
With everything that you hear about in the news lately regarding social engineering attacks (Twitter), it makes you wonder how vulnerable you are to this particular type of attack. Now I have always had some common sense when creating passwords and security questions, but I have not always been that concerned with security, and the bottom line is, I'M LAZY.
These days there are multiple levels of authentication required to retrieve a password, and although that makes an attack a little more difficult, when one does succeed it usually results in multiple accounts being compromised (MySpace --> email --> other email), because each account's reset flow depends on the one before it. I have always tried to create unique, difficult security questions for each service or application, but this can really become a mess. It seems as though the only current solution to this kind of mess is something like OpenID or a password manager, each of which has security issues and theories of its own, so I will not get into them. So for the most part, you are stuck with multiple sites, with multiple passwords, with multiple security questions, that might depend on another service or application to fulfill your password request, whether for authentication or for a reset.
While pondering all of these security issues with passwords and social engineering, the first thing that I went out and did was try to reset my password on multiple services and applications to verify that I do not have a weak security question or password. This was somewhat of a difficult task, because how would you define which services are in danger of being used for social engineering? I cannot possibly track down every single service that I have signed up with and set up a password and secret question for. What I have to do is analyze which services would ultimately lead to the compromise of high-priority or sensitive services, whether their own or another service's.
I have included in this list:
Email accounts
Social networking sites
Financial institutions
Educational institutions
Work-related sites
For all other sites I would use generic, unique throwaway passwords, and if I happen to forget one, I would just have it reset to my email address. I am not sure if this would be classified as a security technique; more likely it falls in the laziness category.
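The prioritization above (which accounts, if compromised, let an attacker walk a chain of password resets into the sensitive ones) can be made explicit. The following is an added example, not code from the original post: it models which account receives each service's reset link, computes the blast radius of losing any one account, and flags pairs that reset each other. The account names and edges are constructed placeholders.

```python
"""Rank accounts by how much a single compromise cascades through reset flows."""
from collections import deque

# RECOVERY[a] = accounts whose password reset is fulfilled by 'a'
# (a receives their reset link or code). Constructed sample data.
RECOVERY = {
    "gmail": {"bank", "myspace", "yahoo"},
    "yahoo": {"gmail", "work_portal"},
    "myspace": set(),
    "bank": set(),
    "work_portal": set(),
}
# Accounts whose loss would be damaging rather than merely embarrassing.
HIGH_PRIORITY = {"bank", "work_portal", "gmail", "yahoo"}


def blast_radius(graph, start):
    """Return every account reachable from `start` by chaining password resets."""
    seen, queue = set(), deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)  # the starting account is the cause, not a consequence
    return seen


def rank_accounts(graph, high_priority):
    """Rank accounts by the number of high-priority accounts their loss exposes."""
    rows = []
    for acct in graph:
        reach = blast_radius(graph, acct)
        rows.append((acct, len(reach & high_priority), sorted(reach)))
    # Most dangerous first; ties broken alphabetically for stable output.
    rows.sort(key=lambda r: (-r[1], r[0]))
    return rows


def recovery_cycles(graph):
    """Pairs of accounts that reset each other: compromising one yields both."""
    return sorted({tuple(sorted((a, b)))
                   for a in graph for b in graph[a] if a in graph.get(b, ())})


if __name__ == "__main__":
    for acct, exposed, reach in rank_accounts(RECOVERY, HIGH_PRIORITY):
        print(f"{acct:12} exposes {exposed} high-priority account(s): {reach}")
    print("mutual-reset pairs:", recovery_cycles(RECOVERY))
```

The ranking tells you where to spend effort on strong, non-guessable reset questions first; a mutual-reset pair is a single point of failure disguised as two accounts.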
The next thing that I did was visit any social networking sites that I belong to, to make sure I am not just giving away sensitive information that would assist in social engineering. I searched these sites for things like making sure my profile does not reveal my favorite color (although I would never use that type of question as my security question). I feel that social networking sites have the potential to give away more security-question answers than a deep-dive search into someone's background would. This leads me to the third step that I checked, which is doing a basic search on sites like Google for more information on myself. I was amazed that the majority of the information leakage came from the registration of this domain (thanks, whoever; too bad it is not very accurate). I thought when I purchased this domain I paid for suppression of my information, but I guess I need to revisit that.
It is not very easy to assess how difficult it would be to fall victim to a social engineering attack. I think in all reality the only way to really know is by waiting. I guess it would be a good idea to ask a really good friend who knows you really well to try to get into some of your services, using his above-average knowledge of your life. For me, if some type of compromise were ever to occur, it would be more embarrassing than damaging, and either way I would love to prevent it from ever occurring.
Until then, thank you to Google and Yahoo for going back and reminding me to change my security questions and provide a secondary email address. That was very thoughtful.