People Skills in the Digital Age
Social Engineering and Owning the Box

I once worked as a security guard for Quebecor World in Lincoln, NE. Nothing glamorous by any means, but unique in the fact that my $5.75-an-hour rent-a-cop security guard job required me to go through a one-month background check complete with credit record and criminal record pulls, interviews with the State Patrol, and multiple inquiries into my previous employment history. Why would this be necessary for such a mundane job? Who cares about the criminal background of a security guy on third shift at a printer? Quebecor prints, among other things, AOL CDs and pre-approved credit card applications, and has at any time several hundred thousand names, addresses, phone numbers, credit card numbers, and social security numbers in (relatively) plain view. The dumpsters outside are locked. A special shredder devours waste paper into confetti pieces smaller than the end of an infant's little fingernail, and then shreds them again. These precautions are a good start, but in about 10 minutes an employee inside with a grudge, or someone with access to some money, can enlist the help of a for-profit company to reconstruct paper shreddings into a sembla
Forewarned is forearmed, especially when it comes to social engineering. Kevin Mitnick's journey through the criminal system is disheartening at best for any computer user who wants to pursue a career in computer security or intrusion detection and response, because many of the tools used to trace such activities can also be used for illegal purposes. Social engineering, and its related type of information attack, 'dumpster diving', is IT slang for using non-technical means to compromise an information system. How does an organization defend against social engineering? Defending against social as well as technical threats should be part of a "defense in depth" strategy, but it is often ignored. Sometimes the calls were charged to the phone company itself as a way of thumbing a nose at the establishment.
* Requirement that users log off or use password-protected screensavers when away from the computer, cautionary instructions on ensuring that no one is watching when you type in logon information, etc.
* The policies must be disseminated to all users of the network, with education and training provided as to why compliance is essential.
Security awareness should be part of the training of every employee who uses the network, and in order to be effective, it should be ongoing. Draper earned his name from his use of a toy whistle found in a cereal box that generated the 2600 Hz tone necessary to fool the phone system. Another well-known social engineer needs almost no introduction. Among those victims are Novell, Nokia, and Sun Microsystems, companies that suffered no losses, but because Mr. The gray goo scenario of Eric Drexler (famous for saying that 'smart, microscopic computers could take over the earth'), though a possibility in the future, is not possible at this time because of the current limitations of technology.
I have used both technical and non-technical means to obtain the source code to various operating systems and telecommunications devices to study their vulnerabilities and their inner workings. The information was already out there, though, and until AT&T updated their switching technology and proceeded to subpoena phreakers under the wire fraud act, it continued sporadically into the early 80s.