Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security It's funny.  Laugh.

Social Engineering Still Best Way to Crack Security 522

binaryDigit writes "The Register has an amusing article about a study done in the UK where office workers were asked tricky questions like 'What is your password', and 75% of the respondents answered... They were also asked ethical questions, 'If you found a file with your coworkers salaries, would you look', 75% would, and 38% would pass the information around! Read on to be both amused (esp. the CEO) and scared."
This discussion has been archived. No new comments can be posted.

Social Engineering Still Best Way to Crack Security

Comments Filter:
  • Salaries? (Score:2, Troll)

    by coug_ ( 63333 )
    Aren't salaries in most UK businesses public?
    • I think the word you're looking for is 'pathetic'.
    • not anywhere i've worked
    • Re:Salaries? (Score:5, Insightful)

      by Sparr0 ( 451780 ) <sparr0@gmail.com> on Friday April 18, 2003 @12:33PM (#5760395) Homepage Journal
      Everywhere I have ever worked (USA) has warned us that our salaries are confidential. Which stopped about 1% of us from comparing them. All a company accomplishes by hiding salaries is being able to pay people less, which is a very bad thing from an employee perspective.
      • Re:Salaries? (Score:3, Insightful)

        by diverman ( 55324 )
        Well, in my experience, older people tend not to share salary info. It's people who are relatively new to the working world ( 2-3 years), who like to compare, especially when talking about salaried individuals. I attribute this to people eventually realizing there actually ARE other advantages to not discussing it.

        A company accomplishes a lot more than being able to pay people less, by encourage non-disclosure of salaries. They also keep any feelings of resentment and bad attitudes to a minimum which ca
        • Re:Salaries? (Score:4, Insightful)

          by Sparr0 ( 451780 ) <sparr0@gmail.com> on Friday April 18, 2003 @02:04PM (#5761122) Homepage Journal
          The value of a person's work has no real basis most of the time. The only thing you can base your salary goal on is what everyone else gets paid.

          [blockquote]
          I've seen what happens when people do, and it usually just makes for a bad environment.
          [/blockquote]

          You make my point. The reason the environment is bad is because some people are getting paid more for the same, or even less, work. As long as they can keep everyone in the dark then people are happy.
      • Perhaps the best way to avoid salary spying is to make them open. Check out what Whole Foods Market does: http://www.fastcompany.com/online/02/team1.html "he open-salary policy is undeniably radical. But its trust-building payoff is substantial. CEO Mackey initiated the policy in 1986: "I kept hearing from people who thought I was making so much money. Finally, I just said, 'Here's what I'm making; here's what [cofounder] Craig Weller is making -- heck, here's what everybody's making.'" At the risk of an "interesting" vs "off topic" mod choice, I wanted to point out this open alternative.
    • hmmm (Score:4, Interesting)

      by drDugan ( 219551 ) on Friday April 18, 2003 @12:43PM (#5760465) Homepage
      no mention of the "n" in the study. so we have no idea the statistical power of the %s they throw out. How many people did they interview? 20, 200, 2000? this leads to a big difference in the importance of the results.

  • Free Pilot rolling ball gel pen to the first person who gives me their Slashdot password!
    • by RLiegh ( 247921 ) on Friday April 18, 2003 @12:04PM (#5760174) Homepage Journal

      Free Pilot rolling ball gel pen to the first person who gives me their Slashdot password!

      It's ********
      Pen, please?
    • by ackthpt ( 218170 ) on Friday April 18, 2003 @12:19PM (#5760294) Homepage Journal
      Free Pilot rolling ball gel pen to the first person who gives me their Slashdot password!

      It's Frodo.

      Don't worry about sending the pen, I called up your ISP and said I was Bob the field service tech and you were having trouble logging in, would they mind verifying that your password was 'patthebunny', they indicated it must have been changed, I indicated you had tried to change it to 'patthebunny', which hadn't apparently gone through, "maybe the password change object garbled it, what does it show?" With that tidbit I looked into your account and found a cookie with your Visa card number and some email with your home address. I called up Visa and changed the billing address (tip o' the hat to your mom wishing you a happy birthday) A carton should be arriving at the neighbor's (who happens to be away on business, but I have a fake DL with his name on it, thanks to the DMV who never check anything.)

      Whoops! Look at the time. Better get my duds on and stroll into the governors mansion like I belong there. (I need to complete 6 place settings and only have 4 so far.)

      Ta!

    • by Anonymous Coward on Friday April 18, 2003 @12:21PM (#5760310)
      Sure, I'll bite. My slashdot password is "vIcNRc++j2". Now you only have ~640,000 slashdot user id's to try and see who I am, since I'm posting AC. Hope you have some programming skills. I'll change my password tonight at 8pm CST, you have until then.
    • by JWSmythe ( 446288 ) <jwsmythe@@@jwsmythe...com> on Friday April 18, 2003 @12:45PM (#5760485) Homepage Journal
      Cmdr Taco's password is "password". :)

      (I should get two pens for that one. hehe)

  • by dtolton ( 162216 ) on Friday April 18, 2003 @11:53AM (#5760073) Homepage
    According to the article 90% of them gave their password away,
    not 75%. 95% of the men and 85% of the women did.

    It's sad because no matter how much I know this, people are
    still able to shock me. 90% of them gave their passwords away!
    I would've thought maybe 10% or 20%, but 90%?!?

    As a corollary to this article, Kevin Mitnick's book "The Art of
    Deception" is fantastic. I tend to think of myself as fairly
    security conscious, but this book opened my eyes.

    Social Engineering is a very real threat, something IMO will
    take decades to be addressed. At a certain level I think Social
    Engineering can never be totally defeated or even necessarily
    defeated to any large degree. The problem lies with
    efficiency. Any large organization that works with a large
    number of external organizations is *extremely* vulnerable to
    this type of attack, even with incredibly strong security
    measures in place.

    The company that I work for has very, very stringent control
    policies for security. They are by far the most security
    conscious company that I have ever worked for, yet I am
    supremely confident that even a poorly executed Social
    Engineering attack would be highly successful. There is no
    doubt about it, when it comes to security humans are definately
    the weakest link.

    I wonder if the reason the numbers were a little low last year
    was due to the september 11th attacks. After the attacks people
    were highly conscious of security, but as time passes people
    relax more and begin to trust other people more. They just
    don't realize how small pieces of information can incur such a
    large cost.
    • by binaryDigit ( 557647 ) on Friday April 18, 2003 @11:57AM (#5760105)
      According to the article 90% of them gave their password away, not 75%.

      No, I said that 75% of them answered the direct question ("What is your password"). The article says that eventually 90% gave up their passwords, but it took a couple more questions to get to that percentage. That's what was so amazing, that 75% didn't even have to be "tricked", they just gave it up when asked.
      • by invenustus ( 56481 ) on Friday April 18, 2003 @12:10PM (#5760227)
        More than a few workplaces hold fire drills to gauge readiness for a fire. It wouldn't cost much for a company to hire a local starving actor to call random employees, spout some technical BS, and ask for their passwords. Then you could determine the percentage of gullible employees, and send out an email reminding everyone never to give out their passwords to someone they don't know, ever ever ever.

        Doing this once or twice a year would be dirt cheap, amusing, and very useful.
        • by eht ( 8912 ) on Friday April 18, 2003 @12:28PM (#5760364)
          Why should they be giving out passwords even to people they know?

          One of the first things I would ever do on the occasion someone gave me a password was tell them to change it immediately after i was done doing whatever I was doing, most of them gave me strange looks.

          IT should never need your password for anything, if they need to login as you for whatever odd reason they should get your permission, wipe out your old password, put in a new temp one, use that, then give you the temp one and tell you to change it.

          They shouldn't even know your password scheme as long as a trip through satan or something similiar doesn't turn anything up, or you force some standards on them like not using your logon as your password and other simple security provisions.
        • by Anonymous Coward on Friday April 18, 2003 @12:48PM (#5760514)
          I once had the network manager ask me my password.

          I replied, "Real systems administators will never need to ask for a user's password. If someone asks you for your password, they must be trying to infilitrate the system."

          This caused his boss, who was standing next to him, to burst out laughing.

          I don't know what he needed to do, but I didn't give him my password.
        • by devphil ( 51341 ) on Friday April 18, 2003 @02:28PM (#5761295) Homepage
          More than a few workplaces hold fire drills to gauge readiness for a fire.

          Some time back, everyone connected to the US Air Force (military, civil service, contractors, you name it) had to go through basic "here's how to not fuck up your password security" training. Everyone from generals to secretaries.

          Few weeks later, an AF-wide email was sent out from the internal security people. It was very short (I forget the exact text), and it pointed people at a .mil website.

          The website had a simple "type in your username and password" form.

          Ungodly numbers of people blindly typed it in. Everyone from generals to secretaries. Clicking on the "submit" button logged your username in a database of Incredibly Stupid Gullible People who immediately had their accounts locked. :-)

          (Some of the smart people in my branch just killed the web browser without entering anything. I think my coworker and I entered name/pass pairs like "verycutetrick/nicetry".)

          A few days later, another AF-wide email from the security people, scolding everyone. Those who had fucked up were required to write a half-page essay justifying why they should have their account re-enabled even though they just handed access to an unknown group of people. I was pleased.

          A few days after that, the essay requirement was revoked. Seems some N-star general with more stars than functioning neurons felt he shouldn't have to justify himself to anyone. I was disappointed.

          Now we have card readers in addition to passwords. Pull out the card, the terminal locks. And the "if you mess up, your account is revoked" rule is (finally!) enforced by official AF directive.

    • by Santos L. Halper ( 591801 ) on Friday April 18, 2003 @12:00PM (#5760146)
      When I do on-site work, I often have to ask people their passwords. I can't think of one time when anybody refused to tell me. In fact, many make it a point to tell me that they use that password for everything. I still remember most of the passwords, too.
      • When I do on-site work, I often have to ask people their passwords. I can't think of one time when anybody refused to tell me.

        They probably figure that they're supposed to. I mean, really, does the average office worker want to tell the boss that their $150/hour consultant had to stay extra time while you figured out whether or not you were allowed to give them the information they requested? Sure, they're still making a mistake, but at least there's a reason for it.

        I wonder if something similar happen
    • by skillet-thief ( 622320 ) on Friday April 18, 2003 @12:27PM (#5760350) Homepage Journal
      Just yesterday I was in a train station where the ticket agents had actually taped a little card on the side of their monitor that reminded them of two different system passwords plus login names! And we are talking about a national network! And this was on the customer side of the box, just to be ure that everyone saw it.
    • by Cthefuture ( 665326 ) on Friday April 18, 2003 @12:34PM (#5760399)
      That's why there are so many companies working on "other than password" authentication methods. Biometrics, smartcards, etc.

      The thing about something like a smartcard is that it adds a physical security layer. Even if you give someone your PIN, they still need your card. While someone could steal your card, you would be more likely to recognize "Hey, someone took my card" so that security could be locked down. Plus it because it a physical layer of security it's less likely that Joe h4xx0r will even be able to steal your card in the first place (ie. you can't physically give your card out over the phone).

      And biometrics let the computer recognize who you are instead of you telling the computer who you are.
      • Don't believe that biometrics is a stupid technology? Just google on "biometric gummy bear" and you'll see how to defeat a fingerprint scanner.

        Just breathing on some scanners is enough to "reactivate" the previous user's print (from the oil they left behind). Or, when the scanner also checks for temperature, press a baggy filled with warm water against the sensor.

        Iris scanners were defeated by pasting a picture of the user's iris on your glasses, or in some cases just holding a picture of the person up to

    • by smoyer ( 108342 ) <smoyer64@@@gmail...com> on Friday April 18, 2003 @12:44PM (#5760478)

      This wasn't even very good social engineering. The best tactics (psychologically) are methods that don't even let the person being "engineered" know that they have given data away


      Try this one (it's my favorite and my most productive tests at the companies that I help with security). Find out the name of an IT employee. Call up the intended victim and say "I'm John Doe from the IT department. We had a problem with our server which caused your password to be corrupted. We've set your password back to Guacamole and we're wondering if you've experienced any problems"


      Invariably, the victim will say "My password isn't Guacamole, it Pastrami!" to which you reply "Oh, I'm terribly sorry, we'll get that fixed before you know it".


      This results in a good password and the victim not even realizing that they've breached the company's security.


      If anyone else has "high yield" social engineering scripts, please e-mail them to me ... I'd love to do a study to see which are most effective and why

    • Actually Social Engineering *is* stoppable. One simply has to stop relying on something that relies on people having to remember anything. If a person has to remember a complex password, they'll very quickly forget it, write it down, or change it to a SE'able code.

      The technology is almost (if not actually) at full ability, it's time to go with Bio-Metric security.

      I'm running a laptop that has one of those fingerprint scanners attached. My "password" is my right mid-digit.

      "Excuse me, but for a free pen, w
    • by 4of12 ( 97621 ) on Friday April 18, 2003 @01:22PM (#5760792) Homepage Journal

      That's why at my workplace every conversation is preceded by an multi-step exchange of public encryption keys and all the conversations that you hear in the hall sound like gibberish.

  • by Jacer ( 574383 ) on Friday April 18, 2003 @11:55AM (#5760083) Homepage
    I never remember my password, I have it on a sticky note on my monitor! It's also my bank account!
    • by beerits ( 87148 ) on Friday April 18, 2003 @12:09PM (#5760218)
      I never remember my password, I have it on a sticky note on my monitor! It's also my bank account!

      Jeez don't you know anything about security? You put the sticky note on the bottom of your keyboard, that way the hackers can't find it.
      • by GlobalEcho ( 26240 ) on Friday April 18, 2003 @12:58PM (#5760610)
        Jeez don't you know anything about security? You put the sticky note on the bottom of your keyboard, that way the hackers can't find it.

        Just for laughs, I have a sticky note on the bottom of my keyboard with a couple random names and some digits on it. It has nothing to do with my password, but I am amused by the idea of somebody coming along and trying zillions of useless combinations based on my red herring.

        After all, who would put a sticky on the bottom of their keyboard unless it was for recording a secret password?
  • by B3ryllium ( 571199 ) on Friday April 18, 2003 @11:56AM (#5760098) Homepage
    As long as people are A) retarded or B) don't listen to corporate policies against this, social engineering will always be an effective tool.

    People.
    Are.
    Stupid.
    • People don't care either. I know I don't - I have nothing to hide. Of course I work in a small office, on a machine that is not connected to the internet, with at least five people who also know the root password. And my employer thinks this is fine - we are all responsible adults.
  • Naughty (Score:2, Funny)

    by EpsCylonB ( 307640 )
    Naughty.

    I love the way the register slipped that in on it's own between paragraphs.
  • by sielwolf ( 246764 ) on Friday April 18, 2003 @11:57AM (#5760107) Homepage Journal
    Sure, most people might not be smart enough. But I'd have fun with it.

    Guy: "What's your password."
    Me: "My favorite tool. Dickfore."
    Guy: "What's a dick-"
    Me: "Nahahaha!" *scamper off*
  • by Arvah ( 664349 ) on Friday April 18, 2003 @11:57AM (#5760113)
    I'm in the middle of reading "Hacking Linux Exposed" second edition right now, and am in chapter 4, which deals with social engineering, trojans, and other tricks like that. It has a burch of examples of social engineering tricks. My favorite is this one. (Spelling errors are mine, if any.)

    For example, at one university dormitory, someone placed a big sheet of paper in the lobby, which read as follows:

    Password Contest!

    Want to show your creativity? Want to win a prize? List your campus username and password here we ll be giving out free school football merchandise to the top five most original and witty passwords. Standard UNIX password rules apply no more than eight characters, case sensitive and the password must be verifiable by our judges.

    There wasn't anything indicating who put up the sheet or where the prizes were coming from, yet within a day, more than 50 usernames and passwords were written on the sheet. The accounts were accessed hundreds of times from all over the globe almost instantly.

    It lists a bunch of different categories of social engineering, and typical examples of how a baddie might use them successfully to breach security. Very enlightening.
  • Many people in my office will proudly announce what their password is. Infact sometimes they like to have a good laugh about who has the most simple password. A lot of times they'll spit out their password in a room full of clients. I tell ya it is a regular laugh riot

    I turned on strong password authentication when I was promoted.

    Now they just leave the passwords on a post-it-note on their monitor and still share it with everyone else. Lately during the monthly meetings I've been stressing the importance of security.
    • by Rick.C ( 626083 ) on Friday April 18, 2003 @12:18PM (#5760282)
      Now they just leave the passwords on a post-it-note on their monitor and still share it with everyone else.

      Sounds like they need to have a "Hey, Asshole!" note e-mailed to the boss from their account. Then let them try to figure out which of their trusted co-workers sent it.

      A little paranoia would work wonders here.

      • Ah, you don't need a password to do that.. But to make all the headers perfect, do it from their workstation, or at least don't do it from yours. :)

        ------------------
        > telnet smtp.yourcorp.com 25
        helo yourcorp.com
        mail from: victim@yourcorp.com
        rcpt to: ceo@yourcorp.com
        data
        Cc: supervisor@yourcorp.com
        Bcc: victim@yourcorp.com
        Subject: Asshole!

        Hey asshole,

        I'd just like to remind you that you really suck donkey dong! I'd tell you to go screw yourself, but it seems the VP is already in "the position"
    • by Anonymous Coward
      That's because most employees are wage slaves with no meaningful stake in the data.

      The GIs in WWII used to have a saying when they abused a jeep by running it over a pothole or something: "Oh well, it's not my jeep."

      Same thing with passwords: "Oh well, it's not my data."

  • in a related study, engineering isn't necessarily the best way to be social.

    that jerk on the tour that told you chicks dig engineers was a lying bastard.
  • by Greedo ( 304385 ) on Friday April 18, 2003 @11:59AM (#5760129) Homepage Journal
    If someone came up to me in a train station and said "I'll give you this free pen if you tell me your password", I'd just make something up and collect the pen.

    'Cause, you know ... free pen.

    Until the people who ran this survey actually *test* their findings, their data isn't very valid.

  • by chill182 ( 591443 ) on Friday April 18, 2003 @12:00PM (#5760141) Homepage
    A potential security flaw has been discovered in Human Employee. Please update all of your employees to Microsoft Android 2.0.
  • stupid (Score:5, Insightful)

    by ReLik ( 599554 ) on Friday April 18, 2003 @12:01PM (#5760153) Homepage
    This survey was taken at one of my local trainstations. It's completely stupid, some guy walks up to you and says 'I'll give you this pen if you tell me your computer password', person says anything to get free pen. wow 9 out of 10 people pretended to give out their passwords and in return they got a free pen, was any of these passwords tested to see if they worked? Were they asked where they worked, the type of computer they logged on to, the location, any other network questions? NO If it was done in a seriously way, such as inside an office building it'd be far lower, it's ridiculous to draw any conclusion from this, hell I'd say "my password is donkey" (i bet ppl will try that as my slashdot password now haha) in order to get a free crappy pen, who wouldn't?
    • Re:stupid (Score:5, Interesting)

      by Lumpy ( 12016 ) on Friday April 18, 2003 @01:08PM (#5760694) Homepage
      Ok fine...

      "Hi this is steve from the network operations center. we have been noticing that your machine has been accessing unapprove websites. I need to verify this is you. What is your login?"

      "Ok thanks"

      2 days later... "Hi this is dave from Information services, we are setting up a new internal website to make human resources files easier for you to access, claim forms and such.. what password would you like?"

      9 times out of ten I will get their network login.

      That is real social engineering... first harvest good usernames then go password harvesting.

      Social engineering is much more subtle that you realize. hell I have in my wild youth had operators and even Telephone company techs give me access number passwords and account information without a second thought over the phone.

      Social engineering is super easy if you know how to do it. and it makes life in general easier.

      I can return any item to any store without a recipt, get a sale price on an item that is 3 days after the sale, or even get the $100.00 bill changed at that gas station that has 500 signs that say "no $50.00 or $100.00 bills!"

      chances are that you will get Social engineered and never EVER know it.
  • my password... (Score:5, Interesting)

    by AssFace ( 118098 ) <`stenz77' `at' `gmail.com'> on Friday April 18, 2003 @12:02PM (#5760162) Homepage Journal
    As far as I know, all of my passwords are ********

    Easier to remember that way.

    actually, for a lot of my passwords I use bad math - like "16x12=42" - the biggest problem I've seen from it is it screws up my ability to do math.

    The worst password system I've seen is in the online banking system that BankOne uses (which also applies to the credit cards that they run).
    It won't allow you to use certain characters on the keyboard - it forces them to be 6 (!!!) alphanumeric characters.
    They might have changed their system since I last saw it - I cancelled my account and wrote them a letter telling them they were retarded when they implemented that.

    Nothing like severely limiting the keyspace for making good security.
    • The worst password system I've seen is in the online banking system that BankOne uses (which also applies to the credit cards that they run). It won't allow you to use certain characters on the keyboard - it forces them to be 6 (!!!) alphanumeric characters.

      I had an account with them too (long since canceled) and used the following password for it:

      E6l7rs

      Which, naturally, stands for "Exactly 6 le7ters".

      Even with crappy restrictions, you can usually come up with something that's not going to be easil

    • So your passwords are mostly digits, with maybe 3 other characters mixed in. Can be brute forced in no time. Better change your slashdot and wso.williams.edu passwords before anyone here gets an idea.
    • Yeah, I once had an account somewhere that wanted a max 6 charachters password. I mean really, is password storage overwhelming their memory capacity or what?

      On the other hand, after the account was gone, I decided I liked the sound of the password, so at least I got a new nick out of it.

      cheers,
      2short
    • by Shadestalker ( 598690 ) on Friday April 18, 2003 @12:51PM (#5760539)
      The bad news is, BankOne will be contacting you shortly about the above violation of the DMCA by exposing and discussing the vulnerability.
  • Sadly... (Score:4, Insightful)

    by hafree ( 307412 ) on Friday April 18, 2003 @12:03PM (#5760169) Homepage
    Sometimes the easiest way to obtain information is just to ask for it. It doesnt matter how many locks you have on your door and bars on your windows if you open up for anyone that knocks...
  • by Archfeld ( 6757 ) <treboreel@live.com> on Friday April 18, 2003 @12:05PM (#5760178) Journal
    from the treatment the employees get from the employeer and the government. They hand around your info freely. If perhaps we were treated with a modicrum of dignity and respect, it just maybe it might get returned, NOT. Treat your employees and idiots and crooks, and you will get morons and thieves :)

    Why is salary and compensation secret ? I can remeber getting bonuses in front of people to HIGHLIGHT your work and effort and to illuminate to the rest of the staff that such things happened and extra effort was rewarded. Now we are told this is confidential information not to be discussed with anyone, SCREW YOU, we get tohether and compare notes all the time. If the company wants to play games and not pay based on solid criteria and reviews and performance, vs private negotiations then they had better be prepared to deal with the kind of environment that generates...
    • You are right. Everyone believes when they are told "don't let anyone else know, but you are getting paid above average" When word get around who is payed what it only causes problems for PHB's. I absolutly would (and actually have done exactly) pass around salary info that my boss accidently left on the copier,
    • Why is salary and compensation secret ?

      It soon won't be in the UK.

      I can't remember when the law is changing (or if it has already changed) but to prevent descrimination between the salaries of men and women, companies will soon have to reveal how much people are paid to their employees.

      I've always been of the opinion that it's in the long term interest of the company to be reasonably open about how much people are paid, so that the employees can see that people who work hard and work effectively for th

  • I have a great idea for the next Slashdot poll. Here we go ...

    My computer password is:
    - 12345
    - jennajameson
    - password
    - Other, type here: _____________
    - cowboyneal
  • by MyNameIsFred ( 543994 ) on Friday April 18, 2003 @12:07PM (#5760195)
    I have no doubt that social engineering works. I've seen it work. At the same time, I have questions about this survey. How do they know that people told them their real passwords? I'm sure many people did. But I'm also sure other people just made stuff up for the free prize. I would.

    When I was in college, Sears was giving away cups if you applied for a credit card. My friends and I must have applied for 50 of them. Yes, my name is Hugh Ugly. And I live at 314 Pi Street.

  • before referring to something as social engineering. Asking seems more to qualify as "fallen/low fruit harvesting". I mean, did they at least put on fake mustaches? Hold official looking clipboards? Take notes while going "Hmmmmm"?

  • admission (Score:5, Insightful)

    by Anonymous Coward on Friday April 18, 2003 @12:09PM (#5760216)
    okay - I really laughed when I read this article ... but ...

    The number of things that I have to remember a fscking account name and password for in my life in insane.

    To make it worse, at work the sysadmins decided that we have to change network passwords every two months!!

    So, I have in my head a 'password pool' of my eight favourites, and continuously cycle through them. At worst, when I am trying to login to something I haven't used in awhile, I have to try at most eight times (usually four times). I admit this is bad.

    Social engineering attacks work because the rate these systems are introduced (all with their own unique authentication scheme) vastly exceeds the rate of the human and society's ability to organize information.
  • by EinarH ( 583836 ) on Friday April 18, 2003 @12:15PM (#5760257) Journal
    Why bother doing social engineering at all?
    Probably well over 50% of users use a common password within the top 10 category. (source silicon.com and Egg (UK bank))

    Top 10 list:
    1. Blank
    2. password.
    3. Cartoon(s).
    4. Footbal team or player.
    5. Pets.
    6. Date of birth.
    7. Girfriend name.
    8. Something nasty; words like sex, fu** or prOn.
    9. Sci-fi or fantasy (Gandalf, Yoda, etc.).
    10. Company name.

    Other common alternatives:
    -Names on children
    -qwerty and asdf
    -Same password and login (root and root)

    It's sad; but Joe-users are (generally) very ignorant about this problem.

  • by jhines ( 82154 ) <john@jhines.org> on Friday April 18, 2003 @12:16PM (#5760270) Homepage
    was "none", which even after telling people, they still would have have problems getting into the account, not thinking literally.
  • WHAT? (Score:4, Insightful)

    by DonkeyJimmy ( 599788 ) on Friday April 18, 2003 @12:17PM (#5760277)
    The most common password was "password" (12 per cent) and the most popular category was their own name (16 per cent) followed by their football team (11 per cent) and date of birth (8 per cent).

    Ok, so that's 47% of the company had a password that anyone could guess in 10 seconds! WHAT?? OK, I believe people are stupid, even REALLY stupid. But this I'm not sure I can believe. This study has to be tainted or something-- did they test all these passwords to make sure people weren't making them up? Seems to me that 90% of the people I know would lie about their password for a free pen.

    This is of course assuming that nobody's name was password, or their birthdate was 4/9/ers or anything.
  • Organizations are aware of the problem and know there are many ways to address it -- but at what cost? You can have Mandatory Access Control, retinal scanners, etc., but the cost of implementing these measures aren't always worth it. If a new employee joins, or one changes departments, or whatever, think of the hassle. It'll probably take the helpdesk 2 weeks to get stuff straightened out. Most places figure it's cost them more in lost productivity than it would to have a few password leaks. It's a gam
  • by One Louder ( 595430 ) on Friday April 18, 2003 @12:27PM (#5760359)
    Perhaps we should not blame the users, but instead accept that passwords are themselves a poor design.

    The best passwords from a technical standpoint are the worst from a social standpoint - the average net user probably has to remember a dozen or so passwords, and obscure combinations of characters are just not going to be remembered by people in this information-overloaded environment.

    I don't have a solution - but calling the users stupid certainly isn't one. Indeed, perhaps we're the ones not paying attention.

  • by ianscot ( 591483 ) on Friday April 18, 2003 @12:28PM (#5760363)
    There are a fair number of posts here that say something like:

    This will always be a problem because people are just stupid.

    At this point don't you think the "You are an idiot, I'm going to educate you," "awareness raising" security efforts by IT (and HR) people have basically failed? An irritatingly intrusive security approach combined with condescension to the users -- that should work, right? So let's force them to change passwords every month, but then chide them about writing down their passwords anywhere. Good idea. Makes things less secure, but as long as they're more secure in theory...

    (I have a big plastic "pill" on my cabinet here; on the side is printed "A security breach is a tough pill to swallow. Your password is yours alone." This came from a major corporate IT department. Did they think an expensive internal advertizing campaign was the way to prevent people writing down passwords on post-its? These same people were behind dot-com advertizing, probably. Pretty lame.)

  • by gosand ( 234100 ) on Friday April 18, 2003 @12:42PM (#5760464)
    Most of the people I know with a clue have an algorithm for coming up with their password. I do. I just don't tell anyone what it is.

    I still remember one guys password, because when he left the company he told me what it was in case I needed any of the information locked up in his account. It was CIrpotb,

    It was the first letter of every word in a line from Jeremy, by Pearl Jam. "Clearly I remember picking on the boy," I am sure the comma was thrown in for variety. The other rule of the algorithm is to have one thing that violates the algorithm.

    • These forms of passwords are much better than words, but still vulnerable if the other security mechanisms aren't in place. For example, accounts must be locked out after a certain number of illegal tries. This may seem a no-brainer, but many large organizations do not set failure thresholds precisely because they do not want to generate password reset requests to overburdened help desks (or pay more to outsourced desks).

      The problem with first-letter of common phrase is that it can reduce the variability o
      • For example, accounts must be locked out after a certain number of illegal tries. This may seem a no-brainer...

        Indeed, it does seem like someone without a brain might sugegst such a bad idea.

        The idea between locking out an account after a certain number of tries is a reasonable one. You want to make it impossible for an attacker to repeatedly try passwords. There are two big problems.

        1. Who can try the password? Anyone with access to your web site? Great, anyone in the world can denial of service a

  • Story.... (Score:3, Interesting)

    by sharph ( 171971 ) <sharp@sauropod.org> on Friday April 18, 2003 @12:44PM (#5760480) Homepage
    At the school I go to, in 7th grade (on a Novell network), we were assigned joe passwords (password=username). I hated this, but there was no way to change the password. It was all done through Novell's application explorer. The Upper School students (I'm in 9th grade now) got to use a change password icon, while we were stuck with our joe passwords. But I found a SETPASS.EXE in one of the shared folders and changed mine. I got in a lot of trouble and was *banned* from using the computers for a few months.

    The point is here: both sysadmin and users need to know about good security. How can I as a user protect my account if the sysadmin is assigning unchangable joe passwords?
  • Perhaps... (Score:3, Insightful)

    by sudog ( 101964 ) on Friday April 18, 2003 @12:46PM (#5760492) Homepage
    ...there is an underlying reason why people are predisposed to trust other people. I wonder if anyone's done any studies on whether such a predisposition is somehow an evolutionary strategy? Perhaps overall it's good for society to be cooperating instead of distrustful and angst-ridden?

    Maybe *gasp* Stallman was right after all?

    Protection from cheaters (con men) is fine and dandy, but perhaps the structures that require that level of protection are the problem, and not the people who are unnaturally forced to conform to security standards they don't want to?

    I get such a kick out of all these Slashdot geeks sitting back, smug that their anti-social, paranoid behaviour makes them less of a target for con-men trying to "score big," while completely ignoring the corrolary: A lack of cooperation or trust in general means you don't get to reap the benefits of normal socialization.

    I'm not sure which person is more sad: The one who trustingly gives away meaningless "passwords" to systems that are flawed and poorly designed anyway, or the ones who think they are somehow superior for being paranoid nutjobs about things that Don't Really Matter.

    Many of you seem to think your systems are the target of every smooth-talking "social engineer" out there--get over yourselves. Nobody is interested in getting access to your porn-ridden home directories.

    Kevin Mitnick's book was an interesting read, but he wasn't describing social engineering, he was describing a con artist whose prize wasn't money, but the thrill of lying convincingly to otherwise normal people. This is an asset? What the hell man? Here's an analogy that pops into mind: I can walk up to someone and sucker-punch them in the gut. Even the most seasoned martial-artists can be taken in by a sucker-punch. So what?! Should we all wander around in an extreme state of combat readiness? Should I be crowing about my own superiority just because I can sucker-punch a Ninjitsu nth-degree blackbelt god?

    I call bullshit. Bull-effin-shit.
  • by Animats ( 122034 ) on Friday April 18, 2003 @12:47PM (#5760508) Homepage
    19 years ago, while at Ford Aerospace, I wrote a small, simple obvious password detector [animats.com] to prevent this. It forces you to choose a password that doesn't have the triplet statistics of English, so you have to use something other than a single word. Most random combinations of letters will work. This is enough to prevent the usual idiotic password choices.

    Would somebody please put this in Linux?

  • by gosand ( 234100 ) on Friday April 18, 2003 @12:56PM (#5760590)
    At work I have at least 10 passwords. Do you want my network login, SAP, ClearQuest, TestManager, RequisitePro, screensaver, Visual Source Safe, 401k, voicemail, or any of the other 10 applications I have to log into to get my job done? They all have different expiration and reset rules too.

    In my personal life, I have about half that. So yeah, I do use the same password in different places. But I usually have a "low" "medium" and "high" security password algorithm that I use. My more secure ones are up to 15 characters, my least secure are blank. (for dumb apps at work)

    Managing passwords can get pretty cumbersome, but I do it because I know it needs to be done. Most people don't realize that.

    I still remember working in the computer lab in college, and having to reset people's passwords daily because they would forget them. In true suave-geek fashion, every hot chick got her password changed to my name. (that never did work out the way I had hoped) :-)

  • by eaddict ( 148006 ) on Friday April 18, 2003 @01:01PM (#5760646)
    Many years ago when I was a mere IS lacky at a credit union an audit came up which FINALLY recognized that credit unions had IS departments. The CU software we used stored all of the user passwords in a file on system which could be retrieved and seen (mainly by us IS folks - but then again, we had access to the HW). One of the auditors asked for a printout of all the passwords to make sure people were following the password procedure (ie no "password", names, birthdays, etc). I told him no. He called his boss, the BIG Auditor. HE told me to give it. I again said NO. HE called the CIO/CFO of the CU to make me give it to them. I did - then I sent out a company wide e-mail announcing what I did and told people to IMMEDIATELY change thier password. That lit a fire under the auditors butts. I was called into a meeting with the auditors and the top execs at the CU. We had a nice chat about security. In the end, the Auditors didn't get another printout. Oh, and when the auditors left for the day I took the password printout off of the desk of the one who requested it and put it through the shredder.
  • Screw that.... (Score:5, Interesting)

    by Mac Degger ( 576336 ) on Friday April 18, 2003 @01:02PM (#5760654) Journal
    If I found a file with salary records, I'd pass 'em around too. I still have not heard a single good reason to keep that information for only the accountant and CEO to see.

    Not only would open accounting force a company to be honest about what it does financially, but it would also be a potential morale boost to the staff (and that's even when the company is down in the hole...openness means understanding and makes people work together). Plus it would put an end to the stupidity of male-female salary inequities...like work would mean like payment and any extra pay would have to be defended on the basis of what that person brings extra to the company, as it should be.
    • Honest and open accounting is probably a good thing, but only if the company its self is entirely on the up and up. And I am not talking about various strictly illegal activities either.

      Do you think that there would be a morale increase when it becomes common knowledge that the owners unqualified son in a junior position is paid more then people with greater amounts of skill?

      Or when the 2 highest paid employees ae the owner and his secretary (who is also his girl friend).

      How about when the executives ge
  • by SuperBanana ( 662181 ) on Friday April 18, 2003 @01:15PM (#5760735)
    Many people in my office will proudly announce what their password is. Infact sometimes they like to have a good laugh about who has the most simple password. A lot of times they'll spit out their password in a room full of clients.

    I turned on strong password authentication when I was promoted.

    Now they just leave the passwords on a post-it-note on their monitor and still share it with everyone else.

    Don't solve human problems with technical measures. Solve them with human measures. Would you expect the HR department to set up the company network? Then you shouldn't try to control employees. Quick solution to your problem is to:

    • Approach senior exec, inform him/her of the problem and the risks. Take your time to put your thoughts together and even better down on paper. Point out that a weak password is equivalent to leaving the front door unlocked. Don't get hysterical, don't present unrealistic scenarios about swarms of hackers flooding the company, death/destruction...they can smell BS a mile away.
    • When asked "what can we do?", request/suggest the HR department create new rule(s) regarding passwords. Include the rules you want about what passwords should/should not be; make sure you're reasonable and don't make stupid rules that only marginally increase security in specific cases.
    • Make the "what a password should/should not be" policy effective in one week to give people plenty of time to change them. Make effective -immediately- a policy that passwords are not to be written down nor discussed with ANYONE, except IT personnel who have identified themselves in person, and NEVER over the phone or via email.
    • Make sure it is backed up with a clear consequences and strict punishments(but, say, one 'grace' exception, so nobody looses their job over one slip). Forced leave of absence, followed by termination if repeated...whatever's legal. The HR department will be the best people to decide how to go about this one, since there are often legal issues involved, and keeping employees in line is a problem they deal with every day. All you need to do is say "company secrets" "proprietary information", "potential large-scale data loss", and HR should immediately get the picture.
    • follow it up with password security audits using password cracker tools...make sure accounts aren't shared by checking logs, and conduct surprise office/cubicle "look around only"(ie, don't touch their stuff, please) inspections, looking for said postit notes. If an employee flunks, a letter goes to their manager and HR immediately. It will not take long for word to get around that you're serious about security.

    Problem solved. There is one caveat- you MUST make it easy for them to change their passwords. CLEARLY document how to do it, and even go so far as to set up a time when people can drop by your office/cube and get help changing their password, and you MUST give them proper time for

  • Free Karma? (Score:3, Funny)

    by CodeHog ( 666724 ) <joe.slackerNO@SPAMgmail.com> on Friday April 18, 2003 @01:18PM (#5760760) Homepage
    If I give out my password do I get Karma points on /.?
  • by RobinH ( 124750 ) on Friday April 18, 2003 @01:34PM (#5760874) Homepage
    Thanks to Michael Moore's Bowling for Columbine, everyone now knows that up here in Canada, we don't even bother to lock our doors (unless we live in a border town).

    I might as well also mention that we don't use passwords either. We don't really worry too much about crackers - most of them are just bored kids with nothing better to do.
  • by f97tosc ( 578893 ) on Friday April 18, 2003 @01:35PM (#5760880)
    In my engineering school there was this story about a guy in the CS department who had been "living" in front of one of the workstations for years.

    On one occasion, he was helping some newbie with something; and he allowed the guy to log into his account. Naively, the newbie asked for the password across the room; everyone else in the computer center listened up expecting a refusal.

    But instead, this CS guy just started to tell his password "j3Y9_fg..." loudly; the newbie started to type. But the password just kept comming; it was up towards 50 completely random characters long!

    It turned out that the system insisted on a changed password every month; but the default selection was the old password. Rather than coming up with something new every month, this guy had just added one more character every time. Of course, it is not too hard to memorize one more character per month month either.

    Tor
  • by richie2000 ( 159732 ) <rickard.olsson@gmail.com> on Friday April 18, 2003 @01:54PM (#5761043) Homepage Journal
    'notobviuous'. UUNet had that as the password needed to access the UUCP modem box. You needed a 'real' login/password combo to actually access the server behind it, but this one just cracked me up everytime I saw it. I imagined a PHB telling a tech to come up with a password that wasn't obvious and he cheerfully complied. :-)

    Other good ones are 'obscure' and 'secret', always fun if someone asks you for the password.

    -What's your password?
    -It's obscure.
    -Good, but what is it?
    -I told you, it's obscure.
    -OK, let's start at the top, what's your login?
    -It's secret. No, really! No, not the comfy chair!

    • by Darth RadaR ( 221648 ) on Friday April 18, 2003 @02:08PM (#5761156) Journal
      -What's your password?
      -It's obscure.
      -Good, but what is it?
      -I told you, it's obscure.
      -OK, let's start at the top, what's your login?
      -It's secret. No, really! No, not the comfy chair!


      I did a few similar things with root passwds on development boxen. My two favourites are 'no' and 'not today'. ;)

      I heard about a SysAdmin who wanted to change the pass-phrase[0] for their alarm system to "How should I know? I'm just trying to rob the place."

      [0] The phrase you give the operator from the alarm company when they call after the alarm's gone off.
  • From Ross Anderson (Score:5, Insightful)

    by Checkered Daemon ( 20214 ) on Friday April 18, 2003 @02:08PM (#5761146)
    In his book "Security Engineering"

    "In conclusion, the main thing we did wrong when designing ATM security systems in the early to mid 1980s was to worry about criminals being clever; we should rather have worried about our customers - the bank's system designers, implementers, and testers - being stupid."
  • by Enrico Pulatzo ( 536675 ) on Friday April 18, 2003 @02:28PM (#5761291)
    You don't let consumers design keys to their house do you? How many people would pick a key with a really simple to determine scheme? The fact is the end-user is too gullible to be allowed to have keys which they think they understand to any kingdom. For this reason, I think real hardware keys are a better bet for computer security. End user security needs to be redesigned from the ground up to take away the user's power.

    Remember, with great power comes great responsibility. The sad fact is most end users are not ready for such responsibility.
  • A cool trick (Score:4, Interesting)

    by PatJensen ( 170806 ) on Friday April 18, 2003 @03:04PM (#5761537) Homepage
    Have you ever ordered a pizza before? This is a fun one you can do in room full of your coworkers. All it takes is a phone number and someone's name - and you can get their address. Even if their phone number is unlisted!

    Call up Me and Eds or Pizza Hut and tell them you want to order a pizza for delivery. Give them your phone number and name, and they will happily read you back their address. Then hang up.

    -Pat

I've noticed several design suggestions in your code.

Working...