Technical measures against social engineering


  • #16
    Re: Technical measures against social engineering

    A one time daily authentication code is useful to verify the caller with tamper protection on the one time pad. Then use a PKI encrypted phone, this will encrypt and verify the caller.

    Pretty secure, pretty expensive.

    Comment


    • #17
      Re: Technical measures against social engineering

      Synapse, it can be any kind of technical measure, not just voice detector or something that has to do with phones. Basically anything that can be seen as a technical measure against a social "attack", but for example in this case, IDS would be considered a technical measure against a technical problem, so if a user raises his user group or privileges high without permission, that would still count as a technical type of event.

      So basically a technical measure can be anything that protects information from social attacks. This isn't an easy subject and if it was, we'd already have a long list, because the premise is that you can't counter social attacks with technical measures. So, creativity and imagination is called for and like I said, it doesn't have to be something that we already have, I'm after just general ideas I could evaluate. For example authentication through phone would be one idea, using password. It's not much, but it's still an idea to process and to evaluate.

      Shinobi, Can you explain what you mean by one time pad?

      Comment


      • #18
        Re: Technical measures against social engineering

        Originally posted by StolenIdentity View Post
        Shinobi, Can you explain what you mean by one time pad?
        2 or more parties have access to a system by which a daily code is used to authenticate the other user. Some are paper based where others can be electronic time-lapsing tokens like the RSA tokens.

        Granted if these are compromised you have problems. However you attempt to keep them secure. Nothing is perfect but it's pretty close.

        Comment
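The shared daily code described in the post above, as an added example that is not part of the original thread: a keyed-hash code in the style of HOTP (RFC 4226) rather than a literal one-time pad, bound to the date and to a fresh per-call challenge so an answer overheard on one call is useless on the next. `SAMPLE_SECRET`, `call_code` and `CallVerifier` are hypothetical names, and the key is a constructed sample.

```python
import hashlib
import hmac
import secrets
from datetime import date

# Constructed sample key; a real one is provisioned out of band and kept in a token/HSM.
SAMPLE_SECRET = bytes.fromhex("00112233445566778899aabbccddeeff")


def call_code(secret: bytes, day: date, challenge: str, digits: int = 6) -> str:
    """Code the caller reads out: HMAC over (date, challenge), truncated as in RFC 4226."""
    msg = day.isoformat().encode() + b"|" + challenge.encode()
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 10**digits:0{digits}d}"


class CallVerifier:
    """Help-desk side: issues a fresh challenge per call and checks the spoken answer."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._pending = set()

    def issue_challenge(self) -> str:
        challenge = f"{secrets.randbelow(10**6):06d}"
        self._pending.add(challenge)
        return challenge

    def verify(self, challenge: str, spoken: str, today: date) -> bool:
        # A challenge is consumed on first use, pass or fail, so an overheard
        # answer cannot be replayed and a caller gets one guess per challenge.
        if challenge not in self._pending:
            return False
        self._pending.discard(challenge)
        expected = call_code(self._secret, today, challenge)
        return hmac.compare_digest(expected.encode(), spoken.encode())


if __name__ == "__main__":
    desk = CallVerifier(SAMPLE_SECRET)
    c = desk.issue_challenge()
    answer = call_code(SAMPLE_SECRET, date.today(), c)  # computed on the caller's token
    print(c, answer, desk.verify(c, answer, date.today()))
```

As the post notes, everything rests on the shared key staying secret: anyone holding it can answer any challenge.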


        • #19
          Re: Technical measures against social engineering

          http://en.wikipedia.org/wiki/One_time_pad
          "\x74\x68\x65\x70\x72\x65\x7a\x39\x38";

          Comment


          • #20
            Re: Technical measures against social engineering

            Originally posted by theprez98 View Post
            Ahh nice one Wikipedia, also check out number stations. They use one time pads.

            Comment


            • #21
              Re: Technical measures against social engineering

              Originally posted by Shinobi View Post
              Ahh nice one Wikipedia, also check out number stations. They use one time pads.
              Hmm... this is fairly interesting. I'll take a closer look at this.

              Anyway, if you had PKI encrypted phones, wouldn't that already authenticate both parties pretty well? I guess you want to add an extra layer of security, but IMO if you would have the public key principle in use, that in itself would be pretty good, because that's the biggest problem with phones, not being able to authenticate the other party.

              I know there are encrypted phones, a quick search on the subject and it looks like there might be PKI encrypted phones as well. I would agree, this would be pretty secure.

              Comment


              • #22
                Re: Technical measures against social engineering

                Originally posted by Shinobi View Post
                Ahh nice one Wikipedia, also check out number stations. They use one time pads.
                As with most, I'm not a big fan of Wikipedia, but for general encyclopedia information it's generally pretty good.
                "\x74\x68\x65\x70\x72\x65\x7a\x39\x38";

                Comment


                • #23
                  Re: Technical measures against social engineering

                  Originally posted by StolenIdentity View Post
                  Hmm... this is fairly interesting. I'll take a closer look at this.

                  Anyway, if you had PKI encrypted phones, wouldn't that already authenticate both parties pretty well? I guess you want to add an extra layer of security, but IMO if you would have the public key principle in use, that in itself would be pretty good, because that's the biggest problem with phones, not being able to authenticate the other party.

                  I know there are encrypted phones, a quick search on the subject and it looks like there might be PKI encrypted phones as well. I would agree, this would be pretty secure.
                  Yes there are PKI encrypted phones and they authenticate the user. But like you said that extra level of security is useful.

                  Comment


                  • #24
                    Re: Technical measures against social engineering

                    Originally posted by theprez98 View Post
                    As with most, I'm not a big fan of Wikipedia, but for general encyclopedia information it's generally pretty good.
                    Yeah some of the information's accuracy is dubious..

                    Comment
