Give Me Your Password: A Social Engineering Intro

By kpaul in MLP
Fri Jun 04, 2004 at 10:05:27 PM EST
Tags: Security

"Big Giant Idiot Corporation, this is Pam, may I help you?" the sweet lady says with a throaty twang.

"Quick! This is Thomas from the MacKenzie group! I need the log-in for the bradley server! Quick! It's a matter of money! You don't know what it is!? What?! Tell you what, I'll show you how to get it from the system and if you do that for me ... right now ... I won't tell the boss you're slacking..."

No, we didn't just witness a woman keeping her job because of her ability to think on her feet (or seat). Instead, we saw someone use social engineering to get information. Maybe not the most elegant approach, but it could work in the right circumstances.


The idea of social engineering has been around a long, long time: getting people to hand over things (goods, information) that they were never supposed to give out at all. Today, though, the same skills are used most often to talk people out of their computer passwords.

In the past it was a lot easier because computers weren't as ubiquitous as they are now. There were probably a lot of people at work who would "walk over to a notebook and read off the numbers..." if you sounded important enough.

As more people became computer literate, though, it became more difficult to social engineer passwords and other juicy details. That's not to say it doesn't still happen, though. In fact, virus writers sometimes employ social engineering to disguise their malicious code. Infamous hacker Kevin Mitnick teaches a course on social engineering, as it used to be one of his favored techniques for compromising systems. He even wrote a book about it.

The technique can be used by those on the other end of the phone line as well. In India, call center workers were being bribed by organized crime to get info on British computer systems. I wonder how many across the world are still bribed to get information by calling consumers and companies.

Jakob Nielsen just used the phrase "social engineering" in an article for C-Net:

We'll also spend a big percentage of the computer power on defense mechanisms such as self-healing software (to root out bugs and adapt to changing environments) and aggressively defensive virus antibodies. We'll need such software to protect against "social engineering" attacks, such as e-mail that purports to come from your boss and asks you to open an attachment.

I have to respectfully disagree with Mr. Nielsen. Social engineering is best defended against by humans, not software; aren't humans better at detecting social engineering techniques? Nielsen is, though, talking about spam-style social engineering, which is really an entirely different beast.
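The lure Nielsen describes (mail that purports to come from your boss and asks you to open an attachment) is one case where software can at least raise a flag before the human has to decide. The following is an added example, not code from the original article or any product it mentions: it applies three checks that mail gateways commonly use, a protected display name arriving from the wrong domain, a Reply-To pointing somewhere other than the From domain, and an attachment paired with urgent wording. The directory of protected names, the domains, and the two sample messages are all constructed for the example.

```python
import re
from email import message_from_string
from email.message import EmailMessage
from email.utils import parseaddr
from typing import List, Optional

# Constructed directory of people worth impersonating, mapped to the only
# sending domain they legitimately use. Names and domains are hypothetical.
PROTECTED_SENDERS = {
    "pat boss": "bigco.example",
    "it helpdesk": "bigco.example",
}

URGENCY = re.compile(r"\b(urgent|right away|immediately|asap)\b", re.IGNORECASE)


def _normalize(name: str) -> str:
    return re.sub(r"[^a-z ]", "", name.lower()).strip()


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def impersonation_findings(raw_message: str) -> List[str]:
    """Reasons a raw RFC 822 message looks like a boss-impersonation lure.

    An empty list means no check fired; it is not proof the mail is genuine.
    """
    msg = message_from_string(raw_message)
    display, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = _domain(from_addr)
    findings = []

    # 1. A protected display name used from an address outside its home domain.
    expected = PROTECTED_SENDERS.get(_normalize(display))
    if expected and from_domain != expected:
        findings.append(f"display name {display!r} used from external domain {from_domain!r}")

    # 2. Replies silently redirected to a different domain than the visible sender.
    if reply_addr and _domain(reply_addr) != from_domain:
        findings.append(f"Reply-To domain {_domain(reply_addr)!r} differs from From domain {from_domain!r}")

    # 3. The lure itself: an attachment plus pressure to open it now.
    has_attachment = any(part.get_filename() for part in msg.walk())
    text = "".join(
        part.get_payload(decode=True).decode("utf-8", "replace")
        for part in msg.walk()
        if part.get_content_type() == "text/plain"
    )
    if has_attachment and URGENCY.search(text):
        findings.append("attachment paired with an urgent request to act")
    return findings


def build_sample(from_header: str, reply_to: Optional[str], body: str,
                 attachment_name: Optional[str] = None) -> str:
    """Build a constructed sample message as a raw string (a test fixture, not real mail)."""
    m = EmailMessage()
    m["From"] = from_header
    m["To"] = "pam@bigco.example"
    m["Subject"] = "invoice"
    if reply_to:
        m["Reply-To"] = reply_to
    m.set_content(body)
    if attachment_name:
        m.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                         subtype="pdf", filename=attachment_name)
    return m.as_string()


# Constructed samples: one lure in the style Nielsen describes, one ordinary internal mail.
LURE = build_sample("Pat Boss <pat.boss@mail-example.net>",
                    "Pat Boss <pat.boss.ceo@freemail.example>",
                    "Pam, urgent: open the attached invoice and process it right away.",
                    "invoice.pdf")
GENUINE = build_sample("Pat Boss <pat@bigco.example>", None, "Lunch at noon?")

if __name__ == "__main__":
    for label, raw in (("lure", LURE), ("genuine", GENUINE)):
        print(label, impersonation_findings(raw) or ["no findings"])
```

None of these checks replaces the human judgement the article argues for; they exist so that the human sees a warning banner on the message that most needs one.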

In any case, a lot more people are now exposed to the term "social engineering". Just today, Google News turned up a Christian Science Monitor article that uses it in a broader sense:

Sen. Roberts, chairman of the Senate Intelligence Committee said last week that "We need to restrain what are growing US messianic instincts - a sort of global social engineering where the United States feels it is both entitled and obligated to promote democracy - by force if necessary."

Global social engineering is a bit scary, no? Maybe a bit, but as humans, a lot of us like to think about social engineering on a mass scale.

And yet, while social engineering attempts should be seen for what they are rather easily, they aren't, as shown in this Australian IT article:

While the US Federal Trade Commission estimates identity theft is costing individuals and businesses some $US53 billion ($74 billion) annually, the social engineering tricks used by fraudsters should be fairly easy to avoid, NetIQ chief security architect Chris Pick says.

That's a big chunk of change, which shows why the dark forces use these tricks to gain access to hardware on the 'net. The same techniques are used by trolls, though, so I wouldn't say there's only one type of person who's good at social engineering.

Will social engineering ever wane? Or will ignorant and uninformed people always exist in abundance? Be careful what info you give over the phone to people as you don't know what they'll do with the information. Also, they might just be your boss!

I called Kelly and said, "Hi, this is Peter Livingston from the computer department, have you noticed your computer slowing down recently?"

"Who are you?"

"Oh, I'm Mark's assistant. He asked me to check with everyone regarding the recent slowdown of our filing system. Did you notice anything slowing down?"

"Well, it did seem rather slow the other day."

"OK, hang on, I'm going to log onto your terminal, now your user name is kblake?" I gave the person's name with first initial before the last name.

"No, it's kblakey."

"Ah, thanks. Sorry I'm still new here, OK. Hang on, oh, what's your password?"

"sam89," she replied.

"Thanks, now Kelly, would you please come to the security session meeting you were scheduled for. You just allowed a total stranger access to the system."

D'oh.

Have you ever been on either end of a social engineering exploit? Do share.

Poll
kelly should:
o keep her job 47%
o lose her job 52%

Votes: 57
Give Me Your Password: A Social Engineering Intro | 158 comments (115 topical, 43 editorial, 2 hidden)
Someone tried it on me (2.33 / 6) (#1)
by NaCh0 on Thu Jun 03, 2004 at 11:05:32 PM EST

This one time I was going to Lake Havasu for spring break. An old lady at a truck stop (in her mid 50s?) asked me for a ride across the street because she was afraid to cross it. I tried ignoring her so that she'd go away but she didn't. Since I was in a good samaritan mood, I said that she could hop into the back of my pickup truck and I'd take her. She told me to fuck off and walked over to the next island of cars!! THAT OLD WHORE WANTED TO ROB ME!!! Luckily I locked the passenger side door before I hopped out to refuel. I laughed about it for the next hour.

--
K5: Your daily dose of socialism.
I work in a hospital (3.00 / 12) (#5)
by debacle on Thu Jun 03, 2004 at 11:12:40 PM EST

Every once in a while I walk into a random department, act busy, and walk out with a PC, a printer, a half-dozen laptops, or even an X-ray machine. Speaking quickly and talking in a confident tone, I usually get out without anyone asking if I even work there.

Last week, a similar thing happened, though it wasn't me. Someone walked into the head and neck center (They had security open the door no less!) and walked out with every piece of equipment in the department.

Needless to say, I won't be doing any more randomized theft any longer.

It tastes sweet.

-1, Move to vote: Uses the word "boxen" (1.05 / 20) (#12)
by I Hate Jesus on Thu Jun 03, 2004 at 11:36:17 PM EST



Do you hate Jesus too?
Global Social Engineering (1.09 / 11) (#24)
by wji on Fri Jun 04, 2004 at 01:00:10 AM EST

Gosh, you're even less politically aware than most geeks. In this sense, "social engineering" is a right-wing bromide similar to "political correctness", referring to evil liberal efforts to turn us all into pot-smoking homosexuals.

In conclusion, the Powerpuff Girls are a reactionary, pseudo-feminist enterprise.
technological solution to human problems (none / 3) (#35)
by dimaq on Fri Jun 04, 2004 at 07:07:21 AM EST

there is some truth in your saying that human problems should be solved with human techniques, however I would like to bring the following hypothesis.

assume that a good social engineer is like an intelligence field agent.
assume that majority of regular company clerks are not trained to deal with intelligence agents.
is there really any hope that your regular clerk can go mano-a-mano with a spy?
I don't think the clerk stands much chance unaided.

There could be quite a bit of tech aid around - one could dream up a corporate communication identity scheme where when you receive a call you immediately know who you are dealing with. Not like such scheme itself could not be hacked or socially engineered, but if that's harder than taking on an average clerk, it's probably good enough.

Moreover a regular clerk should not have access to anything that could compromise a higher level of security even with help of an all-knowing social engineer. This would help against ill-meaning employees too btw.

so IMHO technology can help against social engineering - an example of this could be ancient paper (or wood or whatever) tech currently known as passports and money.

Technology *is* the defense (2.75 / 8) (#42)
by porkchop_d_clown on Fri Jun 04, 2004 at 08:46:29 AM EST

Not in security software as such, but in making the machines more tolerant of their meat-sack masters.

It's easier to fix the tech than it is to fix the people, so we need to make the tech adapt to the people rather than the other way around. In this case it means switching from a password model to either biometrics or a smart-card model. You might give out your PIN over the phone, but you can't give them the card that way.

Now where did I put that clue? I know I had one just a minute ago!
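Both dimaq's "communication identity scheme" (knowing who you are dealing with before you release anything) and porkchop_d_clown's point that a PIN can be spoken over the phone but a card cannot come down to the same control: a possession factor that answers a fresh challenge. The following is an added example, not code from either commenter or from any product: a help desk that, when a caller claims an identity, reads out a random challenge, and accepts the call only if the caller supplies both the PIN and the six-digit response that only the enrolled token can compute. The `Token` and `HelpDesk` classes, the PBKDF2 and HMAC parameters, and the enrolled user "kblakey"/"sam89" (borrowed from the article's anecdote) are all assumptions of the example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple


def _token_response(secret: bytes, challenge: bytes) -> str:
    """Six-digit response to a challenge; only something holding `secret` can produce it."""
    mac = hmac.new(secret, challenge, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


class Token:
    """The possession factor. The secret never leaves the object; callers get only responses."""

    def __init__(self, secret: bytes):
        self._secret = secret

    def respond(self, challenge: bytes) -> str:
        return _token_response(self._secret, challenge)


class HelpDesk:
    """Verifier side: stores PIN hashes and token secrets, issues and consumes challenges."""

    CHALLENGE_TTL = 60.0  # seconds a spoken challenge stays valid

    def __init__(self) -> None:
        # name -> (salt, pin_hash, token_secret)
        self._users: Dict[str, Tuple[bytes, bytes, bytes]] = {}
        # name -> (challenge, expiry); one outstanding challenge per claimed identity
        self._pending: Dict[str, Tuple[bytes, float]] = {}

    @staticmethod
    def _hash_pin(pin: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

    def enroll(self, name: str, pin: str) -> Token:
        salt = secrets.token_bytes(16)
        token_secret = secrets.token_bytes(32)
        self._users[name] = (salt, self._hash_pin(pin, salt), token_secret)
        return Token(token_secret)  # handed to the user out of band, never spoken

    def start_call(self, name: str) -> bytes:
        """Caller claims an identity; the desk reads back a fresh challenge to type into the token.

        A challenge is issued even for unknown names so the phone cannot be used to
        enumerate which usernames exist.
        """
        challenge = secrets.token_bytes(8)
        self._pending[name] = (challenge, time.monotonic() + self.CHALLENGE_TTL)
        return challenge

    def verify(self, name: str, pin: str, response: str) -> bool:
        """True only if the PIN is right AND the response came from the enrolled token."""
        record = self._users.get(name)
        pending = self._pending.pop(name, None)  # single use: a replayed response fails
        if record is None or pending is None:
            return False
        challenge, expiry = pending
        if time.monotonic() > expiry:
            return False
        salt, pin_hash, token_secret = record
        pin_ok = hmac.compare_digest(self._hash_pin(pin, salt), pin_hash)
        resp_ok = hmac.compare_digest(_token_response(token_secret, challenge), response)
        return pin_ok and resp_ok


def demo() -> Dict[str, bool]:
    """Three calls: the real user, a caller who learned only the PIN, and a replayed response."""
    desk = HelpDesk()
    token = desk.enroll("kblakey", "sam89")  # constructed enrollment

    ch = desk.start_call("kblakey")
    legit = desk.verify("kblakey", "sam89", token.respond(ch))

    desk.start_call("kblakey")
    pin_only = desk.verify("kblakey", "sam89", "123456")  # has the PIN, guesses the response

    ch = desk.start_call("kblakey")
    old = token.respond(ch)
    desk.verify("kblakey", "sam89", old)       # consumed here
    desk.start_call("kblakey")
    replay = desk.verify("kblakey", "sam89", old)  # same digits against a new challenge

    return {"legit": legit, "pin_only": pin_only, "replay": replay}


if __name__ == "__main__":
    print(demo())
```

The point of the design is the one porkchop_d_clown makes: the PIN the user can be talked into revealing is never sufficient on its own, and the secret that is sufficient sits in hardware the user cannot read out even if asked nicely.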

Social Engineering (2.40 / 5) (#45)
by Ward57 on Fri Jun 04, 2004 at 09:46:22 AM EST

is a term used to describe trying to design society, or on a grander level, moral structures. Which side invented the term I'm not sure, but religion invented the practice.

Now, if only geeks could (2.14 / 7) (#55)
by Skywise on Fri Jun 04, 2004 at 11:54:12 AM EST

"social engineer" their way into a date...

It's funny how sensitive passwords are supposed to (none / 2) (#63)
by lukme on Fri Jun 04, 2004 at 02:28:44 PM EST

be, and how sensitive they actually are.

In one company I had a technical lead who routinely gave me his password on various systems. It was completely against the company policy - especially, since the systems were owned by the client. I just pasted them into my notebook, and was sure to give the notebook to our boss when I left. I am glad I am out of that job - I wound up doing his job as well as mine.

In another company, during my exit interview, I had to write down my username/password for every system I had access to. One of my passwords was like MichaelIsAMoron ("Michael" was a coworker who knew nothing, though he was there for years).

It's funny how both companies had the policy that you were not supposed to give your password to anyone under any circumstances.


-----------------------------------
It's awfully hard to fly with eagles when you're a turkey.
Aspie Perspective What You've All Been Waiting For (1.62 / 8) (#75)
by NeantHumain on Sat Jun 05, 2004 at 03:07:33 AM EST

As nimbly minded as I like to think I am, I figure it would be seriously difficult for me to come up with a credible series of lies to obtain sensitive information. Most people with Asperger's syndrome are this way. Social engineering, in the hackish sense, basically amounts to social manipulation; and manipulation isn't our speciality.

The Slashdot summary: I'm an aspie, you insensitive clot!


I hate my sig.


They won't get my password (1.00 / 5) (#80)
by Orion Blastar on Sat Jun 05, 2004 at 10:27:25 AM EST

no they won't. I picked one so easy for me to remember but I'll never give it to them.

It is "1234" the same combination my luggage has.

When they call me up and ask me for my account and password I tell them:

"root@127.0.0.1"

and for the password:
the exact digits in the value of Pi, all of them!

Oh come on, they might figure out it is bogus info, so if they ask for my real info, I give them this:

User ID: OBlastar

Password: Fuchubeotch

They'd have to install a key logger or packet sniffer to get my "1234" password. Heh! ;)
*** Anonymized by intolerant editors at K5 and also IWETHEY who are biased against the mentally ill ***

microsoft problem (1.83 / 6) (#81)
by treat on Sat Jun 05, 2004 at 11:03:57 AM EST

Windows requires that IT staff have user passwords to properly maintain the system. A password can not be changed and then changed back in a reasonable way unless you know the original password.

Therefore it is normal for IT staff to request of users their Windows domain password.

Therefore IT departments can not tell users to not give their password to anyone.

Therefore users will give their password to anyone, because they can't know everyone in the IT department who is authorized to request it.

Re: ignorant and uninformed people (3.00 / 11) (#86)
by frozencrow on Sat Jun 05, 2004 at 12:04:46 PM EST

Will social engineering ever wane? Or will ignorant and uninformed people always exist in abundance? ...

You don't have to be ignorant and uninformed to fall for a social engineering attack. You just have to let down your guard for half a second. People who say that social engineering only works against the ignorant/uninformed are either stupid, or they have little or no experience defending against social engineering.

Direct attacks are easy to defend against. Obviously, you should never give your password away. Ditto for your credit card numbers, PINs, SSN, and all those kinds of things. Direct attacks are flashy, and they're the ones the folks like to use as examples of OMG YUO AR3 H4X0R3D!!! They're not the only attacks you need to be worried about though.

Indirect attacks are much more difficult to defend against. What's the harm in confirming a co-worker's job title? Telling someone how many domains your company has registered (and maybe list a few of them off?) Listing a fax number for the Corporate Communications department? Any of those items, by itself, doesn't do much for an attacker. However, an attacker with these little pieces of information can use them as leverage to get more information, as well as to build a profile of the target. So which pieces of information do you give out, and which ones do you not? The simple answer is to not give out anything, but this is not a viable option for most. (Should the office assistant really refuse to tell you where Bob's cube is? Should the hostmaster refuse to confirm whether or not he is a valid point of contact for a given IP address?)

Part of my job function is to serve as an external point of contact for things related to our IP allocations and domain registrations. I get calls from people all the time:

"Hi, this is Valerie with Verisign's Managed Services Group..."

"Hey, Tom from $consultant_group_whose_name_i_dont_recall here. I'm calling to confirm that $coworker is still employed there?"

"Hello, my name is Stephanie, and I represent Blue Cat Networks. May I speak with an email administrator?"

Hi, I'm Sam with $regulatory_agency, and I'm trying to track down somebody to report a case of network abuse to..."

"HELLO. THIS IS AN AUTOMATED MESSAGE FROM MBNA TO THE SMALL BUSINESS OWNER INFORMING YOU THAT YOU HAVE BEEN PREAPPROVED FOR A CREDIT LINE OF $8000."

Fucking telemarketers.

Anyway, my point is that most people are required to give out some information to some people all the time, and the rules for this information dispensation are typically fuzzy. Good social engineers will slip under your radar to make themselves appear to be valid targets for information, and in most environments, that's extremely hard to defend against. I don't know anybody who can defend 100% against information retrieval attacks, even if they are wary. I'm both wary and experienced, and I still fall for the occasional ploy. For example, I fell for caller number 2, above, confirming that $coworker was indeed an employee. (About an ohnosecond later, I realized what I'd just done, but by that point, it was a little late.)

You don't have to be stupid, you don't have to be uninformed. You just have to be human.
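frozencrow's indirect attack is hard to stop at the point of each question, because each answer is individually harmless; it is easier to notice after the fact, when one caller has collected several of those harmless answers in a short span. The following is an added example, not code from the comment or from any real system: a constructed front-desk call log records which category of routine information was released to which caller ID, and a sliding-window rule flags any caller who gathered three or more distinct categories within four hours. The log lines, caller IDs, category names and thresholds are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed front-desk call log (not real data): time, caller ID, category of
# low-sensitivity information released. Each line on its own is a routine request.
CALL_LOG = """\
2004-06-05T09:02 +1-555-0101 employment_confirmation
2004-06-05T09:20 +1-555-0101 domain_list
2004-06-05T10:05 +1-555-0199 department_fax
2004-06-05T10:41 +1-555-0101 department_fax
2004-06-05T11:15 +1-555-0101 job_title
2004-06-05T16:30 +1-555-0150 employment_confirmation
2004-06-06T09:10 +1-555-0150 job_title
"""


def parse_log(text: str) -> List[Tuple[datetime, str, str]]:
    """Parse whitespace-separated log lines into (timestamp, caller, category) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, caller, category = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M"), caller, category))
    return events


def profiling_callers(text: str,
                      window: timedelta = timedelta(hours=4),
                      threshold: int = 3) -> Dict[str, List[str]]:
    """Callers who collected at least `threshold` distinct categories inside one `window`.

    Returns caller -> sorted categories from the largest window that tripped the rule.
    Callers who ask one routine question, or spread questions over days, are not reported.
    """
    by_caller: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, caller, cat in sorted(parse_log(text)):
        by_caller[caller].append((ts, cat))

    flagged: Dict[str, List[str]] = {}
    for caller, events in by_caller.items():
        for i, (ts, _) in enumerate(events):
            # Distinct categories released to this caller in the window ending at this call.
            recent = {cat for t, cat in events[: i + 1] if ts - t <= window}
            if len(recent) >= threshold and len(recent) > len(flagged.get(caller, [])):
                flagged[caller] = sorted(recent)
    return flagged


if __name__ == "__main__":
    for caller, cats in profiling_callers(CALL_LOG).items():
        print(f"{caller}: {len(cats)} categories in one window -> {', '.join(cats)}")
```

The rule deliberately keys on the caller rather than on the content of any single answer, which is the only place the "little pieces of information" frozencrow describes become visible as a pattern; in practice the caller ID would be joined with ticket or switchboard records, since a determined caller will vary the number.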

Most people prefer to live in a nice world (2.91 / 24) (#90)
by Anonymous Hiro on Sat Jun 05, 2004 at 02:21:36 PM EST

Most people prefer to live in a world where people are nice and polite, with minimal conflicts etc. Where they don't have to be suspicious of everyone (it's hard for some people to be suspicious and NOT fearful).

So they do things like hold the door open for you, instead of slamming it shut so that you are forced to use your (nonexistent?) access card to enter despite both of your hands being used to carry a big and heavy parcel ( or baby - e.g. trying to get into apartment). Even though I know all that, I often still hold doors etc open.

They also prefer to respond naively to questions people ask them, and provide more info than necessary because in real life most people ask superfluous questions and provide superfluous information as a matter of conversation and building rapport.

They allow anyone with a uniform (heck even not recognisable ones) to fade into the background and do their jobs without being pestered.

They regard voice authentication as strong authentication even though there are people who can mimic voices very well (I believe there are programs that can do that too - well at least there's one that sings and mimics singers).

They prefer to live in a world where it's not common for colleagues and acquaintances to be fired just yesterday (high staff turnover definitely doesn't help security - nobody knows who's staff for sure).

Furthermore security guards who actually do their job are often regarded as arseholes trying to be self-important. Say they give you a hard time for not carrying your ID, even tho "Hey I've been working here for months, and you know me". Well you could have been fired yesterday or something. One security guard actually followed me and asked questions as I lugged a PC out the building (legitimately). That's one out of dunno how many over the years. And there's really little he could do - he could either let me go my way or risk creating a lot of inconvenience and potential unpleasantness by stopping me and forcing an escalation to higher authorities. It's not his fault there weren't forms and existing formalized procedures etc to help deal with that situation (not that those forms are worth anything given the typical security guard ;) ).

The trouble with a merciful world is that the bad guys get away. The trouble with a merciless world, is most people need mercy more than they need protection from the bad guys.

Mercy is the lubricant of the world. While it lets the bad guys slip away, it lets us have a decent time in the world despite our numerous imperfections and failings.

So you have to weigh things carefully. Too little mercy and you actually lose much more than you gain - could lose customers, useful employees etc.

Sure an experienced hacker could probably get in anytime, but don't overreact - look at the big picture. How much security do you need in the various areas? What are the odds? What are the costs? What are the benefits?

I mean, ID cards, confiscating nail clippers and tiny scissors hardly helps reduce the odds of a terrorist attack does it?

What you need is an increased awareness and procedures + rules that actually help. If the person who held open the door noticed me walking off somewhere unexpected, he could challenge me and if I were legit, I would expect to be challenged and so respond correctly (not take offense etc). You try to set procedures, guidelines with example scenarios so that hopefully things could be more secure without losing too much friendliness and pleasantness.

Is "engineering" the right term? (2.85 / 7) (#94)
by McMick on Sat Jun 05, 2004 at 04:24:05 PM EST

It sounds like it should be called "social deception" or "taking unfair advantage of the nature of people", or perhaps just "lying". It certainly bears no resemblance to any form of engineering I've encountered. Alas, it must be another corruption of the English language which has been brought about by the Internet.

Takes me back, (2.90 / 10) (#95)
by Sesquipundalian on Sat Jun 05, 2004 at 04:25:01 PM EST

When I was a kid, my brother and I shared an Apple IIe color personal computer (6502 @ 1 MHz, 128k, 40/80 column color, those were the days..).

We had this weird competitive thing going on and so I password protected all of the disks that I was using, I mean it's not like there was anything on them, I was just feeling tense. I even set the boot sector up to alter the ctrl-apple-apple vector (the equivalent of ctrl-alt-del), so he couldn't get by the password screen with the ML debugger.

Heh, he socially engineered access to the disks by crying to our parents who insisted that I unprotect the disks.

SO let's not forget; in some cases, social engineering can actually destroy a security system.


Did you know that gullible is not actually an English word?
Does password guessing count? (none / 1) (#130)
by flo on Mon Jun 07, 2004 at 08:45:35 AM EST

I remember a web administrator who had used the word "webmaster" as his password. That was the very first thing I tried...
---------
"Look upon my works, ye mighty, and despair!"
passwords (none / 1) (#144)
by ZorbaTHut on Tue Jun 08, 2004 at 04:44:19 AM EST

At one point I was getting fed up with the school's Linux admin, so just for amusement value I installed a brute-force password cracker on it and ran it.

In about one second I had the root password ("Cheese"), the admin's password ("clover4"), and about a dozen accounts whose password was the name of the school.

I looked at it in total disbelief, then hacked in and fixed the problems I'd run into. I maintained that server for six months until the "real" admin installed a new network card, couldn't figure out how to configure it, and decided to just reformat the hard drive and reinstall so he could go through the pretty GUI again (of course, this destroyed everyone's files and email and accounts, but what did he care? he backed his stuff up first.)

I win... (none / 1) (#147)
by creativedissonance on Tue Jun 08, 2004 at 03:06:25 PM EST

...I've social engineered my way into free food and beer more times than I can count. It's very easy, and no, I'm not telling you how.

flip flops


ay yo i run linux and word on the street
is that this is where i need to be to get my butt stuffed like a turkey - br14n
I suppose *Everything* is Engineering (none / 2) (#155)
by thoennes on Fri Jun 11, 2004 at 09:22:51 PM EST

"Social Engineering" AKA lying.

What is it with technical people that they need to put the word "engineering" in something to pump it up?

The people who lie to trick other people into something are called "scam artists".  It's an art, not engineering.  Like programming, itself.
