I fear that the need for salacious headlines from the Halifax Examiner
has grossly misconstrued how social engineering works:
So, say one of the city’s IT guys has a down-low life as a S&M fetishist; he’s
not hurting anyone beyond his self-selected group of fellow BDSM enthusiasts,
but still, it’s not the kind of information he wants Richard Butts or the other
managers at City Hall to find out about. The city, however, will now hire a
hacker to try to break into the IT guy’s Facebook account, discover that he’s a
member of the private “Halifax Bondage” group, and then try to blackmail the guy…
This was in response to Halifax tendering a security assessment:
Halifax Security Tender (PDF).
While social engineering could technically include such things, it’s fanciful
to think that the person conducting the vulnerability assessment would go to
such lengths (also, this would be illegal: the tender grants no permission to
blackmail anyone!). This is analogous to draining a lake to catch a fish; sure,
it works, but nobody is going to do it, unless, that is, they’re writing a
Hollywood movie. The goal of the security assessment is to get inside the
network, not to destroy someone’s life. There are better, more fruitful attacks,
such as spear phishing, “found” USB key attacks with specially crafted
payloads, cloning legitimate websites, and many more. Security assessments
aren’t charity work, nor are they witch hunts; they are billable time. The
attacker isn’t going to invest precious billable time in the exotic situation
constructed by the Examiner; rather, they’re going to leave a USB key on top of
a urinal or beside the coffee machine.
When it comes down to it, this is something that I can’t tolerate:
Furthermore, in my eyes, this completely destroyed the trust that I had in Tim
Bosquet/The Halifax Examiner. I have a specialized skill set and knowledge, so
when something that I know about is so grossly misrepresented, it makes me
wonder about all the other things that have made good headlines. Trust is
destroyed in a moment, and now it’s gone.
I was paying to receive this misinformation.
This is a Security Bloggers Network syndicated blog post authored by Invisible Threat. Read the original post at: Invisible Threat