First-Person Account of a Social Engineering Attack
darkreadingman writes, "A penetration tester tells how he broke into a bank's network dressed as a copier repairman. Some good lessons here — many companies spend millions on network security, but don't teach their employees how to challenge a stranger in the building. Social engineering at the company site can be one of the most difficult attacks to defend against." From the article: "Before departing scenes like these, we try to document the effort and provide proof of our success. I usually leave something behind and then contact the person who hired me and direct them to the mark. In this case I wrote his password on a ream of paper and tucked it under the machine."
You know, I was wondering why that guy needed my password to fix the copier.
It's not really news as it is just reaffirmation that the weakest link in security is the human factor. It's been a known problem that someone could just walk in and pretend to be tech support/help desk/repair for as long as there have been computers.
In a world of acronyms, the words are the real victims.
There are way too many first person games in the U.S.
I think it goes without saying that anyone getting into your office claiming to be someone they aren't is a threat. Hacker or otherwise, they can easily get information they want with a "hall pass" for the whole building.
penetration tester. now that's a job! is it somehow related to the porn industry?
I wonder what kind of sniffer he was using to get passwords in 'seconds', including the higher-ups... weren't they not in the building at that time?
GetOuttaMySpace - The Anti-Social Network
Simple enough. I don't know if I am paranoid or what, but if I received an unsolicited "service" for one of our machines I would double check with my contact for that company.
If someone is poking around who I do not know, I will check it with my boss.
Do Or Do Not, There Is No Spoon, There Is Only Zuul. Everything in the above post is probably opinion.
To get out of trouble you just have to practice ONE skill: how to social engineer the police into believing that you are a penetration tester.
With the trend in porn towards the foot-long as standard, I doubt anybody needs a penetration tester.
I wonder, since the article states that the tester was - within seconds - able to sniff passwords and usernames, that if the bank had employed biometric security devices would this sniffing have been so easy?
This rant brought to you by my cold, Adobe InDesign and my idiot clients.
I am a believer of momentum and curves.
If you mod me down, I shall become more powerful than you could possibly imagine.
..go ahead, look.
If you see your password there, that proves I was in your place.
"In this case I wrote his password on a ream of paper and tucked it under the machine."
If it says "12345" it proves you watched Spaceballs.
Oh You POS
The most vulnerable aspect of security is the people working. The best security consulting firms focus on this the most, and provide training to employees to be wary of people who might be unauthorized, from giving out passwords over the phone or over e-mail to confronting somebody who might not be who they say they are (like a copier repairman). I know some security firms have their consultants dress up as a UPS or FedEx man making a delivery to gain physical access to the building.
When we installed Wireless LAN at our company, we switched all network access ports to 802.1x authentication.
It required some effort, since we had to "quarantine" non-802.1x devices to separate networks, but I think the security advantages outweigh the work needed.
We're just a small IT service company, not a bank. I really wonder why a bank hasn't been using 802.1x for several years.
I do understand the need for security but isn't intentionally breaking in and publishing it on the internet just an invitation for more people to try the same? I know that there are laws against this.
.... NO!
It is very well possible to snatch a baby from a mom. Does that mean you DO it?
Everything is vulnerable to penetration and banks are no exception. The real question is, should the "social engineer" be allowed to do it in the first place?
In this case I wrote his password on a ream of paper and tucked it under the machine. :)
That seems like an awful lot of effort, when you could just write it on one sheet.
$2000.00 cash and you can pay off the cleaning service people to let you in dressed as them. Easily, sometimes for far less. Those people are so underpaid, yet have access to the most secure parts of the company. You can get in, get past the security guards without a second look, and you are allowed to root around in secure areas on camera, as you are supposed to be under each desk cleaning out trash.
Install a few key loggers, come back in a week and harvest them. No problem and easily undetected at any corporation. They probably will never suspect you even after they get massive hacks later because security typically is also underpaid and way under trained.
Do not look at laser with remaining good eye.
1st: Someone calls an office and says that copier supply cost will go up next month, so stock up now. Then they charge you an arm and a leg for your order. (Most of the time toner and developer is covered under the service contract.)
2nd: Sometimes, someone would call up and say that they don't like the new tech that we sent out. I would say "What tech? You don't have a call up on your machine?" Then after a few minutes of back and forth they would realize that it was (a) for the other copy machine and not one from my company, or (b) someone was looking around the office without authorization. The scary thing is that this often happened at schools.
Later, at my next job, I nabbed someone pretending to be a copy 'service agent' at the front desk and fed them a line until they went away.
The moral of the story is: be paranoid, ask for ID, make people sign in, never ever trust someone who just shows up, and make sure all visitors are escorted at all times.
We are the Borg...
Where I once worked we had students trying social engineering on us all the time. I was a student worker at the time and knew most of the tricks, but when anything new came along it had to go through the filter of common sense. If only 3 people have open access to certain systems, one of them must know of someone claiming they need access, but if you can't contact the other two, you simply stand your ground, bar access and say to the attempted intruder, "Sorry, can't let you in, but don't worry, not your fault. Whoever was granting you access failed to inform everyone." Pretty easy to see if they were trying to engineer me after that, depending how they reacted. If they were insistent then I'd call security, which would make them change their tune pronto.
Common sense: If you don't know about some repairman, then it's not your fault when you turn them away.
A feeling of having made the same mistake before: Deja Foobar
Lying is a specific tool, not a blanket term for the various types of deception which may be employed in social engineering. Perhaps you think it sounds self-important, but that assumes that the only people who use the term are engaged in the practice. I think the term sounds reasonably descriptive and emotionally neutral, unlike "scamming" for example, and allows for the possibility that some people may engage in social engineering for non-harmful purposes.
That's the same combination I use on my luggage.
While this is not technically "news", it serves as a good reminder and notice of warning. As mentioned in the article...
Hearing stories like this raises awareness for all of us, and reminds us of different ways that we can be exploited so that we can avoid them. Just like learning from history, it is always better to learn from someone else's mistake instead of learning it the hard way.
I believe in de-evolution. God made the world perfect, man fell, and it's been going downhill ever since!
...I could be a penetration tester. On Jenna Jameson. ;P
-"...bad old ideas look confusingly fresh when they are packaged as technology" - Jaron Lanier (Digital Maoism on Edge.o
I recently hired a car from a well known car company (I won't name them as in general I find them to be a very good company)
I normally hire from one particular branch and drop it back off there, and as a regular customer I know each of the staff by name; however, on this occasion I was dropping the car back at the airport.
After parking up a guy came from a car in another bay (for the same car company) and asked if I was dropping off one of their cars, which I confirmed, and told him it had come from my usual branch and not the airport. He asked to see the paperwork and did a check over the car - not a problem. After he gave me the paperwork back he asked for the keys. Since I didn't know him and he wasn't even wearing a uniform I asked to see ID; he couldn't provide it, and all he did have was a stack of paperwork with the company letterhead in a file.
Well, I'm afraid that isn't really good enough proof of ID - I told him I'd drop the key off at their desk (which is opposite my check-in desk) since I had no way to know if he was an employee or not.
After dropping the key off at the office of the car company in the airport it turns out he was a legitimate employee but the question of ID has never come up.
I saw some of the other cars there - they are always brand new, and while I usually take something like an Astra or a Vectra, this being the airport car park there were several Jags and a Merc or two. It seems it would be a VERY easy way to obtain a few cars... park up, inspect the car, ask for the key.
Even if you get pulled over by the police you would just have to say it's a hire car - a check of the registration would confirm that - these companies really should be a little more careful of their security!!
$_="Slashdotter";$syn="OTT";s;..;;;sub _{print shift||$_};s!ash!Perl !;s=$syn=ack=i;tr+LLEd+BLAH+;_"Just Another ";_
Interestingly, the network did not have DHCP locked down to not provide an IP address. Although not a big effort to overcome, keeping it open made his job even easier and gives even less sophisticated hackers a chance.
Bank without MAC access filtering and no IDS ???
??????
At my previous job, DHCP was not used for printers. In fact, you could not plug into any port and get a connection. Everything was locked down by MAC address and every printer was given a specific IP address. Even the pc ports were locked by MAC address.
Sadly, my current place of employment does not follow this rule. Anyone could do what the article talks about except that our security guard is pretty good about calling someone if a technician shows up and says they have to do something. If that happens, I am usually the one who goes down and finds out what's going on. Since I work in IT, I would know if what the person is saying is true or not.
We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
"Gentlemen, your communication lines are vulnerable, your fire exits need to be monitored, your rent-a-cops are a tad undertrained. Outside of that everything seems to be just fine. You'll be getting our full report and analysis in a few days but first, who's got my check?"
Slashdot Burying Stories About Slashdot Media Owned
Whenever I hear the usual rant about users having their password as a sticky note on their monitors, my instant reaction is "It's your fault, you goob!" I've worked lots of places where they've implemented a new "password security process" which requires you to switch your password regularly and which prevent you from using the same password for some ridiculous period of time and which disallow dictionary-based words/phrases.
:-)
Hello, McFly? Which is better: my having an easily-remembered but difficult-to-guess password that I never write down, or you forcing me to change my password frequently and then write it down because your policy makes me choose something obscure? My original password was fairly strong (a combination of upper and lowercase letters and numbers that are meaningful only to me) but when I'm forced to change to something new, it will be written down somewhere until it's committed to memory. Can you say "counterproductive"? How about "unintended consequences"?
Of course, I understand that a lot of these policies are based on outdated recommendations and come down from on high. However, it would be nice if those making these "rules" would realize that most users have other things to do besides remembering a constantly changing set of passwords. Oh, BTW -- my new password is "theCIOsucks!"
Friend of a friend got a job doing security audits for a major energy company here in Houston.
1) He broke into a top nuclear facility by holding a box and asking the person ahead of him to hold the door.
2) He set off the "man trap" and found he could easily climb out of it.
3) He found out the heavily secure facility had secure areas protected by sheetrock walls in some areas.
He finally embarrassed so many people that they posted a picture of his face to all employees with a warning to be careful. That destroyed his effectiveness. Some solution.
But that's the real world for you.
She was like chocolate when she drank... semi-sweet at first and then increasingly bitter.
Once they realize it's AWOL and they call the original owner who says he returned it, they'd report it stolen and then getting pulled over wouldn't be so easy to get out of.
I've had enough abrasive sigs. Kittens are cute and fuzzy.
I've been thinking about the article. It seems to me that such an abject failure to prevent a security breach could be more demoralizing than instructive. In most companies, the employees are not going to be security-savvy, and they will not question a potential intruder. When the penetration test is successful everyone just feels stupid and slightly used. That's my guess at how the bank employees would react when the boss let them know that they got totally hacked.
Instead, for those bosses with fewer scruples, you'd probably get more bang for your buck by faking the penetration test. Hire some dude to try to get in, and arrange for some employee to "catch" him. Then you get to circulate the news that you were successful because an employee did the right thing. I think the information would be just as instructive (always ask for outside confirmation of vendor reps), but instead of being depressing (you guys all failed to do the right thing) it could be empowering (it's easy to do the right thing, and one of you managed to do it).
Is penetration testing even worth the money for a system as obviously insecure as this one? If, as the article claims, these attempts succeed 9 times out of 10, then you don't need to pay for the penetration test to know your company will fail. Does a bank manager really need to pay someone to tell them the obvious? They should take some proactive steps towards security-enhancements first, and save the penetration testing for when they actually think they have a somewhat hardened system (social and technical) to penetrate.
-stormin
The Southern Baptist Convention has creationism. On Slashdot, we have porn.
When you check into a public school these days, you have to get a badge from the front desk (after signing in). When you walk around the school with the badge on, no one questions you. If you don't have a badge on, people will accost you. Take a blank business card and hang it from your shirt and no one will stop you.
I tried to point out the futility of such a system, but they don't get it.
If you want the school to be secure, here is the simple solution.
If you see someone you don't know, walk up to them and say "Hi, my name is Charlie, can I help you find anything?" Too busy to do this? DON'T EXPECT SECURITY.
God: "I don't leave footprints!"
There were a number of technical security flaws he exploited as well. Among them:
> I then disconnected the network cable from the copier/printer and attached my laptop. As soon
> as my laptop booted up, DHCP provided a network address and I was on the internal network.
This should never be. In the first place, DHCP should not hand out an internal-network address to any old network card that comes calling, and in the second place, the copier should probably be isolated from any important or sensitive subnets by a firewall that should only pass the sort of traffic needed for printing/copying/scanning functions, and only if it's coming from the copier's IP address. Discovering the copier's IP address, in order to use it, would be easy enough (our copier has an easy menu interface for configuring that, for instance), but it's an extra thing the attacker has to do, and it should still only get him the ports that the copier normally uses. Defense in depth demands that you erect whatever barriers you can.
Furthermore...
> I started a few of our utilities and started sniffing the traffic on the network.
> Within seconds I had a variety of logins and passwords,
Ack! Switches cost, what, a whole extra fifty cents per port, as compared to hubs? WHY would anybody with anything significant to protect be running an unswitched network? Bad network engineer, no cookie.
Cut that out, or I will ship you to Norilsk in a box.
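As an added example (not from the article or any poster in this thread), here is the compensating control the post above argues for, written as a defender would: a DHCP server that hands an internal address to any NIC that asks should at least alert when the MAC is not one you own, or when a known MAC shows up on the wrong segment or under a different hostname (the thread also notes MACs are trivially spoofed). It assumes dnsmasq's DHCPACK log format; the inventory and log lines are constructed.

```python
"""Audit DHCP lease acknowledgements against an asset inventory.

Added example, not the article's or any poster's code. Assumes the dnsmasq
DHCPACK log line; the inventory and the log excerpt below are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed asset inventory: MAC -> (expected hostname, expected interface/segment).
INVENTORY: Dict[str, Tuple[str, str]] = {
    "00:1b:63:84:45:e6": ("copier-2f", "vlan20"),     # the copier, on the printer segment
    "00:25:90:12:ab:cd": ("teller-ws-07", "vlan10"),  # a teller workstation
}

# dnsmasq logs an acknowledged lease as:
#   dnsmasq-dhcp[PID]: DHCPACK(<iface>) <ip> <mac> [<hostname>]
LEASE_RE = re.compile(
    r"DHCPACK\((?P<iface>[\w.-]+)\)\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})(?:\s+(?P<host>\S+))?"
)


@dataclass(frozen=True)
class LeaseFinding:
    severity: str
    ip: str
    mac: str
    reason: str


def audit_leases(log_lines: List[str], inventory=INVENTORY) -> List[LeaseFinding]:
    """Return one finding per suspicious DHCPACK; DISCOVER/REQUEST lines are ignored."""
    findings: List[LeaseFinding] = []
    for line in log_lines:
        m = LEASE_RE.search(line)
        if not m:
            continue  # not an acknowledged lease
        iface, ip, mac, host = m["iface"], m["ip"], m["mac"].lower(), m["host"]
        if mac not in inventory:
            # The article's scenario: a laptop nobody owns gets an address on a real segment.
            findings.append(LeaseFinding(
                "high", ip, mac,
                f"lease on {iface} to a MAC not in the asset inventory (hostname {host!r})"))
            continue
        expected_host, expected_iface = inventory[mac]
        if iface != expected_iface:
            # A known device answering from the wrong segment: copier on the workstation VLAN.
            findings.append(LeaseFinding(
                "medium", ip, mac,
                f"known device {expected_host!r} leased on {iface}, expected {expected_iface}"))
        if host and host != expected_host:
            # Same MAC, different hostname: the usual footprint of a cloned MAC.
            findings.append(LeaseFinding(
                "medium", ip, mac,
                f"known MAC now reports hostname {host!r}, inventory says {expected_host!r}; possible MAC spoof"))
    return findings


# Constructed log excerpt: the copier gets its usual lease, then an unknown laptop
# appears on the printer segment, then the copier's MAC appears on the workstation
# segment under a different hostname. The DHCPDISCOVER line is noise and is skipped.
SAMPLE_LOG = [
    "Mar  3 09:14:02 dhcp1 dnsmasq-dhcp[812]: DHCPACK(vlan20) 10.0.20.14 00:1b:63:84:45:e6 copier-2f",
    "Mar  3 09:14:40 dhcp1 dnsmasq-dhcp[812]: DHCPACK(vlan20) 10.0.20.15 00:0c:29:5a:8e:21 laptop-x",
    "Mar  3 09:15:12 dhcp1 dnsmasq-dhcp[812]: DHCPACK(vlan10) 10.0.10.31 00:25:90:12:ab:cd teller-ws-07",
    "Mar  3 09:16:03 dhcp1 dnsmasq-dhcp[812]: DHCPACK(vlan10) 10.0.10.44 00:1b:63:84:45:e6 laptop-x",
    "Mar  3 09:16:05 dhcp1 dnsmasq-dhcp[812]: DHCPDISCOVER(vlan10) 00:0c:29:5a:8e:21",
]

if __name__ == "__main__":
    for f in audit_leases(SAMPLE_LOG):
        print(f"[{f.severity}] {f.ip} {f.mac}: {f.reason}")
```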
I am not 100% sure if this is covered, but I do recall banks with FDIC insurance will let themselves have holes in their physical security to be robbed. The reason for this is that the banks can argue they were in the middle of numerous high value transactions, which wouldn't have been audited. This way they can get more money back from FDIC than they really lost.
I am not sure how this applies though with that type of theft.
Teaching employees to police each other at the door does NOT help security. It does not work. All the awareness training in the world is wasted money because "politeness" is built in to our culture.
If I'm walking out the door, and someone coming in catches the door after I walk out, am I going to stop, turn around, go back in the building, stop the person on the way to the stairs, force him to follow me back to the badge reader, and wait to make sure his badge is accepted by the reader? No.
It will never happen.
Even if your security awareness training is so successful that 50% of your employees do this, an intruder only has to try twice to get in. You gain nothing.
Employee-enforced physical security is a farce. You will ONLY have real physical security if you have a dedicated security guard who checks every badge and photo-ID for every person entering the building.
A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
I never really believed the stories about post-it notes with passwords under the keyboard. My last job was in a large store with a few computers present on the floor and at the service desk. Most computers were not being watched most of the time. I could not find passwords UNDER the keyboards, but the computer at the service desk had a little piece of paper taped to the top left corner. This was in clear view of all the customers who entered the store. This password was not for the regular login account. The password was more like an admin password. With this password you could not only look for store information but also modify most information. I did not report this information because I didn't think they would understand. I was told not to use keyboard shortcuts to shut down the machines because that was supposed to be bad?!
"Think about it Derek. Male models are genetically constructed to become assassins. They're in peak physical condition. They can gain entry into the most secure places in the world. And most important of all, models don't think for themselves. They do as they're told."
MAC addresses can be trivially faked.
What you need to do is assume that your wireless network has already been penetrated by Joe sitting at Starbucks, and then develop a defense from there. For example, one solution is having all wireless clients go through a VPN client with strong authentication mechanisms just to get back into the corporate network.
Social engineering is a subset of lying. Usually deception or implications.
Yes deception is lying.
If you say "I'm going to the movies" then drive to the movie wait 5 minutes, and then go to a motel to bang your mistress, you have still lied. I would argue the worst kind of lie.
The Kruger Dunning explains most post on
Depends on the device. Most that I have seen are just a print recognizer that inputs your password for you. That is, you spend 1 second compared to 2 filling in the password box. A neat trick, but doesn't do anything for security. Even if a system used the print itself, you're just trading a few characters for an image.
You could make the argument that they weaken security since the password has to be stored twice. And in many cases if you know what you are doing, a good print (good enough to fool the reader) is easier to get than watching someone type in a password or installing a key logger.
Encrypted login would have prevented this particular breach.
Certainly other systems exist, but what I've seen isn't impressive.
Platform advocacy is like choosing a favorite severely developmentally disabled child.
Lineman.net is gone, but one of Isreal's entertaining/scary stories is still to be found on the redirect, AllYourTech.com: Introducing social engineering to the workplace. Recommended reading.
I shall go and tell the indestructible man that someone plans to murder him.
This kind of stunt gets people fired, and worse, gets people in serious legal trouble and ruins their reputations.
Doubt me? Ask Randal Schwartz. Unless I missed something, Randal has admitted his naivety, but not malice, concerning the matter of cracking passwords to demonstrate security problems to one of his clients. The client was not amused. Here is an example, from the first click in a trivial google search.
Intel v. Randal Schwartz: Why Care?
Clearly, Randal was someone who should have known better. And in fact, Randal would be the first Internet expert already well known for legitimate activities to turn to crime. Previous computer criminals have been teenagers or wannabes. Even the relatively sophisticated Kevin Mitnick never made any name except as a criminal. Never before Randal would anyone on the "light side of the force" have answered the call of the "dark side".
-- end quote --
Randal already had an established reputation as a happy, friendly white-hat superstar and has highly respected friends who can vouch for him. Would your own reputation be able to withstand a legal battle from a client, even if your intentions were pure? I submit that it may be best to specify in the tiger team's contract the use of techniques like password cracking and sniffing. Leaving a recovered password on paper for any random employee to find is just a stupid, stupid stunt. Professional tiger teams carefully and jealously guard the evidence of their efforts, and share the results with the client in a professional and secure manner. If you need to prove you were in the building, take a picture and leave a business card, not your client's password, for crying out frigging loud.
There, that should be clear enough.
True but bear in mind this is a drop off at the airport.
And the way they have their system they are not necessarily notified that a car will be arriving, nor do the cars necessarily go straight back to the original branch, and the airport opens odd hours which often vary depending on customer bookings, while the normal branch does Mon-Sat 9-5.
Add to this that I pick up a car in the morning, and in that case had a late evening flight, so I actually had the car contracted till the next morning - as I suspect would be common for airport drop-offs.
Put all that together and you have a car that someone could easily steal and get to any location within the UK with relative impunity.
You've really hit on one of the big reasons why these social engineering tasks work. If you are "that guy" who insists on calling in everyone who comes into the office, you are also the reason the copier is still broken because he turned away the repairman at the door simply because the copier place's front desk didn't have easy access to the work schedules of the repairmen.
In a perfect world everyone would be competent and always available on the other end of the phone, but in the real world it can be a pain in the rear to find the right person at the other company who could verify that the technician you have is supposed to be there now, not to mention the cleaning staff and all of the other people who need access to your building. You could escort them, but most companies don't have enough dedicated security guards or people without work to do to watch over the guy for 2 hours while he works on some machinery. Even if they do, most of the people at your local bank would have no idea that what he's doing is actually sniffing passwords off of the network, not working on the copier. This guy went to plenty of trouble to make himself look like a copier repairman, he could have easily set up a "diagnostic" program on his laptop and plugged it into the copier's network port (when in actuality he's plugging the network cable into his laptop), and sniff passwords for some time.
That said: How much danger is his knowledge of the passwords? Obviously it isn't good, but what does that actually get you in the bank? Access to the printers and network shares? Without knowing the bank's IT setup it's hard to know how valuable that information is. Clearly he couldn't try to fire up a copy of their software on his laptop (if he even had it), because any teller walking into the copy room would no doubt recognize it and put up a red flag. Presumably the transactions from that software would be encrypted (at least I hope it would be), and they may have additional protections.
I read the internet for the articles.
and made it fax out what it found every night. See: Penetration Analysis of a XEROX Docucenter DC 230ST:"
Yep... Even when you have people come in from a firm you *did* call for service, you have to keep a close eye on them.
I used to work for a mid-sized company that occasionally called different vendors in the Yellow Pages for printer service. (Our networked laser printers broke down too infrequently to justify a costly maintenance agreement on them, so we were a little better off just calling someone to fix them on a case-by-case basis.) One of the firms we called did a good job the first couple of times we used them, but when we called them a 3rd time, a different repair tech showed up. The office manager caught the guy snooping around in our supply closet, apparently trying to steal some of our toner cartridges and other printer/office supplies!
I'm surprised that the article talks about the dangers of social networking, but didn't comment that a sniffer was able to detect unencrypted passwords over the network. Isn't that an equally significant problem? Doesn't every major protocol these days incorporate password security by default? I'm just thinking right now about the protocols I've used this morning:
SSH
Remote Desktop
POP3, SMTP (over SSL)
Whatever protocol Outlook uses for email. (???)
SQL server
As far as I know, all of these at least support decent password encryption, most encrypt the data, and all but Remote Desktop support certificates to prevent MITM attacks (which this guy didn't seem to use anyway). I can't speak for Outlook though. So, what protocols were sending unencrypted passwords? Or do I have too much confidence in the protocols above? What did I miss?
Tech: "I'll need the copier password."
Secretary: "Ok. It's 1 2 3 4 5."
T: "1 2 3 4 5?"
S: "Right. 1 2 3 4 5"
T: *shaking his head* "Amazing. That's what an idiot would have as the combination to his luggage." *Mutters 1 2 3 4 5 while typing it in and department head walks by.*
DH: "1 2 3 4 5? That's the combination to my luggage!"
A casual stroll through the lunatic asylum shows that faith does not prove anything. - Nietzsche
That's certainly a problem, but the larger problem is that they have a trivial point of entry into their network where passwords can be sniffed. Why aren't all authentication mechanisms on the network encrypted, so sniffing passwords will accomplish nothing? Maybe you can prevent SOME of the trivial cases of outsiders gaining entry to the network... but this kind of thing does nothing to protect from an insider doing the same thing.
Some people here have suggested secured Ethernet switches that only allow connections from certain MAC addresses. That'll help a little, but MAC addresses are trivial to spoof. What you should be doing is making sure that any authentication to a bank system that goes over the network (fileserver, IMAP, POP, etc.) is encrypted and protected from man-in-the-middle attacks.
AccountKiller
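The question a few posts up (which of the everyday protocols actually put a password on the wire?) and the reply above (encrypt every authentication so a sniffer gets nothing) both come down to an audit you can run on your own traffic. Here is an added example, not from any poster, that classifies captured client-to-server payloads as encrypted, cleartext-authenticated, or neither; the flows are constructed, and the finding records the protocol and why it matched but never the credential.

```python
"""Flag cleartext authentication in captured application-layer payloads.

Added example, not from the article or the thread. Inputs are the first bytes
of a client -> server TCP stream (what a capture tool would hand you); all
sample flows below are constructed.
"""
import re
from typing import List, NamedTuple


class Flow(NamedTuple):
    src: str
    dst: str
    dport: int
    payload: bytes  # first bytes of the client -> server stream


class Finding(NamedTuple):
    protocol: str
    src: str
    dst: str
    dport: int
    evidence: str  # why it matched; the credential itself is never recorded


# (protocol, pattern that matches a readable auth exchange, evidence text)
CLEARTEXT_RULES = [
    ("POP3/FTP", re.compile(r"^USER \S+\r\n(?:[^\n]*\n)*?PASS \S+\r\n", re.M),
     "USER/PASS commands readable on the wire"),
    ("IMAP", re.compile(r"^\S+ LOGIN \S+ \S+\r\n", re.M),
     "LOGIN command readable on the wire"),
    ("SMTP", re.compile(r"^AUTH (?:PLAIN|LOGIN)\b", re.M),
     "AUTH PLAIN/LOGIN sent before any STARTTLS"),
    ("HTTP", re.compile(r"^Authorization: Basic \S+\r\n", re.M | re.I),
     "Basic auth header (base64 is encoding, not encryption)"),
]


def looks_encrypted(payload: bytes) -> bool:
    """A TLS record begins with content type 0x16 (handshake) and major version 0x03."""
    return len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03


def classify_flow(flow: Flow) -> str:
    """Return 'encrypted', 'cleartext-auth:<protocol>' or 'no-auth-seen'."""
    if looks_encrypted(flow.payload):
        return "encrypted"
    text = flow.payload.decode("latin-1")  # byte-preserving; binary stays unmatched
    # Only what precedes STARTTLS is readable; the rest of the stream is expected to be TLS.
    readable = text.split("STARTTLS\r\n", 1)[0]
    for proto, pattern, _ in CLEARTEXT_RULES:
        if pattern.search(readable):
            return f"cleartext-auth:{proto}"
    return "no-auth-seen"


def find_cleartext_auth(flows: List[Flow]) -> List[Finding]:
    """One finding per flow whose authentication is readable."""
    findings: List[Finding] = []
    for flow in flows:
        verdict = classify_flow(flow)
        if not verdict.startswith("cleartext-auth:"):
            continue
        proto = verdict.split(":", 1)[1]
        evidence = next(e for p, _, e in CLEARTEXT_RULES if p == proto)
        findings.append(Finding(proto, flow.src, flow.dst, flow.dport, evidence))
    return findings


# Constructed flows: plain POP3, POP3 over TLS, HTTP Basic, SMTP with STARTTLS,
# SMTP AUTH in the clear, plain IMAP LOGIN, and an IMAP session with no auth yet.
SAMPLE_FLOWS = [
    Flow("10.0.10.31", "10.0.5.2", 110, b"USER alice\r\nPASS s3cret!\r\nSTAT\r\n"),
    Flow("10.0.10.31", "10.0.5.2", 995, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03" + b"\x00" * 16),
    Flow("10.0.10.32", "10.0.5.9", 80,
         b"GET /intranet/ HTTP/1.1\r\nHost: intranet\r\nAuthorization: Basic YWxpY2U6czNjcmV0IQ==\r\n\r\n"),
    Flow("10.0.10.33", "10.0.5.2", 587, b"EHLO ws33\r\nSTARTTLS\r\n\x16\x03\x01\x00\x9c\x01\x00\x00\x98"),
    Flow("10.0.10.34", "10.0.5.2", 25, b"EHLO ws34\r\nAUTH PLAIN AGFsaWNlAHMzY3JldCE=\r\n"),
    Flow("10.0.10.35", "10.0.5.2", 143, b"a001 LOGIN bob s3cret!\r\n"),
    Flow("10.0.10.36", "10.0.5.2", 143, b"a001 CAPABILITY\r\n"),
]

if __name__ == "__main__":
    for f in find_cleartext_auth(SAMPLE_FLOWS):
        print(f"{f.src} -> {f.dst}:{f.dport} [{f.protocol}] {f.evidence}")
```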
... especially if this was a large company. When you work in a large company, 95% of the people in the building are strangers. Just about all the people in other buildings or other divisions (or outsourced services, like repairmen) are strangers.
In large companies where you regularly have to work with "strangers" one always wants to be a team player.
Social Engineering is not lying; Social Engineering includes lying. See the difference? This story could have been about an actual copier repairman, who actually repaired the copier and carried a non-fake ID, and he still could have sniffed the passwords while he was there. No lying, but an attack anyway.
I'll say "web browser" when you think I should say "Mozilla" and I'll say "pointing device" when you wonder why I didn't just say "mouse." But someday, when you see me use my laptop with its weird pencil-eraser type thingie in the middle of the keyboard instead of a mouse, running Konqueror, and you'll understand. Sometimes when you want to be accurate, you can't be precise.
But yeah, I have no idea what the difference is between a beverage and a drink.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
Some months back, I saw some people working on the phone lines outside my house. They knocked off my DSL connection, so I went out to see what they were doing. They didn't have an SBC truck, so I asked to see their ID. Classically, telcos were very careful about issuing picture IDs to all employees authorized to meet the public or work on plant. There's even a notice in most telephone directories about it, telling customers that all telephone employees are required to carry a telco photo ID.
They didn't have SBC IDs. So I called SBC repair service via a cell phone. They didn't have a clue. So I called 911 and had the local cops come out. They ask the guys for phone company ID, and the techs don't have it. Twenty minutes of confusion as the techs and the cops are calling various parties.
Turned out that SBC had quietly been "outsourcing" some routine outside plant work, and had been sloppy about issuing credentials to the outsourcing contractor. Tied up four techs and two cops for half an hour to straighten that out.
That's what happens when you do it right. Annoys everybody.
Get hired as a temp somewhere, walk in with a USB drive with something nasty on it. Not that I'd try that sort of thing.
With the amount of superfluous network "chatter" going on in your average LAN (waves at Windows!), MAC address filtering does just about nothing. Bring a hub with you, find an existing machine plugged into a network port, plug it and your laptop into the hub and within about 10 seconds you can assume that MAC. Voila, I've just completely broken your MAC filtering with pretty much no extra effort.
:)
About the only thing MAC filtering will protect you from is open LAN ports, but if you're really that paranoid, turn those off at the switch when there's nothing plugged into them and only re-enable them upon request.
Depends, though - in an environment with mostly laptops that get taken home your idea does have some merit, as locking down ports is obviously feasible
Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
"Nailing" seems an inadequate term to describe building a house, and "lying" seems inadequate for the long-planned and carefully parlayed scams that end up with people FTP'ing their source repository to Kevin Mitnick and thinking it's a good idea.
... let some security breach happen than challenging a stranger. My employer doesn't pay me enough to risk my life for one of his alleged secrets.
What these security auditing clowns are actually doing is not improving security, but putting untrained employees at risk by asking them to deal with potentially dangerous people.
I don't get it. How did he get a password? They don't really transmit passwords in cleartext for something, do they?
The RSA patent has expired, and there's also DH. Nobody should be able to passively (i.e. no MitM) snoop anything anymore. Unless your box is so damn overworked that it doesn't have the time to do the crypto (yeah, because CPU power is sooo expensive these days), this level of protection is free now.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
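To make the claim above concrete, here is an added example (not from the original thread) of a Diffie-Hellman exchange in which a passive observer sees only the public values. The group parameters are constructed toy values, far too small for real use, and the function names are my own; the caveat the comment itself makes still holds: without authentication of the public values, an active man-in-the-middle is not prevented.

```python
"""Toy Diffie-Hellman exchange showing what a passive sniffer can and cannot see."""
import hashlib
import secrets

# Constructed toy parameters: a Mersenne prime and a small base. Real deployments
# use standardised groups of 2048 bits or more; this is for illustration only.
P = 2**127 - 1
G = 2


def keypair():
    """Return (private exponent, public value g^x mod p)."""
    priv = secrets.randbelow(P - 2) + 1          # private x in [1, P-2]
    return priv, pow(G, priv, P)


def shared_secret(priv, other_pub):
    """Each side raises the peer's public value to its own private exponent."""
    return pow(other_pub, priv, P)


def derive_key(secret):
    """Turn the agreed integer into a fixed-length symmetric key (SHA-256)."""
    return hashlib.sha256(secret.to_bytes(16, "big")).digest()


def exchange():
    """Run one exchange; return both derived keys and the sniffer's view."""
    a, pub_a = keypair()
    b, pub_b = keypair()
    # Everything a passive observer captures on the wire: no private exponents.
    observed = {"p": P, "g": G, "A": pub_a, "B": pub_b}
    key_a = derive_key(shared_secret(a, pub_b))
    key_b = derive_key(shared_secret(b, pub_a))
    return key_a, key_b, observed


if __name__ == "__main__":
    ka, kb, seen = exchange()
    print("keys match:", ka == kb)
    print("observer saw only:", sorted(seen))
```

The observer is left with p, g, A and B; recovering the key from those is the discrete-logarithm problem, which is why the password a sniffer captured in the story must have been carried by some protocol that skipped this step entirely.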
http://www.oxid.it/cain.html
Here's what we used in Security Class. Creates a ton of network traffic, but very good at tracking down every password on a network.
Depending on the building and number of employees in the company, it may be easier than that. At the last place I worked, you needed a card reader to get into the office areas (on different floors), but the stairwell was shared with other companies in the building. If you wanted to "break in", all you needed to do was carry some large boxes and fumble for the "access card" in your pocket. Without fail, someone would always open the door (to be nice) within a few minutes and not ask further questions as long as you say "thank you" (after all, you're carrying a load and since you were looking for an access card, you must have one. Right?).
It's one thing to sling a few "bots" together from another continent and "see if you can get in" anonymously from the safety of your den or bedroom. It takes quite another breed of individual to walk their living flesh in the front door and risk being taken out in handcuffs. To face felony theft in months of court time later. . .
Yes, it's a valid demonstration of what is available if they make it in. . . I'm not sure it's at all statistically or even operationally significant by any practical stretch. . .
Why should I risk my own freedom? How about instead of going in, I just wait until the branch manager comes out on his way home, club him over the head, and extract the passwords I need from him directly. After I've transferred a few hundred million to my bank account in an extradition free country (do we still have those? And can someone list them for me?) then I'd be all set.
Comparing the type of "in your face, willing to risk capture and jail-time" type of personality, with the "I'd like to stay safe at home" type of crime. . . seems too much Apples and Oranges comparison to suit my tastes.
How many 13 year old adolescent pimple faced copier repair men do you typically expect to see in your average work day? And how many "back alley club-you-over-the-head" thieves are pulling major-league cyber-crimes?
Apple crimes for Apple risk, or Orange crimes for Orange risk, but this is Orange risk for Apple crimes.
jkh
No, I don't remember your name. But the memory mapped screen on a TRS80 from 1977 is from 15360 to 16383 if that helps.
It's the total solution. I mean completely. With some good rules:
1) No repeating letters or numbers
2) Must contain upper and lower case
3) Must have at least 4 numbers
4) No letter or number can be in the same place as the last four passwords
5) Daily checks to make sure it's not written down anywhere on the monitor, in the desk, or in their wallet.
6) Change password daily
And before you know it, not even the employees will know their passwords. How the hell can they give it to an attacker if they don't know it?
As long as there are employees, there's someone to give out the passwords, so you have to take them away from the employees. If you don't, no matter what you do about changing passwords, it won't work.
Here is a suggestion for passwords. I have to change mine every 3 months for a client I work for. I have owned numerous cars over the years. I can remember the make/model/year for most of them. I use this library to generate passwords. Most secure passwords now require 8 digits, special characters, and numbers. So I do this.
;)
Example: 1986 Honda Accord
Variation 1: Hond!1986
Variation 2: 1986@Acco
Example: 1999 Chevy Tahoe
Variation 1: 1999!Chev
Variation 2: Taho!1999
You get the picture. Most people have no idea what cars I owned except for the last few. I tend to use the first 4 letters of the make or model and usually stick with the same special character if I can. This works great for me since I've had 14 vehicles since I first started driving. Course you can also use classic cars or cars you like/desire. This way I get a decent password(s) that I can remember. This is a great method for those visual folks out there.
Note: All cars in this example were not cars I owned to protect the innocent, of course if you owned a '86 Accord or '99 Tahoe you're screwed!!
You wrote the password 500 times?
He's saying that, when they do get caught, nine times out of ten it's because someone wants to verify their presence with someone higher up. I don't think he said how often they actually do get caught.
Is everyone that sloppy when they set up networks? Where I work, every jack dedicated to a non-mobile device is exclusively for that device by MAC. Plug in something else and the jack shuts down and an alarm email goes to the telecomm staff every five minutes until the problem is resolved. Jacks used by mobile devices don't shut down that way, but the network still won't allow anything to talk to the network unless the machine name provided by the device is verified. Then logging on requires verification. If the machine name or user account aren't authenticated, there's no communication.
Maybe it's just a copier thing. Some time ago we considered using our copiers as printers and faxes. It sure would be nice to combine those functions. The copier people, however, insisted that the machines be allowed on the network with no real authentication AND insisted that they had to have remote access to those copiers over our network from outside. The copier people really thought that whatever was required (punching firewall holes, dispensing with logon authentication, etc.) we would unhesitatingly do. They were told to go take a hike.
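As an added example (not code from the thread or from any switch vendor), here is the jack-binding policy the comment above describes, written as a check over constructed link-up events: a fixed jack must carry exactly its registered MAC, a mobile jack must carry a known host name, and any unprovisioned jack in use is flagged. The log format, port names, MACs and host names are all made up for the demo. As an earlier comment in the thread points out, a MAC can be cloned, so this is a detection and containment layer, not proof of identity.

```python
"""Port-to-device binding check over constructed switch events (added example)."""
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical inventory: jacks for non-mobile devices and the one MAC each may carry.
STATIC_BINDINGS = {
    "Gi1/0/1": "00:11:22:33:44:55",   # copier on the third floor
    "Gi1/0/2": "00:11:22:33:44:66",   # reception desktop
}
# Jacks reserved for laptops: no MAC binding, but the reported host name must be known.
MOBILE_JACKS = {"Gi1/0/10", "Gi1/0/11"}
KNOWN_HOSTS = {"lt-alice", "lt-bob"}

# Constructed link-up events in a simple "port mac hostname" layout (not a real
# switch syslog format). One event per line.
SAMPLE_EVENTS = """\
Gi1/0/1 00:11:22:33:44:55 copier-3f
Gi1/0/2 aa:bb:cc:dd:ee:ff unknown-pc
Gi1/0/10 de:ad:be:ef:00:01 lt-alice
Gi1/0/11 de:ad:be:ef:00:02 rogue-laptop
Gi1/0/5 00:11:22:33:44:77 visitor
"""


@dataclass(frozen=True)
class Alert:
    port: str
    mac: str
    host: str
    action: str


def check_event(port: str, mac: str, host: str) -> Optional[Alert]:
    """Apply the binding policy to one event; return an Alert or None if allowed."""
    if port in STATIC_BINDINGS:
        if mac.lower() != STATIC_BINDINGS[port].lower():
            return Alert(port, mac, host, "shut port; page telecomm until cleared")
        return None
    if port in MOBILE_JACKS:
        if host not in KNOWN_HOSTS:
            return Alert(port, mac, host, "deny traffic; host name not registered")
        return None
    # Anything else is a jack nobody provisioned, which should be disabled at the switch.
    return Alert(port, mac, host, "unprovisioned jack active; disable at switch")


def scan(events: str) -> List[Alert]:
    """Parse the event text and return the alerts in log order."""
    alerts = []
    for line in events.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # constructed format is strict; skip anything else
        alert = check_event(*fields)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"{a.port}: {a.mac} ({a.host}) -> {a.action}")
```

Run against the sample, the copier and lt-alice pass, the reception jack with a foreign MAC is shut, the unregistered laptop on a mobile jack is denied, and the never-provisioned jack is flagged for disabling, which is the "turn them off at the switch" advice from earlier in the thread made mechanical.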
Just imagine: "Let me see your ID."
Tech: "But I'm putting in the toner. Both hands full."
Junior Exec.: "Somebody call security."
Like that for an HOUR.
So not only do I have to worry about some punk kids trying to hack my Gibson all the time, now I have to check the copy guy at the door. What is the world coming to!?
"That's right, the mod categories are just like the points on 'Whose Line' -- they don't mean anything..."
In the second-last paragraph the referenced article says:
Is that nine out of the 10 attempts they get caught? A real intruder will not likely even try to break in with a 90% chance of going to jail. Or out of 10 times they get caught, nine are due to this reason?
I did a rant on this topic a while ago.... I even ranted at the sys admins to tell them how silly it is. Managers ultimately make the decisions though, and in their eyes, they have done their job to make things "secure". You by writing down your password simply fail to do yours as you are violating security policy. I have more passwords than you, but only several of them change stupidly. My main one has to be changed every month or 30 days which is just stupid. After a while you figure out a system of passwords (or I did anyway) to beat the system, but even so I have sticky note passwords everywhere. The only saving grace is that one of my accounts they actually unified with the main username, so that's one less damn user name I have to remember also.
This is not flamebait, it's FUNNY! Well, it made me laugh.
Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
if an employee gets hurt (physically or emotionally) from protecting the company from intruders. The company should simply hire guards.
Consider two propositions.
(1) Not all lying is social engineering.
Lying, by definition, is making a statement believed to be untrue with the intent to deceive another (see: lie) therefore all lying might be considered a form of social engineering, using the most inclusive possible definition for "social engineering". However, one might consider that there are types of lying which do not really have a useful purpose (e.g. pathological lying) and which are not employed to seek a gain, and these types of lying might be considered to fall outside of the domain of social engineering. Lying and social engineering therefore might be thought of as two domains which share an overlapping subset. As an aside, deception is a superset of lying, not an equivalent set as you implied.
(2) Not all social engineering involves lying, but may involve other forms of deception.
A trivial and familiar example is the practice of following someone through a physical access point, known as "tailgating." Tailgating may exploit a natural human trust relationship (I've seen your face before or you dress like you work here or you walk with confidence, make eye contact and smile) or may merely exploit a conflict avoidance instinct without active propagation of a statement believed to be untrue. Tailgating is clearly a tool which could be used to circumvent security controls and can be clearly considered as a type of social engineering, but does not fit within the accepted definitions for lying.
If you mod me down, I shall become more powerful than you could possibly imagine.
Why did they dress their network as a copier repairman? I think the lesson to be learned is that putting clothes on your network does not make it more secure.
... and then they built the supercollider.
Mod -1: incoherent (go back to grammar school)
The method used by most brute-force password cracking programs is:
1) Gain a copy of the password hash file stored on the target computer (by social engineering, service vulnerabilities, etc.)
2) A program takes the hash of your password, and encrypts random strings of text until the encrypted hash is equal to the hash obtained from the target computer.
3) The program knows what it just encrypted, and therefore knows your password.
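As an added example (not from the thread), here is the step-2 loop from the comment above, reduced to a four-entry candidate list, run against two ways a system might store the hash: a bare fast hash, and a per-user random salt with a deliberately slow key-derivation function. Both recover the same constructed password, but the defender's point is the cost: the salted, iterated form makes every candidate expensive and stops one precomputed table from serving every user. The candidate list, password and function names are all my own.

```python
"""Why salted, slow hashing blunts the brute-force method described above."""
import hashlib
import os
import time
from typing import Optional

# Constructed stand-in for a wordlist; a real one would be far longer.
CANDIDATES = ["letmein", "copier", "Hond!1986", "hunter2"]
ITERATIONS = 100_000  # PBKDF2 work factor; raise it as hardware gets faster


def fast_hash(password: str) -> str:
    """Unsalted SHA-256: deterministic, and one precomputed table fits every user."""
    return hashlib.sha256(password.encode()).hexdigest()


def slow_hash(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256 with a per-user salt: each guess costs `iterations` rounds."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def recover_fast(stored_hex: str) -> Optional[str]:
    """Step 2 of the comment against a fast unsalted hash."""
    for candidate in CANDIDATES:
        if fast_hash(candidate) == stored_hex:
            return candidate
    return None


def recover_slow(stored: bytes, salt: bytes, iterations: int = ITERATIONS) -> Optional[str]:
    """The same loop against a salted, iterated hash; each candidate now pays the full cost."""
    for candidate in CANDIDATES:
        if slow_hash(candidate, salt, iterations) == stored:
            return candidate
    return None


def seconds_per_guess(salt: bytes, iterations: int = ITERATIONS) -> float:
    """Measure what one candidate costs the attacker under the slow scheme."""
    start = time.perf_counter()
    slow_hash("timing-probe", salt, iterations)
    return time.perf_counter() - start


if __name__ == "__main__":
    secret = "Hond!1986"                 # constructed password to be "cracked"
    salt = os.urandom(16)                # per-user salt stored beside the hash
    print("fast:", recover_fast(fast_hash(secret)))
    print("slow:", recover_slow(slow_hash(secret, salt), salt))
    print(f"slow scheme costs ~{seconds_per_guess(salt):.3f}s per guess")
```

The measured figure is machine-dependent, so it is printed rather than checked, but the relationship holds everywhere: raising the iteration count raises the attacker's cost per guess by the same factor, while the legitimate login pays it only once.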
Surely 911 wasn't required...there's a "normal", non-emergency number one can use to contact their local police department.
Depends on the area, and on whether you actually want anyone's attention. I'm currently just outside city limits, and currently served by the county cops. There have been a couple minor incidents (a crank caller who didn't know about *69 in one case, in another idiots illegally setting off fireworks — not just sparklers, but serious peonies and salutes!) where I called the main desk and asked for dispatch so I could speak with an officer. I was told to call 911, which in at least the case of the crank caller surely seemed overkill. I guess the desk guy just wanted to finish his donuts?
//Information does not want to be free; it wants to breed.
I once had some youths messing about on my roof (which has velux windows - sloped skylights basically). I called the police and they didn't see what the problem was ... invasion of privacy, harassment, trespass, potential for criminal damage (by either party!) ... I swear unless you sound on the phone like you're being stabbed they just write a post-it and stick it on someone's desk.
Where I work I have to log in to several systems, and the passwords have to be changed at intervals ranging from 1 to 2 months (so the different systems are never in sync). What I do is use the exact same prefix for every password and just modify the last couple of characters. Then I have a little list in the format:
System 1: 0u
System 2: iJ
System 3: #r
etc. Since nobody knows the prefix, this is just as secure as having a single password that never changes.
I like my coffee the way I like my women - roasted and ground up into little tiny pieces.
... but I don't get danger pay.
Sure, the person who's in the office pretending to be a copier repair might not have any inclination to violent behaviour, and if uncovered might just make a hasty exit. But they might also turn nasty. If you want someone to police visitors, hire a security guard who's both trained to handle potentially dangerous situations and insured and compensated appropriately for it. I'll just let them do whatever the hell they want, because my health > your company.
I have more passwords than you, but only several of them change stupidly.
:-)
I don't know if it was intended to be funny, but this made me laugh out loud!