Jim's Pond - Go, Explore, Contribute
"Never ascribe to malice that which is adequately explained by incompetence."

--Napoleon Bonaparte

Friday, March 4, 2005

Friday, of course

Sitting in a meeting at Hillcrest High School today I was listening to the discussion. On the whiteboard there is this quote. I don't know who to attribute it to:

"Fight, you may die
Run, you'll live, at least a while
and dying in your beds years from now
would you be willing, to trade all
those days from this to that for one
chance.....Just one chance.......
To tell our enemies, that they may
take our lives, but they'll never take
OUR FREEDOM!"

--Unknown
12:00:26 PM


Social Engineering

I try to stay away from blogging on Friday. Call me lazy. But I ran across this story about social engineering and couldn't resist.

Years ago I attended a hackers convention in New York City. Among other things the participants were treated to sessions on picking locks, using dialtone generating devices to make free long distance calls and other questionable skills. One of the most interesting sessions was a tutorial and workshop on social engineering.

Two individuals retired to a room in the hotel to make some calls. Audio feed from that room was piped into the auditorium. We listened in while employees from the LEC were pumped for passwords. Several approaches were used and eventually the desired information was obtained. It was a simple matter and the whole demonstration took less than 20 minutes.

I must strongly state that my affiliation with this group wasn't of a nefarious nature. I was legitimately representing a large company and was trying to understand the nature of hacking and the reality of security vulnerabilities. That said, I was really impressed. And not in a pleasing, reassuring way. I came away from the conference with the feeling that no data is ever truly secure. Not as long as there are people with passwords out there.

Anyway, social engineering is interesting. Here is an excerpt from the article:

Companies eager to tighten up their information security perimeters should focus not on technology but on teaching their employees how to say 'no', ex-hacker done good Kevin Mitnick told a full house at Toshiba's MobileXchange conference in Melbourne yesterday.

Mitnick became a cyberspace legend after his success in penetrating networks at major telecommunications firms -- including Pacific Bell and Motorola, Nokia, Fujitsu, Novell and NEC -- led the FBI on a 15-year manhunt that ended when his 1995 capture put him behind bars for nearly four years. Older and seemingly wiser, he now uses his skills for good as a Los Angeles-based security consultant, stopping in Australia briefly to address the crowd at the annual Toshiba event.

Many companies invest heavily in security technologies to protect their networks, but Mitnick was quick to point out that even the tightest technological barriers never stopped him; rather, some carefully planned social engineering -- or even a bit of Dumpster diving in one's spare time -- can often be far more effective at penetrating the weakest security link at most companies: their people.

"What you can find in the trash is simply amazing," said Mitnick, holding up a "souvenir" from his earlier days: a printed directory listing the name, phone number, email address, direct reports and other information about every employee in the company. "People throw out notes, drafts of letters, printouts of source code, printouts of project documentation they're working on. In some cases they even write down passwords and access information, or calendars that list every person that person has talked to or met with".

This information provides invaluable assistance to hackers keen to worm their way into a company by, say, impersonating an employee and calling the internal help desk, or dropping into the site and pretending to be a business associate. Because people hate to say no even when they're suspicious of a well-presented stranger, Mitnick says, smooth talking has gotten many a hacker far closer to a target company's network than days of brute-force technological attacks.


10:03:44 AM





© 2005 Jim Stewart
Last Update: 4/5/05; 10:06:25 PM
