Social Engineering - The oldest and best trick in the book.

The Washington Post has a good article on social engineering attacks; it is a solid treatment of the topic.

Short answer: humans are the weak link, and can be defeated with extremely high probability.

The takeaway from this whole thing is that we need to be building security systems that don't rely on humans not being tricked into compromising their own security. A lot of security architects take a "blame the victim" stance. Users have other things to worry about than security. We need to make sure security happens even if they are not paying attention to it.

Facebook Introduces "Places" location services

There has been a lot of excitement in the privacy community around the introduction of a social location service by Facebook. Having blown the dust off my test account, I don't really understand all the fuss.

It appears that this capability only applies to mobile devices right now (although I have blogged in the past about the ability to locate your computer). When using the mobile site or the Facebook app, there is a button that allows you to "Check In" at your current location. It appears that this is exclusively an overt act, and that nothing is taking place passively in the background.

The privacy defaults (at least for me) were fairly restrictive. My check-in is only shared with "friends" by default. The only really interesting setting was that it defaults to show your location to others who are checked-in at the same location around the same time, but that was easily changed.

The FAQ talks about and links to the privacy settings in a prominent way. It feels strange to say this, but I don't think they have done a bad thing here. Obviously there are major privacy and security implications to telling people where you are all the time, and it may lead to stalking and/or home robberies, but you really have to ask them to do it to you. Caveat emptor.

Of course, none of this should suggest that I have any intention of ever using the service myself.

I note that most of the other social location players, like Gowalla, Yelp, Booyah and Foursquare were at the announcement. This could certainly impact them in a big way, either for good or ill. That seems like the real story, and my thoughts on that are well out of scope for this blog.

An example of the power of social engineering

Here is another article I picked up on the Qui Custodes blog of David Kaufman: Washington City Paper: Cover Story: Desk Job. This article describes a woman, without any special training, who was able to gain access to "secure" government buildings and steal money right from the desks and purses of the employees. Obviously this could have been documents and information if she had been involved with foreign intelligence. Her methods were simple. She was spotted frequently, but very few people were willing to confront her about her actions, choosing to avoid conflict. The moral here is: security is about everyone following up on everything that seems out of place or unusual. Better metal detectors or bigger guns at the front door won't do it. Security comes from the alert minds of everyone on the inside of the building being willing to ask direct questions.