Sometimes, calling a cautious person "paranoid" or "silly" can be a great way to coax the person to drop his guard.

A variant I've run into revolves around my practice of covering my hands with a hat or other block as I'm entering passwords on the keyboard if a visitor in my cubicle is glancing at the keyboard. One fellow tried the paranoia card to see if I'd stop covering up the keys: "Yeah, like I care about your password! Stop being so paranoid." A variant is "What, you don't trust innocent little old me???" coupled with a hurt expression.

Didn't work but I see how it might work with some people. By the way, a good retort to the "I don't care about your password or account" ploy is "Excellent, then you won't miss it if you don't see it!"

Security awareness making it harder to exploit a workplace network? Convince some users that the security is "paranoid" and that the security administrator is a control freak. Toss in, "that overblown security is getting in the way of work and information sharing." In a really intense version of the social engineering, convince the "security nut's" supervisors to reassign him to the paper clip inventory project.


[ reply ]

Link to this comment: http://www.securityfocus.com/comments/columns/320/31597#31597