Slashdot Mirror
Social Engineering Still Best Way to Crack Security
binaryDigit writes "The Register has an amusing article about a study done in the UK where office workers were asked tricky questions like 'What is your password', and 75% of the respondents answered... They were also asked ethical questions, 'If you found a file with your coworkers salaries, would you look', 75% would, and 38% would pass the information around! Read on to be both amused (esp. the CEO) and scared."
According to the article 90% of them gave their password away,
not 75%. 95% of the men and 85% of the women did.
It's sad because no matter how much I know this, people are
still able to shock me. 90% of them gave their passwords away!
I would've thought maybe 10% or 20%, but 90%?!?
As a corollary to this article, Kevin Mitnick's book "The Art of
Deception" is fantastic. I tend to think of myself as fairly
security conscious, but this book opened my eyes.
Social Engineering is a very real threat, something IMO will
take decades to be addressed. At a certain level I think Social
Engineering can never be totally defeated or even necessarily
defeated to any large degree. The problem lies with
efficiency. Any large organization that works with a large
number of external organizations is *extremely* vulnerable to
this type of attack, even with incredibly strong security
measures in place.
The company that I work for has very, very stringent control
policies for security. They are by far the most security
conscious company that I have ever worked for, yet I am
supremely confident that even a poorly executed Social
Engineering attack would be highly successful. There is no
doubt about it, when it comes to security humans are definately
the weakest link.
I wonder if the reason the numbers were a little low last year
was due to the september 11th attacks. After the attacks people
were highly conscious of security, but as time passes people
relax more and begin to trust other people more. They just
don't realize how small pieces of information can incur such a
large cost.
Doug Tolton
"The destruction of a value which is, will not bring value to that which isn't." -John Galt
Sure, most people might not be smart enough. But I'd have fun with it.
Guy: "What's your password."
Me: "My favorite tool. Dickfore."
Guy: "What's a dick-"
Me: "Nahahaha!" *scamper off*
What is music when you despise all sound?
Many people in my office will proudly announce what their password is. Infact sometimes they like to have a good laugh about who has the most simple password. A lot of times they'll spit out their password in a room full of clients. I tell ya it is a regular laugh riot
I turned on strong password authentication when I was promoted.
Now they just leave the passwords on a post-it-note on their monitor and still share it with everyone else. Lately during the monthly meetings I've been stressing the importance of security.
-Eod
If someone came up to me in a train station and said "I'll give you this free pen if you tell me your password", I'd just make something up and collect the pen.
... free pen.
'Cause, you know
Until the people who ran this survey actually *test* their findings, their data isn't very valid.
Tuus crepidae innexilis sunt.
A potential security flaw has been discovered in Human Employee. Please update all of your employees to Microsoft Android 2.0.
This survey was taken at one of my local trainstations. It's completely stupid, some guy walks up to you and says 'I'll give you this pen if you tell me your computer password', person says anything to get free pen. wow 9 out of 10 people pretended to give out their passwords and in return they got a free pen, was any of these passwords tested to see if they worked? Were they asked where they worked, the type of computer they logged on to, the location, any other network questions? NO If it was done in a seriously way, such as inside an office building it'd be far lower, it's ridiculous to draw any conclusion from this, hell I'd say "my password is donkey" (i bet ppl will try that as my slashdot password now haha) in order to get a free crappy pen, who wouldn't?
WTF is a sig?
As far as I know, all of my passwords are ********
Easier to remember that way.
actually, for a lot of my passwords I use bad math - like "16x12=42" - the biggest problem I've seen from it is it screws up my ability to do math.
The worst password system I've seen is in the online banking system that BankOne uses (which also applies to the credit cards that they run).
It won't allow you to use certain characters on the keyboard - it forces them to be 6 (!!!) alphanumeric characters.
They might have changed their system since I last saw it - I cancelled my account and wrote them a letter telling them they were retarded when they implemented that.
Nothing like severely limiting the keyspace for making good security.
There are some odd things afoot now, in the Villa Straylight.
It's ********
Pen, please?
from the treatment the employees get from the employeer and the government. They hand around your info freely. If perhaps we were treated with a modicrum of dignity and respect, it just maybe it might get returned, NOT. Treat your employees and idiots and crooks, and you will get morons and thieves :)
Why is salary and compensation secret ? I can remeber getting bonuses in front of people to HIGHLIGHT your work and effort and to illuminate to the rest of the staff that such things happened and extra effort was rewarded. Now we are told this is confidential information not to be discussed with anyone, SCREW YOU, we get tohether and compare notes all the time. If the company wants to play games and not pay based on solid criteria and reviews and performance, vs private negotiations then they had better be prepared to deal with the kind of environment that generates...
errr....umm...*whooosh* *whoosh* Is this thing on ?
I have a great idea for the next Slashdot poll. Here we go ...
My computer password is:
- 12345
- jennajameson
- password
- Other, type here: _____________
- cowboyneal
Cyde Weys Musings - Scrutinizing the inscrutable
okay - I really laughed when I read this article ... but ...
The number of things that I have to remember a fscking account name and password for in my life in insane.
To make it worse, at work the sysadmins decided that we have to change network passwords every two months!!
So, I have in my head a 'password pool' of my eight favourites, and continuously cycle through them. At worst, when I am trying to login to something I haven't used in awhile, I have to try at most eight times (usually four times). I admit this is bad.
Social engineering attacks work because the rate these systems are introduced (all with their own unique authentication scheme) vastly exceeds the rate of the human and society's ability to organize information.
Probably well over 50% of users use a common password within the top 10 category. (source silicon.com and Egg (UK bank))
Top 10 list:
1. Blank
2. password.
3. Cartoon(s).
4. Footbal team or player.
5. Pets.
6. Date of birth.
7. Girfriend name.
8. Something nasty; words like sex, fu** or prOn.
9. Sci-fi or fantasy (Gandalf, Yoda, etc.).
10. Company name.
Other common alternatives:
-Names on children
-qwerty and asdf
-Same password and login (root and root)
It's sad; but Joe-users are (generally) very ignorant about this problem.
Melius mori in libertate quam vivere in servitute.
Sounds like they need to have a "Hey, Asshole!" note e-mailed to the boss from their account. Then let them try to figure out which of their trusted co-workers sent it.
A little paranoia would work wonders here.
You were 80% angel, 10% demon. The rest was hard to explain. - Over The Rhine
"Math in a song is good."-Linford
It's Frodo.
Don't worry about sending the pen, I called up your ISP and said I was Bob the field service tech and you were having trouble logging in, would they mind verifying that your password was 'patthebunny', they indicated it must have been changed, I indicated you had tried to change it to 'patthebunny', which hadn't apparently gone through, "maybe the password change object garbled it, what does it show?" With that tidbit I looked into your account and found a cookie with your Visa card number and some email with your home address. I called up Visa and changed the billing address (tip o' the hat to your mom wishing you a happy birthday) A carton should be arriving at the neighbor's (who happens to be away on business, but I have a fake DL with his name on it, thanks to the DMV who never check anything.)
Whoops! Look at the time. Better get my duds on and stroll into the governors mansion like I belong there. (I need to complete 6 place settings and only have 4 so far.)
Ta!
A feeling of having made the same mistake before: Deja Foobar
Sure, I'll bite. My slashdot password is "vIcNRc++j2". Now you only have ~640,000 slashdot user id's to try and see who I am, since I'm posting AC. Hope you have some programming skills. I'll change my password tonight at 8pm CST, you have until then.
The best passwords from a technical standpoint are the worst from a social standpoint - the average net user probably has to remember a dozen or so passwords, and obscure combinations of characters are just not going to be remembered by people in this information-overloaded environment.
I don't have a solution - but calling the users stupid certainly isn't one. Indeed, perhaps we're the ones not paying attention.
At this point don't you think the "You are an idiot, I'm going to educate you," "awareness raising" security efforts by IT (and HR) people have basically failed? An irritatingly intrusive security approach combined with condescension to the users -- that should work, right? So let's force them to change passwords every month, but then chide them about writing down their passwords anywhere. Good idea. Makes things less secure, but as long as they're more secure in theory...
(I have a big plastic "pill" on my cabinet here; on the side is printed "A security breach is a tough pill to swallow. Your password is yours alone." This came from a major corporate IT department. Did they think an expensive internal advertizing campaign was the way to prevent people writing down passwords on post-its? These same people were behind dot-com advertizing, probably. Pretty lame.)
"Fundamentalism" isn't about divine morality. It's about human authority.
Everywhere I have ever worked (USA) has warned us that our salaries are confidential. Which stopped about 1% of us from comparing them. All a company accomplishes by hiding salaries is being able to pay people less, which is a very bad thing from an employee perspective.
I still remember one guys password, because when he left the company he told me what it was in case I needed any of the information locked up in his account. It was CIrpotb,
It was the first letter of every word in a line from Jeremy, by Pearl Jam. "Clearly I remember picking on the boy," I am sure the comma was thrown in for variety. The other rule of the algorithm is to have one thing that violates the algorithm.
My beliefs do not require that you agree with them.
Many years ago when I was a mere IS lacky at a credit union an audit came up which FINALLY recognized that credit unions had IS departments. The CU software we used stored all of the user passwords in a file on system which could be retrieved and seen (mainly by us IS folks - but then again, we had access to the HW). One of the auditors asked for a printout of all the passwords to make sure people were following the password procedure (ie no "password", names, birthdays, etc). I told him no. He called his boss, the BIG Auditor. HE told me to give it. I again said NO. HE called the CIO/CFO of the CU to make me give it to them. I did - then I sent out a company wide e-mail announcing what I did and told people to IMMEDIATELY change thier password. That lit a fire under the auditors butts. I was called into a meeting with the auditors and the top execs at the CU. We had a nice chat about security. In the end, the Auditors didn't get another printout. Oh, and when the auditors left for the day I took the password printout off of the desk of the one who requested it and put it through the shredder.
"If you are on fire you can just stop, drop, and roll. If you fall into Lava you are just dead." - my 5yr old daughter
If I found a file with salary records, I'd pass 'em around too. I still have not heard a single good reason to keep that information for only the accountant and CEO to see.
Not only would open accounting force a company to be honest about what it does financially, but it would also be a potential morale boost to the staff (and that's even when the company is down in the hole...openness means understanding and makes people work together). Plus it would put an end to the stupidity of male-female salary inequities...like work would mean like payment and any extra pay would have to be defended on the basis of what that person brings extra to the company, as it should be.
-- Waht? Tehr's a preveiw buottn?
I turned on strong password authentication when I was promoted.
Now they just leave the passwords on a post-it-note on their monitor and still share it with everyone else.
Don't solve human problems with technical measures. Solve them with human measures. Would you expect the HR department to set up the company network? Then you shouldn't try to control employees. Quick solution to your problem is to:
Problem solved. There is one caveat- you MUST make it easy for them to change their passwords. CLEARLY document how to do it, and even go so far as to set up a time when people can drop by your office/cube and get help changing their password, and you MUST give them proper time for
Please help metamoderate.
By browbeating her password out of her this way, you reduced her resistance to future social engineering attempts. You should be teaching your users that they don't ever need to give out their passwords, regardless of who asks or in what circumstances. That's an easy rule to remember. Any complication you add to it just introduces confusion that an attacker can use.
In my engineering school there was this story about a guy in the CS department who had been "living" in front of one of the workstations for years.
On one occasion, he was helping some newbie with something; and he allowed the guy to log into his account. Naively, the newbie asked for the password across the room; everyone else in the computer center listened up expecting a refusal.
But instead, this CS guy just started to tell his password "j3Y9_fg..." loudly; the newbie started to type. But the password just kept comming; it was up towards 50 completely random characters long!
It turned out that the system insisted on a changed password every month; but the default selection was the old password. Rather than coming up with something new every month, this guy had just added one more character every time. Of course, it is not too hard to memorize one more character per month month either.
Tor
In his book "Security Engineering"
"In conclusion, the main thing we did wrong when designing ATM security systems in the early to mid 1980s was to worry about criminals being clever; we should rather have worried about our customers - the bank's system designers, implementers, and testers - being stupid."
You don't let consumers design keys to their house do you? How many people would pick a key with a really simple to determine scheme? The fact is the end-user is too gullible to be allowed to have keys which they think they understand to any kingdom. For this reason, I think real hardware keys are a better bet for computer security. End user security needs to be redesigned from the ground up to take away the user's power.
Remember, with great power comes great responsibility. The sad fact is most end users are not ready for such responsibility.
Some time back, everyone connected to the US Air Force (military, civil service, contractors, you name it) had to go through basic "here's how to not fuck up your password security" training. Everyone from generals to secretaries.
Few weeks later, an AF-wide email was sent out from the internal security people. It was very short (I forget the exact text), and it pointed people at a .mil website.
The website had a simple "type in your username and password" form.
Ungodly numbers of people blindly typed it in. Everyone from generals to secretaries. Clicking on the "submit" button logged your username in a database of Incredibly Stupid Gullible People who immediately had their accounts locked. :-)
(Some of the smart people in my branch just killed the web browser without entering anything. I think my coworker and I entered name/pass pairs like "verycutetrick/nicetry".)
A few days later, another AF-wide email from the security people, scolding everyone. Those who had fucked up were required to write a half-page essay justifying why they should have their account re-enabled even though they just handed access to an unknown group of people. I was pleased.
A few days after that, the essay requirement was revoked. Seems some N-star general with more stars than functioning neurons felt he shouldn't have to justify himself to anyone. I was disappointed.
Now we have card readers in addition to passwords. Pull out the card, the terminal locks. And the "if you mess up, your account is revoked" rule is (finally!) enforced by official AF directive.
You cannot apply a technological solution to a sociological problem. (Edwards' Law)
Man! I thought you wer joking, but I guess Taco is the one with the weird sense of humor.
One thing though... when I'm logged him as him, I can't see any of the articles. Any suggestions?
Perhaps the best way to avoid salary spying is to make them open. Check out what Whole Foods Market does: http://www.fastcompany.com/online/02/team1.html "he open-salary policy is undeniably radical. But its trust-building payoff is substantial. CEO Mackey initiated the policy in 1986: "I kept hearing from people who thought I was making so much money. Finally, I just said, 'Here's what I'm making; here's what [cofounder] Craig Weller is making -- heck, here's what everybody's making.'" At the risk of an "interesting" vs "off topic" mod choice, I wanted to point out this open alternative.