The Art of Deception: Controlling the Human Element of Security - Kevin D. Mitnick
A Message for Rosemary
Rosemary Morgan was delighted with her new job. She had never worked for a magazine before and was finding the people much friendlier than she expected, a surprise because of the never-ending pressure most of the staff was always under to get yet another issue finished by the monthly deadline. The call she received one Thursday morning reconfirmed that impression of friendliness.
“Is that Rosemary Morgan?”
“Yes.”
“Hi, Rosemary. This is Bill Jorday, with the Information Security group.”
“Yes?”
“Has anyone from our department discussed best security practices with you?”
“I don’t think so.”
“Well, let’s see. For starters, we don’t allow anybody to install software brought in from outside the company. That’s because we don’t want any liability for unlicensed use of software. And to avoid any problems with software that might have a worm or a virus.”
“Okay.”
“Are you aware of our email policies?”
“No.”
“What’s your current email address?”
“Rosemary@ttrzine.net.”
“Do you sign in under the username Rosemary?”
“No, it’s R-underscore-Morgan.”
“Right. We like to make all our new employees aware that it can be dangerous to open any email attachment you aren’t expecting. Lots of viruses and worms get sent around and they come in emails that seem to be from people you know. So if you get an email with an attachment you weren’t expecting you should always check to be sure the person listed as sender really did send you the message. You understand?”
“Yes, I’ve heard about that.”
“Good. And our policy is that you change your password every ninety days. When did you last change your password?”
“I’ve only been here three weeks; I’m still using the one I first set.”
“Okay, that’s fine. You can wait the rest of the ninety days. But we need to be sure people are using passwords that aren’t too easy to guess. Are you using a password that consists of both letters and numbers?”
“No.”
“We need to fix that. What password are you using now?”
“It’s my daughter’s name—Annette.”
“That’s really not a secure password. You should never choose a password that’s based on family information. Well, let’s see ... you could do the same thing I do. It’s okay to use what you’re using now as the first part of the password, but then each time you change it, add a number for the current month.”
“So if I did that now, for March, would I use three, or oh three?”
“That’s up to you. Which would you be more comfortable with?”
“I guess Annette-three.”
“Fine. Do you want me to walk you through how to make the change?”
“No, I know how.”
“Good. And one more thing we need to talk about. You have antivirus software on your computer and it’s important to keep it up to date. You should never disable the automatic update even if your computer slows down every once in a while. Okay?”
“Sure.”
“Very good. And do you have our phone number over here, so you can call us if you have any computer problems?”
She didn’t. He gave her the number, she wrote it down carefully, and went back to work, once again, pleased at how well taken care of she felt.
Analyzing the Con
This story reinforces an underlying theme you’ll find throughout this book: The most common information that a social engineer wants from an employee, regardless of his ultimate goal, is the target’s authentication credentials. With an account name and password in hand from a single employee in the right area of the company, the attacker has what he needs to get inside and locate whatever information he’s after. Having this information is like finding the keys to the kingdom; with them in hand, he can move freely around the corporate landscape and find the treasure he seeks.
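The "helpful" advice in the call is worth a closer look from the defender's side: "Annette3" satisfies the letters-and-numbers rule Rosemary was told about, yet every future password is now predictable from the one the attacker already has. The following is an added example, not code from the book, of the checks a password-change service could run to reject that kind of rotation; the `personal_terms` feed (names pulled from an HR profile) is a hypothetical input.

```python
import re

# Trailing counter, month or year that people append when forced to "change" a password.
_ROTATING_SUFFIX = re.compile(r"[-_. ]?(\d{1,4})$")


def meets_composition_rule(password: str) -> bool:
    """The rule Rosemary was given: at least one letter and at least one digit."""
    return any(c.isalpha() for c in password) and any(c.isdigit() for c in password)


def rotation_findings(old: str, new: str, personal_terms=()) -> list:
    """Return codes explaining why `new` is a predictable successor of `old`.

    personal_terms: words from the user's profile (hypothetical HR feed: family
    names, pet names, etc.) that should never appear in a password.
    """
    findings = []
    if new.lower() == old.lower():
        return ["unchanged"]
    base_new = _ROTATING_SUFFIX.sub("", new).lower()
    base_old = _ROTATING_SUFFIX.sub("", old).lower()
    if base_new and base_new == base_old:
        findings.append("derived-from-previous")  # only the trailing number moved
    m = _ROTATING_SUFFIX.search(new)
    if m:
        n = int(m.group(1))
        if 1 <= n <= 12 and len(m.group(1)) <= 2:
            findings.append("month-suffix")  # "Annette3", "Annette-03", next month "Annette4"
        elif 1990 <= n <= 2099:
            findings.append("year-suffix")
    for term in personal_terms:
        if len(term) >= 3 and term.lower() in new.lower():
            findings.append("personal-term")
            break
    return findings


def password_change_allowed(old: str, new: str, personal_terms=()) -> bool:
    """Composition rule alone is not enough; the change must also be unpredictable."""
    return meets_composition_rule(new) and not rotation_findings(old, new, personal_terms)


if __name__ == "__main__":
    # Constructed inputs mirroring the call: old password "Annette", daughter's name known.
    print(rotation_findings("Annette", "Annette3", personal_terms=["Annette"]))
    print(password_change_allowed("Annette", "Annette3", personal_terms=["Annette"]))
```

The same checks catch the April follow-up ("Annette3" to "Annette4"), which is the point: the scheme the caller recommended turns one disclosed password into all of them.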
MITNICK MESSAGE
Before new employees are allowed access to any company computer systems, they must be trained to follow good security practices, especially policies about never disclosing their passwords.
NOT AS SAFE AS YOU THINK
“The company