IT Baseline Protection Manual - The Information Warfare Site

Threats Catalogue Deliberate Acts Remarks
____________________________________________________________________ .........................................
T 3.45 Inadequate checking of the identity of
communication partners
During personal conversations, on the phone or using e-mail, many people are
prepared to pass on a lot more information than they would do in writing or if
they had a larger audience. Often it is tacitly assumed that the communication
partner will treat the content of the conversation or e-mail as confidential.
There is also a disinclination to enquire as to the identity of a caller as this will
appear impolite. The same considerations deter people from querying the
reason for the call or enquiring as to the person on whose behalf the caller is
ringing ("I work for XY Bank and need some detailed information on your
income level.") Such behavioural patterns can be exploited through "social
engineering" (see also T 5.42 Social engineering).
Example:
There are many cases known in which journalists have phoned up important
people and pretended to be other important people. In this way they have
succeeded in obtaining information from celebrities or public figures which
was not intended for the public. This has proved to be dynamite where the
information was transmitted directly over the radio so that it was not possible
to reverse publication.
____________________________________________________________________ .........................................
IT-Baseline Protection Manual: Oktober 2000
Thoughtless disclosure
of internal information