Technical measures against social engineering


  • Technical measures against social engineering

    I think this is an interesting topic, have you ever come across any ideas? These don't have to be actually in use (if there even are any), just ideas.

    For example I've come across lie detectors that measures voice (pitch, frequency etc). In other words, it could be used in phone conversations if it worked well enough. Are there any other ideas how one could use technology to counter social issues?

  • #2
    Re: Technical measures against social engineering

    Don't let anyone with the IQ of a cabbage have any outside contact with the world. That'll solve most problems
    Never drink anything larger than your head!

    • #3
      Re: Technical measures against social engineering

      I have a difficult time believing that any technical measures will ever make a significant dent in SE.
      "\x74\x68\x65\x70\x72\x65\x7a\x39\x38";

      • #4
        Re: Technical measures against social engineering

        I agree with theprez98, for the simple reason that most SE attempts are an end-run around technical blocks in the first place.

        Here's the classic example:
        Technical block: Username & Password.
        SE: Obtain username and password from one who can supply it. "Hi, this is John in IT. Your account seems to be causing some problems with other people's data. What username did you log in under? Uh huh, that's good. And what password? Yup, that's right. OK, look, I'll check some more on this end and get back to you."

        As to the one possible solution you mention, I understand that many of those "voice polygraph" devices fail with phone systems due to audio compression & distortion that is a natural consequence of the telephone system.

        The biggest failure in an SE attempt is the social aspect. People tend to be trusting in nature and are usually trying to help. Mix that with a certain apathy about security, and SE works.

        SE doesn't work where people are conditioned and rewarded not to be helpful, to be suspicious of all persons, and to be aggressive about their responses. But that rarely works in most applications.
        Thorn
        "If you can't be a good example, then you'll just have to be a horrible warning." - Catherine Aird

        • #5
          Re: Technical measures against social engineering

          Well, on the password example there's a simple solution.

          1) Don't give any IT people direct access to any passwords. They have the ability to set a password or to do an automatic reset where they never see the new one.
          2) Make sure all employees know that NO ONE will *EVER* ask for their password. And make sure IT doesn't ever actually do it.

          Kallahar
          --- The fuck? Have you ever BEEN to Defcon?

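One way to implement kallahar's two points in a directory back end, as an added example that is not from the original thread: the helpdesk can only start a reset, the one-time token goes to the user out of band through an injected delivery callback (an assumption; the service and its method names are hypothetical), and the user chooses the new password, which is stored only as a salted hash, so no IT role ever sees it.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # a reset token is only redeemable for a short window


def _pbkdf2(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


class PasswordResetService:
    """Hypothetical directory back end. The helpdesk may start a reset, but
    the new password is chosen by the user and stored only as a salted hash."""

    def __init__(self, deliver_out_of_band):
        # deliver_out_of_band(user, token) sends the token to the user's
        # registered contact channel (assumption: e-mail/SMS), never to the agent.
        self._deliver = deliver_out_of_band
        self._creds = {}    # user -> (salt, pbkdf2 hash); no plaintext anywhere
        self._pending = {}  # user -> (sha256(token), expiry time)
        self.audit = []     # (agent, user, ticket) for every reset started

    def set_password(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._creds[user] = (salt, _pbkdf2(password, salt))

    def verify(self, user: str, password: str) -> bool:
        if user not in self._creds:
            return False
        salt, stored = self._creds[user]
        return hmac.compare_digest(stored, _pbkdf2(password, salt))

    def helpdesk_start_reset(self, agent: str, user: str, ticket: str) -> None:
        """The only helpdesk-facing call. It returns nothing: the agent never
        sees the token, let alone the password the user will pick."""
        token = secrets.token_urlsafe(32)
        expiry = time.time() + TOKEN_TTL_SECONDS
        self._pending[user] = (hashlib.sha256(token.encode()).digest(), expiry)
        self.audit.append((agent, user, ticket))
        self._deliver(user, token)

    def user_complete_reset(self, user, token, new_password, now=None) -> bool:
        """User-facing: redeem the token exactly once and choose the password."""
        now = time.time() if now is None else now
        entry = self._pending.pop(user, None)  # single use, whether or not it succeeds
        if entry is None:
            return False
        token_hash, expiry = entry
        if now > expiry:
            return False
        presented = hashlib.sha256(token.encode()).digest()
        if not hmac.compare_digest(token_hash, presented):
            return False
        self.set_password(user, new_password)
        return True
```

Because a wrong token burns the pending entry, a guessed token cannot be retried; the helpdesk has to open a fresh, audited reset.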
          • #6
            Re: Technical measures against social engineering

            Originally posted by Thorn:
            I agree with theprez98, for the simple reason that most SE attempts are an end-run around technical blocks in the first place.
            I was just about to add this. You're reading my mind again.
            Originally posted by Thorn:
            As to the one possible solution you mention, I understand that many of those "voice polygraph" devices fail with phone systems due to audio compression & distortion that is a natural consequence of the telephone system.
            Considering the accuracy problems of polygraphs in even the most scientific of settings, it seems to me that Voice Polygraph over POTS (vPOP, I just coined a new term) would have a long way to go to pass any sort of reasonableness test. And not to mention, having employees sign a user agreement that tells them their voice is being monitored for truthfulness! 1984, here we come.
            Originally posted by Thorn:
            The biggest failure in an SE attempt is the social aspect. People tend to be trusting in nature and are usually trying to help. Mix that with a certain apathy about security, and SE works.
            Quid pro quo, a favorite ingredient of SE.
            "\x74\x68\x65\x70\x72\x65\x7a\x39\x38";

            • #7
              Re: Technical measures against social engineering

              Originally posted by kallahar:
              Well, on the password example there's a simple solution.

              1) Don't give any IT people direct access to any passwords. They have the ability to set a password or to do an automatic reset where they never see the new one.
              A good idea, but that doesn't prevent someone from pretexting as IT and asking.
              Originally posted by kallahar:
              2) Make sure all employees know that NO ONE will *EVER* ask for their password.
              I teach this all the time as one of the simple rules of passwords, yet it is easily and quickly forgotten.
              "\x74\x68\x65\x70\x72\x65\x7a\x39\x38";

              • #8
                Re: Technical measures against social engineering

                Originally posted by theprez98:
                I have a difficult time believing that any technical measures will ever make a significant dent in SE.
                Agreed. Definitely agreed.

                But like I said, these ideas don't have to be very... I don't want to say good but let's say that they don't have to be something very realistic. OK, basically I'm doing my thesis (I've made another SE thread in here a while ago) and one of the questions I have in it is technical measures against SE. Naturally I argue, as well as anyone else would, that this is a social problem. What you can do is have good policies, security awareness, education and training of the staff, well thought out access control, and a combination of all these things is what should be done.

                But it's more... it's just an interesting question and it doesn't really matter if nothing good comes up. What I would do is go over these measures and evaluate them. I mean if there were some magic trick, I guess that person would be very very rich, so I guess there just are none. So the idea is just to go over them, even if it's an idea that wouldn't work, it's still worth mentioning. If nothing really comes up, then I can basically come to the conclusion that there are no technical measures that we can come up with.

                And the ideas can be pretty wild, it doesn't really matter if they can be implemented, this is academia after all :)

                • #9
                  Re: Technical measures against social engineering

                  Originally posted by StolenIdentity:
                  Agreed. Definitely agreed.

                  But like I said, these ideas don't have to be very... I don't want to say good but let's say that they don't have to be something very realistic. OK, basically I'm doing my thesis (I've made another SE thread in here a while ago) and one of the questions I have in it is technical measures against SE. Naturally I argue, as well as anyone else would, that this is a social problem. What you can do is have good policies, security awareness, education and training of the staff, well thought out access control, and a combination of all these things is what should be done.

                  But it's more... it's just an interesting question and it doesn't really matter if nothing good comes up. What I would do is go over these measures and evaluate them. I mean if there were some magic trick, I guess that person would be very very rich, so I guess there just are none. So the idea is just to go over them, even if it's an idea that wouldn't work, it's still worth mentioning. If nothing really comes up, then I can basically come to the conclusion that there are no technical measures that we can come up with.

                  And the ideas can be pretty wild, it doesn't really matter if they can be implemented, this is academia after all :)
                  I think what you'll end up doing is having a list of x technical measures and how they might put a dent into SE. Analyze each of them for strengths and weaknesses, and then inevitably conclude that technical measures by their nature are meant to be bypassed by SE and thus do not work (much?).
                  "\x74\x68\x65\x70\x72\x65\x7a\x39\x38";

                  • #10
                    Re: Technical measures against social engineering

                    Originally posted by kallahar:
                    Well, on the password example there's a simple solution.

                    1) Don't give any IT people direct access to any passwords. They have the ability to set a password or to do an automatic reset where they never see the new one.
                    2) Make sure all employees know that NO ONE will *EVER* ask for their password. And make sure IT doesn't ever actually do it.

                    Kallahar
                    I completely agree, but it doesn't prevent the social aspect from taking place. Besides, users are notorious for ignoring rules especially when someone is being nice, and the user is just being helpful.

                    But that portion of it is actually beside the point. The idea I was trying to get across is that you have a technical solution to protect against and defeat SE, which is used to defeat some technical protection; it just gets repetitious and cyclic.

                    Originally posted by theprez98:
                    I was just about to add this. You're reading my mind again.
                    Must be some of those psychic powers rubbed off.

                    Originally posted by theprez98:
                    Considering the accuracy problems of polygraphs in even the most scientific of settings, it seems to me that Voice Polygraph over POTS (vPOP, I just coined a new term) would have a long way to go to pass any sort of reasonableness test.
                    Polygraphs are 90% junk science, which is why they don't pass Frye tests, they should never be allowed in court, and any lawyer worth his salt won't let clients take a poly exam. It's mainly psychological. A good polygraph examiner works with the subject's belief that the "box" can't be beat, and works them into a corner. There are several well-known ways polygraphs can be beat with relatively simple techniques. Of course, the simplest technique is to never allow yourself to be polygraphed.
                    Thorn
                    "If you can't be a good example, then you'll just have to be a horrible warning." - Catherine Aird

                    • #11
                      Re: Technical measures against social engineering

                      Originally posted by theprez98:
                      A good idea, but that doesn't prevent someone from pretexting as IT and asking.
                      I have tried to absolutely ram this concept down all my users' throats more than anything else in my interactions with them.

                      Besides saying (and visibly posting) things like "there is absolutely no reason for anyone to ever know your password EVER for ANY reason", I will occasionally test people (either myself while on the phone with them or with people acting on my behalf), and it's known to be a standing rule that if you adequately resist interrogation, pleading, etc. etc. etc. and refuse to divulge your password, I'll personally buy you a beer after work. Once word of that got out I was amazed at how many people started telling me to buzz off when I attempted to needle their passwords.
                      "I'll admit I had an OiNK account and frequented it quite often… What made OiNK a great place was that it was like the world's greatest record store… iTunes kind of feels like Sam Goody to me. I don't feel cool when I go there. I'm tired of seeing John Mayer's face pop up. I feel like I'm being hustled when I visit there, and I don't think their product is that great. DRM, low bit rate, etc... OiNK it existed because it filled a void of what people want."
                      - Trent Reznor

                      • #12
                        Re: Technical measures against social engineering

                        Originally posted by theprez98:
                        I think what you'll end up doing is having a list of x technical measures and how they might put a dent into SE. Analyze each of them for strengths and weaknesses, and then inevitably conclude that technical measures by their nature are meant to be bypassed by SE and thus do not work (much?).
                        Possibly. It is the most likely outcome. It's not trivial enough to be concluded that no evaluation was necessary, because it's common sense that it is a social problem and has to do with people. This isn't my main research question though, but it's a chapter dealing with measures against SE and they can be pretty abstract as well.

                        This sounds like a fool's errand, but trust me, this isn't the bread and butter of the thesis. That said, I still think this is an interesting question. Technical measures can extend to all kinds of things we already have like surveillance, biometrics etc. So the idea is to mention what is out there, the ideas behind them, evaluate them and possibly introduce some abstract ideas, and these ideas don't have to work. If the evaluation shows that the idea is impossible to implement, there is no such technology yet and so forth, then that's a result as well.

                        The thing is, I'm dealing with sociology, social psychology and sort of... introducing SE in what can be thought of as valid frameworks within those fields, and one of my main statements is that comprehensive security is sociotechnical: it deals with social issues as well as technical, they are often overlapping etc. You're all familiar with it so I'm not going more into it now, but I'd like to also get... just some technical sides to it, and that's a part of it. And basically my view so far is that there are technical measures to be taken, combined with social measures. It's not necessarily one single technology that will determine a situation and reveal it as SE. That's not very feasible.

                        So... I'd still appreciate any crazy ideas you guys have!

                        I don't mind if this thread moves into a discussion about SE, not enough discussion about it

                        • #13
                          Re: Technical measures against social engineering

                          About IT and passwords, it works surprisingly well I figure. There's plenty of ways to exploit the user in this scenario. For example you don't have to ask the password, you can just call and say this is the IT support and then start talking about the new policies regarding passwords. No patterns, no names of your relatives or part of those names, you have to have at least two numbers, big and small letters blaablaablaa. You could say that in addition to this, the policy still is that you shouldn't give your password to anyone, including myself. Then just basically say that the old password will be invalid soon and that you will give the person a new password and that the user should change the password now and see if it works already, because it should work. I mean, naturally you'll know what the password is at this point.

                          It's just a variation of the same scenario, endless ways to just spin it a little and it works like a charm. And that's just establishing authority by pretending to be the support.

                          What users should understand is that the password is a secret between the user and the computer. Period. No one knows it or should know, be it support, your boss or whoever. No one. Just you and the computer.

                          • #14
                            Re: Technical measures against social engineering

                            I don't really see how technical measures can accurately prevent SE, especially something like a password reset etc.? I assume this is geared towards the business workplace?

                            I really think the question separates into different areas...
                            Is this Technical measures against social engineering, assuming a situation where IT is in place and the user is vulnerable to contact for help, (they make the initiative to put themselves in the situation in attempt to solve an issue).


                            Or technical measures to protect someone from releasing information otherwise?

                            Obviously by email, would be easiest way to put in place something that counters attempts.
                            But by Phone?
                            Maybe a trigger that disconnects the phone when they say "my password is.."

                            It's hard to put a technical measure into an environment/situation that has many variables and exceptions.

                            Indeed it would be interesting to see what complex piece of technology could perform this duty.


                            I think a Shockey Monkey would be effective.
                            Synapses, the spaces between neurons, are the channels through which our most fundamental traits, preferences, and beliefs are encoded. In short, they enable each of us to function as a single, integrated individual
                            -A synaptic self- from moment to moment, from year to year

                            • #15
                              Re: Technical measures against social engineering

                              This thread reminded me that I did actually have a username without numbers in it once, and had signed up before 06.

                              Sometimes a unique password every 3 years, instead of 3 months policy can be favorable although risky.
                              Thanks. :D
                              Synapses, the spaces between neurons, are the channels through which our most fundamental traits, preferences, and beliefs are encoded. In short, they enable each of us to function as a single, integrated individual
                              -A synaptic self- from moment to moment, from year to year
