<body>

Thursday, June 01, 2006

Dhiraagu vulnerable to Social Engineering

These are the details of a social engineering attack pulled on Dhiraagu (again for a good cause).

What is Social Engineering?

Social Engineering uses influence and persuasion to deceive people by convincing them that the social engineer is someone he is not, or by manipulation. As a result, the social engineer is able to take advantage of the people to obtain information with or without the use of technology.


The text in italics in this article is extracted from the book “Art of Deception” by Kevin D. Mitnick, which describes the social engineering tricks used in this case.

A friend of mine called me to help him with his ADSL connection, which kept dropping the signal every 2 seconds. They had recently moved to a new building and Dhiraagu had moved their ADSL to the new building as well. I went to meet him at around 17:30 hrs on a Thursday.

I asked my friend for the username and password of the ADSL router in order to find out what could be wrong. He didn't have that information, as is usual with most of us who don't keep that type of information in a safe place. I then asked him whether he had the ADSL username and password, in case I had to reset the router back to factory settings to access it. He didn't have that either.

I called up Dhiraagu 123 from my mobile (which has no relation to the address where the ADSL was connected) and told the guy directly that I didn't have the username and password for my ADSL connection, and that the only information I could give him was the address where the ADSL was connected.

The Direct Attack: Just Asking for It

Anybody gutsy enough to call and claim to be the owner or whatever will likely be taken at his word. Unless it’s obvious that he doesn’t know the terminology, or if he’s nervous and stumbles over his words, or in some other way doesn’t sound authentic, he may not even be asked a single question to verify his claim. That’s exactly what happened here with the support person.


The guy looked up the database and simply gave me the username. I then asked for the password, and he gave me that too. Then I asked him for the username of the ADSL router (which Dhiraagu provides), and he gave me the username and password for the router as well.

The Direct Attack: Just Asking for It

Many social engineering attacks are intricate, involving a number of steps and elaborate planning, combining a mix of manipulation and technological know-how.

A skillful social engineer can often achieve his goal with a simple, straightforward, direct attack. Just asking outright for the information may be all that’s needed—as you’ll see.

Knowledge of a company’s lingo, and of its corporate structure—its various office and departments, what each does and what information each has—is part of the essential bag of tricks of the successful social engineer.


What if somebody uses social engineering to harm these organisations and their customers?

6 Comments:

At 01 June, 2006, Anonymous Anonymous said...

Nice article actually, but it would have been better if you could have pointed out possible methods of protection against such an attack.

 
At 01 June, 2006, Blogger diabolicaldevil said...

I tried that with ROL some time back when I got their DB; they ask for the MAC address of the modem now.

 
At 02 June, 2006, Anonymous Anonymous said...

hmmm

They didn't ask for anything? :O

 
At 27 June, 2006, Anonymous Anonymous said...

I think Dhiraagu has done a good job with that.

I have two ADSL lines, and I can only use the username given to each physical link. I cannot use a username on any line other than the registered one. I tried this because it was hard to remember both passwords.

As far as ADSL is concerned, there's NO risk. I cannot use someone else's user/pass. And the bill always goes to the line, NOT to the USERNAME.

 
At 18 July, 2006, Anonymous Anonymous said...

There are many more issues than this with Dhiraagu. A friend of mine told me he got screwed by his wife because she checked his call history through a Dhiraagu staff member. It seems it's very easy for staff to get the call details of any customer. So guys, be careful; your gf/bf may be watching your call history. lol

 
At 13 September, 2006, Blogger Daadi said...

Heard of a similar case with bf/gf issues, with phone records being looked up for friends/relatives etc.

I inquired about it. It seems all you have to do is inform Dhiraagu that it has happened, and they will terminate the employment of the staff member if they find out they did it.

People just don't bother to report it, which is why people don't care about privacy. But at a policy level I think Dhiraagu has in place that staff shouldn't divulge such information.

 
