Security book chapter: The Truth About Identity Theft

The Truth About Identity Theft Author: Jim Stickley Official book page Read all of Chapter 11: Social Engineering (.pdf)

The following is an excerpt from the book

People often ask me how hard it is to hack a password. In reality, it is rare that I ever need to hack someone's password. Though there are numerous ways to gain passwords on a network and hundreds, if not thousands, of tools available to crack encrypted passwords, in the end I have found that it is far easier to simply ask for them.

A perfect example of this type of attack was a medium-sized bank that I was testing recently. The bank's concern was related to the new virtual private network (VPN) capabilities it had rolled out to a number of its staff. The VPN allowed staff to connect directly to their secured network while at home or on the road. There is no doubt that a VPN can increase productivity, but there are some pretty major risks that can come with that convenience. The bank explained that the VPN was tied into its Active Directory server. For people who are not technical, basically this just means that when employees log in via the VPN, they use the same credentials they use to log on to their computer at the office.

Jim Stickley talks about password hacking Listen as Jim Stickley walks you through Chapter 11 and talks about some real-life security disasters.

So I went back to my office, sat down, and picked up the phone. The fi rst call I made was to fi nd out the name of an employee in the IT department. I called the company's main line to the bank, pressed 0, and asked to speak with someone in the IT department. I was asked what I was calling about, so I told the employee I was receiving emails from that bank that seemed malicious. I could have used a number of excuses, but I have found that if you tie in an unhappy customer with a potential security issue, your call gets further up the food chain. In this case, I reached a man who I will call Bill Smith. I made up a story about the email, and after a few minutes, he was able to explain to me that I had called the wrong bank and it was actually another bank's email address that it was coming from. I thanked him for his help and hung up. Obviously, the email address I told him was different, because I didn't want any red fl ags to continue at the bank's offi ce, and I wanted the call to end quickly.

That night I called the main offi ce number and got the voice mail system. After browsing around for a while, I had gathered a number of names and extensions for employees throughout the organization. The next morning I was ready for action.

I called an employee at the company from the list I had obtained the night before and identifi ed myself as Bill Smith from the IT department. My caller ID was spoofed (easily done with publicly 11 available tools), so it appeared as though I were calling from an internal line. I explained to the employee that I was calling to see if she had any troubles logging into the system, adding that it appeared on my end that she was having login issues. She agreed to log off and log back in while we were talking. I told her that I wasn't seeing her account and asked for her username and password so that I could log in to her account on my end to check the problem. She gave them to me. I ultimately had access to the VPN—without raising any suspicion about my real identity or purpose.

Read the rest of the chapter Finsh Chapter 11 on social engineering to find out how to actually stop your employees from giving up their passwords.

And just like that, the call was over, and I had a username and password that was allowed VPN access into the network. Now, you might be thinking to yourself that you would never be so foolish as to fall for such as obvious attack....(cont.)

Reproduced from the book The Truth About Identity Theft Copyright [2008], Addison Wesley Professional. Reproduced by permission of Pearson Education, Inc., 800 East 96th Street, Indianapolis, IN 46240. Written permission from Pearson Education, Inc. is required for all other users.

Rate this Tip To rate tips, you must be a member of SearchSecurity.co.UK. Register now to start rating these tips. Log in if you are already a member. Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Risk management strategies Enterprise data management: Prevent data loss and insider threats Improving software with the Building Security in Maturity Model (BSIMM) Preventing password fatigue with single sign-on (SSO) authentication Increasing information security awareness in the enterprise How to develop a culture of security in the enterprise Creating and enforcing a clear-desk policy Physical security threats: Don't gift your data away Using unique device identification for bank website security Benefits of ISO 27001 and ISO 27002 certification for your enterprise Cut down on calls to help desk with cybersecurity awareness training Secure User Authentication and Authorization Preventing password fatigue with single sign-on (SSO) authentication Gridsure finds global deal for its pattern-based authentication Physical security threats: Don't gift your data away Using unique device identification for bank website security Yahoo login credentials at risk to hijacking attack Single sign-on system removes password chaos at East Kent NHS Trust Tokenless two-factor authentication helps council with CoCo compliance Risk-based multifactor authentication implementation best practices Chip and PIN adoption serves lesson for U.S. payment industry Group to shed light on secure identity management threats Database Security Tools and Techniques Multifunction security device safeguards SOA, streamlines company's infrastructure Safend expands data leakage prevention product to plug more gaps How to prevent memory dump attacks Database activity monitoring lacks security lift Report: Firms avoid encrypting backup tapes, databases Cryptography for the rest of us Recent breaches show data theft prevention basics lacking Unpatched vulnerability discovered in Microsoft SQL Server How to use Excel for security log data analysis SQL injection continues to trouble firms, lead to breaches RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary Chip and PIN  (SearchSecurityUK.com) UK Identity Cards Act  (SearchSecurityUK.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.