Social Engineering, what every shadowrunner should know |
Social Engineering, what every shadowrunner should know |
Jul 6 2006, 03:39 PM
Post
#1
|
|
Ain Soph Aur Group: Dumpshocked Posts: 3,477 Joined: 26-February 02 From: Montreal, Canada Member No.: 600 |
Here's an article discussing social engineering, the art of manipulating people so they hand information over to you (such as passwords) with a smile. It's certainly something all shadowrunners should know!
|
|
|
Jul 6 2006, 09:14 PM
Post
#2
|
|
Bushido Cowgirl Group: Members Posts: 5,782 Joined: 8-July 05 From: On the Double K Ranch a half day's ride out of Phlogiston Flats Member No.: 7,490 |
...pretty interesting.
|
|
|
Jul 6 2006, 09:19 PM
Post
#3
|
|
Running Target Group: Members Posts: 1,095 Joined: 26-February 02 From: Ontari-airee-o Member No.: 1,115 |
security is only as strong as its weekest link..... and face it ... there is a high percentage of weak links out there. Half the population is below average. There is 50% of the problem right there.
|
|
|
Jul 6 2006, 09:39 PM
Post
#4
|
|
Incertum est quo loco te mors expectet; Group: Dumpshocked Posts: 6,546 Joined: 24-October 03 From: DeeCee, U.S. Member No.: 5,760 |
Training will continue until everyone scores above average.
|
|
|
Jul 6 2006, 10:25 PM
Post
#5
|
|
Manus Celer Dei Group: Dumpshocked Posts: 17,006 Joined: 30-December 02 From: Boston Member No.: 3,802 |
Actually, it seems to me that decently over half of the population would be above average. Maybe I'm underestimating how high-functioning the highest-functioning people are, but given what's available at the lowest parts of the scale…
~J |
|
|
Jul 6 2006, 10:28 PM
Post
#6
|
|
Neophyte Runner Group: Members Posts: 2,026 Joined: 23-November 05 From: Seattle (Really!) Member No.: 7,996 |
Given a sample size over 6 billion it would be unlikely that median and average differ much at all.
|
|
|
Jul 6 2006, 10:41 PM
Post
#7
|
|
Runner Group: Members Posts: 2,556 Joined: 26-February 02 From: Seattle Member No.: 98 |
I just phrase it as "50% of the population has sub-median intelligence."
|
|
|
Jul 6 2006, 10:43 PM
Post
#8
|
|||
Manus Celer Dei Group: Dumpshocked Posts: 17,006 Joined: 30-December 02 From: Boston Member No.: 3,802 |
Only assuming humans are normally distributed, which is what I'm challenging. If they aren't, it would be pretty unlikely for them to be close together. ~J |
||
|
|||
Jul 6 2006, 10:56 PM
Post
#9
|
|
Moving Target Group: Members Posts: 204 Joined: 27-October 05 From: Waterloo, ON Member No.: 7,900 |
Intelligence is also a funny thing: more people live in countries with a below-average education, especially in Shadowrun.
|
|
|
Jul 7 2006, 01:28 AM
Post
#10
|
|
Moving Target Group: Members Posts: 308 Joined: 1-June 06 From: Nova Scotia, Canada Member No.: 8,631 |
With the fact that our world is just becoming more and more wired, it is a lot easier to have social engineering. I work in a callcenter with at least a hundred to two hundred people. We teach our sales people social engineering in the way for them to try and talk people into a sale, but look at it from the flip side.
You want to get someone's information so you pick a name at random from a phone book and call in with that name, phone number and address. That information you have. Then you start getting some bits of info from the helpful service staff, like what email they have on file, maybe change it to yours so you can get into their account. Not very much you can do there, except maybe place an order and ship it somewhere else or try to redirect a package, but lets say you were calling a credit card company, or an insurance company or whatever. |
|
|
Jul 7 2006, 01:58 AM
Post
#11
|
|
Ain Soph Aur Group: Dumpshocked Posts: 3,477 Joined: 26-February 02 From: Montreal, Canada Member No.: 600 |
You don't have to be below average IQ to fall for social engineering. I've worked in a few large corporations, but I have a shadowrun mind so I'm really wary of people I don't know calling me.
But it's CLEAR to see the attitude of wanting to be helpful, combined with not knowing people from other departments, makes for a very easy social engineering trap. Just about all office phones have caller ID, and as soon as you see it's coming from the internal, most workers will assume it's safe to be helpful, because god forbid you say No and a week later your boss brings it back into your face that you're a bad employee. Most corps will have drilled into their employees NEVER EVER to reveal passwords, and most employees will get that. But a good social engineer can weasel around a conversation so that you reveal stuff you should, like that CEO who says his password is his daughter's name, and a bit later he reveals his daughter's name. But I've also seen smaller outfits where half the personnel is down right computer illiterate. They certainly don't get the importance of password protection, and if you make them believe you are tech support, they will gladly reveal anything just because they are (rightly) insecure about their computer skill levels and will assume the tech guy knows best, even if her boss told her not to reveal her password. Bottom line: a high Con skill is helpful for hackers looking to a password. Hacking firewalls is for chumps! |
|
|
Jul 7 2006, 02:14 AM
Post
#12
|
|
Great Dragon Group: Members Posts: 5,430 Joined: 10-January 05 From: Fort Worth, Texas Member No.: 6,957 |
Many corporations these days install software and upgrades via remote computing. Some software requires you to install it as the user you are, and requires higher than normal user access. The quickest route for this is usually for the IT guy to get your password and remote login as you. Unfortunately, I've worked for places that used that method, thinking themselves safe because the IT guy has to email you first. Return email addresses are so easy to spoof that an average corporate lackey (up to and including upper management) would never notice it, and would happily hand over the keys to the castle when asked by the friendly new IT guy.
|
|
|
Jul 7 2006, 02:56 AM
Post
#13
|
|
Moving Target Group: Members Posts: 355 Joined: 24-August 02 From: Magna, Ute Nation Member No.: 3,166 |
Having worked in a place with "restricted access", I can tell you that it's not that people who work there are stupid, they just don't care. Like in the story:
"Next, they pretended to lose their key to the front door, and a man let them in. Then they "lost" their identity badges when entering the third floor secured area, smiled, and a friendly employee opened the door for them. " This is a classic example of people not caring. "The strangers had studied the CFO's voice, so they were able to phone, pretending to be the CFO, in a rush, desperately in need of his network password." This was a stupid person. "No matter how many articles are published about network holes, patches, and firewalls, we can only reduce the threat so much... and then it’s up to Maggie in accounting or her friend, Will, dialing in from a remote site, to keep the corporate network secured. " Maggie and Will don't care, they just want a paycheck. "Most help desk employees are minimally educated in the area of security and get paid peanuts, so they tend to just answer questions and go on to the next phone call. This can create a huge security hole." This is, almost, the way I was at work, I just didn't care. |
|
|
Jul 7 2006, 04:16 AM
Post
#14
|
|
Dragon Group: Members Posts: 4,589 Joined: 28-November 05 Member No.: 8,019 |
How much did you use the "employees don't give a shit" phenomenon in your game?
|
|
|
Jul 7 2006, 08:24 AM
Post
#15
|
|||
Horror Group: Members Posts: 5,322 Joined: 15-June 05 From: BumFuck, New Jersey Member No.: 7,445 |
This is Shadowrun, not IRL. At IRL's worst, unless they actively participate in a security breech, an employee suffers risk of the termination in his job. At Shadowrun's worst, an employee who was alert and actively fought the security breech, and failed (and somehow came away with his life) suffers risk of termination of his life. Good incentive to give a shit. |
||
|
|||
Lo-Fi Version | Time is now: 26th April 2024 - 10:28 AM |
Topps, Inc has sole ownership of the names, logo, artwork, marks, photographs, sounds, audio, video and/or any proprietary material used in connection with the game Shadowrun. Topps, Inc has granted permission to the Dumpshock Forums to use such names, logos, artwork, marks and/or any proprietary materials for promotional and informational purposes on its website but does not endorse, and is not affiliated with the Dumpshock Forums in any official capacity whatsoever.