Topic: Inadvertent Social Engineering - It's that easy?!?  (Read 11544 times)

Renegade

  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 13,288
  • Tell me something you don't know...
Inadvertent Social Engineering - It's that easy?!?
« on: November 28, 2012, 07:34 AM »
This is sort of bizarre, and slightly disturbing.

I have a bank account that I rarely use, and the last time was a few years ago. Anyways, they have a kind of wacky login procedure, and I'd forgotten my password. Not wanting to get locked out, I phoned after 2 attempts to have the password reset.

Now, they have security questions, and one was "what kind of account" I have. Now, I had no clue and couldn't remember. But, wiggling around enough, I was able to get what type of account it was from the person on the phone, and I wasn't even trying.

People are just so darn helpful~! ;D
Slow Down Music - Where I commit thought crimes...

Freedom is the right to be wrong, not the right to do wrong. - John Diefenbaker

TaoPhoenix

  • Supporting Member
  • Joined in 2011
  • **
  • Posts: 4,642
Re: Inadvertent Social Engineering - It's that easy?!?
« Reply #1 on: November 28, 2012, 08:11 AM »
This is sort of bizarre, and slightly disturbing.

I have a bank account that I rarely use, and the last time was a few years ago. Anyways, they have a kind of wacky login procedure, and I'd forgotten my password. Not wanting to get locked out, I phoned after 2 attempts to have the password reset.

Now, they have security questions, and one was "what kind of account" I have. Now, I had no clue and couldn't remember. But, wiggling around enough, I was able to get what type of account it was from the person on the phone, and I wasn't even trying.

People are just so darn helpful~! ;D


I've come across bunches of different examples where the first part of social engineering is scary-easy. "Small towners" think "properly trained security conscious" reps aren't "friendly enough". They are used to and like that Bob at the Grocery knows them and doesn't need ID. I've caught a couple of places doing the "what is your account number" "_________" "Is your name John Smith?"

That kind of thing leaves me thinking "Really?!"

TaoPhoenix

Re: Inadvertent Social Engineering - It's that easy?!?
« Reply #2 on: November 28, 2012, 08:21 AM »
P.S. Bonus:

Once a fair while ago some utility customer service was giving my friend a hard time. So I borrowed the phone, threw them a bad copy of a Frank Welker bad guy neo-British voice and formal language choices and went on the attack and then the rep backed down and fixed the problem (which I no longer recall.) Heh always end such things with "Thank you. Have a nice day." It seals the deal.

Stoic Joker

  • Honorary Member
  • Joined in 2008
  • **
  • Posts: 6,646
Re: Inadvertent Social Engineering - It's that easy?!?
« Reply #3 on: November 28, 2012, 11:30 AM »
I once socially Engineered my way into a domain name registrar, a hosting company, and an ISP. All in the space of about an hour. Fortunately for the company being targeted...they had hired me to make said changes...or their web presence would have gone poof by morning.

It's just one of many hats one has to wear to be a Network/Systems Admin. People need things. These same needy people also never seem to document shit...and are always in a hurry. Which leaves you sitting on the phone with some typically disinterested support drone pretending to be any number of people in various moods. It really is mortifyingly easy.

The only company that I could not SE my way past was the folks at WatchGuard. These folks just don't screw around. It took an entire week to get that issue resolved ... But that's ok. At least I know they really are doing their job.

SeraphimLabs

  • Participant
  • Joined in 2012
  • *
  • Posts: 497
  • Be Ready
Re: Inadvertent Social Engineering - It's that easy?!?
« Reply #4 on: November 28, 2012, 03:41 PM »
I've come across bunches of different examples where the first part of social engineering is scary-easy. "Small towners" think "properly trained security conscious" reps aren't "friendly enough". They are used to and like that Bob at the Grocery knows them and doesn't need ID. I've caught a couple of places doing the "what is your account number" "_________" "Is your name John Smith?"

That kind of thing leaves me thinking "Really?!"

Just did something similar. I have two bank accounts at the same place, and needed to file a change of address form.

Well, I could only find the checkbook for one of them. So I went in and gave them the number I had, and the teller was all "Oh I see there is a business account with your name on it. Should I change that too?"

People really do get relaxed about security when there hasn't been any major events. Like at the local courthouse you have to go through metal detectors and have your wallet/purse x-rayed to make sure you aren't bringing anything dangerous in.

I was sitting near the detector for a while filling out paperwork, and half the people coming into the building set off the detectors, yet they weren't re-scanned or examined. Kind of defeats the whole point of it if the sheriff deputies operating the scanners simply ignore it when it trips.

Stoic Joker

Re: Inadvertent Social Engineering - It's that easy?!?
« Reply #5 on: November 28, 2012, 03:50 PM »
People really do get relaxed about security when there hasn't been any major events. Like at the local courthouse you have to go through metal detectors and have your wallet/purse x-rayed to make sure you aren't bringing anything dangerous in.

Few years back I was doing a service call at the local court house. I put my Leatherman (with a 3" blade) in the basket and went through the scanner. The deputy working security asked about the blade, and I told him it was a tool I used as part of my job. He said ok...but we'll have to put it in your "tool bag" (laptop case), and waved me through.

Oh yeah ... This was the third trip through the scanners ... Nobody had noticed the blade on the first two trips.

Renegade

Re: Inadvertent Social Engineering - It's that easy?!?
« Reply #6 on: November 28, 2012, 05:47 PM »
Oh yeah ... This was the third trip through the scanners ... Nobody had noticed the blade on the first two trips.

I had a similar situation one time going through airport security.

I was on my way from Seoul to Hong Kong to visit my sister, aunt and uncle. I quickly packed, as usual, grabbed my laptop bag, threw my laptop into it, and headed to the airport. Flew to Hong Kong, had a nice visit, and went to the airport to fly back.

I was stopped at security for having a small Swiss Army knife in my laptop bag. I'd completely forgotten about it when I left, and they missed it at security in Seoul (or they didn't care as it was quite small - the blade was just over an inch or so, and certainly less than 2 inches). They wanted to keep it, but it had sentimental value as it was a gift. I asked how I could keep it, and they put it in a bag, sent it around security, and I picked it up in Seoul.

Tinman57

  • Charter Member
  • Joined in 2006
  • ***
  • Posts: 1,702
Re: Inadvertent Social Engineering - It's that easy?!?
« Reply #7 on: November 28, 2012, 07:59 PM »
Oh yeah ... This was the third trip through the scanners ... Nobody had noticed the blade on the first two trips.

I had a similar situation one time going through airport security.

I was on my way from Seoul to Hong Kong to visit my sister, aunt and uncle. I quickly packed, as usual, grabbed my laptop bag, threw my laptop into it, and headed to the airport. Flew to Hong Kong, had a nice visit, and went to the airport to fly back.

I was stopped at security for having a small Swiss Army knife in my laptop bag. I'd completely forgotten about it when I left, and they missed it at security in Seoul (or they didn't care as it was quite small - the blade was just over an inch or so, and certainly less than 2 inches). They wanted to keep it, but it had sentimental value as it was a gift. I asked how I could keep it, and they put it in a bag, sent it around security, and I picked it up in Seoul.
  And then there's people like me that gets caught in Okinawa with a clip of high powered rifle rounds with tracers in my duffle-bag because my dumb-ass ex-wife put them in there.  They didn't get discovered in the states in the 3 airports I went through to get there.....

TaoPhoenix

Re: Inadvertent Social Engineering - It's that easy?!?
« Reply #8 on: November 28, 2012, 08:07 PM »
And then there's people like me that gets caught in Okinawa with a clip of high powered rifle rounds with tracers in my duffle-bag because my dumb-ass ex-wife put them in there.  They didn't get discovered in the states in the 3 airports I went through to get there.....

The TSA at work! High powered rifle rounds are fine, but if you have an apple juice you're a terrorist!

Renegade

Re: Inadvertent Social Engineering - It's that easy?!?
« Reply #9 on: November 28, 2012, 08:12 PM »
And then there's people like me that gets caught in Okinawa with a clip of high powered rifle rounds with tracers in my duffle-bag because my dumb-ass ex-wife put them in there.  They didn't get discovered in the states in the 3 airports I went through to get there.....

HAHAHAHA~! That's hilarious~! ;D

The TSA at work! High powered rifle rounds are fine, but if you have an apple juice you're a terrorist!

And sadly, that's true...  :'(

app103

  • That scary taskbar girl
  • Global Moderator
  • Joined in 2006
  • *****
  • Posts: 5,884
Re: Inadvertent Social Engineering - It's that easy?!?
« Reply #10 on: November 29, 2012, 05:20 AM »
Never underestimate the social engineering power of a hysterical, crying girl.

Awhile back, when my daughter was having a rather bad day, anxiety level quite high, she needed to pay her cell phone bill online. Navigating the company's website to view the balance due, without submitting payment, was a nightmare for her, in her already stressed out condition. Once she knew the balance, she tried to log into her bank's site to check if she had enough in her account to cover it. For whatever reason, she couldn't seem to remember her username/password combo and tried everything she could think of. Finally, she called the bank and almost in tears asked what she was supposed to do. They asked her a few simple to answer questions that anyone possessing a copy of one of her bank statements could have answered, then moved on to the tough one...her user name on her online account. When she got it wrong, repeatedly, and broke down in tears, telling the guy that all she wanted to do is pay her cell phone bill and go to sleep, the guy on the other end just told her what it was...and the password.

And I know from experience that a "wife" with a handful of info about any guy can gain access to just about anything related to him, if she explains to the person she is talking to that her "husband" can not handle these things for himself because he's a clueless idiot. In fact, it works even better as a team, if the call begins with a guy that seems like a complete idiot, rambling on about something that doesn't make any sense, and a woman rips the phone out of his hand and takes over. Medical info, financial info, information about debts owed, just about anything can be had, except the identity of the beneficiary of his insurance policy (that will cost you $20 for a copy of the policy and has to be done through the mail).


Ath

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 3,612
Re: Inadvertent Social Engineering - It's that easy?!?
« Reply #11 on: November 29, 2012, 05:24 AM »
This thread seems to be kinda growing into a knowledge base... :-[

app103

Re: Inadvertent Social Engineering - It's that easy?!?
« Reply #12 on: November 29, 2012, 05:53 AM »
I am the wife of a clueless idiot who couldn't remember the pin number for his debit card, has no clue who the beneficiary of his life insurance policy is (we still don't know if it is me, his ex-wife, or his sister because he still refuses to pay $20 to find out), needs someone else to navigate phone menus for him, needs someone else to fill out job applications for him, etc. And the call to the lawyer after the car accident was almost funny enough to make the lawyer cry, till I took the phone out of his hand and talked to the lawyer myself. That lawyer must think he suffered brain trauma in the accident.

By the way, if you have been feeling tired, thirsty, and forgetful lately, have any sort of tingling in your hands or feet, and people you know are beginning to think you lost half your brain cells in the last few years, get checked for Type 2 Diabetes. High blood sugar really can do a number on your brain if you don't take care of it.

Tinman57

Re: Inadvertent Social Engineering - It's that easy?!?
« Reply #13 on: November 29, 2012, 05:59 PM »
I am the wife of a clueless idiot who couldn't remember the pin number for his debit card, has no clue who the beneficiary of his life insurance policy is (we still don't know if it is me, his ex-wife, or his sister because he still refuses to pay $20 to find out), needs someone else to navigate phone menus for him, needs someone else to fill out job applications for him, etc. And the call to the lawyer after the car accident was almost funny enough to make the lawyer cry, till I took the phone out of his hand and talked to the lawyer myself. That lawyer must think he suffered brain trauma in the accident.

By the way, if you have been feeling tired, thirsty, and forgetful lately, have any sort of tingling in your hands or feet, and people you know are beginning to think you lost half your brain cells in the last few years, get checked for Type 2 Diabetes. High blood sugar really can do a number on your brain if you don't take care of it.

  So what are you saying, you married him for his looks?   ;D  You are very correct about diabetes, when my blood sugar level gets too high or too low, I can't think any better than a 2 year old.  (Now just wait for the jokes to start flowing.) 
Spoiler
I'm looking at you Renegade....


NigelH

  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 210
Re: Inadvertent Social Engineering - It's that easy?!?
« Reply #14 on: November 29, 2012, 08:13 PM »
I debated about posting this, but I figured perhaps not too many have read the article.
Quite a bit about Social Engineering in it

http://www.wired.com...password-hacker/all/

Renegade

Re: Inadvertent Social Engineering - It's that easy?!?
« Reply #15 on: November 29, 2012, 08:14 PM »
 So what are you saying, you married him for his looks?   ;D  You are very correct about diabetes, when my blood sugar level gets too high or too low, I can't think any better than a 2 year old.  (Now just wait for the jokes to start flowing.)  

For myself, it's less about blood sugar level, and more about blood alcohol level. :P

Renegade

Re: Inadvertent Social Engineering - It's that easy?!?
« Reply #16 on: November 29, 2012, 08:23 PM »
I debated about posting this, but I figured perhaps not too many have read the article.
Quite a bit about Social Engineering in it

http://www.wired.com...password-hacker/all/


Interesting article. Not sure if I agree with everything, but a lot of it.

The whole "secure password" thing kind of irks me. e.g.

82&#jkfh&ih

is less secure than:

ifihadahotdogi'deatitwithmustardtodayortomorrow

Which is easier to remember? But, that whole debate has been raged over enough.

The bit about Kevin Mitnick was interesting. :)

barney

  • Charter Member
  • Joined in 2006
  • ***
  • Posts: 1,294
Re: Inadvertent Social Engineering - It's that easy?!?
« Reply #17 on: November 29, 2012, 08:24 PM »
For myself, it's less about blood sugar level, and more about blood alcohol level. :P

If memory serves in re. high-school biology, we convert alcohol to sugar  :P.  Although, alcohol has been known to create symptoms similar to insulin imbalances (one (1) grandfather died of diabetes, btw, and the other of alcoholism, so it prolly runs in the family  :-\).

Renegade

Re: Inadvertent Social Engineering - It's that easy?!?
« Reply #18 on: November 29, 2012, 08:26 PM »
If memory serves in re. high-school biology, we convert alcohol to sugar  :P

I'll still take a bottle of whiskey over a chocolate bar any day~! :D

barney

Re: Inadvertent Social Engineering - It's that easy?!?
« Reply #19 on: November 29, 2012, 08:29 PM »
I'll still take a bottle of whiskey over a chocolate bar any day~! :D

 :Thmbsup: Works for me  :-* :P!

app103

Re: Inadvertent Social Engineering - It's that easy?!?
« Reply #20 on: November 30, 2012, 02:24 AM »
So what are you saying, you married him for his looks?   ;D  You are very correct about diabetes, when my blood sugar level gets too high or too low, I can't think any better than a 2 year old.  (Now just wait for the jokes to start flowing.)

I am not referring to the temporary stupid that you get with the occasional spikes & dips, where as soon as your blood sugar returns to normal, you return to normal. I am talking about what happens when it goes untreated and your blood sugar is chronically too high. It causes permanent non-reversible damage to your memory and cognitive abilities, which in my husband's case, kind of mimics a cross between the very early stage of Alzheimer's (which some scientists now nickname Diabetes type 3) and ADD.

Tinman57

Re: Inadvertent Social Engineering - It's that easy?!?
« Reply #21 on: December 01, 2012, 09:10 PM »
So what are you saying, you married him for his looks?   ;D  You are very correct about diabetes, when my blood sugar level gets too high or too low, I can't think any better than a 2 year old.  (Now just wait for the jokes to start flowing.)

I am not referring to the temporary stupid that you get with the occasional spikes & dips, where as soon as your blood sugar returns to normal, you return to normal. I am talking about what happens when it goes untreated and your blood sugar is chronically too high. It causes permanent non-reversible damage to your memory and cognitive abilities, which in my husband's case, kind of mimics a cross between the very early stage of Alzheimer's (which some scientists now nickname Diabetes type 3) and ADD.

  Diabetes is a horrible disease.  When you go a long time with your BSL too high you start losing your limbs or worse, your internal organs start shutting down.  An old family friend of mine lost both of his legs to diabetes.  My mom has the "Type 3" symptoms.  Her reasoning, problem solving, and decision making skills are not so good to say the least.  She had diabetes for years before she finally went to the doctor.  Did your husband know he had diabetes during this time?