back to article Hacking human gullibility with social penetration

Security penetration testers Mike Bailey and Mike Murray rely plenty on attacks that exploit weaknesses in websites and servers, but their approach is better summed up by the famous phrase "There's a sucker born every minute". That's because so-called social penetration techniques are more reliable and easier to use in …

COMMENTS

This topic is closed for new posts.
  1. jake Silver badge

    Social penetration?

    New one on me ... Us old-timers call it "social engineering".

    50% is a low rate of success. In most corporations that I audit (with manglement's blessing, I hasten to add), I can get around 50% from the supposed IT staff, never mind hoi polloi (65-70%) ... Management is closer to 85% ...

  2. Anonymous Coward
    Anonymous Coward

    3E's

    A balance in all things is required.

    1. Education

    2. Engineering

    3. Enforcement

    Industry spends immense amounts on 2 & 3. with all manner of tools, processes, procedures and penalties. Some money is spent on 1 but it is mainly education about 2 & 3.

    Using the eating analogy and "accepting that some folks will die" is a tough way to go but "natural" at this stage in our technical evolution? Humanity eliminated dangerous predators and food from social environments and warned society about, for example, rhubarb leaves. We have done some of the latter but the former persist in many guises.

    Ideally a change in the technology and the psychology and accompanying education is required but while there is an industrial momentum this wont happen. More education on caution is required?

  3. Anonymous Coward
    Anonymous Coward

    SMIME

    Time for moro ganisations to adopt S/MIME for email to verify senders plus the training to recognise "Do not trust anyone where this little bar isn't green"

    "Even if it is green, treat what they say with due caution anyway!"

  4. Anonymous Coward
    Paris Hilton

    Drill your own staff to prevent social penetration by outsiders.

    I've often found the direct approach works even better. Find a telephone number in the IT department, play dumb by pretending to have called the wrong number, ask for a named person elsewhere in the organisation and to be transferred to them. Once connected, tell named person you're new and from IT (external CID often doesn't pass around phone systems, instead it will show the CID of the person transferring you) and ask for their username/password because there's a problem with mailboxes or shared drives or similar.

    There is no easy cure, you have to drill it into your staff that under no circumstances do they *ever* give their passwords, to anyone, *ever*. Even then, it will still work a week or so after the dire warnings.

    Simples.

    Paris, Well drilled and plenty of social penetration experience.

  5. Anonymous Coward
    Anonymous Coward

    I asked my girlfriend for some social penetration

    she said no

  6. Anonymous Coward
    Anonymous Coward

    IT security for dummies.

    The other day a bloke sat opposite to me on the train. Around his neck he had one of those ID badges on a chain that ID'd him as the IT manager of a company.

    I asked him if he considered that displaying his ID for all to see was a good idea. He didn't see the problem. I imitated his voice and asked him what would happen if I called his place of work, on an allegedly bad line, and, pretending to be him, asked the person who answered the phone for their network password.

    He went a funny colour at that point.

    Regarding passwords. I have a big issue with, supposedly, secure password regimes. Must contain a mix of numbers and letters, have at least one capital and be changed monthly.

    People just can't remember them. What do they do? They write the sodding things down.

    If they don't write them down they keep forgetting them and need them to be reset, making them a prime candidate for social engineering.

    1. Elmer Phud

      Writing it down

      I have found that many of these written passwords can be found n a post-it under the keybord -- that or in the little pen and odds and sods drawer that doesn't lock.

      Or in a note book left on the desk.

      But this is usualy as a result of loads of different systems needing different passowrd formats that also expire at different times. The grunts haven't a hope in remembering them all - especially the ones that have a long history file and require several caps and numbers and no repetition or easy words or phrases or or or . . .

      If in doubt see if there is a text or doc file with 'passwords' somewhere.

      There are several born every minute.

      1. Paul 4

        Grunts

        "The grunts" perhaps a little less of this attitude from IT would help people feel they can tell someone to sod of when they phoen up and say "I'm from IT and".

      2. CD001

        Thing is though...

        If someone has access to the "passwords" file on your machine, you're pretty much hosed anyway - especially if that file is already encrypted, password protected and stored in a hidden volume (granted the odds on that happening are slim to none).

        I read once that the "best" thing to do would be to use passwords you've not a hope in hell of remembering with upper and lower case letters, numbers, symbols, whatever - write them down on a bit of paper and keep it in your wallet.

        If you lose your wallet you've already got the hassle of getting all your plastic cancelled so you're just adding "change passwords" to you list of things you've already got to do.

        1. Cameron Colley

          @CD001

          Did you read that in the comments section here? It sounds a lot like my comment on an article about password security.

          I stand by it as the best way of keeping your passwords safe.

    2. amanfromMars 1 Silver badge

      Global Operating Devices Play Dice and Love Poker

      "If they don't write them down they keep forgetting them and need them to be reset, making them a prime candidate for social engineering." ..... Anonymous Coward Posted Thursday 4th March 2010 10:14 GMT

      The Fate and Destiny of All AC Mankind, AC?

    3. Ken Hagan Gold badge

      Re: It security for dummies

      "People just can't remember them. What do they do? They write the sodding things down."

      Good for them. They probably know how to keep a piece of paper safe. Also bear in mind that remote attackers will typically have dictionaries but will not have physical access to a desk drawer, so a strong password written down is better than a weak one remembered.

      If the main threat comes from the employees themselves, you might want to take a different line, but there's nothing intrinsically wrong with devising a really strong password, writing down and keeping it in your wallet. It is, after all, how most of us keep our cash.

    4. John H Woods Silver badge
      Thumb Up

      I AGREE

      I keep jumping on my little soapbox here, but we need a CAMPAIGN.... and el Reg is the place to start it.

      Campaign: "Password expiry is a counterproductive strategy" (PECS).

      It's not just unproductive, it is counter productive:

      1) it engenders a false sense of security

      2) it encourages weak passwords

      3) it balloons 'password reset' requests, making social engineering easier

      4) it causes people to write passwords down

      5) it causes people to use a pattern to progress their passwords, making it much easier to guess a current password from a historic one.

      6) it wastes huge amounts of everyone's time.

      Any takers?

  7. Anonymous Coward
    Anonymous Coward

    "Social engineering"

    ...has been the key stone to hacking since before the word meant hacker let alone cracker.

  8. spencer
    WTF?

    Same story here - word for word

    google says it was posted earlier, doesn't link to or mention this website

    http://hackingexpose.blogspot.com/2010/03/hacking-human-gullibility-with-social.html

    1. bluesxman
      WTF?

      Eh?

      Well yes google is infallable.

      Register story posted around 07:00GMT on 4th, the blogspot one claims it was posted at 5pm on 4th. No great mystery there. Unless the blogspot clock is localised in a timezone in the vicinity of Australia...

  9. Anonymous Coward
    Anonymous Coward

    Campus Life

    From: Mr Joseph Hope [mailto:Joseph.Hope@yale.edu]

    Sent: 28 January 2006 05:26

    To: Xxxxxxxxx, Xxxx

    Subject: Campus Life

    Hello,

    We are planning to include you in the new campus magazine in an article

    titled "Campus Life". Can you approve the photo and article for us before

    we go to printing please?

    If any details are wrong then we can amend before printing on Wednesday

    the 1st of February so please get back to us as soon as possible. We have

    attached the photo and article.

    Many Thanks & Best Regards,

    Joseph Hope

    Editor

    *************************************************************************

    Please respond before February 1st to ensure we have time to edit!

    *************************************************************************

    source: http://www.lancs.ac.uk/iss/a-virus/v-joseph.htm

    Nothing new here - move along, And yes as the above poster mentioned, "social engineering" however a custom trojan/virus/dropper still needs to be written so it's a mix of the 2 really.

  10. Robert Carnegie Silver badge

    You need a "password" that you can't give away.

    That is, not a password, but one of those electronic "key" devices that transmits a different unique signal each time. If it's the right signal, you pass.

    Otherwise, one fairly simple "password" could be a long bar code that can be read by a webcam or other cheap scanner. Easy to change if need be, unlike fingerprints, which are fashionable just now. Easy to steal, I suppose - in the way that housekeys also are.

    As for authenticated e-mail requests, bear in mind that penetration includes either getting someone hired or bribing someone already there. For the first, references and exam certificates may be faked. What I'm saying is that a certified internal message may also be an inappropriate request. That can be addressed by including meaningful job titles along with names on e-mail. If someone is a "Customer Experience Supervisor" and their job is to water plants in the public area of the building, you have left the path of wisdom.

    1. Anonymous Coward
      Anonymous Coward

      i think

      a physical passkey is probably the way to go, but it needs to be implemented right. Make it the staff photo id card, that logs you on to a pc, gets you through every single door, lets you use vending machines etc, otherwise it will be permanently left logged in.

      So, you have to be physically present at a logged on machine, and if you leave your key in the machine, you can't get out of the building, into any of the toilets, vending machines, canteen etc. If you lose it, or it gets stolen, it's a standard report it to security, get it cancelled and be issued a new one. you can also track any logged access that happend after reported.

      a lot of busy bars even use this sort of thing for logging into the tills

      1. BigJon

        You Reckon?

        Before you (or the previous poster) rush off with your great idea and make things worse - you better think to implement a PIN with your 'Access All Areas' pass card. ...otherwise if someone should find or steal your card then they ARE you. What happens between it being stolen and you discovering it's been stolen?

  11. Graham Bartlett

    Complicated passwords

    Conventional wisdom used to be that you should have one password for each system you use. This ran into precisely the problem mentioned, where people either write down their passwords bcos they can't remember which one works for which, or they choose bad passwords which are easier to remember.

    Bruce Schneier's take on this was simply that you should have one good password, and use it everywhere. The chances are much lower that someone from one of those systems will read your password and use it to try hacking into another system that you might potentially use, than that some external hacker will try using a dictionary attack on your account, or that someone would look under your keyboard (or in your diary after stealing your bag) and find the written-down version.

    1. RandSec

      Schneier Goes Nuts?

      If Schneier really thinks that "you should have one good password, and use it everywhere," he is an idiot, and you can tell him I said so. The solution is to use a password manager, with a different long, random password for every device, site and account. We might even use his own design, Password Safe. (Nowadays, I use LastPass.com)

      from 2003: http://www.schneier.com/crypto-gram-0307.html#7

      "Many computer users today have to keep track of dozens of passwords: for network accounts, online services, premium Web sites. Some write their passwords on a piece of paper, leaving their accounts vulnerable to thieves or in-house snoops. Others choose the same password for different applications, which makes life easy for intruders of all kinds. Password Safe is a free Windows utility (originally developed at Counterpane Labs) that allows users to keep their passwords securely encrypted on their computers. A single Safe Combination -- just one thing to remember -- unlocks them all."

      1. Graham Bartlett

        @RandSec

        Nice idea in theory. Back in the real world, it's impractical for anyone with more than one PC, it's *way* too much hassle for your average civilian, and it's not secure enough for the tinfoil-hatters.

        Schneier's comment, which I paraphrased slightly for brevity, was that multiple strong passwords are indeed the best solution. But since it'll be a frosty day in hell before the world adopts that password-safe thing, and no-one can remember multiple strong passwords, he realised that having one good one is a damn sight better security than the alternatives of either writing down your passwords or using multiple weak passwords.

        1. RandSec

          Just Use LastPass. Just Do It.

          @Graham Bartlett

          "Back in the real world, it's impractical for anyone with more than one PC...." Nonsense. I use LastPass.com on several Windows PC's and even more Linux "live" DVD's for banking. LastPass encrypts the little password database locally, then sends it to the cloud. When I change machines, it brings the encrypted database down from the cloud, and adds any new entries to the current machine. Easy peasy.

          "it's *way* too much hassle for your average civilian." Nonsense. My wife claims to be an "average civilian," and she uses LastPass. I just needed to get her started.

          "and it's not secure enough for the tinfoil-hatters." The issue is web security: banking, buying, email, docs, so on. LastPass encrypts passwords locally, and nobody else has the master key. (Do not forget that key.) LastPass also offers little text "Secure Notes" storage for private details beyond the usual password.

          "...having one good one is a damn sight better security than the alternatives of either writing down your passwords or using multiple weak passwords." So, just because it is slightly easier to use the same password everywhere (and then be unable to change it) than to learn to use LastPass, that makes it a good idea?

          1. jake Silver badge

            @RandSec

            "I use LastPass.com on several Windows PC's and even more Linux "live" DVD's for banking. LastPass encrypts the little password database locally, then sends it to the cloud. When I change machines, it brings the encrypted database down from the cloud, and adds any new entries to the current machine. Easy peasy."

            You don't see the issues with what you see as a solution?

            Where do I start ... "Windows", "cloud", "current personal machine friendly" ... Go back to school, kid. You have absolutely no idea what you are talking about.

            1. RandSec

              Lots of Complaints, No Research

              "Where do I start ... "Windows", "

              Windows, Mac, Linux, whatever.

              Firefox has an add-in. Most browsers can use a bookmarklet.

              There is a stand-alone "portable" version.

              Everyone has my permission to look at the lastpass.com webpages for themselves.

              "cloud",

              The encrypted databases are kept both locally and in the cloud. That is the amazing new innovation called "off-site backup." (Although, with "automatic backup synchronization," it actually is pretty amazing.)

              "current personal machine friendly" ...

              Some of us really do go from machine to machine and need passwords. As suggested previously, we might just remember one good password and use that everywhere, which is dumb, dumb, dumb. Or we can use that password to open an encrypted database with lots of distinct and better passwords. The choice is just not that hard.

              1. jake Silver badge

                Lots of Caps, No Understanding

                You run personal data thru' systems that you don't control?

                There is a big difference between "off site backup" and "cloud". One you have control over, the other you do not.

                Did you purchase "LastPass Premium!"? Why? Why not? Do you feel more/less secure as a result?

                One ring to rule them all ... Kids these days.

    2. Basic
      FAIL

      Except

      "Bruce Schneier's take on this was simply that you should have one good password, and use it everywhere"

      Which is fine until you find out that the site you just signed up for not only doesn't encrypt passwords in their DB but also very kindly just EMAILED you the damned thing (a pet peeve of mine).

      So now there's an unprotected, plain-text trail from their server to your home machine and anyone in the middle knows your uber-secret password...

      And even if there is no email - your security is now at the lowest common denominator of all the sites you've used that password on.

  12. Anonymous Coward
    Coat

    Nothing to it...

    On our highly decentralized company with about 40 different office locations, I started my job there assisting with a large project to replace CRT screens for LCD ones, inkjets for laser-printers and replacing ~100 XP machines with thin clients. Ok, so I was new.

    The first thing you do of course when you enter an unfamiliar building looking for a department where you don't know anyone is applying basic courtesy and introduce yourself. But after having met the so-many'th uninterested office worker, and such a long line of offices still on the todo list, I started to play a little with it.

    I went into an unfamiliar office building. Tried some doors, until I found one that was unoccupied and the door open, and walked out with computer equipment. Crazy! But with this success, I went further. I asked random people if they could unlock locked offices. And they did, without me even introducing myself, and I mostly wasn't questioned. The few times that I was questioned, I just said I was there to take away computer equipment.

    Note that none of the things I did was announced. Roughly 95% of the people didn't know me. We have no company clothing (in fact, I'm a shorts and sandals type). And just for sport I made sure I went in empty handed and walked out with equipment.

    Of course, with this job being legitimate and all, I made sure I'd bring in replacement equipment, and made an effort to get introduced to the office workers. But not before I had my fun with pretending to 'steal' equipment.

    In all this time, only one user made an effort to verify my actions with her manager, and one who denied me access until I was able to convince her I was legit. This as opposed to me borrowing some six or seven master keys, and having bin in dozens of offices unsupervised, and walking out with loads of equipment unquestioned.

    .

    All this trust in a fellow human is of course beautiful. But I don't think it's an inherent trust that allowed for this. Rather, disinterest and/or fear to confront someone. But it also has to do with attitude. If you walk in with a determination to do something, people recognize that and will comply with you quite easily.

    One last example, as it stands out above the others. We have a couple of small (often part time) support offices in the office buildings of other companies for some joint ventures we have. Really nobody knows me there. I walk in, and I have not a clue who to turn to or where to go.

    But the human hierarchy works a bit like DNS. Nobody knows everything, but everyone knows someone who might know more. The first person I met was a cleaner, and I ask who could know where I should go. Somebody else gets called, and she knows the office I need to be, but it's locked. Long story short, the president of that company is the only one with access to the key I need.

    So he gets called from the meeting he's in, and I borrow his personal keys (home, car, a dozen others) and I have the master key of his company. Now I've only given him my first name, made a vague reference to that I 'work in IT' and that I 'have to be in that office'.

    The moral of the story, kids, is that you hardly have to shave, don't need a suit (sandals and shorts suffice) and you can leave buildings much richer than entering them. But remember that stealing is illegal in many countries, so be sure to consult your local authorities if you are in doubt about applicable laws.

    /This on the subject of (in)security, please excuse the long post.

    1. Rattus Rattus

      That magical phrase

      "I'm from IT, could you please..."

      It will open so many doors, both literal and figurative.

      The original BOFH, from the Striped Irregular Bucket days, is sadly not that far from the truth.

    2. David Adams
      Boffin

      Trust based

      The example above is a fine example of a trust based system.

      If every level had to verify who you were it would waste time and resources so they accept that, as you have been passed to them by someone they already know and trust, you are legit.

      Each higher level assumes that the level below them has authenticated you and they take it on trust that you are who you claim to be.

      By fooling 1 low level of the system you can gain access to much richer pickings.

  13. jon 72
    Alert

    IT Security - the short version

    Here's a little teaser worthy of BOFH and the PFY from Jon & Julie with their little webste of gems.

    When did you last physically check for key loggers fitted between the PC and the keyboard.. that's it go on .. take a look... you know you're gonna have to inspect them all now.

    Gotta go, must remember to remove boot CD and hoover under the desk while I'm here.

  14. Phil Edwards
    Grenade

    Not that hard, surely...?

    Multiple secure passwords that are easy to remember, without requiring purchase of (presumably proprietary and therefore of dubious trustworthiness) software:

    1. Make up a sentence that you can remember easily. A good example is the one that I just typed...

    2. Reduce said sentence to initials, capitalising the first letter of the last word, so we have "muastycrE"

    3. For every web site/service that requires a password or other secure logon, e.g www.lloydstsb.com for your online banking, drop the 'www.' part and the TLD part, leaving just "lloydstsb"

    4. Pick your favourite character from the top row of your keyboard, I happen to like the "%" sign

    5. Stick all 3 elements together to give a password of muastycrElloydstsb% that you only use on the lloydstsb.com web site

    6. Rinse and repeat for other sites. For sites or network admins that require you to change passwords monthly (I'm looking at you, $EMPLOYER!!!) just put a number on the end that you increment each month

    Secure enough for most purposes, I think. Grenade icon, because any mechanism is only secure until the day it blows up in your face...

    1. Marvin the Martian
      Badgers

      I use a similar recipe

      You overlook the fact that quite a lot of passwords are limited to some arbitrary length, often 8digits. Meaning you have to vary the "website" part (so you may forget what you did), and the "fixed" part has to be short.

      Still, as you use this approach to all sites (from relatively secure well-designed things via the ones that email you your password plaintext to whatever shoddy thing), it's not unthinkable that you get sniffed one or two --- and from that the attacker knows your recipe and can systematically try access to all.

      I combine it with a security level system: I trust anyone that I borrow my bike to with my phone as well --- so my numerical bikelock (a wtf in itself) and phone have same access number. So my bank cards and logins have the same password, as they're equally trustworthy; and my computer and email do too. But borrowing my phone (old nokia, has no sensitive info outside phonebook) and my bank access are very different things, so those pass digits are different.

  15. Anonymous Coward
    Anonymous Coward

    trust

    "The vulnerability stems from humans' inherent tendency to trust one another. ... When one person saw that a group of his peers ate a particular berry and didn't die, he ate the same fruit - and survived as a result."

    That's not trust.

This topic is closed for new posts.