Social Engineering… Your IT’s biggest threat?

Posted by Josh on July 23, 2012 in Security |


Social engineering has slipped to the wayside a bit when people think of IT security. Patch management, packet inspection, IDS/IPS, and the like take the main stage, leaving social engineering as a back-burner project.

Social engineering has evolved from the old movie staple of “dumpster diving” to flashy websites and emails designed to “spoof” people into entering their real logon and password on a fake site, via methods like spear phishing and look-alike domain names. Even with these newer methods, some of the tried-and-true ones still work.

Many times, it is the simple things that pose the biggest risk to your network and data. A simple stroll around most office areas will reveal things like usernames and passwords taped to monitors or “hidden” under a mouse pad or keyboard or in a desk drawer. Opportunities such as “shoulder surfing” and unattended, logged-in systems are also routinely found in most office environments.

The company’s own Storage Area Network, or SAN, can be a social engineer’s playground. Simple searches of a company “share drive” will often reveal several files with titles like “password.txt”, or MS Word documents that contain usernames and passwords for various systems and sites. Confidential communications can be compromised by storing a Microsoft Outlook PST file on an improperly secured “share drive”.*

Seeing this kind of accessibility on a simple walk around leads to the next question: how are we controlling access to our buildings? A person shows up in a “uniform” with an ID badge, stating they need access to your communications closet to “check something out”. Are the front desk personnel verifying that someone within the company actually requested service? Are they calling the vendor and verifying the employee presenting him or herself? Unsupervised access to a communications closet can potentially harm the entire company’s network. Anything from simple wiretaps to full network access, especially if port security is not used, can be had, depending on the assets within a given communications closet.

These are truly simple examples, but the hard truth is that without an IT policy, and methods to check and enforce compliance with it, they exist almost universally in any type of corporate environment.

As you read this, you might think, “I do not work for a company and just have my home computer.” Social engineering still affects you as well. Many home users do not even have a password set on their computer and are often using a full administrative account. This, simply put, means anyone with physical access to your system has full control of it. When you take into account connectivity options like WiFi, if someone can connect to your access point, they can likely access your whole computer without ever setting foot in your home. Home users are just as susceptible to spear phishing attacks via their personal email accounts, with spoofs of their banking institutions or online payment sites being very common.

The bottom line is that no matter how hardened a network or IT system is, your weakest link is often the “people” who use those systems. Time spent on training and compliance will be worth the effort.


*Note: Use of PSTs located on network storage and opened by a local MS Outlook client is not a supported configuration.



Password Security

Posted by Josh on July 12, 2012 in Security |

With the recent password leaks from both LinkedIn.com and Yahoo.com, the topic of passwords has been at the forefront for many people, and specifically for IT departments. It is not uncommon to walk into an office environment and see things like passwords taped to monitors or hidden on sticky notes under mouse pads, under keyboards, and in desk drawers.

The first element of a good password is complexity. Complexity is a way to make your password more difficult to “crack”. The first step in creating a complex password is not to use any dictionary words. Unfortunately, when this is coupled with requirements for special characters, numbers, and upper- and lowercase letters, people often do as one FBI agent did in the exposed Yahoo hack and create a password like PA$$w0rd01. This is only marginally better than simply using “password”, since any dictionary-based attack will account for these kinds of simple letter substitutions.

A good password should have at least two uppercase letters, two lowercase letters, two special characters and two numbers, contain no dictionary words or simple substitutions, and be at least 15 characters long. These requirements have also evolved to exclude keyboard patterns or progressions like QWer12#$ or 13qeadzc!#QEADZC. The final requirement is not to use personal information like names, birthdays, anniversaries, pets’ names, and the like as the basis of, or anywhere in, your passwords. Combining all of these greatly increases the complexity of your password, which makes it harder to “crack” using brute force attacks.

Because of all these requirements, people often have a hard time thinking of passwords that are “secure” but easy enough to remember that they do not have to write them down.

An easy way to create a secure password that is EASY to remember is to take a phrase that you know well and use it as the base for a cipher.

I will use the two most famous lines from “A Few Good Men” to illustrate how to do this.

“I want the truth! You can’t handle the truth!”


Another method is to develop a passphrase and a cipher box that contains the 26 letters of the alphabet and a mix of numbers and special characters. Below I will use a line from the movie “The Boondock Saints” to show how this can be done.


“And shepherds we shall be!” when used with the cipher box below (each character on the left is replaced by the character to its right; spaces are dropped) becomes “H7Vg-qm-qsVgFqg-h$$We6”

A→h  B→W  C→h  D→V  E→q  F→1  G→%  H→-  I→D  J→y
K→z  L→$  M→4  N→7  O→U  P→m  Q→?  R→s  S→g  T→L
U→2  V→R  W→F  X→7  Y→8  Z→e  1→5  2→!  3→i  4→T
5→@  6→Z  7→c  8→#  9→^  0→K  !→6  @→9  #→o  $→B
%→&  ^→N  &→3  *→j  (→*  )→P  _→(  =→a  +→1  ?→x
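As an added example (not the post's own code), here is the cipher-box method in Python: it builds the box from the rows printed above, applies it to the passphrase, and checks the output against the composition rules stated earlier in the post. The box lists letters in uppercase only, so case is folded before lookup, and that strict lookup yields “h7Vg-qm-qsVgFqg-h$$Wq6”, which differs in two characters from the string printed above.

```python
import string

# Constructed from the cipher box printed in the post: each token is a
# plain character followed by its substitute (A -> h, B -> W, ...).
CIPHER_BOX_ROWS = [
    "Ah BW Ch DV Eq F1 G% H- ID Jy",
    "Kz L$ M4 N7 OU Pm Q? Rs Sg TL",
    "U2 VR WF X7 Y8 Ze 15 2! 3i 4T",
    "5@ 6Z 7c 8# 9^ 0K !6 @9 #o $B",
    "%& ^N &3 *j (* )P _( =a +1 ?x",
]

def build_box(rows=CIPHER_BOX_ROWS):
    """Parse the two-character tokens into a plain -> substitute mapping."""
    return {tok[0]: tok[1] for row in rows for tok in row.split()}

def encode(phrase, box=None):
    """Replace each passphrase character with its box entry.

    The box has uppercase letters only, so case is folded before lookup;
    characters with no entry (such as spaces) are dropped, as in the post.
    """
    box = build_box() if box is None else box
    return "".join(box[c.upper()] for c in phrase if c.upper() in box)

def composition(pw):
    """Count the character classes the post's rules care about."""
    return {
        "upper": sum(c.isupper() for c in pw),
        "lower": sum(c.islower() for c in pw),
        "digit": sum(c.isdigit() for c in pw),
        "special": sum(c in string.punctuation for c in pw),
    }

def meets_rules(pw, min_len=15, min_each=2):
    """The post's rule: at least 15 characters and two of each class."""
    return len(pw) >= min_len and all(n >= min_each for n in composition(pw).values())

def collisions(box=None):
    """Substitutes reached from more than one plain character.

    Harmless for a one-way password transform, but it shows the box is not
    a reversible cipher: A and C, N and X, and F and + share an output.
    """
    box = build_box() if box is None else box
    seen = {}
    for plain, sub in box.items():
        seen.setdefault(sub, []).append(plain)
    return {sub: sorted(p) for sub, p in seen.items() if len(p) > 1}

if __name__ == "__main__":
    pw = encode("And shepherds we shall be!")
    print(pw, composition(pw), meets_rules(pw), collisions())
```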


This primer doesn’t cover all the possible good password creation methods, nor does it begin to touch on some of the cool things being done in biometric and two-factor authentication.



PKard Smart Card Reader

Posted by Josh on July 8, 2012 in Review, Security |

After about a month of testing Thursby’s PKard Smart Card Reader for iOS devices, I am happy to say I am rather impressed. The interface is smooth and clean, with only some minor glitches one would expect in v1.0 software. The two major functions I use are CAC authentication to Outlook Web Access and to Microsoft SharePoint and other web sites. With PKard’s recent FIPS 140-2 compliance, Thursby is taking all the right steps in the right direction.

The area where PKard still needs quite a bit of work is signing and encrypting emails; without this key capability, it is only a half solution to its target audience’s needs. The other area that really needs work is better handling of documents, especially PDFs, with a method to edit, digitally sign, and send them within the product suite.

If Thursby really wants to step up their game and garner increased adoption, the product line would be much more useful if it could open and sign the .xfdl files used by the Air Force and Army for many of the documents within those departments. IBM has stated they are not putting any effort into an iOS app for these documents, as they are moving to a server-centric implementation that the Air Force and Army likely will not move to any time soon.

The bottom line: the product is good, but it does have plenty of room to grow!



Why am I here…

Posted by Josh on July 7, 2012 in Uncategorized |

This is simply a website/blog/file server for my own personal amusement and ponderings. Nothing fancy, and with no real purpose in mind.

Copyright © 2012-2019 All rights reserved.