You want real security? Ask more questions!
April 6, 2009 – 10:57 pm

Back in 2003 there was a military experiment intended to measure how weak the human link in the army's security chain really is.

The experiment went as follows: an experienced person was given a military phone, and his mission was to find out as many details as possible about other departments and teams in a certain facility.

So he began his research. His first step was to call the numbers adjacent to his own: if his number was 213991, he phoned 213992 and so on until he got a response. Once someone answered he asked for “John”. Most of the time he was told that there was no John there and that he had probably dialed the wrong number. Every few calls he tried to retrieve some data in a stealthy way, for example: “Oh, there's no John there? I was given this number by another department... hold on, where did I call?” Although it sounds stupid and simple, the soldiers answered his questions.

When he called and there was in fact a “John” present, he started talking to him as if he knew him and had spoken to him before. Then that John stopped him and told him that he didn't think they knew each other and that he must be confused. So he asked, “Hold on, which John am I speaking to?”, and John answered with his full name. The next question was “Wait, where did I call?”, and again, of course, John answered.

Using these and similar methods, the person assigned to the mission was able to map the whole branch he was assigned to in under a week, and all of it was possible because of the human factor in the security chain.
Using tools like Nmap can help you get even more information.

Nmap is a network discovery tool. It is highly sophisticated: it can probe a network in many different ways (host discovery, port scanning, service and operating-system detection) and write its results in several output formats.

One of its main features is telling you what kind of hardware and operating systems are in use within an organization. Nmap does that with OS fingerprinting (the -O option): it sends a series of crafted TCP, UDP and ICMP probes and compares the details of the responses, such as TCP option ordering, window sizes, initial-sequence-number and IP ID behaviour and the rate of the TCP timestamp counter, against a database of known signatures for each vendor and OS version. On a local network it also looks up the vendor prefix (OUI) of each host's MAC address, and version detection (-sV) often returns a banner that names the exact model.
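As an added example (not code from the original post), the following Python pulls out of Nmap's XML output exactly the information this paragraph is about: the vendor and device type Nmap attributes to each host, from both the OS fingerprint match and the MAC address's OUI, and groups the hosts by vendor. The embedded XML is constructed for the example: it follows the element layout Nmap writes with -oX (osclass nested inside osmatch) but is not real scan data, and the function names are my own.

```python
"""Pull vendor and device-type details out of Nmap's XML output.

Produce the input with:  nmap -O -oX scan.xml <targets>
then call:               parse_nmap_os(open("scan.xml").read())

SAMPLE_XML is constructed for this example (layout as in Nmap's -oX
output); it is not real scan data, and the addresses are from the
documentation range.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -O -oX scan.xml 192.0.2.0/29" version="7.94">
<host>
<status state="up" reason="arp-response"/>
<address addr="192.0.2.1" addrtype="ipv4"/>
<address addr="00:1A:2B:3C:4D:5E" addrtype="mac" vendor="Cisco Systems"/>
<os>
<portused state="open" proto="tcp" portid="22"/>
<osmatch name="Cisco IOS 15.X" accuracy="96">
<osclass type="router" vendor="Cisco" osfamily="IOS" osgen="15.X" accuracy="96"/>
</osmatch>
<osmatch name="Cisco IOS 12.X" accuracy="91">
<osclass type="router" vendor="Cisco" osfamily="IOS" osgen="12.X" accuracy="91"/>
</osmatch>
</os>
</host>
<host>
<status state="up" reason="echo-reply"/>
<address addr="192.0.2.2" addrtype="ipv4"/>
<os>
<osmatch name="Linux 5.4 - 5.10" accuracy="92">
<osclass type="general purpose" vendor="Linux" osfamily="Linux" osgen="5.X" accuracy="92"/>
</osmatch>
</os>
</host>
<host>
<status state="up" reason="arp-response"/>
<address addr="192.0.2.3" addrtype="ipv4"/>
<address addr="02:00:00:AA:BB:CC" addrtype="mac"/>
<os>
<portused state="closed" proto="tcp" portid="1"/>
</os>
</host>
<host>
<status state="down" reason="no-response"/>
<address addr="192.0.2.4" addrtype="ipv4"/>
</host>
</nmaprun>
"""


def parse_nmap_os(xml_text):
    """Return one dict per live host with its addresses and best OS guess.

    Fields Nmap could not determine (no MAC because the target was not on
    the local segment, no osmatch because fingerprinting failed) stay None.
    """
    root = ET.fromstring(xml_text)
    hosts = []
    for host in root.iter("host"):
        status = host.find("status")
        if status is not None and status.get("state") != "up":
            continue  # down hosts carry no fingerprint
        entry = {"ip": None, "mac": None, "mac_vendor": None,
                 "os_match": None, "accuracy": None,
                 "device_type": None, "os_vendor": None, "os_family": None}
        for addr in host.findall("address"):
            if addr.get("addrtype") == "ipv4":
                entry["ip"] = addr.get("addr")
            elif addr.get("addrtype") == "mac":
                entry["mac"] = addr.get("addr")
                entry["mac_vendor"] = addr.get("vendor")  # absent if OUI unknown
        # Nmap lists osmatch elements best-first, but pick by accuracy explicitly.
        best = max(host.iterfind("os/osmatch"),
                   key=lambda m: int(m.get("accuracy", "0")), default=None)
        if best is not None:
            entry["os_match"] = best.get("name")
            entry["accuracy"] = int(best.get("accuracy", "0"))
            osclass = best.find("osclass")
            if osclass is not None:
                entry["device_type"] = osclass.get("type")
                entry["os_vendor"] = osclass.get("vendor")
                entry["os_family"] = osclass.get("osfamily")
        hosts.append(entry)
    return hosts


def hosts_by_vendor(hosts):
    """Group IPs by the vendor Nmap attributes to them: OS class first,
    MAC OUI as fallback, "unknown" when neither is available."""
    groups = defaultdict(list)
    for h in hosts:
        groups[h["os_vendor"] or h["mac_vendor"] or "unknown"].append(h["ip"])
    return dict(groups)


if __name__ == "__main__":
    for vendor, ips in hosts_by_vendor(parse_nmap_os(SAMPLE_XML)).items():
        print(f"{vendor}: {', '.join(ips)}")
```

Run against a real scan, the grouped output is the inventory the next paragraph's pretext is built on: a list of which vendors' equipment sits where, obtained without talking to anyone.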
Knowing that a certain organization routes its whole network through a specific model of Cisco router gives you a lot of leverage. A very simple method is to call the organization and tell them that you are a technician from Cisco, that you know they are using this specific model, and that it currently exposes them to a security breach; to prevent it, you have to come over and install a security patch. Or, even better, you can say that you can do it remotely, but you will need the password.

By knowing the specific model you have gained trust, because the way that organization's technical department sees it, only Cisco or another trusted company could know, and have records showing, that they are using that specific model. That trust is misplaced: anyone who can reach the network with Nmap can learn the same thing, so knowing the model proves nothing about who is calling.
Nowadays there are courses that teach workers to ask more questions and to be curious, because if I were trying to pull off a scam like that, I would get nervous when someone started asking me a whole bunch of questions.

For instance, if that John guy from the beginning of the post had just asked “Which department are you from?”, he could have told that the other guy was lying and trying to manipulate him. Better still, he could have hung up and called that department back on a number he looked up himself, rather than one the caller supplied.

I hope everyone will try to educate their workers to be more curious and always a little bit paranoid, but not too much.