

Office Intruder - Using Social Engineering to steal data - Nekojoe
http://news.bbc.co.uk/1/hi/technology/7843206.stm
Using social engineering tricks to steal data
======
ErrantX
It always amuses me to read these recent news articles about social
engineering and what a threat it is. I swear the BBC reported on much the same
thing in the middle of last year.

At the end of the day there is nothing much you can do to stop the social
engineering. Sure we can minimise it to the point where intrusions are no
longer so simple (good education is the main key there) but the process is
fundamentally reliant on human error.

Maximise education, minimise data exposure, get over the fallacy that internal
data need not be encrypted and compartmentalize departments of people and you
have done all you can. Then it is up to a vigilant IT department and giving
staff the confidence to challenge potential intruders.

------
TallGuyShort
Education has to go both ways, though. Sure, employees and users need to
know the dangers (for instance - Facebook users need to know how dangerous it
is to give Facebook the password to their email accounts) but Facebook thinks
it's dangerous for its users to understand security.

The first time I ever saw a Phishing scam on Facebook I took a screen shot and
emailed it to Facebook, because I was almost certain that Phishing was not
occurring on a large scale on their web-site at that time. The result? They
blocked my account for almost a week. I guess the fact that I knew what a
Phishing scam was made me "suspicious".

If the IT department where I work called me and asked for my password, I would
hesitate to refuse because odds are, they'd think I was trying to hide
something. They honestly wouldn't understand why it was a bad idea for me to
give them my password.

~~~
cvboss
I think in a typical firm very few people would refuse to give their
passwords... most of us would give it with a "sure, no problems, you are
welcome" smile :)

