First-Person Account of a Social Engineering Attack

darkreadingman writes, "A penetration tester tells how he broke into a bank's network dressed as a copier repairman. Some good lessons here — many companies spend millions on network security, but don't teach their employees how to challenge a stranger in the building. Social engineering at the company site can be one of the most difficult attacks to defend against." From the article: "Before departing scenes like these, we try to document the effort and provide proof of our success. I usually leave something behind and then contact the person who hired me and direct them to the mark. In this case I wrote his password on a ream of paper and tucked it under the machine."

Hmm...

[The Zon]

You know, I was wondering why that guy needed my password to fix the copier.

Geez

[Anonymous Coward]

There are way too many first person games in the U.S.

penetration tester

[neuro_guy]

penetration tester. now that's a job! is it somehow related to the porn industry?

In the words of the Paranoia RPG

[Billosaur]

1. Stay alert
2. Trust no one
3. Keep your laser handy

1 ream = 500 sheets

[Anonymous Coward]

In this case I wrote his password on a ream of paper and tucked it under the machine.
That seems like an awful lot of effort, when you could just write it on one sheet. :)

Re:Look under your keyboard...

[DarthTaco]

thanks! I looked under my keyboard and found the jumpdrive I had been trying to find for weeks!

Man I Wish...

[eno2001]

...I could be a penetration tester. On Jenna Jameson. ;P

ObSneakers

[Rob T Firefly]

"Gentlemen, your communication lines are vulnerable, your fire exits need to be monitored, your rent-a-cops are a tad undertrained. Outside of that everything seems to be just fine. You'll be getting our full report and analysis in a few days but first, who's got my check?"

Why not a male model?

[Incarnate13]

"Think about it Derek. Male models are genetically constructed to become assassins. They're in peak physical condition. They can gain entry into the most secure places in the world. And most important of all, models don't think for themselves. They do as they're told."

Re:Hmm...

[Anonymous Coward]

Because you don't get karma for Funny moderations any more, so some moderators like to throw in an Insightful moderation for funny comments.

Re:penetration tester

[neuro_guy]

nah, "engineer" sounds so technical and... theoretical. you know, penetration is all about love and practical experience.

Re:Yikes! So much effort!

[Anonymous Coward]

Some of us are blind you insensitive clod! We have a hard enough time [slashdot.org] with regular money, cards are completely useless!

Re:For the love of all things holy

[Anonymous Coward]

Unless you're an executive, in which case it's called "pretexting".

Re:Yikes! So much effort!

[mrogers]

Yeah I imagine all the money's sitting in a shared folder on the secretary's PC. Never mind a dozen key strokes, you can probably just drag and drop.

"Are you sure you want to replace 'Teh Money.xls', size $13.28, modified 11/21/2006, with 'Teh Money.xls', size $1,000,000.00, modified 11/30/2006? [OK] [Cancel]"

Re:Backwords

[rthille]

Which is why you should bang your mistress in the back of the theater.

Re:True story.

[Joe Snipe]

what the hell is a man-trap?

Re:teach employees?

[Anonymous Coward]

That is why all your coworkers hate you behind your back

Re:Yikes! So much effort!

[Solra Bizna]

Now whether you are smart enough to transfer it into the account of someone you don't like rather than your own is a different question.

Or, transfer it into your own, separate account on the same bank, then use Log Modifier to change the destination account in the transaction record to someone you hate (or someone you're being paid to discredit), and Log Deleter to delete the record on your end. Disconnect before they trace you, and BOOM! Watch your Uplink rating smash through the roof...

You'll probably need a level 5 Firewall Disable (or Firewall Bypass) and version 3 of Decypher. And don't try to hack into the Uplink Corporation's bank; yours is the only account.

Wait, we are talking about Uplink, right?

-:sigma.SB

Re:And why is it that way?

[AcidLacedPenguiN]

I don't know about anyone else but I feel I have the best password creation system. . . I go and look at half a dozen other employee's sticky notes then I bolt them up like Voltron to form my own superpassword.

Re:Yikes! So much effort!

[sentientbeing]

A silver briefcase on wheels?!

Damn. What a giveaway. If you see two guys walking into a building with that you know something bad is about to go down.

Dont they show Die Hard in the training inductions?

Re:Hmm...

[dr_strang]

Are there ironic mod points? Because that would be ironic.

Re:And why is it that way?

[Anne_Nonymous]

YuL1P3729? That's the combination on my luggage!

Re:Hmm...

[LordSnooty]

Yeah, but they cancel each other out.

Re:And why is it that way?

[camperdave]

<homer>Mmmm... Salted hash!</homer>

Re:Man I Wish...

[6Yankee]

If you ever do get the chance, just remember the basic rule of any pen test:

• Get permission first or you'll end up in a world of trouble. Given the likely circumstances of this particular test, I strongly recommend that you cover your ass.
• File a report afterwards, or your mark may never know you were in there - with this target, and especially with your particular toolset, such an outcome is especially likely. :P

Yes, I have mod points, but this seemed like more fun :)