I can apply every CPU (Critical Patch Update) that Oracle comes out with. I look at parts of the database that are not secure, such as powerful packages that are granted to PUBLIC, and then revoke privileges on those packages. But what I can't do is get people to be smart on the phone.
The IRS IG did a simple security audit: call a user and convince them to reset their password.
Here is how the attack goes:
Attacker: Hi, I am with the help desk and trying to track down a problem with the network. Can you log into your account so I can see what is going on?
Attacker: Okay, what are you typing now?
User: I'm typing my user name.
Attacker: Tell me each keystroke.
User: (reads out user name)
Attacker: Okay, now what are you typing?
User: My password.
Attacker: I don't see it. Can you temporarily reset your password to "password"? Here is how you do it.
User: Okay.
The user has now been hacked. Not all attacks involve exploiting bugs in the software; frequently the attacker exploits bugs in the wetware. The willingness to help is a big problem when it comes to security.
If someone calls you asking for help, get as much information from them as you can: What phone number can I reach you at? Who do you work for? If they are not willing to give you that information, call your security group. If they do give you the information, look up the name of their boss in the employee directory, call him/her, and confirm that the caller really works for them and that the request is legitimate. Then call the person back to help. But never give out your password or reset your password on a caller's instructions. If that person is truly with the help desk, they can reset your password for you and in many cases become you on the system.
Read the IG's report; the percentages of people who gave up their password are staggering:
http://www.ustreas.gov/tigta/auditreports/2007reports/200720107fr.pdf
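As a worked illustration of the database-side hardening mentioned at the top of this post, here is an added example (not from the original post) of how a DBA can enumerate EXECUTE grants to PUBLIC on high-risk Oracle packages, check what depends on one before revoking it, and replace the blanket grant with direct grants. The package list and the app_batch schema are assumptions; adjust them to your version and policy.

```sql
-- Added example: audit and tighten EXECUTE grants to PUBLIC on Oracle packages.
-- Run as a DBA. The package list below is an assumption, not an Oracle-supplied list.

-- 1. Which high-risk SYS packages can every account in the database execute?
SELECT p.table_name AS package_name,
       p.grantor,
       p.grantable
  FROM dba_tab_privs p
 WHERE p.grantee   = 'PUBLIC'
   AND p.privilege = 'EXECUTE'
   AND p.owner     = 'SYS'
   AND p.table_name IN ('UTL_FILE', 'UTL_HTTP', 'UTL_TCP', 'UTL_SMTP',
                        'UTL_INADDR', 'DBMS_LOB', 'DBMS_JOB', 'DBMS_SCHEDULER',
                        'DBMS_SQL', 'DBMS_XMLGEN', 'DBMS_JAVA')
 ORDER BY p.table_name;

-- 2. Before revoking a package, list the non-SYS objects that reference it.
--    Anything shown here will go invalid unless its owner gets a direct grant.
SELECT d.owner, d.name, d.type
  FROM dba_dependencies d
 WHERE d.referenced_owner = 'SYS'
   AND d.referenced_name  = 'UTL_FILE'
   AND d.owner NOT IN ('SYS', 'SYSTEM')
 ORDER BY d.owner, d.name;

-- 3. Revoke the blanket grant and grant directly to the schemas that still need it.
REVOKE EXECUTE ON sys.utl_file FROM PUBLIC;
GRANT  EXECUTE ON sys.utl_file TO app_batch;   -- app_batch is a placeholder schema

-- 4. Re-run query 1: UTL_FILE should no longer appear for PUBLIC.
```

Oracle's own components may rely on some of these PUBLIC grants, so run step 2 and test the revoke in a non-production database before applying it in production.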
Tuesday, August 07, 2007
Monday, August 06, 2007
Undercover reporter outed at Defcon
In my business I take systems security very seriously. I am always looking for ways to crack my own systems so I can secure them better. Conferences like Defcon and Black Hat provide the tools that people like me need to make our data more secure.
Michelle Madigan of NBC's "Dateline" attempted to infiltrate Defcon to get video of someone admitting to committing a crime and to "out" a federal agent. Only she is the one who got "outed." Defcon has strict rules about filming people without their permission.
Why am I not surprised her cover was blown even before she got on the plane to Las Vegas? She is a 20-something producer working for NBC, and she was walking into a place filled with people who are paranoid about security. Now, "Dateline" may be good at catching predators, people who may not be the sharpest tools in the shed. The people at Defcon and Black Hat are about as sharp as they come.
What really surprises me is that the people at Defcon offered her a press pass not once but four times, and she still did not realize her cover was blown.
Later, Dive / Fly / Ride / Sail Safe
-Rob