
Security Basics mailing list archives

Re: RE: Social Engineering
From: pg_vlad () hotmail com
Date: 5 Jan 2006 22:27:26 -0000

The ideas aren't bad but that really won't stop SE attacks. Well perhaps some, but consider:

"SE-Attacker: Hello, this is Blah from Bank of X Visa. It seems that you have reported far fewer records to us today 
than usual, I'm calling to verify the number of card transactions vs the number we have received on record.
SE-Victim (employee of company A): Oh well we had 70 credit card transactions today.
SE-A: Hmmm we seem to have recorded only 10, if you don't mind I can submit a work order for your point of sale machine 
blah.
SE-V: Sure that would be great!
SE-A: While I'm at it I could log in the transactions we haven't received.
SE-V: Ok, hold on."

This is of course hypothetical, nonetheless if even one number was gleaned the attack would be a success.

And in a larger corporation, let's say the website has Bob Rupertrandal's name as the author. You call the receptionist 
and say you are him and updating records for employees to go on the webpage and you need information from here, using 
your methodologies she would see that yes he is in the company, but she still has no way or even a clue that it may not 
be him, so why should she doubt and refuse to give him the information?

The best way to thwart SE attacks is to educate your users. After all you can have the biggest toys, if you have one 
user with a weak pass or who gives out his pass, or the (and you lie if you don't have users who do this, ARG the 
post-it note with pass info on it) then all your hard work is down the drain.
