Please support our Tech Talk advertiser: Programming Forums
Featured Entry 
Apr 16th, 2007, 4:56 am
A newly published report by Infosecurity Europe reveals that out of 300 office workers interviewed at London railway stations and IT professionals at a computer show, an amazing 64 percent were prepared to give their passwords in exchange for a bar of chocolate and a smile. The survey also found that 67 percent thought that someone else in their organisation knew their CEO’s password with the most likely candidate being the secretary or PA. The survey was carried out to find out how easy it was to extract peoples work passwords using social engineering techniques with literally just the offer of a chocolate bar for taking part in a survey.
The survey found that it took a little more probing and a bit more coercion than the average office worker, but even the IT professional eventually succumbed to the questions of the attractive researcher who still managed to extract their passwords in exchange for a smile and a chocolate bar!
The researchers asked the delegates if they knew what the most common password is and then asked them what their password was. Only 22 percent of IT professionals revealed their password at this point compared to 40 percent of commuters, if at first they refused to give their password the researchers would then ask if it was based on a child, pet, football team, etc, and then suggest potential passwords by guessing the name of their child or team. By using this technique, a further 42 percent of IT professionals and 22 percent of commuters then inadvertently revealed their password. This then took the total number of people who revealed their password to 64 percent overall for both groups. What many of IT professionals failed to realise is that the researchers, who conducted the survey at the IT exhibition, had also read their names and organisation from their delegate badge as well!
The survey found that 20 percent of organisations no longer use passwords, with 5 percent using biometric technology and tokens for identity and access management and a further 15 percent using tokens.
The average number of passwords used at work was 5 per person, with some using as many as 20. The frequency of changing passwords was 71 percent monthly, 10 percent rarely and 20 percent never as they used biometrics and tokens instead. Some of the IT professionals said that the real issue was not user passwords but the passwords on servers or buried in applications which were never changed as the consequence of changing them on the overall company IT system was unknown and there was a fear that if they were changed a critical part of the system could crash. Some other IT experts said that they often come across servers on which the administrator password was left blank.
When asked if they knew any of their colleagues passwords 29 percent admitted that they did. A person should never need to give their password to someone claiming to be from the IT department but 39 percent said that they would give their password to someone who called them from the IT department. They would not be quite so trusting if asked by their boss as only 32 percent said they would be prepared to give their password if asked.
When asked about confidential information two thirds said that they would look at a file containing everyone’s salary details if they were sent it by mistake and 20 percent said they would pass it on to colleagues. A third said that they would keep it confidential, with many of them also saying that their IT systems tracked everything they looked at and if they passed this type of information on to anyone it would mean instant dismissal. When asked if they would take any contacts or competitive information with them when they left their jobs, 58 percent said that they would. One senior sales manager said I left my job last week and took my whole pipeline with me.
Just under half of people used the same password they used for their corporate access for all their personal web accounts such as online banking, retailing, and email. When asked if they felt safe using online banking half said that they did but only a fifth said they felt safe using online retailing but this figure rose to 52 percent if the retail site was a well know reputable one.
Sam Jeffers, Event Manager for Infosecurity Europe 2007 the information security show which takes place at Olympia, London from 24th to 26th April 2007 said, “This survey shows that even those in responsible IT positions in large organisations are not as aware as they should be about information security. What is most surprising is that even when the IT professionals became slightly wary about revealing their passwords, they were put at their ease by a smile and a bit of smooth talk. It just goes to show that we still have a long way to go in educating people about security policies and procedures as the person trying to steal data from a company is just as likely to be an attractive young woman acting as a honey trap as a hacker using technology to find a way into a corporate network.”
The survey found that it took a little more probing and a bit more coercion than the average office worker, but even the IT professional eventually succumbed to the questions of the attractive researcher who still managed to extract their passwords in exchange for a smile and a chocolate bar!
The researchers asked the delegates if they knew what the most common password is and then asked them what their password was. Only 22 percent of IT professionals revealed their password at this point compared to 40 percent of commuters, if at first they refused to give their password the researchers would then ask if it was based on a child, pet, football team, etc, and then suggest potential passwords by guessing the name of their child or team. By using this technique, a further 42 percent of IT professionals and 22 percent of commuters then inadvertently revealed their password. This then took the total number of people who revealed their password to 64 percent overall for both groups. What many of IT professionals failed to realise is that the researchers, who conducted the survey at the IT exhibition, had also read their names and organisation from their delegate badge as well!
The survey found that 20 percent of organisations no longer use passwords, with 5 percent using biometric technology and tokens for identity and access management and a further 15 percent using tokens.
The average number of passwords used at work was 5 per person, with some using as many as 20. The frequency of changing passwords was 71 percent monthly, 10 percent rarely and 20 percent never as they used biometrics and tokens instead. Some of the IT professionals said that the real issue was not user passwords but the passwords on servers or buried in applications which were never changed as the consequence of changing them on the overall company IT system was unknown and there was a fear that if they were changed a critical part of the system could crash. Some other IT experts said that they often come across servers on which the administrator password was left blank.
When asked if they knew any of their colleagues passwords 29 percent admitted that they did. A person should never need to give their password to someone claiming to be from the IT department but 39 percent said that they would give their password to someone who called them from the IT department. They would not be quite so trusting if asked by their boss as only 32 percent said they would be prepared to give their password if asked.
When asked about confidential information two thirds said that they would look at a file containing everyone’s salary details if they were sent it by mistake and 20 percent said they would pass it on to colleagues. A third said that they would keep it confidential, with many of them also saying that their IT systems tracked everything they looked at and if they passed this type of information on to anyone it would mean instant dismissal. When asked if they would take any contacts or competitive information with them when they left their jobs, 58 percent said that they would. One senior sales manager said I left my job last week and took my whole pipeline with me.
Just under half of people used the same password they used for their corporate access for all their personal web accounts such as online banking, retailing, and email. When asked if they felt safe using online banking half said that they did but only a fifth said they felt safe using online retailing but this figure rose to 52 percent if the retail site was a well know reputable one.
Sam Jeffers, Event Manager for Infosecurity Europe 2007 the information security show which takes place at Olympia, London from 24th to 26th April 2007 said, “This survey shows that even those in responsible IT positions in large organisations are not as aware as they should be about information security. What is most surprising is that even when the IT professionals became slightly wary about revealing their passwords, they were put at their ease by a smile and a bit of smooth talk. It just goes to show that we still have a long way to go in educating people about security policies and procedures as the person trying to steal data from a company is just as likely to be an attractive young woman acting as a honey trap as a hacker using technology to find a way into a corporate network.”
This blog entry was written by Bill Andad, staff writer aka newsguy. It has received 1,959 views, 1 comment, and 12 linkbacks. 2 voters have rated this entry an average of 5 out of 5 stars. It was promoted to featured status Apr 16th, 2007.
•
•
•
•
advertising apple botnet browser business cellphone copyright crime data development email facebook firefox forensic games gaming google hacking hardware ibm internet iphone ipod itunes law legal linux malware microsoft mobile mozilla music news privacy research search security software spam survey technology trojan uk video virus vista web windows yahoo youtube
All Recent Tags Comments (Newest First)
happygeek | He's The Daddy | Apr 16th, 2007
•
•
•
•
The Infosecurity folk do the swap your password for some chocolate thing every year around Easter to drive up publicity for the InfoSecurity expo/conference which takes place in London next week.
Always interesting, although I don't have the result of last years survey to hand I suspect the percentages are much the same. Last year they offered people an Easter Egg for a password and the majority said OK.
The statistic I liked most was the huge drop in people prepared to tell their boss the password if asked
Always interesting, although I don't have the result of last years survey to hand I suspect the percentages are much the same. Last year they offered people an Easter Egg for a password and the majority said OK.
The statistic I liked most was the huge drop in people prepared to tell their boss the password if asked
Post Comment
•
•
•
•
Only community members can start a blog or comment on blog entries. You must register or log in to contribute.
•
•
•
•
•
•
•
•
DaniWeb Tech Talk Marketplace
Related Blog Entries
- WinDefender 2008 How to Get rid of it (2 Hours Ago)
- Thunder Tables Kill Microsoft 40-bit Encryption (1 Day Ago)
- Apple Leaves Customers Bugging Out! (4 Days Ago)
- T-Mobile loses 17 million customer records (6 Days Ago)
- Who Really Rules The World? (7 Days Ago)
- Apple iTunes Store Closing Bluff Works (9 Days Ago)
- Elvis cloned! (10 Days Ago)
- Moles attack data (10 Days Ago)
- No iTunes required for 2.1 billion mobile music downloads (12 Days Ago)
- States Begin Requiring Encryption of Personal Data (13 Days Ago)
Related Forum Threads
- Dani's Cookbook (Geeks' Lounge)
- Programming (C++)
- Firefox Hackers Discovered. (Web Browsers)
- Tell us about yourself! (Community Introductions)
- 35 processes, need to trim the fat (Viruses, Spyware and other Nasties)
- no macs? (OS X)
- when i use a proxy, it say's port closed. could it be (Networking Hardware Configuration)
- Microsoft SQL Server 2000 Exploit! (MS SQL)
