Understanding Scam Victims

BBC has broadcast a set of TV documentaries, “The Real Hustle”. In these documentaries, Paul Wilson, a con artist, scams real people with real scams. When you watch them, you are upset because they are sometimes extremely simple yet devastating. For instance:

Frank Stajano from the Cambridge Computer Laboratory has co-authored with Paul Wilson a paper that analyses these scams. The analysis extracts seven principles that may drive human behavior:

  •   The Distraction Principle
  •   The Social Compliance Principle
  •   The Herd Principle
  •   The Dishonesty Principle
  •   The Deception Principle (dear to Mitnick :Happy: )
  •   The Need and Greed Principle
  •   The Time Principle

Frank explains how these principles may interfere with security systems. We all know that the human is the weakest link. Knowing that human behavior is driven by these principles, it may be possible to build systems that reduce the weight of the human weak link.

Most of these principles are not new. Some have already been described in books like “Beyond Fear” or “The Science of Fear”. Nevertheless, the paper is worth reading, even if it is just to better discover the world of scams (and maybe increase our awareness and save us in the future). Good summer reading.

Retrieving lost passwords through social interaction

What happens when you forget your password? Often there is an automatic recovery procedure that allows you to get it back. Sometimes it is just an authentication through your e-mail address, i.e. the password or a new one is sent to the address you registered. More often, it uses secret questions that are supposed to authenticate you, for instance the name of your pet or your birth town. Obviously, these secret questions have two problems:

  • They are easy to guess because they are too simple. You may harden them by cheating with the answer, but then you need to remember your cheating.
  • If they are too complex, then you may have forgotten the answer.

In other words, they are inadequate, although largely deployed.

SCHECHTER S., EGELMAN S. and REEDER R. from Microsoft describe an interesting solution to this problem in “It’s not what you know, but who you know”. Each user defines a list of trustees. Each trustee receives a recovery code. To retrieve the password, the user must obtain from his/her trustees their recovery codes.

The experiment highlighted two issues:

  • After a while, the user often forgets who his/her trustees are. Thus, you need a procedure to retrieve the trustees’ identities.
  • Many trustees would provide the recovery code to someone close to the user.

I would also add one major one. It takes a lot of time. One subject took 5 days to get three recovery codes. Often, you want immediate access.

Nevertheless, it is an interesting paper to read. I recommend the section that describes how the trustee gets the recovery code. It was designed to highlight many risks of social engineering. Nice work.

A glimpse at hacking mentality

While reading the spring 2008 issue of the hacker magazine 2600, I had fun with the paper Password Memorization Mnemonic from Agent Zero. The paper in itself is not extraordinary. Agent Zero has reinvented the notion of key derivation. He proposes, in a non-formalized way, to use a password-generating function for each site that would take the name of the site as a parameter. He ends up with passwords in the format <site name><code name><number>. This is a typical trick, and you may devise your own function, adding for instance special characters.

Is it a good trick? In fact, it is hardly more secure than using the same strong password on all sites. The security relies on the secrecy of the <code name> and of the algorithm (Kerckhoffs!). And with such a weak algorithm (necessarily weak because it is a mnemonic), if you have the password for one site, it is not difficult to guess the algorithm.

The interesting point comes at the end of the paper. Some sites, for instance MySpace, limit the length of passwords. This ruins the algorithm. Normal users would propose a derived function that would truncate to fit the requested length. But Agent Zero is a hacker, therefore he proposes:
1. Find a similar site with a better password policy.
2. Crack the webpage, system, or server. Show the webmaster or system administrator just how weak their current policy is, thereby spurring them to strengthen it. Admittedly, this is a more extreme-not to mention illegal-road to take, but it has been taken, and it has gotten results.
(Extract)
I love option 2. Definitely another mentality :Wink:
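To make the Kerckhoffs point above concrete, here is an added example (not from the article, the 2600 paper or Agent Zero) that puts the mnemonic rule beside a keyed derivation where only the master secret needs to stay private, and that handles the site length cap by truncation. The code name, master secret and site names are constructed sample values.

```python
import hashlib
import hmac
import string

# Constructed sample values for the demonstration; not taken from the article.
CODE_NAME = "falcon"                               # secret word of the mnemonic scheme
MASTER_SECRET = b"correct horse battery staple"    # master key of the keyed scheme
# 64 symbols, so `byte % 64` maps bytes onto the alphabet without modulo bias.
ALPHABET = string.ascii_letters + string.digits + "-_"


def mnemonic_password(site: str, code_name: str = CODE_NAME, number: int = 7) -> str:
    """The <site name><code name><number> rule discussed in the post.

    The secret (code name) appears verbatim in every password, so one
    leaked password exposes it and, with it, every other site's password.
    """
    return f"{site}{code_name}{number}"


def keyed_site_password(site: str, master: bytes = MASTER_SECRET,
                        length: int = 20, counter: int = 1) -> str:
    """Derive a per-site password from a master secret with HMAC-SHA256.

    The rule can be public (Kerckhoffs): without the master key, one site's
    password gives no information about another site's password or the key.
    `counter` lets the user rotate a single site's password without touching
    the master secret; `length` truncates the output to a site's password cap
    (the MySpace case), which only shortens this one password.
    """
    message = f"{site}:{counter}".encode()
    digest = hmac.new(master, message, hashlib.sha256).digest()
    candidate = "".join(ALPHABET[b % len(ALPHABET)] for b in digest)
    return candidate[:length]


if __name__ == "__main__":
    for site in ("example.org", "myspace"):
        print(site, mnemonic_password(site), keyed_site_password(site))
    # A site with a 10-character cap: same key, same rule, shorter output.
    print("myspace (10-char cap)", keyed_site_password("myspace", length=10))
```

With the mnemonic rule the code name is readable inside each password; with the keyed rule the master secret never appears in any output, so a leak at one site stays local to that site.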