Breaking inside out

Security gets more complicated yet social engineering remains the same threat as ever.

The Trojans learned that no matter how impressive your citadel is, if the people inside can be manipulated then those fortifications amount to naught. As The Chaser's War on Everything proved a few weeks ago, people still haven't learned that lesson.

Over the past couple of days the topic of social engineering reared its vile head again, and while the stories I am about to tell are semi-humorous, the consequences are not.

It began on Monday when a young man called "Miguel Sanchez" sent an e-mail letting his fellow employees know that they could receive a free upgrade to a Web site if they sent him their username and email address.

"Miguel" meant for people to give him their username so he could pass it on to the Web site admin, who would simply tick the magical checkbox. Instead, a large number of people included their username and password!

The fact that people would so easily give up their passwords is quite scary.

On Tuesday, I heard a story from Kingston City Council, which did some social engineering tests of its own. An individual was hired to wear a suit and see what he could gain access to without any type of clearance.

He hung out around doorways and people let him onto every floor of their building. He even gained access to the server room by telling the people behind the help desk he was there to service the UPS.

Fortunately some good things did happen: a few people asked him why he was walking around, and a broadcast e-mail was sent warning employees about the "guy in the suit".

Kingston's IT manager summed it up by stating "the biggest threat to security is staff". How true.

As developers, how can we code against social engineering? We can't. The only way to counter it is to educate users and hope that they "get it". If not ... lather, rinse, repeat. Because most of us also double up as the help desk from time to time, the work begins at home.

You may have hundreds of thousands of dollars' worth of equipment, a first-class security policy, and a complete firewall and demilitarised zone implementation, but if just one user lets their guard down, you may find that your security castle was merely a house of cards.

And now for the Trojan Chaser vid: