Anti-Social Engineering

As a geek growing up, I had always admired and respected such magazines as Byte and Scientific American. While perhaps not understanding every article as a 12-year-old, I still appreciated the technological significance of their content. In fact, I still possess my original edition of Volume 237, Number 3 of Scientific American, from September 1977. Containing the articles "Microelectronics", by Robert Noyce, and "Microelectronics and the Personal Computer", by Alan Kay, this is obviously one of my treasured documents.

However, the Internet has led to the content dilution of many once respected journals and publications, such as my blog at Network World. Actually, it is an online article titled "How I Stole Someone's Identity", currently featured on Scientific American's website, which highlighted this fact. Its watered-down material and oversimplified presentations have resulted in its loss of cutting-edge credibility.

This article, which outlines Herb Thompson's "experiment" (there's nothing experimental about an everyday occurrence) to "break into" (logic + luck + end user stupidity < breaking into) someone's bank account, holds little value to readers with a shred of intelligence. What I found most irritating was the text contained in the article's URL, referring to the story as an "anatomy of a social attack". Data mining, email account discovery, and automated password resets are not "social", nor an "attack". The process described lacks any social interaction, although, if interacting with a website script is in fact a social process, then I'll start coding some new cool friends. Furthermore, I'm pretty sure that most security minds wouldn't classify this form of online investigative research as an "attack", or else I've been attacking myself for years.

I'd like to quickly run through some of the techniques used in Mr. Thompson's demonstration, highlighting a few of the unrealistic coincidences and unusually "lucky" circumstances.

Firstly, he started out knowing the target's name, approximate age, state of birth, and place of work. That's helpful. Then the target was asked what bank she used and for her username. This should be the "game over" point. If anyone, including friends and family, randomly asks you for this information and you provide it to them, you shouldn't be allowed to manage your financial assets. Still, this information was just handed to him.

Predictably, a little Googling revealed the usual email addresses, resume and other helpful information. This shouldn't be new to anyone, although those out of the loop should learn about intel gathering through Google Hacking.

Now the ridiculous part. Apparently the target maintained a blog which read more like a tell-all tabloid. It conveniently revealed information about grandparents, pets, hometown, birthday, place of birth, pet's name, and, bizarrely, her father's middle name. If you currently write a blog that provides this type of information, you might as well just post your social security number, credit card numbers, and all of your login credentials, or just post a link to your blog on Craigslist, with the heading "Free identity for Theft". Seriously though, if you have this type of information in your blog, stop blogging and just keep a personal journal.

Lastly, he carried out a sequence of email address password resets that eventually provided access to the target's online banking account. One initial reset attempt, directly against her banking account, resulted in the bank sending the target an email about a recent password reset request, with a link to the necessary webpage. Once again, a red flag to most, but luckily of no concern in this case.

In general, I'm all for end user security education in any form. However, this example has a few too many statistical anomalies for demonstrating the insecurities of online personal information. I'm not sure if this reveals more about Scientific American's readership or content quality. Regardless, use common sense and trust no one, or just stuff your cash under your (non-networked) mattress.

Send your requests for my personal information to: greyhat@computer.org

Copyright © 2008 IDG Communications, Inc.