False Requests for Information Watch out for posers

[Spectre 0]

The single biggest threat in security is the human element. Methods such as social engineering are one of the easiest ways for an intruder to gain access to information they shouldn't know.

It is important that everyone watch out for false claims of authority, and requests for sensitive information - especially passwords. If you receive a private message or email from someone claiming to have permission from an administrator, or that they are in a position to rightfully have access to such information, then it is strongly recommended that you check that what they are saying is true, with either myself, or another administator.

One example might be:

The admin just told me to check your account for any problems, but I need your password to do it.

Or another:

Hey, its me, the admin. For some reason, I can't login to my account, and it's not letting me reset my password. Could someone please change it to X for me, so I can log back in?

Properly structured and planned social engineering attempts will generally be much more clever and sneaky than this, and often seem valid enough that the user is fooled into complying with whatever the attacker is requesting.

Anyway, my point is just to be careful if someone starts asking for something that seems a little bit suspicious. If you see something that you don't trust, then report it to an administrator as soon as possible.

[Too_Hot 0]

kk thanks for the heads up, i'll be more vigilant

[odomike 0]

thanks sauron...i will be much more careful from now onwards

[Bash 0]

The admin just told me to check your account for any problems, but I need your password to do it.

lol, i dont think anyone's gonna fall for that

[EricDrinkard 0]

Thanks for the infomation. I'll keep a sharp eye out.ThanksEric Drinkard

[Spectre 0]

You would be suprised what people would 'fall for', Bash. Especially if you appear to be coming from a position of authority.

 

As I said, a real attempt to gain information would most likely sound much more convincing. I don't want to give anyone any material to work with, so I am keeping it simple here.

[odomike 0]

thats good sauron. it is better to prevent something than to try healing it when it has inflicted someone.Keep doing the good work.

[X3r0X 0]

Yeah, i cant believe people realy would do something like that. Evil has infested these forums, search and destroy lol, just watch out everyone

Edited August 21, 2004 by Genocide (see edit history)

[NeXDesigns 0]

hey Genocide i am going to need your password and your credit card number for account verification. lol i just dont get where some would fall for it, forum admins never need users password unless for troubleshooting, even then the admins can control user accounts from the acp(this may not be true with IPB but it is with phpbb)

[Shackman 0]

Good one there.I would like to add that usually the only reason the admin needs your password is when he need to modify your account or troubleshoot it.So far, admin has never asked me for my cpanel or forum password although I have been with Xisto for quite some time already.admin usually won't ask you for your account password unless you approach him about something like say maybe something wrong has gone wrong withy our account and you approached him to help you. Other than that, he won't ask you for it.Yes, properly structured and planned 'social engineering' attacks can be seem very real. Thousands of people have fallen for it before on bigger issues such as credit card passwords. These people are generally wealthy adults who are very smart. And yet, they fall for these tricks. Don't look down on these atackers. They are smarter than you think!

[iGuest 3]

cheers fot the info, i will keep an eyeout and inform u on any findings.

[zip_mc 0]

i'll be watching...Spectre why does it say your a newbie...

[Spectre 0]

zip_mc, because I thought it was suitable title :DShackman, the root admin doesn't need your password to modify your account - he can do whatever he needs to from where he stands.

[NeXDesigns 0]

like my phpbb forum, i can edit anyones profile from the admin control panel. No password needed all i need is a name.I can edit anything from their password to their signature without them ever knowing... so the admin or anyone for that matter should NEVER need a password. mabey username or email but that is it.on a side note: i have never changed a users password, i just disable their account, -- after a few warnings of course. Ill be nice untill you start hacking my forum, then you are treading very bad ground.

[Triple X 0]

*wouldn't give his p/w out to anyone for any reason ever* I'm not stupid as some people can be