First-Person Account of a Social Engineering Attack

darkreadingman writes, "A penetration tester tells how he broke into a bank's network dressed as a copier repairman. Some good lessons here — many companies spend millions on network security, but don't teach their employees how to challenge a stranger in the building. Social engineering at the company site can be one of the most difficult attacks to defend against." From the article: "Before departing scenes like these, we try to document the effort and provide proof of our success. I usually leave something behind and then contact the person who hired me and direct them to the mark. In this case I wrote his password on a ream of paper and tucked it under the machine."

Hmm...

[The Zon]

You know, I was wondering why that guy needed my password to fix the copier.

Re:

[Anonymous Coward]

Who modded this insightful?
This is funny mods.. funny. Not insightful

Re:Hmm...

[Anonymous Coward]

Because you don't get karma for Funny moderations any more, so some moderators like to throw in an Insightful moderation for funny comments.

Re:Hmm...

[bcattwoo]

And ironically your insightful comment was modded funny.

Re:Hmm...

[dr_strang]

Are there ironic mod points? Because that would be ironic.

Re:Hmm...

[LordSnooty]

Yeah, but they cancel each other out.

Re:

[nacturation]

I know what you mean as it basically blows the whole common concept of what most people understand irony to be right out the window. Some references I've seen do describe that kind of irony but the more authoritative ones indicate that irony is when what you say has a different literal interpretation than what you mean. So if you *described* an event which had what you call situational irony, it could be ironic... but the event itself isn't. Wikipedia covers the controversy [wikipedia.org] over the varying opinions.

The

Not quite news

[otacon]

It's not really news as it is just reaffirmation that the weakest link in security is the human factor. It's been a known problem that someone could just walk in and pretend to be tech support/help desk/repair for as long as their has been computers.

Re:

[arun_s]

But it sure does make for an interesting read :)
Plus, this is a bank that was the victim of the attack. That's pretty worrying, I think. News like this (that illustrate how trivial social engineering can be) should hopefully make more people in important places (like banks) get over their false sense of security.

Re:

[onepoint]

think interesting was an understatement. I found it wonderful and should be sent to every VP. basic security is so rare.

I had a job on wall street many years ago. And I consistently caught people whom were trying to get info about our main frames or dumpster diving. I ended up putting a strict policy, and I was able to buy one heck of a schreader ( this THING was as big as a wide screen TV and could eat your hand if you were not careful).

I still do my transaction thier because the guy I left in charge was

Not news... but still useful

[Khomar]

It's not really news as it is just reaffirmation that the weakest link in security is the human factor. It's been a known problem that someone could just walk in and pretend to be tech support/help desk/repair for as long as their has been computers.

While this is not technically "news", it serves as a good reminder and notice of warning. As mentioned in the article...

Combine catching the bad guy and letting an organization know this type of theft and criminal behavior really exists, and you get one of the best tools in educating employees about vigilance and how to be proactive in security.

Hearing stories like this raises awareness for all of us, and reminds us of different ways that we can be exploited so that we can avoid them. Just like learning from history, it is always better to learn from someone else's mistake instead of learning it the hard way.

Yikes! So much effort!

[moore.dustin]

I know for a fact if he came to my office and attempted to get passwords that way, he put in way to much effort. All you need to do at this place is look over someones shoulder at the sticky note stuck to the monitor.

I think it goes without saying that anyone getting into your office claiming to be someone they aren't is a threat. Hacker or otherwise, they can easily get information they want with a "hall pass" for the whole building.

Re:

[venicebeach]

Yes, but this is a bank, not an office. They are in the business of securing money. I think a bank requires a little more awareness on the part of the staff than most offices.

That said, these people do seem to have access to some special equipment:

"Our office at Secure Network Technologies utilizes a proximity card access system, which also serves as an employee identification badge. Conveniently, we have the machine that prints these things.

and

"Using our past experience with copier folks, we

Re:

[EvilTwinSkippy]

From what I'm seeing, this chucklehead got into the offices and sniffed the network.

When someone bluffs his way into the vault, I'll be shocked. If he tried to monkey with the IT systems, he would probably have been snagged faster than a spawning salmon. Bank, Casinos, etc have people watching the people who watch the people.

Re:

[venicebeach]

He's not in the vault, true, but he is in the public part of the bank itself, not some separate administrative office building. The people he is interacting with are the same people who have access to the vault and must be aware enough to protect it.

(To find out more, I sent a colleague into the bank to inquire about a checking account. While in the bank she took notice of the various pieces of office equipment, specifically the printers, faxes, and copiers. )

Re:Yikes! So much effort!

[mallgood]

My question is why would you ever need to get into the vault? Really. Look at the world, almost nobody uses cash any more. There isn't a reason to. You swipe your card and the transaction is done. All it means is that - tap tap tap - a dozen key strokes later and you have a bunch of money transfered into an account of your liking. Now whether you are smart enough to transfer it into the account of someone you don't like rather than your own is a different question.

Re:Yikes! So much effort!

[mrogers]

Yeah I imagine all the money's sitting in a shared folder on the secretary's PC. Never mind a dozen key strokes, you can probably just drag and drop.

"Are you sure you want to replace 'Teh Money.xls', size $13.28, modified 11/21/2006, with 'Teh Money.xls', size $1,000,000.00, modified 11/30/2006? [OK] [Cancel]"

Re:Yikes! So much effort!

[Solra Bizna]

Now whether you are smart enough to transfer it into the account of someone you don't like rather than your own is a different question.

Or, transfer it into your own, separate account on the same bank, then use Log Modifier to change the destination account in the transaction record to someone you hate (or someone you're being paid to discredit), and Log Deleter to delete the record on your end. Disconnect before they trace you, and BOOM! Watch your Uplink rating smash through the roof...

You'll probably need a level 5 Firewall Disable (or Firewall Bypass) and version 3 of Decypher. And don't try to hack into the Uplink Corporation's bank; yours is the only account.

Wait, we are talking about Uplink, right?

-:sigma.SB

Re:

[Mysticalfruit]

I agree. The only real things worth of value stored in vaults these days are in safety deposit boxes. Even then, when your looking at a wall of a couple hundred boxes, you've got several challenges.
You need to get into the vault alone. Everytime I've ever gone to add/remove stuff from my SDB I've been escorted into the vault where I was put into a small room while then unlocked the safety door to the vault, not the big solid door, but a smaller internal door. On this door was a lock. Also the whole are

Re:

[rvw14]

Why would you want to get into the vault? The amount of money a bank keeps on-hand is very small, and the penalty for getting caught is huge.

If you can get into the bank's internal network, you can get all sorts of information. Identity theft can net more money without the risk.

Re:

[markov_chain]

What gets me is that he was able to sniff the president's login and password off a LAN. Seems like they need to do some work on their intranet security.

Re:Yikes! So much effort!

[Negadecimal]

I think a bank requires a little more awareness on the part of the staff than most offices.

That's an understatement. My wife's bank doesn't even have wastebaskets at teller stations, for fear that an account number could end up in the dumpster out back. All paper is either quickly shredded or couriered daily to a processing center. Loose sheets - even a sticky note - are verboten.

Each teller has a binder on hand that contains security procedures specific to the teller. When one teller accidentally grabbed another's binder a few month ago, the whole branch had to do a security update, which included a two-hour procedure to change the vault codes.

Re:

[dynamo52]

I am a private IT consultant and I was recently contracted by a Fortune 500 insurance company subsidiary on a very minor issue (2 days). I was hired through an ad on an online bulletin board. The president of the company hired me over the telephone without requesting any references or inquiring about background, education, or even aptitude with the systems they had in place.

Upon arriving for the appointment, I was led into the server room and immediately left alone, laptop in hand. I left the first day

Re:Yikes! So much effort!

[erpbridge]

Card printers with stripe encoders are fairly inexpensive. In 2000, picked one up for a previous employer for $400.

However, also being the guy who ran the prox card access system, I can tell you this: Prox cards are not easy to reprogram. They are usually hard coded with technology that resembles a primitive form of a RFID chip and small battery that only energizes when in the prescence of a mildly strong magnetic field (more than kitchen refrigerator magnets, but not as strong as the rare earth magnets you can buy for cheap), has a transmit range of 6 inches, and is attached to a antenna/induction coil loop that circles the length of the card about 5-10 loops.

Theres a reason you don't leave a prox card on top of a unchielded stereo speaker... Not only does the stripe become scrambled over time, but the battery, which is constantly in the range of the magnetic field, will stay energized and keep broadcasting the signal untill.... well, until its dead. Typical prox cards are specced for about 10-20 access per day, with a usable lifespan of 5 years.

Prox cards from HID (one of the biggest manufacturers of prox security equipment) are sold with a two-fold identifier: 4-digit site ID, and 6-digit card number. Yes, these are both printed on the card. Yes, HID keeps track of which company owns which site ID, so they can sell further stock in the future with the same site number...and also so they don't sell the same site number to someone else in the same region.

Prox reader controllers (a closet component that is what the readers are wired to, each controller capable of holding a token-style chain of 127 modules that can each control up to 8 doors on each module) are programmed to accept only a certain set of site ID's. They keep a local database, updated at regular intervals from the master controller, a server (anywhere from 15 mins to an hour) of what card numbers within each site are allowed to access a specific reader/door combo.

If the communications to the server is down, the controller tries to contact the nearest controllers it knows about (up to 255), which also keep the same database. If no redundundant communication to other controllers or to server is available either, the controller maintains its current memory and security settings for 72 hours from last communication. After that, no access is allowed at readers until communications are enabled again and a database synch is performed.

Of course, this info is all dated to 2002, for Andover Controls security systems... but is pretty much standard to all prox systems.

Re:

[TubeSteak]

How would you feel about a stranger shoulder-surfing?

It's much easier to just plug into the LAN & sniff for l/p's (which shouldn't be sent as cleartext in the firstplace, but frequently are)

And why is it that way?

[blueZ3]

Whenever I hear the usual rant about users having their password as a sticky note on their monitors, my instant reaction is "It's your fault, you goob!" I've worked lots of places where they've implemented a new "password security process" which requires you to switch your password regularly and which prevent you from using the same password for some ridiculous period of time and which disallow dictionary-based words/phrases.

Hello, McFly? Which is better: my having an easily-remembered but difficult-to-guess password that I never write down, or you forcing me to change my password frequently and then write it down because your policy makes me choose something obscure? My original password was fairly strong (a combination of upper and lowercase letters and numbers that are meaningful only to me) but when I'm forced to change to something new, it will be written down somewhere until it's committed to memory. Can you say "counterproductive"? How about "unintended consequences"?

Of course, I understand that a lot of these policies are based on out-dated recommendations and come down from on high. However, it would be nice if those making these "rules" to realize that most users have other things to do besides remembering a constantly changing set of passwords. Oh, BTW -- my new password is "theCIOsucks!" :-)

Re:And why is it that way?

[Maxo-Texas]

Completely agree.

I went from very secure passwords to insecure passwords written down on paper slips as a direct result of our security policy.

1) Change every 90 days (up from 60 at least. that was really bad).
2) no repeating letters or numbers
3) no letter or number in the same position as last password.
4) must have a number
5) not be a word in a dictionary
Starting password something like
YuL1P3729 (the last 4 digits were what changed- they were an old phone number- I slid through it horizontally)

Current password something like
secre1t
I have about 8 passwords.
And they are all on a yellow sticky on my desktop.

Re:

[geekoid]

B00B13s_giB!a is an easy to remember password, and you only need to change the last letters.

Of course most password policies still have there roots into the mainframe world.

Re:

[Iron Condor]

This is veering dangerously OT, but here's what has worked (so far!) for me: I had a nice, secure password that I never wrote down. When they made me "change" it regularly, I started using the same password but with my right hand shifted one letter down on the keyboard. 6 months later, shift the other hand down. 6 months later, shift the right hand outward. I intend to move around in this fashion until I can return both hands back to home position.

The only part that requires brainpower is "what to do when

Re:

[camperdave]

<homer>Mmmm... Salted hash!</homer>

Re:

[hey!]

It's ironic when you think of it. Companies implement "cheap" security schemes that introduce small but regular bits of frictional loss into everybody's productivity, and that actually make the problem worse.

A secure login token system would be, after the intial purchase has been amortized, cheaper, more secure, and more convenient than some draconian password policy. It's certainly cheaper than absorbing the risks of allowing weak passwords.

Re:And why is it that way?

[Beryllium Sphere(tm)]

My explanation of why you *should* write down your password [berylliumsphere.com]. Bruce Scheier has made the same point.

All of which is really a distraction. Sticky notes on the monitors? If someone's that close they can install a hardware keylogger in a matter of seconds or RAT and rootkit the machine with a live CD in a few minutes. The only security improvement you get from taking down the sticky notes is against casual or opportunistic attacks, which is not nothing, but face the fact that physical access means Game Over.

Re:

[AcidLacedPenguiN]

I don't know about anyone else but I feel I have the best password creation system. . . I go and look at half a dozen other employee's sticky notes then I bolt them up like Voltron to form my own superpassword.

Re:

[Capt James McCarthy]

"All you need to do at this place is look over someones shoulder at the sticky note stuck to the monitor."

How about this: I _HAD_ a user who made the MS Flying banner hold his password. I would have never believed it had I not seen it myself.

negative vs positive

[theStorminMormon]

I've been thinking about the article. It seems to me that such an abject failure to prevent a security breach could be more demoralizing than instructive. In most companies, the employees are not going to be security-savy, and they will not question a potential intruder. When the penetration test is successful everyone just feels stupid and slightly used. That's my guess at how the bank employees would react when the boss let them know that they got totally hacked.

Instead, for those bosses with less scruples, you'd probably get more bang for your buck by faking the penetration test. Hire some dude to try to get in, and arrange some employee to "catch" him. Then you get to circulate the news that you were successful because an employee did the right thing. I think the information would be just as instructive (always ask for outside confirmation of vendor reps), but instead of being depressing (you guys all failed to do the right thing) it could be empowering (it's easy to do the right thing, and one of you managed to do it).

Is penetration testing even worth the money for a system as obviously insecure as this one? If, as the article claims, these attempts succeed 9 times out of 10, then you don't need to pay for the penetration test to know your company will fail. Does a bank manager really need to pay someone to tell them the obvious? They should take some proactive steps towards security-enhancements first, and save the penetration testing for when they actually think they have a somewhat hardened system (social and technical) to penetrate.

-stormin

He didn't say they succeed 9 times out of 10

[Von Rex]

Here's what he said:

Over the years and after doing several security assessments using social engineering techniques, nine times out of 10 we usually get caught when that one person says "I need to call someone about what you're doing." That call to confirm, usually raises enough suspicion to stop us from proceeding. And after that person realizes what they did, word travels real fast throughout the organization that they caught the "bad guy."

He's saying that, when they do get caught, nine times out of ten i

penetration tester

[neuro_guy]

penetration tester. now that's a job! is it somehow related to the porn industry?

Re:

[lixee]

penetration tester. now that's a job! is it somehow related to the porn industry?

Yep! One that blows (the job that is).

Re:

[LMacG]

No, that would be the fluffer [wikipedia.org].

No - In Porn They're Called "Troubleshooters"

[Petersko]

With the trend in porn towards the foot-long as standard, I doubt anybody needs a penetration tester.

Re:

[Iamthefallen]

How about Penetration engineer? [securityfocus.com]

Man that'd make a badass business card.

Re:

[EvilTwinSkippy]

Sounds too much like a porn star.

Re:

[neuro_guy]

nah, "engineer" sounds so technical and... theoretical. you know, penetration is all about love and practical experience.

Hmm

[malkir]

I wonder what kind of sniffer he was using to get passwords is 'seconds', including the higher-ups... weren't they not in the building at that time?

Re:

[Anonymous Coward]

All back-end systems and PCs of all branches of that bank are connected to a single gigantic hub. In addition, all employees are constantly login and log from those systems using only non-encrypted protocols. The guy just had to plug his laptop and fire up his sniffer. Easy. Took him seconds.

Re:

[dave562]

A lot of things could be done, but unfortunately the reality of the situation 95% of the time is that IT staffs are so overburdened that they don't have time to activate all of the nifty little, wouldn't it be cool features that are out there. Sure you could impliment a managed switch, but then every time a NIC fails, or a workstation fails, you need to go reprogram the switch. It becomes just another thing to do on a task list that is already too long to begin with.

I'm not super knowledgable in the area

In the words of the Paranoia RPG

[Billosaur]

1. Stay alert
2. Trust no one
3. Keep your laser handy

Just Check!

[Thansal]

I need to call someone about what you're doing

Simple enough. I don't know if I am parnoid or what, but if I recieved an unsolicited "service" for one of our machines I would double check with my contact for that company.

If some one is poking around who I do not know I will check it with my boss.

Re:

[QuantumRiff]

You would, but would your minimum wage receptionist? How about the custodian that has keys to everywhere? Would they know that someone had called ahead of time? Or would they just assume someone in another department called, and let them in?

Would Biometric Security Devices Mitigate Sniffing

[w33t]

I wonder, since the article states that the tester was - within seconds - able to sniff passwords and usernames, that if the bank had employed biometric security devices would this sniffing have been so easy?

Re:

[earnest murderer]

Depends on the device. Most that I have seen are just a print recognizer that inputs your password for you. That is, you spend 1 second compared to 2 filling in the password box. A neat trick, but doesn't do anything for security. Even if a system used the print itself, you're just trading a few characters for an image.

You could make the argument that they weaken security since the password has to be stored twice. And in many cases if you know what you are doing, a good print (good enough to fool the reader

good grief...

[Gary W. Longsine]

In this case I wrote his password on a ream of paper and tucked it under the machine.

An amusing stunt perhaps, but perhaps not the best solution to the problem.

Re:

[spellraiser]

Please RTFA before commenting in this vein.

Immediately after that sentence comes:

When I returned to my office I immediately called my contact and explained what we did and that we were successful. After retrieving the ream of paper with his password, I could hear the concern in his voice since our job confirmed his worst fears. I explained to him this type of problem can be fixed by sharing the results with his employees, and that no one person should be targeted as a single point of failure.

The password

perhaps I wasn't clear enough

[Gary W. Longsine]

This kind of stunt gets people fired, and worse, gets people in serious legal trouble and ruins their reputations.

Doubt me? Ask Randal Schwartz. Unless I missed something, Randal has admitted his naivety, but not malice, concerning the matter of cracking passwords to demonstrate security problems to one of his clients. The client was not amused. Here is an example, from the first click in a trivial google search.

Intel v. Randal Schwartz: Why Care? [mabuse.de]
Clearly, Randal was someone who should have kno

Re:

[spellraiser]

Yes indeedy. Sorry for the misunderstanding.

There are better ways to prove that an attack worked than just leaving a password somewhere, that's for sure.

Look under your keyboard...

[From A Far Away Land]

..go ahead, look.

If you see your password there, that proves I was in your place.

"In this case I wrote his password on a ream of paper and tucked it under the machine."

If it says "12345" it proves you watched Spaceballs.

Re:Look under your keyboard...

[DarthTaco]

thanks! I looked under my keyboard and found the jumpdrive I had been trying to find for weeks!

Amazing!

[Anonymous Coward]

That's the same combination I use on my luggage.

Re:

[jacks0n]

moderator sarcasm

No 802.1x?

[lukas84]

When we installed Wireless LAN at our company, we switched all network access ports to 802.1x authentication.

It required some effort, since we had to "quarantine" non-802.1x devices to separate networks, but i think the security advantages outweigh the work needed.

We're just a small IT service company, not a bank. I really wonder why a bank wasn't using 802.1x since several years.

Re:

[EvilTwinSkippy]

Simple: You never ever ever ever ever trust a chunk of the network that doesn't have a lock on the door.

We don't secure our wireless because it is a pain, and futile. Anyone who wanted to seriously crack into the system would use a hard line, an idle terminal, MAC spoofing, etc.

We secure the servers, and monitor for odd behavior. Mostly because most or our problems aren't foriegn invasion, they are inside jobs, mistakes, etc.

Re:

[Nimey]

But the bank had hardwired Ethernet.

Mac Addresses are easily faked

[imaginaryelf]

Mac addresses can be trivially faked.

What you need to do is assume that your wireless network has already been penetrated by Joe sitting at Starbucks, and then develop a defense from there. For example, one solution is having all wireless clients go through a VPN client with strong authentication mechanisms just to get back into the corporate network.

Re:

[lukas84]

How is the VPN solution different from using 802.1x? Except that the VPN solution is a crude hack?

Re:

[imaginaryelf]

Mostly for ease of deployment. Assuming that everyone already has a VPN client for connecting from home or hotels, etc. Your users then don't have to do anything special like 802.1x for wireless but VPN for something else, and your administrators have one less variable to control.

1 ream = 500 sheets

[Anonymous Coward]

In this case I wrote his password on a ream of paper and tucked it under the machine.
That seems like an awful lot of effort, when you could just write it on one sheet. :)

Dont really need that.

[Lumpy]

$2000.00 cash and you can pay off the cleaning service people to let you in dressed as them. EASILY, sometime for far less. those people are so underpaid yet have access to the most secure parts of the company you can get in, get past the security guards without a second look and you are allowed to root around in secure areas on camera as you are supposed to be under each desk cleaning out trash.

Install a few key loggers, come back in a week and harvest them. No problem and easily undetected at any corporation. They probably will never suspect you even after they get massive hacks later because security typically is also underpaid and way under trained.

Re:Dont really need that.

[shadwstalkr]

Why pay them? Just fill out an application and make a few extra bucks while you prepare for your big heist.

The copyer hole

[Anonymous Monkey]

At one point I worked for a copier repair company (Dispatcher, accountant/bookkeeper, & some computer stuff). Each month I got calls from people who fell victim to one of two scams.

1st: Some one calls an office and says that copier supply cost will go up next month so stock up now. Then they charge you an arm and a leg for your order. (Most of the time toner and developer is covered under the service contract)

2nd: Some times, some one would call up and say that they don't like the new tech that we sent out. I would say "what tech, you don't have a call up on your machine?" then after a few minuets of back and forth they would realize that it was (a) for the other copy machine and not one from my company, or (b) some one was looking around the office without authorization. The scary thing is that this often happened at schools.

Later, at my next job, I nabbed some one pretending to be a copy 'service agent' at the front desk and fed them a line until they went away.

The moral of the story is be paranoid, ask for ID, make people sign in, never ever trust some one who just shows up and make sure all visitors are escorted at all times.

Some do

[ackthpt]

Where I once worked we had students trying social engineering on us all the time. I was a student worker at the time and knew most of the tricks, but when anything new came along it had to go through the filter of common sense. If only 3 people have open access to certain systems, one of them must know of someone claiming they need access, but if you can't contact the other two, you simply stand your ground, bar access and say to the attempted intruder, "Sorry, can't let you in, but don't worry, not your

Re:

[geekoid]

"Common sense: If you don't know about some repairman, then it's not your fault when you turn them away."

haha.. asdly most common sense goes out the window in the corp. world.

If that repairman was to fix a critical issue, you would get inot trouble in most places. Even if you where following policy.

It's that kind of crap that makes an employee not want to question anything.

Man I Wish...

[eno2001]

...I could be a penetration tester. On Jenna Jameson. ;P

Re:

[UbuntuDupe]

You *would* say that, since you believe in allocating goods based on need.

And your need for that good is pretty high after this latest dry spell, eh?

Re:

[eno2001]

Damn homey! Dat's FUCKED up! You just put me in my place now didn't you! (So how often do you track my posts looking for opportunities to respond again?) ;P

Re:Man I Wish...

[6Yankee]

If you ever do get the chance, just remember the basic rule of any pen test:

• Get permission first or you'll end up in a world of trouble. Given the likely circumstances of this particular test, I strongly recommend that you cover your ass.
• File a report afterwards, or your mark may never know you were in there - with this target, and especially with your particular toolset, such an outcome is especially likely. :P

Yes, I have mod points, but this seemed like more fun :)

Employees are not conditioned to be security aware

[simm1701]

I recently hired a car from a well known car company (I won't name them as in general I find them to be a very good company)

I normally hire from one particular branch and drop it back off there and as a regular customer known each of the staff by name, however on this occasion I was dropping the car back at the airport.

After parking up a guy came from a car in another bay (for the same car company) and asked if was dropping off one of their cars which I confirmed and told him it had come from my usual branch and not the airport. He asked to see the paperwork and did a check over the car - not a problem. After he gave me the paperwork back he asked for the keys. Since I didn't know him and he wasn't even wearing a uniform I asked to see ID, he couldn't provide it and all he did have was a stack of paperwork with the company letterhead in a file.

Well I'm afraid that isn't really good enoguh proof of ID - I told him I'd drop the key off at their desk (which is opposite my check in desk) since I had no way to know if he was an employee or not.

After dropping the key off at the office of the car company in the airport it turns out he was a legitimate employee but the question of ID has never come up.

I saw some of the otehr cars there - they are always brand new and while I usually take something like an astra or a vectra this being the airport car park had several jags and a merc or two. Its seems it would be a VERY easy way to obtain a few cars... park up, inspect the car, ask for the key.

Even if you get pulled over by the police you would just have to say its a hire car - a check of the registration would confirm that - these companies really should be a little more careful of their security!!

Re:Employees are not conditioned to be security aw

[GigsVT]

Once they realize it's AWOL and they call the original owner who says he returned it, they'd report it stolen and then getting pulled over wouldn't be so easy to get out of.

Re:Employees are not conditioned to be security aw

[jandrese]

You've really hit on one of the big reasons why these social engineering tasks work. If you are "that guy" who insists on calling in everyone who comes into the office, you are also the reason the copier is still broken because he turned away the repairman at the door simply because the copier place's front desk didn't have easy access to the work schedules of the repairmen.

In a perfect world everyone would be competent and always available on the other end of the phone, but in the real world it can be a

No DHCP!

[smooth wombat]

I then disconnected the network cable from the copier/printer and attached my laptop. As soon as my laptop booted up, DHCP provided a network address and I was on the internal network.

At my previous job, DHCP was not used for printers. In fact, you could not plug into any port and get a connection. Everything was locked down by MAC address and every printer was given a specific IP address. Even the pc ports were locked by MAC address.

Sadly, my current place of employment does not follow this rule. Anyone could do what the article talks about except that our security guard is pretty good about calling someone if a technician shows up and says they have to do something. If that happens, I am usually the one who goes down and finds out what's going on. Since I work in IT, I would know if what the person is saying is true or not.

ObSneakers

[Rob T Firefly]

"Gentlemen, your communication lines are vulnerable, your fire exits need to be monitored, your rent-a-cops are a tad undertrained. Outside of that everything seems to be just fine. You'll be getting our full report and analysis in a few days but first, who's got my check?"

True story.

[Maxo-Texas]

Friend of a friend got a job doing security audits for a major energy company here in houston.

1) He broke into a top nuclear facility by holding a box and asking the person ahead of him to hold the door.
2) He set off the "man trap" and found he could easily climb out of it.
3) He found out the heavily secure facility had secure areas protected by sheetrock walls in some areas.

He finally embarrassed so many people that they posted a picture of his face to all employees with a warning to be careful. That destroyed his effectiveness. Some solution.

But that's the real world for you.

Re:

[earnest murderer]

So I am understanding that someone distributed his picture to thwart the security efforts of their own company?

Shit, I'd fire then sue them.

Re:

[Maxo-Texas]

Company politics.

And they were reasonably clever about it.

They didn't say "WARNING! THIS MAN IS DANGEROUS!" they said something like "This man is our new security officer. Make sure you help him out and ensure we follow all security requirements!"

Re:

[dr_dank]

He finally embarrassed so many people that they posted a picture of his face to all employees with a warning to be careful. That destroyed his effectiveness. Some solution.

So they hire your friend to pen test their security and, rather than implement his findings, they made up a "wanted poster" and did nothing else? What was the point of hiring him in the first place?

Re:True story.

[Danny Rathjens]

Most nuclear power facilities are run by private companies, but a separate government organization is responsible for safety inspections. When a government inspector finds something wrong, the company involved can face massives fines.

I know a guy who was an inspector at our local nuclear power plant. He said that once he found a guard sleeping so he went and got the supervisor so it could be documented. On the way back, he said the supervisor was talking loudly and stomping his feet. Not surprisingly, the guy was awake when they reached him, and consequently, that supervisor saved the power company a couple hundred thousand dollars.

He did learn his lesson, and in later similar situations would only tell supervisors to come with him and not the reason. :)

Re:

[Joe Snipe]

what the hell is a man-trap?

Re:True story.

[Beryllium Sphere(tm)]

It's like an airlock: two doors in series, only one of which can open at a time. Crooks hate things that could slow down a getaway and if you implement your access check on someone in the middle with both doors locked, well, if they're a crook you've got them in custody.

Re:True story.

[Maxo-Texas]

And in this case, the airlock had a standard drop in tile false ceiling. The real concrete ceiling/floor of second story was 2' above the false ceiling.

He apparently reached up, grabbed the wall, pushed up the ceiling panel, and climbed up easily using the door handle to step on. It held him about 30 seconds.

More than just social security problems here...

[jonadab]

There were a number of technical security flaws he exploited as well. Among them:

> I then disconnected the network cable from the copier/printer and attached my laptop. As soon
> as my laptop booted up, DHCP provided a network address and I was on the internal network.

This should never be. In the first place, DHCP should not hand out an internal-network address to any old network card that comes calling, and in the second place, the copier should probably be isolated from any important or sensitive s

Re:

[WuphonsReach]

Ack! Switches cost, what, a whole extra fifty cents per port, as compared to hubs? WHY would anybody with anything significant to protect be running an unswitched network? Bad network engineer, no cookie.

The switches, they do *nothing*! (See the various attack methods for turning a switch into a hub on the fly, then sniffing all traffic.)

The better question is why the company is sending passwords in the clear in the first place? Just about every protocol under the sun can be encrypted now. And in an

teach employees?

[Lord Ender]

Teaching employees to police each other at the door does NOT help security. It does not work. All the awareness training in the world is wasted money because "politeness" is built in to our culture.

If I'm walking out the door, and someone coming in catches the door after I walk out, am I going to stop, turn around, go back in the building, stop the person on the way to the stairs, force him to follow me back to the badge reader, and wait to make sure his badge is accepted by the reader? No.

It will never happen.

Even if your security awareness training is so successful that 50% of your employees do this, an intruder only has to try twice to get in. You gain nothing.

Employee-enforced physical security is a farce. You will ONLY have real physical security if you have a dedicated security guard who checks every badge and photo-ID for every person entering the building.

Why not a male model?

[Incarnate13]

"Think about it Derek. Male models are genetically constructed to become assassins. They're in peak physical condition. They can gain entry into the most secure places in the world. And most important of all, models don't think for themselves. They do as they're told."

One of the classics

[mkro]

Lineman.net is gone, but one of Isreal's entertaining/scary stories are still to be found on the redirect, AllYourTech.com: Introducing social engineering to the workplace [allyourtech.com]. Recommended reading.

Or... He could have hacked the copier

[The Infamous TommyD]

and made it fax out what it found everynight. See: Penetration Analysis of a XEROX Docucenter DC 230ST:"

If you call them on it, people get upset.

[Animats]

Some months back, I saw some people working on the phone lines outside my house. They knocked off my DSL connection, so I went out to see what they were doing. They didn't have an SBC truck, so I asked to see their ID. Classically, telcos were very careful about issuing picture IDs to all employees authorized to meet the public or work on plant. There's even a notice in most telephone directories about it, telling customers that all telephone employees are required to carry a telco photo ID.

They didn't have SBC IDs. So I called SBC repair service via a cell phone. They didn't have a clue. So I called 911 and had the local cops come out. They ask the guys for phone company ID, and the techs don't have it. Twenty minutes of confusion as the techs and the cops are calling various parties.

Turned out that SBC had quietly been "outsourcing" some routine outside plant work, and had been sloppy about issuing credentials to the outsourcing contractor. Tied up four techs and two cops for half an hour to straighten that out.

That's what happens when you do it right. Annoys everybody.

for the sake of clarity

[Gary W. Longsine]

Lying is a specific tool, not a blanket term for the various types of deception which may be employed in social engineering. Perhaps you think it sounds self-important, but that assumes that the only people who use the term are engaged in the practice. I think the term sounds reasonably descriptive and emotionally neutral, unlike "scamming" for example, and allows for the possibility that some people may engage in social engineering for non-harmful purposes.

Backwords

[geekoid]

Social engineerins is a subset of lying. Usually deception or implications.

Yes deception is lying.

If you say "I'm going to the movies" then drive to the movie wait 5 minutes, and then go to a motel to bang your mistress, you have still lied. I would argue the worst kind of lie.

Re:Backwords

[rthille]

Which is why you should bang your mistress in the back of the theater.

neither Backword nor Forward

[Gary W. Longsine]

Consider two propositions.

(1) Not all lying is social engineering.
Lying, by definition, is making a statement believed to be untrue with the intent to deceive another (see: lie [wikipedia.org]) therefore all lying might be considered a form of social engineering, using the most inclusive possible definition for "social engineering". However, one might consider that there are types of lying which do not really have a useful purpose (e.g. pathalogical lying) and which are not employed to seek a gain, and these types

Re:

[Anonymous Coward]

Yes it is lying, however its also quite a bit more than that.

Its a con. Plain and simple. Since you generally know the conversation and physical scenario that is going to take place, all that is needed is some improv. Thats why I state its a bit more than lying. You're feeding off of the targets lack of awareness, willfullness to give information, and general good nature, as 'everything seems to be in order' with your physical presence.

As far as distinction in vocabulary and vernacular of language, that wou