Technical measures against social engineering

  • Shinobi
    replied
    Re: Technical measures against social engineering

    Originally posted by theprez98:
    As with most, I'm not a big fan of Wikipedia, but for general encyclopedia information it's generally pretty good.
    Yeah, some of the information's accuracy is dubious...



  • Shinobi
    replied
    Re: Technical measures against social engineering

    Originally posted by StolenIdentity:
    Hmm... this is fairly interesting. I'll take a closer look at this.

    Anyway, if you had PKI encrypted phones, wouldn't that already authenticate both parties pretty well? I guess you want to add an extra layer of security, but IMO if you would have the public key principle in use, that in itself would be pretty good, because that's the biggest problem with phones, not being able to authenticate the other party.

    I know there are encrypted phones, a quick search on the subject and it looks like there might be PKI encrypted phones as well. I would agree, this would be pretty secure.
    Yes, there are PKI encrypted phones and they authenticate the user. But like you said, that extra level of security is useful.



  • theprez98
    replied
    Re: Technical measures against social engineering

    Originally posted by Shinobi:
    Ahh nice one Wikipedia, also check out number stations. They use one time pads.
    As with most, I'm not a big fan of Wikipedia, but for general encyclopedia information it's generally pretty good.



  • StolenIdentity
    replied
    Re: Technical measures against social engineering

    Originally posted by Shinobi:
    Ahh nice one Wikipedia, also check out number stations. They use one time pads.
    Hmm... this is fairly interesting. I'll take a closer look at this.

    Anyway, if you had PKI encrypted phones, wouldn't that already authenticate both parties pretty well? I guess you want to add an extra layer of security, but IMO if you would have the public key principle in use, that in itself would be pretty good, because that's the biggest problem with phones, not being able to authenticate the other party.

    I know there are encrypted phones, a quick search on the subject and it looks like there might be PKI encrypted phones as well. I would agree, this would be pretty secure.

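StolenIdentity's question above and Shinobi's reply both lean on "PKI encrypted phones" authenticating the other party. The block below is an added editor's example, not code posted in the thread or taken from any product: it shows the minimum such a phone has to do, a signed challenge-response in which each end holds a long-term Ed25519 key, has the peer's public key pinned in advance, and signs a transcript that binds both names and both fresh nonces. The three-message layout, the party names and the `->` transcript label are assumptions of the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// party is one end of the call: a long-term signing key plus a directory of
// peers whose public keys were pinned out of band (the PKI the thread assumes).
type party struct {
	name    string
	priv    ed25519.PrivateKey
	trusted map[string]ed25519.PublicKey
}

func newParty(name string) *party {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &party{name: name, priv: priv, trusted: map[string]ed25519.PublicKey{}}
}

// trust pins another party's public key under the name it will claim on a call.
func (p *party) trust(other *party) {
	p.trusted[other.name] = other.priv.Public().(ed25519.PublicKey)
}

// nonce is the 32-byte fresh challenge each side contributes.
func nonce() []byte {
	n := make([]byte, 32)
	if _, err := rand.Read(n); err != nil {
		panic(err)
	}
	return n
}

// transcript binds both identities and both nonces into the signed message, so a
// signature from one call cannot be replayed in another or reflected back to
// its author. (Fields are joined with a plain separator here; a real protocol
// would length-prefix each one.)
func transcript(from, to string, callerNonce, calleeNonce []byte) []byte {
	msg := []byte(from + "->" + to + "|")
	msg = append(msg, callerNonce...)
	return append(msg, calleeNonce...)
}

func (p *party) sign(to string, callerNonce, calleeNonce []byte) []byte {
	return ed25519.Sign(p.priv, transcript(p.name, to, callerNonce, calleeNonce))
}

// verify checks a signature against the key pinned for the claimed peer name;
// a name with no pinned key is rejected outright.
func (p *party) verify(from string, callerNonce, calleeNonce, sig []byte) error {
	pub, ok := p.trusted[from]
	if !ok {
		return fmt.Errorf("%s: no pinned key for %q", p.name, from)
	}
	if !ed25519.Verify(pub, transcript(from, p.name, callerNonce, calleeNonce), sig) {
		return fmt.Errorf("%s: bad signature from %q", p.name, from)
	}
	return nil
}

// mutualAuth runs the exchange between caller and callee:
//  1. caller -> callee: caller.name, callerNonce
//  2. callee -> caller: callee.name, calleeNonce, Sign(callee, transcript)
//  3. caller -> callee: Sign(caller, transcript)
//
// It returns nil only when each side has verified the other's fresh signature.
func mutualAuth(caller, callee *party) error {
	callerNonce := nonce()
	calleeNonce := nonce()
	sigCallee := callee.sign(caller.name, callerNonce, calleeNonce)
	if err := caller.verify(callee.name, callerNonce, calleeNonce, sigCallee); err != nil {
		return err
	}
	sigCaller := caller.sign(callee.name, callerNonce, calleeNonce)
	return callee.verify(caller.name, callerNonce, calleeNonce, sigCaller)
}

func main() {
	alice, bob := newParty("alice"), newParty("bob")
	alice.trust(bob)
	bob.trust(alice)
	fmt.Println("alice <-> bob authenticated:", mutualAuth(alice, bob) == nil)
	// An impostor who merely claims bob's name has no pinned key and fails.
	fmt.Println("alice <-> impostor authenticated:", mutualAuth(alice, newParty("bob")) == nil)
}
```

What this buys the thread's question: after message 3 each side knows it is talking to whoever holds the private key pinned under the other's name, and a recording of a previous call is useless because the nonces differ. What it does not buy is anything about the person at the handset; the guarantee is only as good as the enrolment step that pinned the key, which is where a social engineer would move next.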


  • Shinobi
    replied
    Re: Technical measures against social engineering

    Originally posted by theprez98:
    Ahh nice one Wikipedia, also check out number stations. They use one time pads.



  • theprez98
    replied
    Re: Technical measures against social engineering

    http://en.wikipedia.org/wiki/One_time_pad



  • Shinobi
    replied
    Re: Technical measures against social engineering

    Originally posted by StolenIdentity:
    Shinobi, Can you explain what you mean by one time pad?
    2 or more parties have access to a system by which a daily code is used to authenticate the other user. Some are paper based where others can be electronic time-lapsing tokens like the RSA tokens.

    Granted if these are compromised you have problems. However you attempt to keep them secure. Nothing is perfect but it's pretty close.

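The daily code and the RSA-style token Shinobi describes above are, mechanically, a time-based one-time password: a shared secret combined with the current time step, which is what RFC 4226 (HOTP) and RFC 6238 (TOTP) standardise. The block below is an added editor's example, not code posted in the thread: it generates the code and verifies one read out over the phone within a small clock-skew window. The secret is the RFC test-vector secret, and the 24-hour step used for the "code of the day" is an assumption chosen to match the post.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"time"
)

// hotp implements RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter,
// dynamic truncation to 31 bits, then reduction to the requested digit count.
func hotp(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	offset := h[len(h)-1] & 0x0f
	code := uint32(h[offset]&0x7f)<<24 | uint32(h[offset+1])<<16 |
		uint32(h[offset+2])<<8 | uint32(h[offset+3])
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// stepCounter is the RFC 6238 counter: whole time steps since the Unix epoch.
func stepCounter(t time.Time, step time.Duration) int64 {
	return t.Unix() / int64(step/time.Second)
}

// totp returns the code for the step containing t. step=30s gives the familiar
// hardware-token behaviour; step=24h gives a "code of the day".
func totp(secret []byte, t time.Time, step time.Duration, digits int) string {
	return hotp(secret, uint64(stepCounter(t, step)), digits)
}

// verifyCode checks a code read out by a caller against the current step and up
// to skew steps either side, comparing each candidate in constant time.
func verifyCode(secret []byte, candidate string, t time.Time, step time.Duration, digits, skew int) bool {
	base := stepCounter(t, step)
	for d := -int64(skew); d <= int64(skew); d++ {
		if c := base + d; c >= 0 &&
			hmac.Equal([]byte(hotp(secret, uint64(c), digits)), []byte(candidate)) {
			return true
		}
	}
	return false
}

func main() {
	// RFC 4226/6238 test secret; a deployment provisions a random secret per token.
	secret := []byte("12345678901234567890")
	now := time.Now()
	fmt.Println("30-second code:", totp(secret, now, 30*time.Second, 6))
	fmt.Println("code of the day:", totp(secret, now, 24*time.Hour, 8))
}
```

Two caveats a practitioner would attach. A code of the day is convenient but, once overheard, replays for the rest of the day, so a short step (or a challenge-response) is preferable for anything the help desk acts on. And a correct code only proves possession of the secret, not who is speaking; it is one factor to combine with a call-back to a directory number, not a substitute for it.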


  • StolenIdentity
    replied
    Re: Technical measures against social engineering

    Synapse, it can be any kind of technical measure, not just a voice detector or something that has to do with phones. Basically anything that can be seen as a technical measure against a social "attack", but for example in this case, an IDS would be considered a technical measure against a technical problem, so if a user raises his user group or privileges high without permission, that would still count as a technical type of event.

    So basically a technical measure can be anything that protects information from social attacks. This isn't an easy subject and if it was, we'd already have a long list, because the premise is that you can't counter social attacks with technical measures. So, creativity and imagination is called for and like I said, it doesn't have to be something that we already have, I'm after just general ideas I could evaluate. For example authentication through phone would be one idea, using password. It's not much, but it's still an idea to process and to evaluate.

    Shinobi, Can you explain what you mean by one time pad?



  • Shinobi
    replied
    Re: Technical measures against social engineering

    A one-time daily authentication code is useful to verify the caller, with tamper protection on the one-time pad. Then use a PKI encrypted phone; this will encrypt and verify the caller.

    Pretty secure, pretty expensive.



  • Synapse
    replied
    Re: Technical measures against social engineering

    This thread reminded me that I did actually have a username without numbers in it once, and had signed up before 06.

    Sometimes a unique password every 3 years, instead of 3 months policy can be favorable although risky.
    Thanks. :D



  • Synapse
    replied
    Re: Technical measures against social engineering

    I don't really see how technical measures can accurately prevent SE, especially something like a password reset etc. ? I assume this is geared towards the business work place?

    I really think the question separates into different areas...
    Is this Technical measures against social engineering, assuming a situation where IT is in place and the user is vulnerable to contact for help, (they make the initiative to put themselves in the situation in attempt to solve an issue).


    Or technical measures to protect someone from releasing information otherwise?

    Obviously by email, would be easiest way to put in place something that counters attempts.
    But by Phone?
    Maybe a trigger that disconnects the phone when they say "my password is.."

    It's hard to put a technical measure into an environment/situation that has many variables and exceptions.

    Indeed it would be interesting to see what complex piece of technology could perform this duty.


    I think a Shockey Monkey would be effective.



  • StolenIdentity
    replied
    Re: Technical measures against social engineering

    About IT and passwords, it works surprisingly well I figure. There's plenty of ways to exploit the user in this scenario. For example you don't have to ask the password, you can just call and say this is the IT support and then start talking about the new policies regarding passwords. No patterns, no names of your relatives or part of those names, you have to have at least two numbers, big and small letters blah blah blah. You could say that in addition to this, the policy still is that you shouldn't give your password to anyone, including myself. Then just basically say that the old password will be invalid soon and that you will give the person a new password and that the user should change the password now and see if it works already, because it should work. I mean, naturally you'll know what the password is at this point.

    It's just a variation of the same scenario, endless ways to just spin it a little and it works like a charm. And that's just establishing authority by pretending to be the support.

    What users should understand is that the password is a secret between the user and the computer. Period. No one knows it or should know, be it support, your boss or whoever. No one. Just you and the computer.



  • StolenIdentity
    replied
    Re: Technical measures against social engineering

    Originally posted by theprez98:
    I think what you'll end up doing is having a list of x technical measures and how they might put a dent into SE. Analyze each of them for strengths and weaknesses, and then inevitably conclude that technical measures by their nature are meant to be bypassed by SE and thus do not work (much?).
    Possibly. It is the most likely outcome. It's not trivial enough to be concluded that no evaluation was necessary, because it's common sense that it is a social problem and has to do with people. This isn't my main research question though, but it's a chapter dealing with measures against SE and they can be pretty abstract as well.

    This sounds like a fool's errand, but trust me, this isn't the bread and butter of the thesis. That said, I still think this is an interesting question. Technical measures can extend to all kinds of things we already have like surveillance, biometrics etc. So the idea is to mention what is out there, the ideas behind them, evaluate them and possibly introduce some abstract ideas, and these ideas don't have to work. If the evaluation shows that the idea is impossible to implement, there is no such technology yet and so forth, then that's a result as well.

    The thing is, I'm dealing with sociology, social psychology and sort of... introducing SE in what can be thought of as valid frameworks within those fields, and one of my main statements is that comprehensive security is sociotechnical: it deals with social issues as well as technical, they are often overlapping etc. You're all familiar with it so I'm not going more into it now, but I'd like to also get... just some technical sides to it and that's a part of it. And basically my view so far is that there are technical measures to be taken, combined with social measures. It's not necessarily one single technology that will determine a situation and reveal it as SE. That's not very feasible.

    So... I'd still appreciate any crazy ideas you guys have!

    I don't mind if this thread moves into a discussion about SE; there's not enough discussion about it.



  • Deviant Ollam
    replied
    Re: Technical measures against social engineering

    Originally posted by theprez98:
    A good idea, but that doesn't prevent someone from pretexting as IT and asking.
    i have tried to absolutely ram this concept down all my users' throats more than anything else in my interactions with them.

    besides saying (and visibly posting) things like "there is absolutely no reason for anyone to ever know your password EVER for ANY reason" i will occasionally test people (either myself while on the phone with them or with people acting on my behalf) and it's known to be a standing rule that if you adequately resist interrogation, pleading, etc etc etc and refuse to divulge your password i'll personally buy you a beer after work. once word of that got out i was amazed at how many people started telling me to buzz off when i attempted to needle their passwords.



  • Thorn
    replied
    Re: Technical measures against social engineering

    Originally posted by kallahar:
    Well, on the password example there's a simple solution.

    1) Don't give any IT people direct access to any passwords. They have the ability to set a password or to do an automatic reset where they never see the new one.
    2) Make sure all employees know that NO ONE will *EVER* ask for their password. And make sure IT doesn't ever actually do it.

    Kallahar
    I completely agree, but it doesn't prevent the social aspect from taking place. Besides, users are notorious for ignoring rules especially when someone is being nice, and the user is just being helpful.

    But that portion of it is actually beside the point. The idea I was trying to get across is that you have a technical solution to protect and defeat SE which is used to defeat some technical protection, just gets a repetitious and cyclic.

    Originally posted by theprez98:
    I was just about to add this. You're reading my mind again.
    Must be some of those psychic powers rubbed off.

    Originally posted by theprez98:
    Considering the accuracy problems of polygraphs in even the most scientific of settings, it seems to me that Voice Polygraph over POTS (vPOP, I just coined a new term) would have a long way to go to pass any sort of reasonableness test.
    Polygraphs are 90% junk science, which is why they don't pass Frye tests, they should never be allowed in court, and any lawyer worth his salt won't let clients take a poly exam. It's mainly psychological. A good polygraph examiner works with the subject's belief that the "box" can't be beat, and works them into a corner. There are several well-known ways polygraphs can be beat with relatively simple techniques. Of course, the simplest technique is to never allow yourself to be polygraphed.

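Kallahar's two rules quoted above (support can trigger a reset but never sees a password; nobody ever asks for one) can be enforced in the identity store rather than left to policy, which is the only way the "IT never actually does it" half holds up. The block below is an added editor's example, not code from the thread or from any product: the help-desk call generates a single-use, time-limited reset token, stores only its hash, hands the plaintext to a delivery callback bound for the user's registered channel, and returns nothing the agent could read out; the user then sets a password the agent never learns. The PBKDF2 round count, the 15-minute lifetime and the `deliver` callback are assumptions of the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"time"
)

const kdfIter = 100000 // PBKDF2-HMAC-SHA256 rounds; a value assumed for the example

type account struct {
	salt, passHash []byte
	resetHash      []byte // sha256 of the outstanding reset token; nil when none
	resetExpires   time.Time
}

// directory stands in for the identity store the help-desk tool talks to.
type directory map[string]*account

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// pbkdf2 is RFC 8018 PBKDF2-HMAC-SHA256 for a single 32-byte output block.
func pbkdf2(password, salt []byte, iter int) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // block index INT(1)
	u := mac.Sum(nil)
	out := append([]byte(nil), u...)
	for i := 1; i < iter; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range out {
			out[j] ^= u[j]
		}
	}
	return out
}

func setPassword(a *account, password string) {
	a.salt = randBytes(16)
	a.passHash = pbkdf2([]byte(password), a.salt, kdfIter)
}

func (d directory) login(name, password string) bool {
	a, ok := d[name]
	return ok && subtle.ConstantTimeCompare(a.passHash, pbkdf2([]byte(password), a.salt, kdfIter)) == 1
}

// helpdeskReset is the only operation the support tool gets. It returns nothing
// usable for login: only the token's hash is stored, and the plaintext goes to
// deliver, which a deployment binds to the user's registered out-of-band channel.
func (d directory) helpdeskReset(name string, deliver func(token string)) error {
	a, ok := d[name]
	if !ok {
		return errors.New("no such user")
	}
	token := fmt.Sprintf("%x", randBytes(16))
	sum := sha256.Sum256([]byte(token))
	a.resetHash, a.resetExpires = sum[:], time.Now().Add(15*time.Minute) // lifetime assumed
	deliver(token)
	return nil
}

// redeem is called by the user, not the agent: the token is consumed by the first
// attempt whatever the outcome, and the user chooses the new password.
func (d directory) redeem(name, token, newPassword string) error {
	a, ok := d[name]
	if !ok || a.resetHash == nil {
		return errors.New("no reset pending")
	}
	defer func() { a.resetHash = nil }() // single use, even on failure
	if time.Now().After(a.resetExpires) {
		return errors.New("reset expired")
	}
	if sum := sha256.Sum256([]byte(token)); subtle.ConstantTimeCompare(sum[:], a.resetHash) != 1 {
		return errors.New("bad token")
	}
	setPassword(a, newPassword)
	return nil
}

func main() {
	d := directory{"alice": {}}
	setPassword(d["alice"], "old-password")
	var delivered string // stands in for the out-of-band channel in this example
	_ = d.helpdeskReset("alice", func(tok string) { delivered = tok })
	fmt.Println("reset accepted:", d.redeem("alice", delivered, "new-password") == nil)
	fmt.Println("new password works:", d.login("alice", "new-password"))
}
```

The design point is that the agent's tool has no path that yields a credential: `helpdeskReset` returns only an error value, the token lives in storage only as a hash, and `redeem` is the user's call. That removes the "I'll give you a new password, try it now" pretext StolenIdentity describes further down, since there is no new password for anyone to hand over. It does nothing about the pretext itself, which is Thorn's point above; what it removes is the payoff.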
