Security book chapter: The Truth About Identity Theft

Jim Stickley, author of The Truth About Identity Theft, explains how easy it really is to hack a password.

The Truth About Identity Theft

Author: Jim Stickley

Official book page

Read all of Chapter 11: Social Engineering (.pdf)

The following is an excerpt from the book The Truth About Identity Theft. In this section of Chapter 11: Social Engineering (.pdf), author Jim Stickley explains how easy it really is to hack a password.

People often ask me how hard it is to hack a password. In reality, it is rare that I ever need to hack someone's password. Though there are numerous ways to gain passwords on a network and hundreds, if not thousands, of tools available to crack encrypted passwords, in the end I have found that it is far easier to simply ask for them.

A perfect example of this type of attack was a medium-sized bank that I was testing recently. The bank's concern was related to the new virtual private network (VPN) capabilities it had rolled out to a number of its staff. The VPN allowed staff to connect directly to their secured network while at home or on the road. There is no doubt that a VPN can increase productivity, but there are some pretty major risks that can come with that convenience. The bank explained that the VPN was tied into its Active Directory server. For people who are not technical, basically this just means that when employees log in via the VPN, they use the same credentials they use to log on to their computer at the office.

So I went back to my office, sat down, and picked up the phone. The first call I made was to find out the name of an employee in the IT department. I called the company's main line to the bank, pressed 0, and asked to speak with someone in the IT department. I was asked what I was calling about, so I told the employee I was receiving emails from that bank that seemed malicious. I could have used a number of excuses, but I have found that if you tie in an unhappy customer with a potential security issue, your call gets further up the food chain. In this case, I reached a man who I will call Bill Smith. I made up a story about the email, and after a few minutes, he was able to explain to me that I had called the wrong bank and it was actually another bank's email address that it was coming from. I thanked him for his help and hung up. Obviously, the email address I told him was different, because I didn't want any red flags to continue at the bank's office, and I wanted the call to end quickly.

That night I called the main office number and got the voice mail system. After browsing around for a while, I had gathered a number of names and extensions for employees throughout the organization. The next morning I was ready for action.

I called an employee at the company from the list I had obtained the night before and identified myself as Bill Smith from the IT department. My caller ID was spoofed (easily done with publicly available tools), so it appeared as though I were calling from an internal line. I explained to the employee that I was calling to see if she had any troubles logging into the system, adding that it appeared on my end that she was having login issues. She agreed to log off and log back in while we were talking. I told her that I wasn't seeing her account and asked for her username and password so that I could log in to her account on my end to check the problem. She gave them to me. I ultimately had access to the VPN—without raising any suspicion about my real identity or purpose.

And just like that, the call was over, and I had a username and password that was allowed VPN access into the network. Now, you might be thinking to yourself that you would never be so foolish as to fall for such an obvious attack... (cont.)

Reproduced from the book The Truth About Identity Theft Copyright [2008], Addison Wesley Professional. Reproduced by permission of Pearson Education, Inc., 800 East 96th Street, Indianapolis, IN 46240. Written permission from Pearson Education, Inc. is required for all other users.

This was first published in March 2009
