How To Rob a Bank: One Social Engineer's Story 111
Posted
by
timothy
from the oh-don't-worry-this-won't-take-long dept.
from the oh-don't-worry-this-won't-take-long dept.
itwbennett writes "Today's criminals aren't stealing money — that's so yesterday, according to professional social engineer Jim Stickley. In an interview with CSO's Joan Goodchild, Stickley explains how he's broken into financial institutions large and small, and stolen their sensitive data. In a companion story, Stickley walks through the steps he takes to fool clients into thinking he's there for fire safety, while he's really proving they are an easy target for a data breach."
Duh (Score:5, Interesting)
as a former security auditor myself... (Score:5, Interesting)
As a former security auditor myself, I'd attack the voice response units. Quite frequently those boxes (often standalone towers covered with a quarter inch of dust) were neglected in the corner, with no IDS, no one checking logs and frequently no automatic lockouts. Routed through Skype and/or Google Voice...
And I call (Score:2, Interesting)
Bullshit. You mean to say that this guy both steals stuff from bank employees desks AND installs keyboard loggers, and no one at the bank suspects anything like "hey, these guys stole all this stuff from us, maybe they weren't firemen, maybe security has been breached, let's check to see if computers/equipment has been tampered with!"
From TFA:
At that point, my partner's job is to start stealing everything he can steal and start putting it in his bag.
On our way out, we don't want them to know we're done. We want to be able to come back another time.
Too much mission impossible on TV. This is just an attention whore trying to cash in by pretending to be a crook. Typical of a "security consultant", really.
Not my job.... (Score:4, Interesting)
Physical security and access is not the job of the standard employee. The only job the employee has is to ensure that their credentials are only used for thier access, either physical or digital, and that they are kept secure.
I once was working for a company that had higher a new CIO. The area where the IT people sit was secured with keycards, and was just outside of the server room, which had its own keycard. There was never any problem with letting visitors and other employees in and out to discuss IT projects, etc. In other words, while it had keycard access, it wasn't considered a security zone. The CIO came to visit the IT area and I let him in without knowing who he was. He was then buzzed into the Sever room by one of the operators who did know who he was. Of course, he made a big stink about the whole thing. The funny thing of course, is that nothing changed. He was just trying to make a big splash.
The point is, I am not a security guard. I am not about to put my physical safety in jeopardy for the sake of corporate secrets. I do not have the necessary skills to vett or interrogate every new visitor wandering our halls, nor do I have the authority or tools to throw them out. You can chew out your employees for allowing physical access to this "fireman" but the problem is management not spending the money to have proper security at the door, not the lack of vigilance by the employees.
I will keep my passwords secret, I will choose complex passwords, I will not allow people to tailgate on my keycard access, and I will inform IT security if any of my corporate devices goes missing. I will do all of this, but I will not be your security guard, there are people who do this who are much better at than I could ever be...
Re:And I call (Score:4, Interesting)
Once there was an actual criminal going around a large office park at a place where I previously worked that would walk in wearing a VERY fancy suit and kindof wander around stealing laptops, electronics, etc. and then walk out. Nobody could ever identify him except that he was in a fancy suit, and nobody dared question what he was doing so as not to get in trouble for offending somebody important. Not saying any of these places were supposed to be highly secure, but was quite a problem for a while and he always got out before anyone noticed or realized what was going on.
Then he walked into our office which was a startup, and he was obviously not familiar with the "atmosphere". As soon as he got in by following behind somebody, several people said "What the **** are you wearing a suit for and what the **** are you doing here?", took a picture of him, and escorted him out.
Re:And I call (Score:5, Interesting)
A true story regarding the problem of walking in behind people (one of the easiest ways to enter a large building you shouldn't be able to access):
Employee walks into the office building. A bit behind that employee was the CEO, but the CEO's badge was not visible, and this was a newer employee who didn't recognize the CEO. The employee made sure the door closed on the CEO. The CEO took swift action to send a message to the whole company: He called security, found out who that employee was, and sent word down the chain of command to give that employee a special award.
Re:And I call (Score:4, Interesting)
I totally second that. For me, it was a tie and a clipboard, and my (totally true and legit) story that I worked for the building's property insurance company and needed to look everywhere and anywhere for risks (blocked doors, covered sprinklers, stacks of live ammo pointed at compressed oxygen canisters, that sort of thing). People would let me into the most amazingly sensitive areas, oftentimes with no escort, just a slap on the back and a "give the key fob back to Tina when you're done". Three hours later I would know every corner of the place.
I ain't that charismatic, so I conclude the clipboard is key.
Re:Poor story. (Score:4, Interesting)
Completely plausible actually.
He does present ID. The fact is though that as long is it looks "official", most people will believe that it is what it says it is. Assuming you're not on your local fire department, do you know what your town's fire-inspector's ID actually looks like? It's not like this guy was handing them a piece of notebook paper with "Fire Inspekter" written on it in crayon.
Plenty of computers use USB keyboards, so there's your enabled port. A keylogger plugs into the port, the keyboard plugs into the keylogger, and done. Same thing went for the old PS/2 ports. Even if your average bank employee looked at the back of their PC (which isn't very likely to begin with), they probably wouldn't recognize anything out of the ordinary.