Home page logo
/

basics logo Security Basics mailing list archives

Re: RE: Social Engineering
From: Mike Lisanke <mikelisanke () gmail com>
Date: Thu, 5 Jan 2006 17:37:15 -0500

This scenario is why, even for the most benign conversation with a
company/creditor, I tell the caller that I will call them back via
there general number. If the receptionist for the companies published
number does know the 'team' which called me, I've thwarted the SE
attack. I never answer in-bound calls excepts to receive status (which
I then go on to verify in writing or a call back to the company). All
the security people at creditor are happy with my process.

On 5 Jan 2006 22:27:26 -0000, pg_vlad () hotmail com <pg_vlad () hotmail com> wrote:
The ideas aren't bad but that really won't stop SE attacks. Well perhaps some, but consider "SE-Attacker:Hello, this 
is Blah from Bank of X Visa. It seems that you have reported far fewer records to us today than usual, I'm calling to 
verify the number of card transactions vs the number we have recieved on record.
SE-Victim (employee of company A):Oh well we had 70 credit card transactions today.
SE-A:Hmmm we seem to have recorded on 10, if you don't mind I can submit a work order for your point of sale machine 
blah.
SE-V:Sure that would be great!
SE-A:While I'm at it I could log in the transactions we haven't recieved.
SE-V:Ok, hold on."

This is of course hypothetical, nonetheless if even one number was gleaned the attack would be a success.

And in a larger corporation, let's say the website has Bob Rupertrandal's name as the author. You call the 
receptionist and say you are him and updating records for employees to go on the webpage adn you need information 
from here, using your methodologies she would see that yes he is in the company, but she still has no way or even a 
clue that it may not be him, so why should she doubt and refuse to give him the imformation?

The best way to thwart SE attacks is to educate your users. After all you can have the biggest toys, if you have one 
users with a weak pass or whom gives out his pass, or the (and you lie if you don't have users who do this, ARG the 
post it note with pass info on it) then all your hard work is down the drain.

---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Tailor your education to your own professional goals with degree
customizations including Emergency Management, Business Continuity Planning,
Computer Emergency Response Teams, and Digital Investigations.

http://www.msia.norwich.edu/secfocus
----------------------------------------------------------------------------



Best regards,
--
Mike

---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Tailor your education to your own professional goals with degree
customizations including Emergency Management, Business Continuity Planning,
Computer Emergency Response Teams, and Digital Investigations.

http://www.msia.norwich.edu/secfocus
----------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]