Message-ID: <423B5546.70503@sdf.lonestar.org>
Date: Fri, 18 Mar 2005 17:25:10 -0500
From: bkfsec <bkfsec@....lonestar.org>
To: "Jay D. Dyson" <jdyson@...achery.net>
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com,
	news@...uriteam.com
Subject: Re: Social Engineering: You Have Been A Victim


Jay D. Dyson wrote:

>
>      It's not just government workers.  It's any human being who's 
> been raised to be social.
>
>      According to Judeo-Christian theology, humanity gained knowledge 
> of Good & Evil in the Garden of Eden.  Unfortunately, the ability to 
> differentiate between the two was not part of the package deal.  This, 
> coupled with the demands of a "polite society," is why social 
> engineering can strike anyone, anywhere...regardless of their vocation 
> in the public or private sector.

Except, of course, that the book of Genesis is really a tome of myths 
and the so-called "Garden of Eden" doesn't really have an effect on 
polite society.

What you're referring to are social norms of politeness that affect 
society, and they are passed down via social means.  Though they have an 
impact on people's rejection of those who are out to harm them, they 
don't explain all of the occurrences.

There's a BIG difference, for instance, between being helpful and giving 
someone the keys to your house so that they can rob you.


>
>      It is considered socially unacceptable to be unhelpful to others, 
> even strangers over the phone.  Hell, some people can't even tell 
> telemarketers to buzz off so they have to buy an electronic device to 
> do it for them.
>
>      This is why social engineering works so well...and why folks like 
> ourselves are considered "paranoid" and "anti-social" when we start 
> pulling IDs and taking names.
>
ID'ing people and giving out your password or sensitive information are 
NOT analogous events.

The helpfulness argument has some traction on information that is not 
obviously compromising to the person providing it.  However, even in 
that case it has a LOT more to do with the confusion factor than 
anything else.

The average person is easily confused about technology and, as such, 
their perspective will always be that if a tech calls them up and says 
there's a problem or some information they need, they're going to 
provide that information because they simply don't know any better.  As 
far as they know, there's a problem that needs to be solved and that's 
what needs to happen to fix it.

It has more to do with trust and a lack of education/understanding than 
it ever will with polite society being based on a mythical story about 
the inability of mankind to differentiate between good and evil.

There's something to what you're saying, but it just is not the whole 
story.  In order to get the compromising information, the social 
engineer has to pass from A -> B -> C.  Politeness gets them to B.  A 
lack of information and understanding on the part of the end user is 
what gets the social engineer to C.

             -Barry
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://www.secunia.com/