xisto Community
Spectre

False Requests for Information: Watch out for posers


The single biggest threat in security is the human element. Methods such as social engineering are one of the easiest ways for an intruder to gain access to information they shouldn't know.

It is important that everyone watch out for false claims of authority, and requests for sensitive information - especially passwords. If you receive a private message or email from someone claiming to have permission from an administrator, or that they are in a position to rightfully have access to such information, then it is strongly recommended that you check that what they are saying is true, with either myself, or another administrator.

One example might be:

The admin just told me to check your account for any problems, but I need your password to do it.

Or another:

Hey, it's me, the admin. For some reason, I can't login to my account, and it's not letting me reset my password. Could someone please change it to X for me, so I can log back in?

Properly structured and planned social engineering attempts will generally be much more clever and sneaky than this, and often seem valid enough that the user is fooled into complying with whatever the attacker is requesting.

Anyway, my point is just to be careful if someone starts asking for something that seems a little bit suspicious. If you see something that you don't trust, then report it to an administrator as soon as possible.


Thanks sauron... I will be much more careful from now onwards.


You would be surprised what people would 'fall for', Bash. Especially if you appear to be coming from a position of authority.

 

As I said, a real attempt to gain information would most likely sound much more convincing. I don't want to give anyone any material to work with, so I am keeping it simple here.


That's good, sauron. It is better to prevent something than to try healing it when it has inflicted someone. Keep doing the good work.


Hey Genocide, I am going to need your password and your credit card number for account verification. :D lol, I just don't get where some would fall for it. Forum admins never need a user's password unless for troubleshooting; even then the admins can control user accounts from the ACP (this may not be true with IPB but it is with phpBB).


Good one there. I would like to add that usually the only reason the admin needs your password is when he needs to modify your account or troubleshoot it.

So far, admin has never asked me for my cPanel or forum password, although I have been with Xisto for quite some time already. Admin usually won't ask you for your account password unless you approach him about something, like say maybe something has gone wrong with your account and you approached him to help you. Other than that, he won't ask you for it.

Yes, properly structured and planned 'social engineering' attacks can seem very real. Thousands of people have fallen for it before on bigger issues such as credit card passwords. These people are generally wealthy adults who are very smart. And yet, they fall for these tricks. Don't look down on these attackers. They are smarter than you think!


zip_mc, because I thought it was a suitable title :D

Shackman, the root admin doesn't need your password to modify your account - he can do whatever he needs to from where he stands.


Like my phpBB forum, I can edit anyone's profile from the admin control panel. No password needed, all I need is a name.

I can edit anything from their password to their signature without them ever knowing... so the admin or anyone for that matter should NEVER need a password. Maybe username or email, but that is it.

On a side note: I have never changed a user's password, I just disable their account -- after a few warnings of course. I'll be nice until you start hacking my forum, then you are treading very bad ground. :D:D
