Your computers may not be vulnerable, but what about your employees?

By hstl in Culture
Fri Feb 09, 2001 at 07:13:24 AM EST
Tags: Security (all tags)

Computer security is not the only thing to remember in corporate systems. Often it will be easier for an intruder to gain access via your staff than by complicated technical means. While not exhaustive, here are a few things to look out for.


In this article the term "Social Engineering" (from here on referred to as SocEng) is used to describe the confidence tricks used by hackers to get into systems. Psychologists also use the term Social Engineering, but I am unsure in what context. Social engineering is a fine art and many security breaches would be near impossible without it. "H4x0r cr3w 0wnz j0ur b0x" type web defacements are unlikely to utilise SocEng, and most attacks using it are so subtle they are never even noticed.

Please bear in mind this article is intended to make you think twice about what you do at your workplace; it's not a guide to make a living from hacking. If you are confident and smart enough to do this stuff, lying no doubt comes naturally to you and you no doubt already know this stuff. Stop and think for a moment: when was the last time you got a helpdesk call for a lost password from Bob in Finance? Did you know Bob? Did you know there WAS a Bob? Did you verify that Bob really was Bob? Chances are, like most people, you took it for granted it was Bob, spat out a new password and continued whatever you were doing. It seems to be human nature to accept things as true unless there is a strong indication otherwise. It's the same as checking money. You assume bills are not forgeries when you get them in change. It's only when they are smaller, blue in color rather than green, and the Monopoly figurehead has replaced Benjamin Franklin that you begin to wonder...

Real mercenary Black Hats are not script kiddies. While a misconfigured firewall and an unpatched Redhat 5.2 box as a mail gateway will provide them with an easy way in, technology is not the only resource at their command. What easier way to get access to a system than to stroll in, wave to the security guard, sit down at a terminal and use the password stuck to the bottom of the desk drawer? It's more risky, but also more subtle than smashing packets against a firewall trying to find an open port.

There was a story published in (as I recall) WiReD a few years ago where a Security Consultant gained access to a system via walking in, physically subverting a lock (using a screwdriver or suchlike), and sitting down at the main console. He informed the indignant head of security at the company and gave his advice towards fixing the physical access issue. When re-testing the company a week or two later he was still able to do exactly the same thing. You may be installing all your vendor patches within an hour of release, but how good are your locks? Do you have CCTV? How often do you walk away from a root console to grab a cup of coffee?

In relation to my "Bob from Finance" example before, this can work both ways. What if Bob got a call from Lance in the IT Department. Lance asks if Bob's computer has been freezing. Bob doesn't think so, but Lance says Bob better tell him his password so he can fix it just in case. Bob hands over his password and hangs up the phone. Bob doesn't remember meeting anyone called Lance in IT, but Lance seemed to know what he was talking about and there are lots of people in the organisation Bob has never met. When the witch hunt for Industrial Espionage reaches Bob a few months later, once all the audit trails lead to his account, he will no doubt have forgotten about his call from Lance.

Corporate databases contain a lot of valuable information. Things like payroll databases tend to have sanity checks in them, but if all the figures inside the databases add up inside their universe no one is any the wiser. If the Human Resources database has a record for the five phantom employees who have been added to the Payroll database, who is to know they are not real? I've never heard of a large company doing roll calls to make sure all the employees are real. Provided it was done carefully who would ever suspect that five out of the four hundred people employed by the company were money syphons? Truth be known four fake employees could be a lot less costly than many other alternatives.
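The phantom-employee problem above is exactly the kind of thing a periodic cross-check catches: payroll only looks consistent inside its own universe. The following is an added example, not from the original article; the record layouts, the HR/payroll/badge exports and all names are constructed for illustration.

```python
"""Cross-check a payroll extract against HR and badge data to surface
phantom employees. Record layouts and sample rows are constructed."""
from collections import Counter

# Constructed sample exports: one dict per row.
HR_RECORDS = [
    {"emp_id": "E100", "name": "Ann Lee", "status": "active"},
    {"emp_id": "E101", "name": "Bob Finch", "status": "active"},
    {"emp_id": "E102", "name": "Cy Moss", "status": "active"},
    {"emp_id": "E103", "name": "Dee Nash", "status": "active"},
]
PAYROLL = [
    {"emp_id": "E100", "bank": "11-22-33 0001", "net": 3200},
    {"emp_id": "E101", "bank": "11-22-33 0002", "net": 3100},
    {"emp_id": "E102", "bank": "11-22-33 0003", "net": 3300},
    {"emp_id": "E103", "bank": "11-22-33 0003", "net": 3300},  # same account as E102
    {"emp_id": "E104", "bank": "44-55-66 0009", "net": 2900},  # not in HR at all
]
# Badge swipes in the pay period; someone paid but never on site needs a look.
BADGE_SWIPES = {"E100": 41, "E101": 38, "E102": 40}


def reconcile(hr, payroll, swipes):
    """Return finding-type -> sorted emp_ids. Each finding is a lead, not proof;
    a real audit would confirm with the manager on record."""
    active = {r["emp_id"] for r in hr if r["status"] == "active"}
    paid = {p["emp_id"] for p in payroll}
    bank_owners = Counter(p["bank"] for p in payroll)
    shared = {p["emp_id"] for p in payroll if bank_owners[p["bank"]] > 1}
    return {
        # Paid but no active HR record: the five-phantoms case from the text.
        "paid_not_in_hr": sorted(paid - active),
        # Two "employees" paid into one account is the classic money syphon.
        "shared_bank_account": sorted(shared),
        # On payroll, never badged in during the whole period.
        "paid_but_never_badged": sorted(e for e in paid if swipes.get(e, 0) == 0),
    }


if __name__ == "__main__":
    for kind, ids in reconcile(HR_RECORDS, PAYROLL, BADGE_SWIPES).items():
        print(f"{kind}: {ids}")
```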

When you are next auditing or designing a system, or even moving buildings, stop and think about this stuff. Shape your corporate policy to be aware of it. Stop now and send out a memo reminding staff that Helpdesk people will never ask for their password. There were confidence 'hackers' in Biblical times, and there will be for a long time into the future....
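The "Bob from Finance" and "Lance from IT" calls both fail the same two checks: identity is never verified against something the caller can't control, and a password changes hands over the phone. As an added example (not from the original article; the directory entries and ticket fields are constructed), here is a helpdesk reset routine that enforces both rules and leaves an audit trail:

```python
"""Helpdesk password-reset handling: verify by calling back the number on
file, never reveal or accept a password by phone, record everything.
Directory data and request format are constructed for this example."""
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed directory: the numbers the helpdesk will call BACK on.
DIRECTORY = {
    "bob.finance": {"name": "Bob Ayers", "dept": "Finance", "phone": "x4412"},
}


@dataclass
class ResetRequest:
    username: str
    caller_claimed_phone: str
    caller_asked_for_password: bool = False  # "just tell me the current one"


@dataclass
class Outcome:
    action: str  # "reset_via_callback", "refuse" or "escalate"
    callback_number: Optional[str]
    audit: List[str] = field(default_factory=list)


def handle_reset(req: ResetRequest, directory=DIRECTORY) -> Outcome:
    out = Outcome(action="refuse", callback_number=None)
    out.audit.append(f"reset requested for {req.username!r} from {req.caller_claimed_phone}")
    entry = directory.get(req.username)
    if entry is None:
        # "Did you know there WAS a Bob?" Unknown user: never create one on the spot.
        out.action = "escalate"
        out.audit.append("user not in directory; escalate to security, do not create account")
        return out
    if req.caller_asked_for_password:
        # The Lance pattern: helpdesk neither discloses nor collects passwords.
        out.audit.append("caller asked for a password; helpdesk never reveals or asks for passwords")
        return out
    out.action = "reset_via_callback"
    out.callback_number = entry["phone"]
    if req.caller_claimed_phone != entry["phone"]:
        out.audit.append(f"caller number {req.caller_claimed_phone} differs from "
                         f"directory {entry['phone']}; callback to directory number only")
    out.audit.append("issue one-time password over callback; force change at first logon")
    return out
```

The audit list is what answers the "who reset Bob's account, and from where?" question months later when the audit trails lead to his login.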

Poll
Does your employer have a policy on things like this?
o Yes, we have guidelines on guessable passwords, writing them down, giving them to others 17%
o Sort of, we know what we shouldn't do but its not on paper anywhere. 10%
o We don't need them. Nothing we do is of value. 11%
o We have policies? 16%
o I have an employer? 25%
o Yeah, I remember someone mentioning something like that when I was IRCing as root on my unpatched Linux 1.2.13 gateway box 18%

Votes: 90
Your computers may not be vulnerable, but what about your employees? | 17 comments (4 topical, 13 editorial, 0 hidden)
+1 because it's at least decent (1.75 / 4) (#11)
by cadfael on Thu Feb 08, 2001 at 11:13:38 PM EST

Not the greatest written article ever, but at least I can vote +1 because I understand what you wrote and why you wrote it...

Security
People who get between me and my morning coffee should feel insecure.
IETF RFC on HTCPCP
This should be an editorial comment (none / 0) (#16)
by vectro on Fri Feb 09, 2001 at 11:38:11 AM EST

That way, if/when the story makes it to the main page, your comment won't show up by default.

“The problem with that definition is just that it's bullshit.” -- localroger
Guns don't kill people (3.16 / 6) (#13)
by jabber on Fri Feb 09, 2001 at 01:26:21 AM EST

People are the ONLY security concern there is.

Computers don't crack themselves. Take computers out of the equation, and you still have security problems. There are security concerns where ever there are... people.

  • It's people that write buggy, crash-prone software; and it's people who exploit these flaws.
  • It is people who write programs like crack, and it is people who write their passwords on post-it notes.
  • It's people who overflow buffers and it is people who type rm -rf /* at an unmonitored # prompt.
  • It's people who plant logic bombs when they expect a lay-off and it is people who deface web-sites.
  • It is people who poke software with various sticks to see what makes a hole.
  • It's people that convince and are convinced that 'site security' needs their password to 'test a new feature'.
Let's not forget the 'people' factor. By all means. Lest we blame Stanley and MasterLock for burglaries, and Ford for car theft, and Krylon for graffiti and Ginsu for stabbings.

[TINK5C] |"Is K5 my kapusta intellectual teddy bear?"| "Yes"

Password guessing (none / 0) (#17)
by crankie on Sun Feb 11, 2001 at 08:29:15 AM EST

Pretty much all of our internal passwords are formed using a very simple rule which is based on a user's login name. Pretty much all of the user login names are formed using a very simple rule which is based on the user's real name. The theory is that if the person is missing and you need info from their machine, you can get in, but others outside the company can't.

I'll admit, this is starting to change now. When I joined, my user name was my initials. Big company :-) But we've progressed a bit (hell, we even have some *nix boxen now). But basically, those who needed the important passwords had them, and pretty much anyone with a certain level of company knowledge could get at the un-important ones.

Of course, when you take into account the high staff turnover and whatnot... well that's another story.

~~~
"The great thing about hardcore socialists is the silence they emit once they start earning a decent wage." - tombuck