Home page logo

basics logo Security Basics mailing list archives

Re: Social Engineering
From: List Spam <listspam () gmail com>
Date: Thu, 5 Jan 2006 11:15:20 -0800

On 1/4/06, coder <elite.coder () ntlworld com> wrote:

Idea 1: A Directory site.
Well, first an admin is nominated from the company (pref. someone who is
"up" on security i.e. a sys admin)
This admin will register the company with the site,
Then he will register everyone in the company with the site

To the no-doubt eager to please and/or ego-inflated admin:  "Thats a
pretty cool system you have setup.  Can you show me how it works?"
(record authentication mechanism - something as simple as video-taping
the keystrokes while looking over his shoulder should suffice)

If you want to view info in the site, you will have to use the un/pass sent
when the admin registered you,

"Hi, I'm the new directory maintainer for the company.  The previous
guy left a little to be desired in his documentation process and I'm
following up and making sure that everyone has a valid account.  Can
you forward what was originally sent so that I can make sure it's in
the list?"

to prevent terminated users staying on the server, en email is sent from the
site every X days with a link
(like the one securityfocus sends for you to finish your registration)
if you do not reply to the email after X days, you are put into an MIA list

Subject: Directory Maintenance
Body: In order to maintain an active listing in the company directory,
please follow the link below and login to renew your entry:

(Chances are, you just gained valid credentials for other services)

(if someone searches for you, you will not be found...
but you are not deleted either)
when this happens the admin will receive an email asking why you haven't
replied and if you should be deleted.

Idea 2. Folder security information.
So I want to write a program then, when you open a folder on the file
server, a message will pop-up saying:

The info. in this folder is Priority X,
this means you... blahablahblah..

You are already socially engineering them with this approach, thereby
providing an environment where it is expected that the user do what
they're told simply because they're told.

So, let me know what you think, it would be interesting to hear if this
ideas are silly.


Davie Elliott

Thinking about ways to minimize the impact of social engineering is
never silly, nor is soliciting input on those ideas.  Whether the "bad
guy" socially engineers a user, an admin, an exec, a vendor, a
partner, a supplier, etc. is really out of your control.

What you need, IMHO, is to determine a worst-case scenario resulting
from someone that can adverselly affect you suceeding with their
efforts.  Build in policies, processes, and technology (preferabiy in
that order) to reduce exposure and/or liability.  Social engineering
is not new, existed before the "Information Age", and seldom employs
technology in it's execution.  As such, relying exclusively on
technology to combat it will ultimately fail as it is not a technology

My two cents.  Take them for what they are - the ramblings of a list poster.

Keep plugging along though, because by at lease thinking about it, you
are already ahead of many of your peers in protecting your company's
assets - be they physical or perceptual.


The Norwich University program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Tailor your education to your own professional goals with degree
customizations including Emergency Management, Business Continuity Planning,
Computer Emergency Response Teams, and Digital Investigations.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]