Slashdot Mirror
Social Engineering Still Best Way to Crack Security
binaryDigit writes "The Register has an amusing article about a study done in the UK where office workers were asked tricky questions like 'What is your password', and 75% of the respondents answered... They were also asked ethical questions, 'If you found a file with your coworkers salaries, would you look', 75% would, and 38% would pass the information around! Read on to be both amused (esp. the CEO) and scared."
According to the article 90% of them gave their password away,
not 75%. 95% of the men and 85% of the women did.
It's sad because no matter how much I know this, people are
still able to shock me. 90% of them gave their passwords away!
I would've thought maybe 10% or 20%, but 90%?!?
As a corollary to this article, Kevin Mitnick's book "The Art of
Deception" is fantastic. I tend to think of myself as fairly
security conscious, but this book opened my eyes.
Social Engineering is a very real threat, something IMO will
take decades to be addressed. At a certain level I think Social
Engineering can never be totally defeated or even necessarily
defeated to any large degree. The problem lies with
efficiency. Any large organization that works with a large
number of external organizations is *extremely* vulnerable to
this type of attack, even with incredibly strong security
measures in place.
The company that I work for has very, very stringent control
policies for security. They are by far the most security
conscious company that I have ever worked for, yet I am
supremely confident that even a poorly executed Social
Engineering attack would be highly successful. There is no
doubt about it, when it comes to security humans are definately
the weakest link.
I wonder if the reason the numbers were a little low last year
was due to the september 11th attacks. After the attacks people
were highly conscious of security, but as time passes people
relax more and begin to trust other people more. They just
don't realize how small pieces of information can incur such a
large cost.
Doug Tolton
"The destruction of a value which is, will not bring value to that which isn't." -John Galt
Sure, most people might not be smart enough. But I'd have fun with it.
Guy: "What's your password."
Me: "My favorite tool. Dickfore."
Guy: "What's a dick-"
Me: "Nahahaha!" *scamper off*
What is music when you despise all sound?
Many people in my office will proudly announce what their password is. Infact sometimes they like to have a good laugh about who has the most simple password. A lot of times they'll spit out their password in a room full of clients. I tell ya it is a regular laugh riot
I turned on strong password authentication when I was promoted.
Now they just leave the passwords on a post-it-note on their monitor and still share it with everyone else. Lately during the monthly meetings I've been stressing the importance of security.
-Eod
If someone came up to me in a train station and said "I'll give you this free pen if you tell me your password", I'd just make something up and collect the pen.
... free pen.
'Cause, you know
Until the people who ran this survey actually *test* their findings, their data isn't very valid.
Tuus crepidae innexilis sunt.
A potential security flaw has been discovered in Human Employee. Please update all of your employees to Microsoft Android 2.0.
This survey was taken at one of my local trainstations. It's completely stupid, some guy walks up to you and says 'I'll give you this pen if you tell me your computer password', person says anything to get free pen. wow 9 out of 10 people pretended to give out their passwords and in return they got a free pen, was any of these passwords tested to see if they worked? Were they asked where they worked, the type of computer they logged on to, the location, any other network questions? NO If it was done in a seriously way, such as inside an office building it'd be far lower, it's ridiculous to draw any conclusion from this, hell I'd say "my password is donkey" (i bet ppl will try that as my slashdot password now haha) in order to get a free crappy pen, who wouldn't?
WTF is a sig?
As far as I know, all of my passwords are ********
Easier to remember that way.
actually, for a lot of my passwords I use bad math - like "16x12=42" - the biggest problem I've seen from it is it screws up my ability to do math.
The worst password system I've seen is in the online banking system that BankOne uses (which also applies to the credit cards that they run).
It won't allow you to use certain characters on the keyboard - it forces them to be 6 (!!!) alphanumeric characters.
They might have changed their system since I last saw it - I cancelled my account and wrote them a letter telling them they were retarded when they implemented that.
Nothing like severely limiting the keyspace for making good security.
There are some odd things afoot now, in the Villa Straylight.
It's ********
Pen, please?
I have a great idea for the next Slashdot poll. Here we go ...
My computer password is:
- 12345
- jennajameson
- password
- Other, type here: _____________
- cowboyneal
Cyde Weys Musings - Scrutinizing the inscrutable
okay - I really laughed when I read this article ... but ...
The number of things that I have to remember a fscking account name and password for in my life in insane.
To make it worse, at work the sysadmins decided that we have to change network passwords every two months!!
So, I have in my head a 'password pool' of my eight favourites, and continuously cycle through them. At worst, when I am trying to login to something I haven't used in awhile, I have to try at most eight times (usually four times). I admit this is bad.
Social engineering attacks work because the rate these systems are introduced (all with their own unique authentication scheme) vastly exceeds the rate of the human and society's ability to organize information.
Sounds like they need to have a "Hey, Asshole!" note e-mailed to the boss from their account. Then let them try to figure out which of their trusted co-workers sent it.
A little paranoia would work wonders here.
You were 80% angel, 10% demon. The rest was hard to explain. - Over The Rhine
"Math in a song is good."-Linford
It's Frodo.
Don't worry about sending the pen, I called up your ISP and said I was Bob the field service tech and you were having trouble logging in, would they mind verifying that your password was 'patthebunny', they indicated it must have been changed, I indicated you had tried to change it to 'patthebunny', which hadn't apparently gone through, "maybe the password change object garbled it, what does it show?" With that tidbit I looked into your account and found a cookie with your Visa card number and some email with your home address. I called up Visa and changed the billing address (tip o' the hat to your mom wishing you a happy birthday) A carton should be arriving at the neighbor's (who happens to be away on business, but I have a fake DL with his name on it, thanks to the DMV who never check anything.)
Whoops! Look at the time. Better get my duds on and stroll into the governors mansion like I belong there. (I need to complete 6 place settings and only have 4 so far.)
Ta!
A feeling of having made the same mistake before: Deja Foobar
Sure, I'll bite. My slashdot password is "vIcNRc++j2". Now you only have ~640,000 slashdot user id's to try and see who I am, since I'm posting AC. Hope you have some programming skills. I'll change my password tonight at 8pm CST, you have until then.
The best passwords from a technical standpoint are the worst from a social standpoint - the average net user probably has to remember a dozen or so passwords, and obscure combinations of characters are just not going to be remembered by people in this information-overloaded environment.
I don't have a solution - but calling the users stupid certainly isn't one. Indeed, perhaps we're the ones not paying attention.
If I found a file with salary records, I'd pass 'em around too. I still have not heard a single good reason to keep that information for only the accountant and CEO to see.
Not only would open accounting force a company to be honest about what it does financially, but it would also be a potential morale boost to the staff (and that's even when the company is down in the hole...openness means understanding and makes people work together). Plus it would put an end to the stupidity of male-female salary inequities...like work would mean like payment and any extra pay would have to be defended on the basis of what that person brings extra to the company, as it should be.
-- Waht? Tehr's a preveiw buottn?
I turned on strong password authentication when I was promoted.
Now they just leave the passwords on a post-it-note on their monitor and still share it with everyone else.
Don't solve human problems with technical measures. Solve them with human measures. Would you expect the HR department to set up the company network? Then you shouldn't try to control employees. Quick solution to your problem is to:
Problem solved. There is one caveat- you MUST make it easy for them to change their passwords. CLEARLY document how to do it, and even go so far as to set up a time when people can drop by your office/cube and get help changing their password, and you MUST give them proper time for
Please help metamoderate.
In his book "Security Engineering"
"In conclusion, the main thing we did wrong when designing ATM security systems in the early to mid 1980s was to worry about criminals being clever; we should rather have worried about our customers - the bank's system designers, implementers, and testers - being stupid."