Security book chapter: The Truth About Identity Theft

The Truth About Identity Theft Author: Jim Stickley Official book page Read all of Chapter 11: Social Engineering (.pdf)

The following is an excerpt from the book

People often ask me how hard it is to hack a password. In reality, it is rare that I ever need to hack someone's password. Though there are numerous ways to gain passwords on a network and hundreds, if not thousands, of tools available to crack encrypted passwords, in the end I have found that it is far easier to simply ask for them.

A perfect example of this type of attack was a medium-sized bank that I was testing recently. The bank's concern was related to the new virtual private network (VPN) capabilities it had rolled out to a number of its staff. The VPN allowed staff to connect directly to their secured network while at home or on the road. There is no doubt that a VPN can increase productivity, but there are some pretty major risks that can come with that convenience. The bank explained that the VPN was tied into its Active Directory server. For people who are not technical, basically this just means that when employees log in via the VPN, they use the same credentials they use to log on to their computer at the office.

Jim Stickley talks about password hacking Listen as Jim Stickley walks you through Chapter 11 and talks about some real-life security disasters.

So I went back to my office, sat down, and picked up the phone. The fi rst call I made was to fi nd out the name of an employee in the IT department. I called the company's main line to the bank, pressed 0, and asked to speak with someone in the IT department. I was asked what I was calling about, so I told the employee I was receiving emails from that bank that seemed malicious. I could have used a number of excuses, but I have found that if you tie in an unhappy customer with a potential security issue, your call gets further up the food chain. In this case, I reached a man who I will call Bill Smith. I made up a story about the email, and after a few minutes, he was able to explain to me that I had called the wrong bank and it was actually another bank's email address that it was coming from. I thanked him for his help and hung up. Obviously, the email address I told him was different, because I didn't want any red fl ags to continue at the bank's offi ce, and I wanted the call to end quickly.

That night I called the main offi ce number and got the voice mail system. After browsing around for a while, I had gathered a number of names and extensions for employees throughout the organization. The next morning I was ready for action.

I called an employee at the company from the list I had obtained the night before and identifi ed myself as Bill Smith from the IT department. My caller ID was spoofed (easily done with publicly 11 available tools), so it appeared as though I were calling from an internal line. I explained to the employee that I was calling to see if she had any troubles logging into the system, adding that it appeared on my end that she was having login issues. She agreed to log off and log back in while we were talking. I told her that I wasn't seeing her account and asked for her username and password so that I could log in to her account on my end to check the problem. She gave them to me. I ultimately had access to the VPN—without raising any suspicion about my real identity or purpose.

Read the rest of the chapter Finsh Chapter 11 on social engineering to find out how to actually stop your employees from giving up their passwords.

And just like that, the call was over, and I had a username and password that was allowed VPN access into the network. Now, you might be thinking to yourself that you would never be so foolish as to fall for such as obvious attack....(cont.)

Reproduced from the book The Truth About Identity Theft Copyright [2008], Addison Wesley Professional. Reproduced by permission of Pearson Education, Inc., 800 East 96th Street, Indianapolis, IN 46240. Written permission from Pearson Education, Inc. is required for all other users.

Rate this Tip To rate tips, you must be a member of SearchSecurity.com. Register now to start rating these tips. Log in if you are already a member. BROWSE BY TAG Threat Monitor,   Password Management and Policy,   Enterprise Identity and Access Management,   Identity Management Technology and Strategy,   Security Awareness Training and Internal Threats,   Information Security Management,   VIEW ALL TAGS Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Threat Monitor Best practices for (small) botnets Cut down on calls to help desk with cybersecurity awareness training How to detect software tampering How to prevent phishing attacks with social engineering tests An enterprise strategy for Web application security threats How SSL-encrypted Web connections are intercepted How a corporate Twitter policy can combat social network threats Cyberwarfare and the enterprise: Is the threat real? Software security threats and employee awareness training Newest malware threats Password Management and Policy Microsoft, security firms warn of password meltdown Two-factor authentication, vigilance foil password theft Group to shed light on secure identity management threats Prevent password cracking with password management strategies Brute force attacks target Yahoo email accounts Best Identity and Access Management Products Privileged account management critical to data security Making the case for enterprise IAM centralized access control How to prevent brute force webmail attacks Best practices for a privileged access policy to secure user accounts Security Awareness Training and Internal Threats Health Net breach failure of security policy, technology Health Net healthcare data breach affects1.5 million Massive T-Mobile UK security breach involves insiders Secure your remote users in 2010 Layoffs prompt insider threat fears, cybersecurity survey finds How to use Internet security threat reports Creating a HIPAA employee training program Successful rogue antivirus hinges on social engineering External attacks start with unintentional mistakes, survey finds Security technologies fail to address insider threat management RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary graphical password  (SearchSecurity.com) identity chaos  (SearchSecurity.com) masquerade  (SearchSecurity.com) onboarding and offboarding  (SearchSecurity.com) OpenID  (WhatIs.com) salt  (SearchSecurity.com) session replay  (SearchSecurity.com) single-factor authentication (SFA)  (SearchSecurity.com) TACACS  (SearchSecurity.com) war dialer  (SearchSecurity.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.