LINUX SECURITY --- August 08, 2000
Published by ITworld.com, the IT problem-solving network
http://www.itworld.com/newsletters
*********************************************************************
HIGHLIGHTS
* Securing your network against human error.
*********************************************************************
Social Engineering
by Rick Johnson
The single most successful way to compromise security is often the
easiest to overlook. It does not require superior programming skills or
the exploitation of inadequate coding. This marvel of the black hat
arena relies on one simple ingredient: human nature. Once you
understand how people will react in a given situation, you have the
ability to use that information to your advantage. This is the concept
behind Social Engineering.
There are many ways to Social Engineer a password. The walkthrough
method is extremely popular. Personnel habitually leave their passwords
written on sticky notes somewhere on their desks. Wandering through an
office and glancing at desks can yield very interesting results.
Teaching employees to avoid writing down their password offers
tremendous help in stopping this type of attack.
Another popular method, dumpster diving, entails looking through the
company dumpster. It will often lead to a username and password
combination scrawled on a piece of scrap paper. This exploit is
avoidable with proper education on the use of a paper shredder.
Here is an example from my own past experiences:
I placed a call to the helpdesk of a multi-national corporation and
received your basic front-line technical support operator. I identified
myself as Joe Blow, Vice President of Whatever, a name that was
conveniently listed on their Web page. I then proceeded to rant in the
most obnoxious voice possible and explained how "this stupid thing" was
not working again. I followed this up by yelling about my password,
"blah," not working when I dialed into the network while on the road.
The official policy required the operator to verify the caller's contact
information before making any changes. However, in accordance with the
unwritten company policy of being as helpful as possible, they
immediately offered to help however I wished. Then, I issued an
ultimatum that if my password was not set to "blah" within ten minutes,
their supervisor would be contacted. Fearing for their job, the operator
quickly changed the password and apologized for the inconvenience. With
one phone call and a bit of creative acting, I achieved executive level
access into their internal network. Not bad for only using a telephone.
After this incident, we spoke with the individual who broke with policy
and changed the password. Their reason for this infraction was simple:
they had stood their ground in the past, only to have management
chastise them for inconveniencing an executive. The process had failed
due to a manager who felt the policies did not apply to them.
Those who are out to do harm will try to use human nature to their
advantage. Thankfully, other traits can just as easily stop them in
their tracks. My two favorites are suspicion and paranoia. To help
protect your network against this type of malicious attack, follow these
three main rules:
* Have clear policies in place to allow for verification of user
identities.
* The entire company must adhere to the policies, including
management.
* End users must be educated on proper password management.
Social Engineering is by far the easiest way to compromise a network. No
matter how successful you are at locking down your Linux servers, all it
takes is one person to give away their password. Knowingly or not, the
result is always a disaster.
Resources

The human side of computer security
What are the effects of social engineering on Internet security?
http://www.sunworld.com/swol-07-1999/swol-07-security.html

How secure are you?
Read this security Q&A to determine whether or not you're overlooking
any major security holes.
http://www.sunworld.com/swol-11-1998/swol-11-webmaster.html

Web Security & Commerce: Make room on your shelves for this one
The latest Garfinkel and Spafford book tells us why we should worry
about Web security and why Web servers are so vulnerable to attack.
http://www.sunworld.com/sunworldonline/swol-08-1997/swol-08-security.html
************************************************************************
About the author
----------------
Rick Johnson is currently the Manager of Security Services for
FusionStorm, a remote managed services company. When not writing, he
heads the development team for PMFirewall, an Ipchains Firewall and
Masquerading Configuration Utility for Linux. Rick can be contacted via
email at rick@pointman.org or on the web at http://www.pointman.org.
*********************************************************************