Social Engineering Dangers


  • This is something worth reiterating. One of the methods a hacker employs is social engineering. It makes the hacking job so much easier. Employees really should be careful about what they say, write, tweet, or blog.

    Jason...AKA CirqueDeSQLeil
    _______________________________________________
    I have given a name to my pain...MCM SQL Server, MVP
    SQL RNNR
    Posting Performance Based Questions - Gail Shaw
    Learn Extended Events

  • Interesting take on social networking, Steve. I personally don't use any social networking features (except participating in forums on sites like Microsoft community pages, BeyondRelational, SQLAuthority, SQLAloha and SSC 🙂 ). However, I do believe that more often than not, something inevitably winds up on the social networking sites (what domains a company is working on, in what geographical areas its customers are distributed, etc.) - which is quite important information if you think about it. The competitor might just be starting to "invade" the home ground, and social networking sites might be the best early indicators of such a scenario.

    Also interesting is the timing of this editorial - the Dilbert comics for the last two days have had a reference to the evils of social networking in them.

    Rightly said, Steve - security is only as good as its weakest link.

    Thanks & Regards,
    Nakul Vachhrajani.
    http://nakulvachhrajani.com

    Follow me on
    Twitter: @sqltwins

  • preaching to the converted...

    the DBAs are probably not the audience to address here.

    edited to take out too many "the's"

    Peter Edmunds ex-Geek

  • I agree with the thrust of today's editorial, but I think when we are talking about security there is only one enemy. It is a rapacious and devious enemy, one who is with us all the time and in these days and times, one that is growing by leaps and bounds each day. What enemy is that? Simple: stupidity.

    I spent a great deal of time studying the data theft at TJX - I wanted to know how a company like that could have been robbed of hundreds of thousands of client credit card records. For those who don't recall this robbery, two hackers drove through their parking lot with a couple of laptops, cracked into their wireless network, and made off with some 300,000 records. The data was not encrypted, and so in essence TJX's data wizards simply popped unsecured data into the "air", and sure enough, some enterprising hackers said "Thank you" and made off with a bundle. Thankfully they were caught.

    It seems that each time I read about some security breach, stupidity lives at the core of the tale of data theft. Companies spend a fortune securing their network, and then someone loses a laptop in an airport, or downloads the "mother lode" to a memory stick which they then lose.

    Against this backdrop, one has to wonder if all the big companies trying to secure data actually stand a chance. Indeed, it seems to me that encrypting data is the only real solution - well, hurdle - that companies can use. What is the point of "highly secure" networks when two hackers never even enter the building and yet make off with the data?

    In my career I have seen the enemy, and the enemy is us. While we allow PhDs and 'super-brains' to come up with new and wonderful security systems and ideas, what the heck good is that when someone padlocks the door, leaving the window next to it wide open?

    There's no such thing as dumb questions, only poorly thought-out answers...

  • Based on the cases I've read about, it seems that only a small percentage of data breaches are the result of someone hacking the actual database server. From what I recall about the TJ Maxx case, the hackers were able to eavesdrop on unencrypted or weakly encrypted data transmitted from the point of sale terminals. I think the most common scenario is where printed reports are taken from trashcans or from the hard drives of printers or photocopiers. A few months ago, either Discover or Scientific American magazine had an article about the use of telescopes to eavesdrop on PC display monitors in downtown financial districts. There are even ways to pick up the electromagnetic radiation coming from PCs and office equipment and then decode it back into text.

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho

  • I understand the gist of this thought process but it seems to me to be a sad way to have to live. I love that Microsoft encourages their employees to blog about their work and hate the way Apple is so closed and secretive about everything.

    I think it is possible to distinguish between the relatively small amount of data that really needs to be secured and the larger amount of data that might be better off in the public domain. I am a huge fan of transparency in business and life and think it is a better policy than clandestine secrecy.

    Let's take an example. Right now SSNs can be used with a little other info to get credit in someone's name. Thus we try, and often fail, to keep our SSNs secret. However, if all SSNs were public information we would actually be less likely to have our identity stolen, because we would by necessity require a more intensive process before getting credit in someone's name, ideally including a real-life meeting of two people where a standard form of photo ID is checked by the agency issuing the credit, possibly against a public copy database of all state IDs, thus proving that the person getting the credit matches at least the picture and maybe the fingerprint of the person they say they are. (Or at least matches who the state thinks they are.) In this area, trying to use a secret piece of information to secure our credit actually makes our credit less secure, and I think this argument can be extended much more widely.

  • I guess it's the always thinking and always curious human nature that is the driving factor behind this. If you say that something is not supposed to be done, the human race and our constant drive for superiority over other living creatures will one day lead us to doing that in order to prove that it can be done and achieved by humans.

    We were told that the Earth was flat - Christopher Columbus proved us wrong. We thought flying was impossible - the Montgomery proved us wrong. We find a strong encryption algorithm, somebody finds an equally strong decryption algorithm.

    We think something is secret & cannot be known - we prove ourselves wrong.

    Somewhere, deep down, I believe it is our basic survival instincts that are kicking in. In the TJX case, somebody must have had to believe that the modus operandi used was possible - the thought must have come from somewhere.

    With respect to social networking, we should start by cultivating basic alertness - why tell somebody that you are going out of town for a couple of days and that there's going to be no one in the house? Why talk to a bank on a train where you might accidentally give out the last 4 digits of your SSN? Why send out an E-mail on the public domain saying you think that an organization is doing badly and might collapse? - that very communication coupled with the right data/market scenarios might cause mass hysteria and cause the organization to crash.

    Simply by being alert, we can reduce such incidents dramatically.

    Thanks & Regards,
    Nakul Vachhrajani.
    http://nakulvachhrajani.com

    Follow me on
    Twitter: @sqltwins

  • Eric Russell 13013 (9/15/2010)


    Based on the cases I've read about, it seems that only a small percentage of data breaches are the result of someone hacking the actual database server. From what I recall about the TJ Maxx case, the hackers were able to eavesdrop on unencrypted or weakly encrypted data transmitted from the point of sale terminals. I think the most common scenario is where printed reports are taken from trashcans or from the hard drives of printers or photocopiers. A few months ago, either Discover or Scientific American magazine had an article about the use of telescopes to eavesdrop on PC display monitors in downtown financial districts. There are even ways to pick up the electromagnetic radiation coming from PCs and office equipment and then decode it back into text.

    It is a little crazy how far people will go to get information. However I think it's easier to protect against those issues if we try to follow better security practices and not dismiss them as pains in the arse. Too often we have people doing things for the sake of expediency, or to be a "nice guy/gal", and they compromise security.

  • krowley (9/15/2010)


    I understand the gist of this thought process but it seems to me to be a sad way to have to live. ...

    ... we would actually be less likely to have our identity stolen because we would by necessity require a more intensive process before getting credit in someone's name, ideally including a real life meeting of two people

    I agree with both these thoughts. Worrying about security is hard. And sad. Recently I stumbled on this site (http://icanstalku.com/), which is sad. It's a problem for me to post photos to share with my family and friends?

    I agree with you on the latter. While it's nice and convenient to get new things done from home, I think for the sake of security that banks, medical companies, etc. should require face to face interaction for new accounts or the release of information.
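    Sites like the one linked in the post above work from the GPS tags that phones and cameras write into a photo's Exif block, so the question "is it a problem to post photos?" comes down to whether that block is still attached when the file is shared. The following is an added example, not code from the post or from that site: a dependency-free Python check that walks the JPEG marker segments, parses the Exif/TIFF structure, reports any embedded latitude/longitude, and strips the Exif segment before the file goes out. The sample JPEG and its coordinates are constructed in the code (they are made up) so the example runs offline; the tag numbers and layout are the published TIFF/Exif ones.

```python
import struct
from typing import Optional, Tuple

# JPEG markers and the Exif/TIFF tag numbers used below (from the Exif spec).
SOI, APP1, SOS, EOI = b"\xff\xd8", b"\xff\xe1", b"\xff\xda", b"\xff\xd9"
TAG_GPS_IFD = 0x8825                     # GPSInfo IFD pointer, lives in IFD0
TAG_GPS_LAT_REF, TAG_GPS_LAT = 0x0001, 0x0002
TAG_GPS_LON_REF, TAG_GPS_LON = 0x0003, 0x0004


def build_sample_jpeg(lat=(40, 44, 30), lon=(73, 59, 10)) -> bytes:
    """Construct a minimal little-endian Exif JPEG (SOI, APP1, EOI) whose IFD0
    points at a GPS IFD holding N/W degree-minute-second rationals.
    The coordinates are made up for this example."""
    # Offsets relative to the TIFF header:
    #   0 header(8) | 8 IFD0: count(2)+1 entry(12)+next(4) -> 26
    #  26 GPS IFD: count(2)+4 entries(48)+next(4) -> 80
    #  80 latitude rationals(24) | 104 longitude rationals(24)
    ifd0 = struct.pack("<H", 1) + struct.pack("<HHII", TAG_GPS_IFD, 4, 1, 26) + b"\0\0\0\0"
    gps = struct.pack("<H", 4)
    gps += struct.pack("<HHI4s", TAG_GPS_LAT_REF, 2, 2, b"N\0\0\0")   # ASCII, inline
    gps += struct.pack("<HHII", TAG_GPS_LAT, 5, 3, 80)                # 3 RATIONALs at 80
    gps += struct.pack("<HHI4s", TAG_GPS_LON_REF, 2, 2, b"W\0\0\0")
    gps += struct.pack("<HHII", TAG_GPS_LON, 5, 3, 104)
    gps += b"\0\0\0\0"                                                # no next IFD
    rationals = b"".join(struct.pack("<II", v, 1) for v in lat + lon)
    tiff = b"II*\0" + struct.pack("<I", 8) + ifd0 + gps + rationals
    payload = b"Exif\0\0" + tiff
    return SOI + APP1 + struct.pack(">H", len(payload) + 2) + payload + EOI


def jpeg_segments(data: bytes):
    """Yield (marker, start, end) for each marker segment before SOS/EOI."""
    pos = 2                                   # skip SOI
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos:pos + 2]
        if marker in (SOS, EOI):              # entropy-coded data follows SOS
            break
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        yield marker, pos, pos + 2 + length
        pos += 2 + length


def exif_tiff(data: bytes) -> Optional[bytes]:
    """Return the TIFF body of the first APP1 Exif segment, or None."""
    for marker, start, end in jpeg_segments(data):
        if marker == APP1 and data[start + 4:start + 10] == b"Exif\0\0":
            return data[start + 10:end]
    return None


def read_ifd(tiff: bytes, offset: int, endian: str) -> dict:
    """Return {tag: (type, count, raw 4-byte value/offset field)} for one IFD."""
    n = struct.unpack(endian + "H", tiff[offset:offset + 2])[0]
    entries = {}
    for i in range(n):
        e = offset + 2 + 12 * i
        tag, typ, count = struct.unpack(endian + "HHI", tiff[e:e + 8])
        entries[tag] = (typ, count, tiff[e + 8:e + 12])
    return entries


def gps_coordinates(data: bytes) -> Optional[Tuple[float, float]]:
    """Return (lat, lon) in decimal degrees if the JPEG carries GPS tags, else None."""
    tiff = exif_tiff(data)
    if tiff is None or tiff[:2] not in (b"II", b"MM"):
        return None
    endian = "<" if tiff[:2] == b"II" else ">"
    ifd0 = read_ifd(tiff, struct.unpack(endian + "I", tiff[4:8])[0], endian)
    if TAG_GPS_IFD not in ifd0:
        return None
    gps = read_ifd(tiff, struct.unpack(endian + "I", ifd0[TAG_GPS_IFD][2])[0], endian)
    if not all(t in gps for t in (TAG_GPS_LAT_REF, TAG_GPS_LAT, TAG_GPS_LON_REF, TAG_GPS_LON)):
        return None

    def dms(tag: int) -> float:
        # Three RATIONALs (24 bytes) never fit the 4-byte field, so it holds an offset.
        off = struct.unpack(endian + "I", gps[tag][2])[0]
        parts = [struct.unpack(endian + "II", tiff[off + 8 * i:off + 8 * i + 8]) for i in range(3)]
        d, m, s = (num / den for num, den in parts)
        return d + m / 60 + s / 3600

    lat, lon = dms(TAG_GPS_LAT), dms(TAG_GPS_LON)
    if gps[TAG_GPS_LAT_REF][2][:1] == b"S":
        lat = -lat
    if gps[TAG_GPS_LON_REF][2][:1] == b"W":
        lon = -lon
    return lat, lon


def strip_exif(data: bytes) -> bytes:
    """Drop every APP1 Exif segment; the blunt but reliable way to remove GPS tags."""
    out, pos = bytearray(data[:2]), 2
    for marker, start, end in jpeg_segments(data):
        if not (marker == APP1 and data[start + 4:start + 10] == b"Exif\0\0"):
            out += data[start:end]
        pos = end
    out += data[pos:]                         # SOS onward (or EOI) is kept verbatim
    return bytes(out)


if __name__ == "__main__":
    photo = build_sample_jpeg()
    print("before:", gps_coordinates(photo))  # constructed coordinates leak
    print("after: ", gps_coordinates(strip_exif(photo)))  # None
```

Dropping the whole Exif segment also discards harmless tags such as orientation; a surgical variant would rewrite IFD0 without the GPSInfo entry, but that means relocating every offset in the TIFF block, which is exactly where hand-written metadata editors get it wrong. For files leaving an organisation, removing the segment is the safer default.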

  • Krowley,

    You make a very good point.

    Here's an example of where that same process would hurt commerce and inconvenience us.

    Doing what you suggest, however, negates my ability to log onto Dell's website and get an instant loan for the new laptop I want to buy right now.

    Dell may think the losses due to fraud are small enough that they prefer the additional business that capability brings in.

  • david_wendelken (9/15/2010)


    Dell may think the losses due to fraud are small enough that they prefer the additional business that capability brings in.

    This is why we would need regulation. Companies left to their own devices often don't think beyond their walls to the larger problem.

  • I worked with a guy who used social engineering to join the Board of Regents of a major State University. He just showed up at one of their meetings and acted like he belonged.

    After a meeting or two, someone asked him who he was. He just silently gathered up his things, slowly stood up, and then looked at the person. He said, "You wound me." and walked out without another word.

    He waited a few meetings, then went back.

    No one questioned his right to be there again.

    It was simply brilliant.

    I thought the message he got the regents to send out concerning the health risks of computer viruses was amusing...

  • Steve Jones - Editor (9/15/2010)


    david_wendelken (9/15/2010)


    Dell may think the losses due to fraud are small enough that they prefer the additional business that capability brings in.

    This is why we would need regulation. Companies left to their own devices often don't think beyond their walls to the larger problem.

    In this case, I think the risk of my getting compromised via that commerce mechanism is far less than the certain annoyance of having to arrange funding in person.

  • Steve Jones - Editor (9/15/2010)


    david_wendelken (9/15/2010)


    Dell may think the losses due to fraud are small enough that they prefer the additional business that capability brings in.

    In this case Dell should be responsible for any losses due to fraud and should not be allowed to knock my credit history if the loan goes bad, particularly if it was not me who got the loan in the first place. I am willing to let companies give out credit without a face-to-face meeting as long as the company is the one taking all the risks and this can in no way come back on my credit history if someone steals my SSN and applies for credit from this company. Right now it is too easy for someone else to get credit in my name pretending to be me. And after that happens it is WAY too hard to go back and clear my credit history etc...
