Full Version: Social Engineering
Backgammon
Here's an article discussing social engineering, the art of manipulating people so they hand information over to you (such as passwords) with a smile. It's certainly something all shadowrunners should know!

Kyoto Kid
...pretty interesting.
Platinum
Security is only as strong as its weakest link..... and face it ... there is a high percentage of weak links out there. Half the population is below average. There is 50% of the problem right there.
nezumi
Training will continue until everyone scores above average.
Kagetenshi
Actually, it seems to me that decently over half of the population would be above average. Maybe I'm underestimating how high-functioning the highest-functioning people are, but given what's available at the lowest parts of the scale…

~J
stevebugge
Given a sample size over 6 billion it would be unlikely that median and average differ much at all.
Shrike30
I just phrase it as "50% of the population has sub-median intelligence."
Kagetenshi
QUOTE (stevebugge)
Given a sample size over 6 billion it would be unlikely that median and average differ much at all.

Only assuming humans are normally distributed, which is what I'm challenging. If they aren't, it would be pretty unlikely for them to be close together.

~J
Calvin Hobbes
Intelligence is also a funny thing: more people live in countries with a below-average education, especially in Shadowrun.
Drraagh
With the fact that our world is just becoming more and more wired, it is a lot easier to have social engineering. I work in a call center with at least a hundred to two hundred people. We teach our sales people social engineering in the way for them to try and talk people into a sale, but look at it from the flip side.

You want to get someone's information so you pick a name at random from a phone book and call in with that name, phone number and address. That information you have. Then you start getting some bits of info from the helpful service staff, like what email they have on file, maybe change it to yours so you can get into their account. Not very much you can do there, except maybe place an order and ship it somewhere else or try to redirect a package, but let's say you were calling a credit card company, or an insurance company or whatever.
Backgammon
You don't have to be below average IQ to fall for social engineering. I've worked in a few large corporations, but I have a shadowrun mind so I'm really wary of people I don't know calling me.

But it's CLEAR to see the attitude of wanting to be helpful, combined with not knowing people from other departments, makes for a very easy social engineering trap. Just about all office phones have caller ID, and as soon as you see it's coming from the internal, most workers will assume it's safe to be helpful, because god forbid you say No and a week later your boss brings it back into your face that you're a bad employee. Most corps will have drilled into their employees NEVER EVER to reveal passwords, and most employees will get that. But a good social engineer can weasel around a conversation so that you reveal stuff you should, like that CEO who says his password is his daughter's name, and a bit later he reveals his daughter's name.

But I've also seen smaller outfits where half the personnel is downright computer illiterate. They certainly don't get the importance of password protection, and if you make them believe you are tech support, they will gladly reveal anything just because they are (rightly) insecure about their computer skill levels and will assume the tech guy knows best, even if her boss told her not to reveal her password.

Bottom line: a high Con skill is helpful for hackers looking to get a password. Hacking firewalls is for chumps!
James McMurray
Many corporations these days install software and upgrades via remote computing. Some software requires you to install it as the user you are, and requires higher than normal user access. The quickest route for this is usually for the IT guy to get your password and remote login as you. Unfortunately, I've worked for places that used that method, thinking themselves safe because the IT guy has to email you first. Return email addresses are so easy to spoof that an average corporate lackey (up to and including upper management) would never notice it, and would happily hand over the keys to the castle when asked by the friendly new IT guy.
Rajaat99
Having worked in a place with "restricted access", I can tell you that it's not that people who work there are stupid, they just don't care. Like in the story:
"Next, they pretended to lose their key to the front door, and a man let them in. Then they "lost" their identity badges when entering the third floor secured area, smiled, and a friendly employee opened the door for them."

This is a classic example of people not caring.

"The strangers had studied the CFO's voice, so they were able to phone, pretending to be the CFO, in a rush, desperately in need of his network password."

This was a stupid person.

"No matter how many articles are published about network holes, patches, and firewalls, we can only reduce the threat so much... and then it’s up to Maggie in accounting or her friend, Will, dialing in from a remote site, to keep the corporate network secured."

Maggie and Will don't care, they just want a paycheck.

"Most help desk employees are minimally educated in the area of security and get paid peanuts, so they tend to just answer questions and go on to the next phone call. This can create a huge security hole."

This is, almost, the way I was at work, I just didn't care.
emo samurai
How much did you use the "employees don't give a shit" phenomenon in your game?
ShadowDragon8685
QUOTE (emo samurai)
How much did you use the "employees don't give a shit" phenomenon in your game?

This is Shadowrun, not IRL.

At IRL's worst, unless they actively participate in a security breach, an employee suffers risk of the termination in his job.

At Shadowrun's worst, an employee who was alert and actively fought the security breach, and failed (and somehow came away with his life) suffers risk of termination of his life.

Good incentive to give a shit.
Dumpshock Forums © 2001-2012