that I have to remember a fscking account name and password for in my life in insane.
To make it worse, at work the sysadmins decided that we have to change network passwords every two months!!
So, I have in my head a 'password pool' of my eight favourites, and continuously cycle through them. At worst, when I am trying to login to something I haven't used in awhile, I have to try at most eight times (usually four times). I admit this is bad.
Social engineering attacks work because the rate these systems are introduced (all with their own unique authentication scheme) vastly exceeds the rate of the human and society's ability to organize information.
I had an account with them too (long since canceled) and used the following password for it:
E6l7rs
Which, naturally, stands for "Exactly 6 le7ters".
Even with crappy restrictions, you can usually come up with something that's not going to be easily crackable.
Probably well over 50% of users use a common password within the top 10 category. (source silicon.com and Egg (UK bank))
Top 10 list:
1. Blank
2. password.
3. Cartoon(s).
4. Footbal team or player.
5. Pets.
6. Date of birth.
7. Girfriend name.
8. Something nasty; words like sex, fu** or prOn.
9. Sci-fi or fantasy (Gandalf, Yoda, etc.).
10. Company name.
Other common alternatives:
-Names on children
-qwerty and asdf
-Same password and login (root and root)
It's sad; but Joe-users are (generally) very ignorant about this problem.
Melius mori in libertate quam vivere in servitute.
Thinking: "Don't say Homer, don't say Homer."
Saying: "Homer!"
You are right. Everyone believes when they are told "don't let anyone else know, but you are getting paid above average" When word get around who is payed what it only causes problems for PHB's. I absolutly would (and actually have done exactly) pass around salary info that my boss accidently left on the copier,
Free cell phone tracking
was "none", which even after telling people, they still would have have problems getting into the account, not thinking literally.
The most common password was "password" (12 per cent) and the most popular category was their own name (16 per cent) followed by their football team (11 per cent) and date of birth (8 per cent).
Ok, so that's 47% of the company had a password that anyone could guess in 10 seconds! WHAT?? OK, I believe people are stupid, even REALLY stupid. But this I'm not sure I can believe. This study has to be tainted or something-- did they test all these passwords to make sure people weren't making them up? Seems to me that 90% of the people I know would lie about their password for a free pen.
This is of course assuming that nobody's name was password, or their birthdate was 4/9/ers or anything.
"Probably the toughest time in anyone's life is when you have to murder a loved one because they're the devil." -Philips
Sounds like they need to have a "Hey, Asshole!" note e-mailed to the boss from their account. Then let them try to figure out which of their trusted co-workers sent it.
A little paranoia would work wonders here.
You were 80% angel, 10% demon. The rest was hard to explain. - Over The Rhine
"Math in a song is good."-Linford
That's because most employees are wage slaves with no meaningful stake in the data.
The GIs in WWII used to have a saying when they abused a jeep by running it over a pothole or something: "Oh well, it's not my jeep."
Same thing with passwords: "Oh well, it's not my data."
Sure, I'll bite. My slashdot password is "vIcNRc++j2". Now you only have ~640,000 slashdot user id's to try and see who I am, since I'm posting AC. Hope you have some programming skills. I'll change my password tonight at 8pm CST, you have until then.
I turned on strong password authentication when I was promoted.
Did you ever consider going biometric?
A bunch of U.are.U (or similar) fingerprint readers would probably be a fair bit safer than any system that forces difficult-to-remember passwords, and many users would like the instant-login possibility.
Ooh, a sarcasm detector. Oh, that's a real useful invention.
Well, 'Anonymous Coward'... As you can see, I am now using your password to access your /. account!!!
Now that I have your password, I am going to use your account to post as many trolls as I possibly can, bringing your karma down as far as possible!
The best passwords from a technical standpoint are the worst from a social standpoint - the average net user probably has to remember a dozen or so passwords, and obscure combinations of characters are just not going to be remembered by people in this information-overloaded environment.
I don't have a solution - but calling the users stupid certainly isn't one. Indeed, perhaps we're the ones not paying attention.
At this point don't you think the "You are an idiot, I'm going to educate you," "awareness raising" security efforts by IT (and HR) people have basically failed? An irritatingly intrusive security approach combined with condescension to the users -- that should work, right? So let's force them to change passwords every month, but then chide them about writing down their passwords anywhere. Good idea. Makes things less secure, but as long as they're more secure in theory...
(I have a big plastic "pill" on my cabinet here; on the side is printed "A security breach is a tough pill to swallow. Your password is yours alone." This came from a major corporate IT department. Did they think an expensive internal advertizing campaign was the way to prevent people writing down passwords on post-its? These same people were behind dot-com advertizing, probably. Pretty lame.)
"Fundamentalism" isn't about divine morality. It's about human authority.
http://geodsoft.com/cgi-bin/pwcheck.pl
This seems to be a good password evaluator. Only problem, your password is displayed on the screen... so you have to make sure no one is watching you as you type (and to clear your history once your done using it...)
'Please enter a new password'
Penis
'Password too short'
I think you just answered your own question.
Money I owe, money-iy-ay
I still remember one guys password, because when he left the company he told me what it was in case I needed any of the information locked up in his account. It was CIrpotb,
It was the first letter of every word in a line from Jeremy, by Pearl Jam. "Clearly I remember picking on the boy," I am sure the comma was thrown in for variety. The other rule of the algorithm is to have one thing that violates the algorithm.
My beliefs do not require that you agree with them.
no mention of the "n" in the study. so we have no idea the statistical power of the %s they throw out. How many people did they interview? 20, 200, 2000? this leads to a big difference in the importance of the results.
At the school I go to, in 7th grade (on a Novell network), we were assigned joe passwords (password=username). I hated this, but there was no way to change the password. It was all done through Novell's application explorer. The Upper School students (I'm in 9th grade now) got to use a change password icon, while we were stuck with our joe passwords. But I found a SETPASS.EXE in one of the shared folders and changed mine. I got in a lot of trouble and was *banned* from using the computers for a few months.
The point is here: both sysadmin and users need to know about good security. How can I as a user protect my account if the sysadmin is assigning unchangable joe passwords?
...there is an underlying reason why people are predisposed to trust other people. I wonder if anyone's done any studies on whether such a predisposition is somehow an evolutionary strategy? Perhaps overall it's good for society to be cooperating instead of distrustful and angst-ridden?
Maybe *gasp* Stallman was right after all?
Protection from cheaters (con men) is fine and dandy, but perhaps the structures that require that level of protection are the problem, and not the people who are unnaturally forced to conform to security standards they don't want to?
I get such a kick out of all these Slashdot geeks sitting back, smug that their anti-social, paranoid behaviour makes them less of a target for con-men trying to "score big," while completely ignoring the corrolary: A lack of cooperation or trust in general means you don't get to reap the benefits of normal socialization.
I'm not sure which person is more sad: The one who trustingly gives away meaningless "passwords" to systems that are flawed and poorly designed anyway, or the ones who think they are somehow superior for being paranoid nutjobs about things that Don't Really Matter.
Many of you seem to think your systems are the target of every smooth-talking "social engineer" out there--get over yourselves. Nobody is interested in getting access to your porn-ridden home directories.
Kevin Mitnick's book was an interesting read, but he wasn't describing social engineering, he was describing a con artist whose prize wasn't money, but the thrill of lying convincingly to otherwise normal people. This is an asset? What the hell man? Here's an analogy that pops into mind: I can walk up to someone and sucker-punch them in the gut. Even the most seasoned martial-artists can be taken in by a sucker-punch. So what?! Should we all wander around in an extreme state of combat readiness? Should I be crowing about my own superiority just because I can sucker-punch a Ninjitsu nth-degree blackbelt god?
I call bullshit. Bull-effin-shit.
Would somebody please put this in Linux?
The subject says it all!
In my personal life, I have about half that. So yeah, I do use the same password in different places. But I usually have a "low" "medium" and "high" security password algorithm that I use. My more secure ones are up to 15 characters, my least secure are blank. (for dumb apps at work)
Managing passwords can get pretty cumbersome, but I do it because I know it needs to be done. Most people don't realize that.
I still remember working in the computer lab in college, and having to reset people's passwords daily because they would forget them. In true suave-geek fashion, every hot chick got her password changed to my name. (that never did work out the way I had hoped) :-)
My beliefs do not require that you agree with them.
Many years ago when I was a mere IS lacky at a credit union an audit came up which FINALLY recognized that credit unions had IS departments. The CU software we used stored all of the user passwords in a file on system which could be retrieved and seen (mainly by us IS folks - but then again, we had access to the HW). One of the auditors asked for a printout of all the passwords to make sure people were following the password procedure (ie no "password", names, birthdays, etc). I told him no. He called his boss, the BIG Auditor. HE told me to give it. I again said NO. HE called the CIO/CFO of the CU to make me give it to them. I did - then I sent out a company wide e-mail announcing what I did and told people to IMMEDIATELY change thier password. That lit a fire under the auditors butts. I was called into a meeting with the auditors and the top execs at the CU. We had a nice chat about security. In the end, the Auditors didn't get another printout. Oh, and when the auditors left for the day I took the password printout off of the desk of the one who requested it and put it through the shredder.
"If you are on fire you can just stop, drop, and roll. If you fall into Lava you are just dead." - my 5yr old daughter
If I found a file with salary records, I'd pass 'em around too. I still have not heard a single good reason to keep that information for only the accountant and CEO to see.
Not only would open accounting force a company to be honest about what it does financially, but it would also be a potential morale boost to the staff (and that's even when the company is down in the hole...openness means understanding and makes people work together). Plus it would put an end to the stupidity of male-female salary inequities...like work would mean like payment and any extra pay would have to be defended on the basis of what that person brings extra to the company, as it should be.
-- Waht? Tehr's a preveiw buottn?
I turned on strong password authentication when I was promoted.
Now they just leave the passwords on a post-it-note on their monitor and still share it with everyone else.
Don't solve human problems with technical measures. Solve them with human measures. Would you expect the HR department to set up the company network? Then you shouldn't try to control employees. Quick solution to your problem is to:
Problem solved. There is one caveat- you MUST make it easy for them to change their passwords. CLEARLY document how to do it, and even go so far as to set up a time when people can drop by your office/cube and get help changing their password, and you MUST give them proper time for
Please help metamoderate.
If I give out my password do I get Karma points on /.?
Fat, drunk, and stupid is no way to go through life, son.
By browbeating her password out of her this way, you reduced her resistance to future social engineering attempts. You should be teaching your users that they don't ever need to give out their passwords, regardless of who asks or in what circumstances. That's an easy rule to remember. Any complication you add to it just introduces confusion that an attacker can use.
Honest and open accounting is probably a good thing, but only if the company its self is entirely on the up and up. And I am not talking about various strictly illegal activities either.
Do you think that there would be a morale increase when it becomes common knowledge that the owners unqualified son in a junior position is paid more then people with greater amounts of skill?
Or when the 2 highest paid employees ae the owner and his secretary (who is also his girl friend).
How about when the executives get a raise that is roughly equal to the amount of payroll reduction in the last round of lay offs?
Odds are that if office morale is in the crapper already, that there is a good reason for it.
END COMMUNICATION
Thanks to Michael Moore's Bowling for Columbine, everyone now knows that up here in Canada, we don't even bother to lock our doors (unless we live in a border town).
I might as well also mention that we don't use passwords either. We don't really worry too much about crackers - most of them are just bored kids with nothing better to do.
"I have never let my schooling interfere with my education." - Mark Twain
In my engineering school there was this story about a guy in the CS department who had been "living" in front of one of the workstations for years.
On one occasion, he was helping some newbie with something; and he allowed the guy to log into his account. Naively, the newbie asked for the password across the room; everyone else in the computer center listened up expecting a refusal.
But instead, this CS guy just started to tell his password "j3Y9_fg..." loudly; the newbie started to type. But the password just kept comming; it was up towards 50 completely random characters long!
It turned out that the system insisted on a changed password every month; but the default selection was the old password. Rather than coming up with something new every month, this guy had just added one more character every time. Of course, it is not too hard to memorize one more character per month month either.
Tor
Maybe it is more than having nothing, but it could be just obsolete (as in I gave you the PW to a dead acct).
Despite the sloppiness, the outcome of the study is clear, and I'd like to see a more rigorous study...
Other good ones are 'obscure' and 'secret', always fun if someone asks you for the password.
-What's your password?
-It's obscure.
-Good, but what is it?
-I told you, it's obscure.
-OK, let's start at the top, what's your login?
-It's secret. No, really! No, not the comfy chair!
Money for nothing, pix for free
i have three passwords to remember at work. maybe four, i can't remember. but i have to change at least 3 of them every month. man, my memory just ain't that good. sometimes i can't even remember the fact that i have changed a password, let alone remember what the word is. and the door to my office has a digital lock, nevertheless anytime anybody knocks they are let in with no questions asked.
Just breathing on some scanners is enough to "reactivate" the previous user's print (from the oil they left behind). Or, when the scanner also checks for temperature, press a baggy filled with warm water against the sensor.
Iris scanners were defeated by pasting a picture of the user's iris on your glasses, or in some cases just holding a picture of the person up to the camera. A video of the person, played back on a laptop held in front of the camera, also worked.
Remember - the more complicated the technology, the more points of failure/compromise are possible.
In his book "Security Engineering"
"In conclusion, the main thing we did wrong when designing ATM security systems in the early to mid 1980s was to worry about criminals being clever; we should rather have worried about our customers - the bank's system designers, implementers, and testers - being stupid."
Ah, you don't need a password to do that.. But to make all the headers perfect, do it from their workstation, or at least don't do it from yours. :)
:)
------------------
> telnet smtp.yourcorp.com 25
helo yourcorp.com
mail from: victim@yourcorp.com
rcpt to: ceo@yourcorp.com
data
Cc: supervisor@yourcorp.com
Bcc: victim@yourcorp.com
Subject: Asshole!
Hey asshole,
I'd just like to remind you that you really suck donkey dong! I'd tell you to go screw yourself, but it seems the VP is already in "the position".
P.S., don't go home early tonight, I'll be there banging your wife and daugher.
Love,
victim
.
quit
------------------
Sometimes they call me a troublemaker. I don't know why.
Back in the day, I used to do this for personal entertainment, but it wasn't anything rude like this. I'd do messages from Bill Gates offering jobs and crap like that. One guy almost quit and went to Microsoft, til he saw me laughing my ass off when he was showing everyone in the office the printed Email.
Serious? Seriousness is well above my pay grade.
Here are the details.
And, btw, U.S. labor law protects concerted activity even if you aren't actively organizing a union.
You don't let consumers design keys to their house do you? How many people would pick a key with a really simple to determine scheme? The fact is the end-user is too gullible to be allowed to have keys which they think they understand to any kingdom. For this reason, I think real hardware keys are a better bet for computer security. End user security needs to be redesigned from the ground up to take away the user's power.
Remember, with great power comes great responsibility. The sad fact is most end users are not ready for such responsibility.
Some time back, everyone connected to the US Air Force (military, civil service, contractors, you name it) had to go through basic "here's how to not fuck up your password security" training. Everyone from generals to secretaries.
Few weeks later, an AF-wide email was sent out from the internal security people. It was very short (I forget the exact text), and it pointed people at a .mil website.
The website had a simple "type in your username and password" form.
Ungodly numbers of people blindly typed it in. Everyone from generals to secretaries. Clicking on the "submit" button logged your username in a database of Incredibly Stupid Gullible People who immediately had their accounts locked. :-)
(Some of the smart people in my branch just killed the web browser without entering anything. I think my coworker and I entered name/pass pairs like "verycutetrick/nicetry".)
A few days later, another AF-wide email from the security people, scolding everyone. Those who had fucked up were required to write a half-page essay justifying why they should have their account re-enabled even though they just handed access to an unknown group of people. I was pleased.
A few days after that, the essay requirement was revoked. Seems some N-star general with more stars than functioning neurons felt he shouldn't have to justify himself to anyone. I was disappointed.
Now we have card readers in addition to passwords. Pull out the card, the terminal locks. And the "if you mess up, your account is revoked" rule is (finally!) enforced by official AF directive.
You cannot apply a technological solution to a sociological problem. (Edwards' Law)
One problem with that kind of poll is you don't know the quality of the responces.
If someone walked up to me on the street and said "I'll give you this pen for your password" I'd say "fluffy" or something like that, take the pen and be on my way. "fluffy" Isn't my password anywhere, but they wouldn't know that.
How many people did they ask that just wanted the pen? (This wouldn't count for tbe people like the CEO who they actually tricked in to giving the password, just the ones who answered right away).
The place I work for used to have no passwords, meaning that any time an employee was asked to login, they just had to type their login name and hit enter. Not only that, but they were all running windows 2000 with administrative shares enabled, and every user was a member of the "domain admins" group. Anyone sitting at any computer in the company had full read/write access to every computer in the office, with no need to break any logins. In addition, none of them ever installed patches on their systems. Any time they opened an infected email attachment, which happened really quite often, especially at the CEO level, the virus would often spread to all the computers, and the network admin, who was actually just a shipping manager who had some computer experience, would have to clean all the computers again and sometimes restore them from previous backups.
They're doing much better now, but they still have a long way to go. Many of them still don't use passwords, and the rest use very predictable ones, but enforcing sound security practices is not in my job description.
At least there's the double firewalls, one in the office and one at the isp. There's also the frequent backups. They keep tape backups for the last 5 days and 1 tape goes to offsite storage every week. In addition, I took the liberty of writing a program to backup all the changes to the databases 3 times a day, so that they can be restored to any point in the last 8 months. If I can't force them to be secure, at least I can protect their data and patch any really major holes, like disabling the administrative shares.
Call up Me and Eds or Pizza Hut and tell them you want to order a pizza for delivery. Give them your phone number and name, and they will happily read you back their address. Then hang up.
-Pat
BTW I quote this under the terms of the GNU Free Documentation License.
Perhaps the best way to avoid salary spying is to make them open. Check out what Whole Foods Market does: http://www.fastcompany.com/online/02/team1.html "he open-salary policy is undeniably radical. But its trust-building payoff is substantial. CEO Mackey initiated the policy in 1986: "I kept hearing from people who thought I was making so much money. Finally, I just said, 'Here's what I'm making; here's what [cofounder] Craig Weller is making -- heck, here's what everybody's making.'" At the risk of an "interesting" vs "off topic" mod choice, I wanted to point out this open alternative.