2.2. Social and Physical Vulnerabilities

One fascinating field of vulnerabilities has almost nothing to do with code: the land of shoulder surfers, piggybackers, and social engineers. Some of the most famous system attackers use entirely noncode vulnerabilities to get to their targets. Kevin Mitnick's book The Art of Deception details dozens of cases where individuals use nontechnical schemes to get access to confidential information. You can build a site that limits such attacks, but you'll probably never be able to fully protect against a social engineering attack by a talented and dedicated attacker. One example from my own life shows how our best intentions for security can go wrong.

2.2.1. The Vendor Password Please?

A client needed a way for vendors to perform maintenance on the website. The client uses a secure virtual private network system to provide access from outside the firewall into the servers that run the website. Company policy is to change passwords every month, so that an attacker who learns the password can use it for at most one month. Every month when the password changes, each vendor simply calls the IT support desk and requests the new password. Initially, to get the password, a caller was required to identify himself by name, confirm the vendor he worked for, confirm the project, and confirm the name of the internal employee who sponsors the project.

This process has been in place for years, and more and more vendors now use it. The IT support ...
