Re: Social Engineering

[Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>]

On 2006-01-05 elite.coder () ntlworld com wrote:
> OK, Everyone seems to think that Social Engineering cant be solved with
> software, so I shall show you some of the ideas I have to defeat SE with
> software.
>
> Idea 1: A Directory site.
>
> The site will be used by companies to find out if Person X works at
> company Y. how will this work?
>
> Well, first an admin is nominated from the company (pref. someone who is
> "up" on security i.e. a sys admin)
> This admin will register the company with the site,
> Then he will register everyone in the company with the site

First of all: you still need the target of the social engineering attack
to actually do that lookup. But if people did cross-check, social
engineering wouldn't work at all. Please re-read Mitnick's book. You
seem to have completely missed his point.

In addition to that, even if people did look up in a directory like you
suggest, what would prevent an attacker from picking an existing name
from that directory? What good would the lookup do in that case? This
scenario was already mentioned in one reply you got.

Other issues are: who will maintain that directory? Who will be allowed
to register people? Why do you consider maintainer and registrar
trustworthy? How will the directory be protected from forgery (e.g.
attacker registers forged name prior to attack)?

And last, but absolutely not least: what makes you believe that every
company would want to publish a complete list of their employees?

> If you want to view info in the site, you will have to use the un/pass
> sent when the admin registered you, to prevent terminated users staying
> on the server, en email is sent from the site every X days with a link
> (like the one securityfocus sends for you to finish your registration)
> if you do not reply to the email after X days, you are put into an MIA
> list (if someone searches for you, you will not be found... but you are
> not deleted either) when this happens the admin will receive an email
> asking why you haven't replied and if you should be deleted.
>
> if someone tries clicking on the link after the expiration time for a
> new link to be sent (or if you are deleted), nothing will happen.. just
> incase the person who got canned tired to reactivate his/herself.
>
> I don't think I have covered all the bases here, but I will do more
> thinking later.

Please do.

> =------------------------------------------------=
>
> Idea 2. Folder security information.
>
> In Mitnicks book he says it is a good idea to rate information by
> security priority.
>
> e.g. If its Priority 1, then you cant send it tom anyone... even if
> they work in the same company P2, you can send it to a verified person
> in the company etc...
>
> So I want to write a program then, when you open a folder on the file
> server, a message will pop-up saying:
>
> The info. in this folder is Priority X, this means you...
> blahablahblah..

This would require educated users who actually *read* the popped up
text. However, if all users were that educated, social engineering
wouldn't work at all.

Regards
Ansgar Wiechers
-- 
"Der Computer ist da, um zu rechnen, nicht um Ausreden wie 'Kann nicht
durch Null teilen' auf den Bildschirm zu schreiben."
--Marco Haschka in de.org.ccc

---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Tailor your education to your own professional goals with degree 
customizations including Emergency Management, Business Continuity Planning, 
Computer Emergency Response Teams, and Digital Investigations. 

http://www.msia.norwich.edu/secfocus
----------------------------------------------------------------------------