I can apply every CPU (Critical Patch Update) that Oracle comes out with. I look at the parts of the database that are not secure, such as powerful packages that are granted to PUBLIC, and then revoke the privileges on those packages. But what I can't do is get people to be smart on the phone.
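An added example of the PUBLIC-grant cleanup mentioned above; this is not the author's own SQL. It assumes a DBA session on Oracle, the package list is illustrative, and `app_net_role` and `app_owner` are hypothetical names.

```sql
-- Added example (not from the post): list PUBLIC execute grants on SYS
-- packages that are commonly treated as powerful, then revoke and regrant
-- narrowly. The package list is illustrative; run as a DBA.
SELECT owner, table_name, privilege
  FROM dba_tab_privs
 WHERE grantee   = 'PUBLIC'
   AND owner     = 'SYS'
   AND privilege = 'EXECUTE'
   AND table_name IN ('UTL_FILE', 'UTL_HTTP', 'UTL_TCP', 'UTL_SMTP',
                      'DBMS_LOB', 'DBMS_JAVA', 'DBMS_SCHEDULER')
 ORDER BY table_name;

-- Before revoking, find the stored code that depends on a package so you
-- know which schemas must be regranted explicitly (here: UTL_TCP).
SELECT owner, name, type
  FROM dba_dependencies
 WHERE referenced_owner = 'SYS'
   AND referenced_name  = 'UTL_TCP';

-- Remove the blanket grant and give it only to the role that needs it.
REVOKE EXECUTE ON SYS.UTL_TCP FROM PUBLIC;
CREATE ROLE app_net_role;                 -- hypothetical role name
GRANT EXECUTE ON SYS.UTL_TCP TO app_net_role;
GRANT app_net_role TO app_owner;          -- hypothetical schema name
```

Roles are disabled inside definer's-rights stored procedures, so a schema whose own packages call UTL_TCP still needs a direct GRANT EXECUTE rather than the role.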
The IRS IG did a simple security audit: call a user and convince them to reset their password.
Here is how the attack goes:
Attacker: Hi, I am with the help desk and trying to track a problem with the network. Can you log into your account so I can see what is going on?
Attacker: Okay, what are you typing now?
User: I'm typing my user name.
Attacker: Tell me each keystroke.
User: (user name)
Attacker: Okay, now what are you typing?
User: My password.
Attacker: I don't see it. Can you temporarily reset your password to "password"? Here is how you do it.
User: Okay.
The user has now been hacked. Not all attacks involve exploiting bugs in the software. Frequently the attacker exploits bugs in the wetware. The willingness to help is a big problem when it comes to security.
If someone calls you asking for help, get as much information from them as you can: What phone number can I reach you at? Who do you work for? If they are not willing to give you that information, call your security group. If they do give you the information, look up the name of their boss in the employee directory, call him/her, and confirm that the caller works for them and that the request is genuine. Then call the person back to help. But never give out your password or reset your password for a caller. If that person is truly with the help desk, they can reset your password for you and in many cases become you on the system.
Read the IG's report; the percentages of people who gave up their password are staggering.
http://www.ustreas.gov/tigta/auditreports/2007reports/200720107fr.pdf