Social Engineering in the Workplace
An anonymous reader writes "Could a total stranger walk out of your business with thousands of dollars in merchandise without your knowing? Even worse, could they manipulate you into helping them each step along the way?"
If a stranger could do that, I'd follow his example. :)
"thousands of dollars in merchandise"
Why merchandise?
Just take the cash and scram! O.o
Ken Lay did it to the tune of several billion dollars in California so I'd say it's very possible.
~S
I love it. Load it up, the very first line of the page is "SlashDot defense provided by Nexcess.Net"
There's forethought, with some free advertising thrown in.
Here be Dragons
No way. I'm too lazy to help the people I should be helping. Why would I help a stranger?
At the last company I used to work for they once showed us a video about the importance of information privacy, and how social engineering works. In this particular example, the person would have been caught right away because he was wearing a suit. No one wears a suit on our floor, unless they're having a job interview, or meeting with the executives or something.
The reality is that most medium sized companies can be vulnerable to social engineering. In most cases the weak point in any security system is going to be on the human level. When you work with people you have to have some element of trust to make things more efficient.
You might need a security badge to get by a security desk, and a key card to get onto the floor. But people sometimes lose their badges and keycards and will be let by just this once.
If you can get into the cafeteria without any security stuff you can just go to lunch there for a couple weeks, get to know the names of people who work in the IS departments, and maybe even come across a dropped security badge. You can then forge your own to get to the elevators, and then wait for someone else to open the door to get by needing a keycard. (Assuming the badge you came across didn't also have the person's keycard.)
Then getting information out might be easy. And at the company I used to work for you could probably steal hardware just by putting it on a cart. We had multiple buildings so it was common for people to be carting PCs from building to building. How many security guards would recognize the difference between a PC and a server?
Unless you have security guards that require written permission for every single hardware move, your hardware is not going to be 100% safe. And unless you have a zero tolerance policy on holding the door open for someone, your information is not safe. How many companies are willing to do this?
I hate Liberals and Conservatives.
If you are a Liberal or a Conservative, then HAVE A NICE DAY!
Courage.
This is a great read! One has to wonder: Isn't it much easier to social-engineer one's way into a system than the "hacking" approach?
,something with the Australian customs office. And there is the now really famous French guy who used to simply walk in on high level government events and get his picture taken.
How hard can it be to get usernames/passwords this way? And since we are in linux-land here: I would bet that more than half of the sysads here would open up their systems to the first pretty girl that would walk along their cubicle. Obviously she cannot be too pretty as that would be VERY suspicious.
There are plenty of stories going around about people just walking into a server room and taking a few servers home with them. We even had one of those on Slashdot here a few months ago.
But the world is probably safe: Somehow good social skills and good technical skills are mutually exclusive...
I work tech support at an ISP, and after reading Kevin Mitnick's "The Art of Deception", I've had a keen eye for situations where social engineering could be going down. The thing is, if policy dictates that you respond a certain way, you do so regardless. The funny thing is how much more helpful other internal departments are if you use some social engineering techniques. Sometimes the billing dept. will help a save desk agent more than tech support; sometimes a field rep. gets less lip than tech support to escalate an issue. Guess it goes to show any tool can be used for good or evil.
What's the deal with calling cheating and conning people "social engineering"? Giving it a catchy name doesn't make it any more fashionable or acceptable. I guess we have the l337 underground crowd to blame for this idiotic euphemism.
Can you social engineer your way to getting some stuff from a store and get away without getting arrested? I've noticed that with most social engineering tests the people leave themselves VERY exposed in terms of being caught later. I saw this with a coworker. He did a hypothetical social engineering/hacking scenario. It was all well and good except that I guarantee that had he done it in reality, he'd have been thrown in jail since there were at least 10 people that could make an easy ID.
It's one thing to BS your way in and steal some stuff, it's quite another thing to get out and not get ID'd or videotaped. This is where most crimes go wrong. It's not that the crime itself doesn't work out OK, the criminals often get what they want; it is the aftermath that goes wrong. The crime gets reported and investigated, and they find out who did it, and that's all she wrote.
..so we don't have stuff worth thousands of dollars sitting around. I'd wish that someone would steal some crappy old computers sitting around though. Please take away the Apple IIs...please..
Social Engineering "as we know it" is going to be impossible to combat or educate against.
No amount of technology or education can or more accurately 'will' stop SE from being effective.
The only hope is that most thieves are too dumb to use it. Those who are smart enough almost deserve to get away with it.
SE requires knowledge of methods, practices and the weaknesses inherent in such.
A smart business will simply acknowledge the existence of such and absorb minimal losses associated... and raise prices accordingly. Very similar to piracy of IP.
It will happen and you can do very little to stop it and what you can do will cost you more than the loss involved.
Soooooo.... minimize, minimize, minimize.... your losses as much as possible by identifying effective deterrents and ignoring all else.
I'm sure companies do this already.... so this may or may not have been an effective exercise... was it realistic in terms of statistical attempts to steal merchandise? Probably not, though it can identify weak areas in security that can be improved to catch less skilled SE perps...
A fool throws a stone into a well and a thousand sages can not remove it.
made me think for a moment this article was about how to score on chics and get laid ....
This time the phrase conveys additional information. Engineering is probably best described as the art of applying science to control failure. A typical con, à la Matchstick Men, The Grifters, etc., is all about craftsmanship, using the people. Whereas social engineering is all about a well planned design for a well understood system, using the bureaucracy. One is personal, one is impersonal; one depends on personal charisma, one depends on blending in.
Homeless people near my university used to pass themselves off as grad students to steal scrap metal to sell to those who deal in such things. To pull this off, they left their carts near exits to the building, and proceeded as normal.
Actually, it's his second slashdotting, and his CMS, Drupal, has an anti-slashdotting mechanism built in--caching.
Not really knocking anything you say. I think you're right, it is going to be impossible to combat or educate against (mostly). But I don't see how this is anything new? You con for money, you con for information, whatever. Social engineering seems like an old dog with a new, more marketable face.
Quack, quack.
When I read the title to this article, my immediate assumption was that "social engineering" referred to the misguided attempts by "progressives" to re-work society into a socialist utopia.
"Social Engineering in the Workplace" could easily be an article about the problems created by such policies as affirmative action, or the reactionary knee-jerk responses to charges of sexual harassment or discrimination that are so common nowadays.
I guess this is what happens when you're someone whose interests include fields which use the same terms to mean very different things.
Lee
Muslim community leaders warn of backlash from tomorrow morning's terrorist attack.
Well, I guess it comes down to how nice people are. If every person you passed asked for your identification, your papers, what you're doing here... hum... sounds like Germany back when...
But seriously, you can get to the point of having people anal and trusting no one. Everyone is suspicious of the other, and while I suppose that is a good way to reduce theft, it also makes the place not very nice to work and shop or be around.
I'm not sure someone could walk out of my business with thousand dollars in merchandise, as I work at MacDonalds.
It's a place where no worker will listen to any social engineering attempt, you know. And anyway, thousand dollars of McDonalds food will probably kill anyone, in horrible pain.
nico
Nico-Live
I worked at a financial institution, with doors that could only be opened with swipe cards; these were on each floor.
We were visited by a deaf woman (we assumed she was deaf from her speech and her hearing aids; we learnt from the police that she was really deaf and was wanted in connection with other thefts) who was only just barely communicating that she was selling raffle tickets for something. No one knew sign language but let her in anyway, assuming someone had let her into the building.
She used the time during lunch when most people weren't at their desks to take wallets, go through drawers or whatever. For some reason I was having lunch there; being the cheap bastard I am, I didn't buy a ticket, but my co-worker did.
For some reason I stood up to look at the woman operating from the other side of the room. She looked a bit strange; she looked back so I sat back down. We found out later that she had her run of about 3 or 4 floors before someone challenged her being there.
It was also a running joke for us asking the co-worker who bought a ticket if she had won anything yet...
Be you Admins? nay, we are but lusers!
Could a total stranger walk out of your business with thousands of dollars in merchandise without your knowing? Even worse, could they manipulate you into helping them each step along the way?
/offtopic
Offtopic...
But this occurred in the last 24 hours.
I live with some close friends in a 'share-house'. We all have common interests and we enjoy a fair deal of household harmony.
Recently, I did a big favour for a friend by letting him store some of his belongings at my house while he moved.
All of this was pretty normal until last night. Now, one of my room-mates gave me a celeron 750 box to mess around with. I had to throw in some parts myself, but I got it going. Then he asked for it back so he could give it to his grandma (she's still running a pentium 150!).
This morning I woke up to loud cursing coming from the living room. My friend who's storing his stuff here, came in during the middle of the night, unscrewed the case and took the cd-rom(!). Ignoring the dvd, vcr, pentium 4 and other valuables in the living room, only the cd-rom from the box my room-mate was working on was gone.
My room-mate intended to deliver the PC to his grandma today, and he was so annoyed, he promised to 'stab the bastard in the face'. What puzzles me, however, is how he showed such disrespect for other people's property, while we happen to be storing his 21" monitor (amongst other valuables) for him. Doesn't make much sense? We suspect drugs might be involved.
I ran a benchmark on my quantum computer, now I can't find it anywhere!
"I followed one of the girls as she was taking off her jacket so I could take a look at the coat rack."
oh yeah baby take it off
It happened on a Saturday.
White panel truck with appropriate lettering pulled up to corporate headquarters. Man wearing logo'd shirt gets out and approaches security guard, papers in hand. He is supposed to remove typewriters for cleaning, and is supposed to come back Sunday to return them. Papers are signed by an executive of that company.
[ uh-huh. right name, but *that* executive has never even seen the papers. It's just a signature. ]
Guard is cautious. Needs to call and check. Truck driver agrees to wait. Executive out of town. Guard says no-go. Truck driver says fine, just sign here that I showed up. Your company still must pay the $5000 fee for weekend overtime service as per the contract. ( Shows contract details to guard ). No biggie to me. ( Guard gets antsy. A lot of money; what's his boss gonna say about losing more money than his monthly pay just because he wouldn't let another man do his work? ). The guard refused to sign anything. The truck guy notes down his name from his badge, notes it on his form, looks at his watch again, dates and signs the form, and asks the guard to let 'em know he was there. Leaves the guard a business card, and mentions that the next available window to do the cleaning work on a weekend is about 3 months away. Another fee will be assessed for the next service. He tells the guard he has 50 people at his plant right now ready to clean typewriters, and when he gets back, he has no work for them, so he will pay them their four hours Union wage for showing up and send them home.
The guard is really sweating now. He doesn't know exactly what to do, but he doesn't wanna find out he screwed up the company something fierce by keeping someone from doing their job, so he relents. He even helps load the truck!
We never saw those typewriters again.
The truck? Bogus plates. Plain white panel truck with vinyl stick-on lettering. Run of the mill truck. The guy even had shelves in it made in such a way that he could load it up completely full. Seeing how professionally the truck was equipped for the job impressed the guard and reassured him that everything was indeed on the up-and-up.
The forms? Yes, lots of forms! Every typewriter was duly noted on its own form... serial numbers and all! Obviously our con-guy had gotten hold of an inventory list, because every form indicated where the typewriter was. Why, even a copy of each form was left with the guard! The only traceable signature was that of the guard. There were other signatures on the forms, but no one ever found out who the actual signers were.
Come Monday, Management was very puzzled and disturbed over the missing typewriters... a little over a couple hundred of them. There were investigations. There were lots of phone calls to the non-existent phone numbers and people, and attempted visits to the addresses referenced in those oh-so-professionally done forms.
Yup, some clever guy invested in a couple hundred dollars worth of "movie props" and walked out with several hundred thousand dollars worth of nearly brand new IBM typewriters.
"Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
Social engineering isn't rocket science -- it boils down to exploiting the trust that exists between people. Smart-alec geeks and slashdotters seem to take pleasure in pointing out how stupid victims of social engineering are. Granted, many social engineering schemes are successful due to mere ignorance. But is it inherently stupid to trust people? Here's the problem: there are costs and benefits to an environment in which people don't trust each other.
Yes, this Israel fellow demonstrated very well what happens when people trust each other too much, but what happens when you take it to the other extreme? You end up with stories like Walmart, where employees are locked in to prevent theft and can't call an ambulance when the forklift rolls on them. Some might think that it's worth compromising on a theft rate of, say, .5% if it means being free of stifling bureaucracy and draconian security. Given that, trusting each other is a choice we make because the risks it entails are, on balance, worthwhile.
That's why, for example, hotels generally don't ask you to show ID when you claim you've lost your room key. If they did, they'd suffer more lost business than the cost of insuring against the occasional theft of a guest's belongings.
Everything is a compromise.
A con is an appeal to a person's estimation of you as a person. You want them to like and trust you.
Social engineering is appealing to a person's sense of obligation to serve another authority, and to seem the part.
You don't need to train everyone. You just need to train the people at the door. I believe Best Buy has practices which might be similar to what is necessary to deter such behavior, but I could be mistaken.
~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
I have been doing these security checks all over the country, and with the exception, of Cleveland, this place has the WORST security in the nation!
"The following article is NOT a textbook for stealing/shoplifting." :-)
So you think.
Property is theft.
What legislators and lawyers who write legislation do is social engineering. What people do to turn a guise of authority against members of some institution is as well. They're both wielding knowledge to control how society fails. (In the case of lawyers in legislatures there's more mysticism than knowledge, and Tacoma Narrows Bridge events are frequent, but they are trying to herd cats by the hundreds of millions.) A structural engineer can use some tools to put a building up, and others can use its mass to crush itself. A materials engineer can use his know-how to create a better armor, and another can use his to pierce it. An aerospace engineer can design a plane that flies beyond the reach of all surface to air missiles, and turn around and build a better missile.
is that a long-lost Frank Zappa track?
that's obscure
If you're interested in social engineering attacks(and how to defend against them), Kevin Mitnick's The Art of Deception is a must-read. The book is all about the human-shaped holes in security systems, and has almost nothing to do with computer-based hacking. The example security policies at the back are worth the price of admission - and the book's war stories make it easy to explain why these procedures are necessary.
We are a small company and we know everyone who comes in and out of the office. If we don't, we don't let them too far past the front counter. But that is also because we fix our own stuff and we only let employees into where the expensive stuff is. But doing subcontracted calls for other companies, I get to walk into a company saying I am from a company that I don't work for, then I fix their gear, then leave. Sometimes if there is a major problem I take the gear and bring it to the office. Now that is fine because I am doing my job and once the stuff is fixed we return it. But the level of trust in the companies that don't ask for ID... even if they did, it doesn't help much, because they rarely record it. So the truth is that there is not much that can stop me or anyone else from leaving with thousands of dollars of gear. Plus if it is heavy the manager will help me out by giving me an employee or a hand truck to move the gear.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
But it sure reminds me of Castle Wolfenstein.
Sure they asked for papers, but you could always bribe them with a few marks, shoot them, or throw a grenade at a wall.
The issue of social engineering is taken so seriously here that there is a dedicated team whose job it is to attempt to compromise the network by any means possible. Their electronic attempts are generally significantly less successful than the attempts that include a human element. Because this is a large scale organization with multiple shifts of employees that rarely overlap, seeing strange faces is par for the course. The "red" team takes advantage of this during shift turnovers, and will attempt to follow people through passcode protected doors and use a USB flash device on an unlocked workstation once inside to compromise the network. We as employees are told to challenge anyone who passes a secured doorway without keying in, and lock any unlocked workstation we find (or report it to security).
Overall, I would say our electronic countermeasures are significantly more successful at defending the network than our human ones, so the security team takes social engineering very seriously.
Social engineering is fun.
:)
;) )
It's even more fun when others don't notice that you are on to them and feeding them complete bull.
(from MSG)
'Isn't that that guy, from that other network? The script kiddy?'
'Yes.'
'the one that tried to hack you.'
'Yes.'
'And you are talking to him?'
'Yes.'
'WHY?'
'Shh, watch. :)'
(In chan, after some yacking about and playing stupid, he was posing as a billing person from my ISP)
'Oh, you need my new credit card info for that. let me msg it to you.'
'ok.'
(later, after he left)
'WTF! You gave him a CC number?'
'Yeah, of an old card.'
'I don't understand.'
'The card was reported stolen a year ago.'
'Yeah...okay..so, it won't work.'
'No, it won't, but guess what happens when you try to use a *stolen* credit card?'
'......'
'OHHHHH!'
Hee!:)
My new top secret key -> C>N|KB
If you pay someone $6 an hour, do you really expect them to be vigilant defenders of company property?
We recently had an internal discussion of how to reduce theft in the company - we are a retail group and often there's thousands of pounds worth of sports gear etc. parked temporarily in corridors. One of the astonishing revelations was that a large percentage of the theft had to be internal! Our own staff were stealing from us!
After a lot of hand-wringing and head scratching we concluded that the reason they are stealing is because they feel that at $6 an hour, the company is stealing from them. Senior execs were not prepared to negotiate a rise in the shop-floor staff wages, so we took the strategic decision to drop the whole issue.
Not really a difficult conclusion, just an unpalatable one.
"It's not your information. It's information about you" - John Ford, Vice President, Equifax
At my uni you didn't even have to resort to social engineering to get the basics. All you had to do was show up at the finance office for your student loan.
They made everyone sign next to their name on a big printout that sat close to the counter. This was in surname order, but also contained forenames, date of birth, matriculation number, department, and a couple of other bits and bobs.
Which was great. Especially given that the network user IDs all took the form [first initial][last initial][matric no].[department code] and the default password was the date of birth.
As far as I'm aware, this wasn't used for anything beyond "I don't like Bob, log in as Bob, look at doggy-porn, print doggy-porn, log off, run" - which would still be pretty bad news if you were Bob. But it would have been so easy for anyone with even more malicious intent to take a few pages of the printout and use it to extract even more personal information.
Scary, really.
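The scheme in the post above (username derivable from a roster, date of birth as the initial password) is the kind of thing an administrator can audit without ever seeing plaintext passwords. The following is an added example, not code from the post or the university in question; it assumes a hypothetical salted-hash password store, a constructed roster, and a guessed set of date formats the provisioning system might have used, and it reports which accounts have never moved off the default.

```python
import hashlib
import hmac
import os
from datetime import date
from typing import Dict, List


def expected_username(first: str, last: str, matric: str, dept: str) -> str:
    """Username under the post's scheme: initials + matric number + '.' + dept code."""
    return f"{first[0].lower()}{last[0].lower()}{matric}.{dept.lower()}"


def dob_candidates(dob: date) -> List[str]:
    """Spellings of a date of birth a provisioning script might have used as the
    default password. The post does not say which format was used, so this
    checks several (assumed list)."""
    formats = ("%d%m%Y", "%d%m%y", "%Y%m%d", "%d/%m/%Y", "%d-%m-%Y")
    return [dob.strftime(fmt) for fmt in formats]


def hash_password(password: str, salt: bytes) -> str:
    """Hypothetical store format: hex SHA-256 over salt || password.
    A real store should use a slow hash (bcrypt/scrypt/argon2); the audit
    logic below is the same regardless of the hash chosen."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def on_default_password(record: Dict[str, object]) -> bool:
    """True if the stored hash matches the user's DOB in any candidate format.
    Only the hash is compared, so the audit never recovers a changed password."""
    salt = record["salt"]
    stored = record["password_hash"]
    return any(
        hmac.compare_digest(hash_password(candidate, salt), stored)
        for candidate in dob_candidates(record["dob"])
    )


def audit(records: List[Dict[str, object]]) -> List[str]:
    """Return usernames of accounts still on the date-of-birth default."""
    return [r["username"] for r in records if on_default_password(r)]


def make_record(first: str, last: str, matric: str, dept: str,
                dob: date, password: str) -> Dict[str, object]:
    """Build one stored-account record as the hypothetical system would."""
    salt = os.urandom(8)
    return {
        "username": expected_username(first, last, matric, dept),
        "dob": dob,
        "salt": salt,
        "password_hash": hash_password(password, salt),
    }


# Constructed sample roster; names, numbers and dates are invented.
SAMPLE_ACCOUNTS = [
    # never changed from the default, DDMMYYYY form
    make_record("Alice", "Brown", "123456", "CS", date(1984, 3, 7), "07031984"),
    # never changed from the default, DD/MM/YYYY form
    make_record("Bob", "Smith", "234567", "EE", date(1983, 11, 21), "21/11/1983"),
    # user picked their own password
    make_record("Carol", "Jones", "345678", "CS", date(1985, 6, 1), "correct horse battery staple"),
]


if __name__ == "__main__":
    for name in audit(SAMPLE_ACCOUNTS):
        print(f"{name}: still using date-of-birth default password")
```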
He would walk into a store, pick up a box with say a microwave... open it and head towards the returns department and get credit/cash on it. I also witnessed him walk out of a store with a shopping cart full of groceries without paying... no freaking clue how he pulled that one off. He just said it was all about confidence.
They can try to change everything they like, but I know who they are talking about. This story is about Walmart. Having worked for them at one time in their electronics department, I can tell you this level of ignorance is the rule and not the exception.
I remember that people returned a VCR in an Xbox box, bricks in a TV box, ran out the door with computers, and the list goes on. Most of the time when I was working we caught these people, or didn't because I couldn't find a manager fast enough to stop them (you as an employee weren't allowed to confront them). Also I remember an incident where 10 people distracted every employee on one side of the store and made off with $8000 of printer cartridges (the cartridges were on anti-theft peghooks too). There were days I was expected to watch 4-5 departments by myself, basically 1/3 of the store, and there were many thefts.
I was actually fired for speaking up about it. Oh well not my problem now.
A Fatal OE Exception has occurred, Sig will now reboot.
Can you social engineer your way to getting tech support at Dell???
And yet his total take was a meager $3500, offset by the very real risk of arrest and imprisonment. To make criminal behavior like this truly worthwhile, one would have to consistently defraud the target retailer of much more than the above amount.
People rob liquor stores for $100 and some Boone's Farm. Those aren't sustainable crimes either, yet they happen all of the time in every city around the world.
He's not saying it's a perfect crime, he's just saying that on the scale of crimes, it's way above the liquor store holdup in terms of the risk/reward payoff, and it's a very real risk for the stores involved.
What's your damage, Heather?
I'm sorry, but I fail to see how it is bad that people are trusting and helpful. Apparently, stuff gets stolen infrequently enough this way that people can afford to be trusting and helpful--otherwise, the employees would already be more careful. OTOH, if someone in "Vernstown" is really waiting for his five computers and isn't getting them because some employee forgot his badge, the business may be in trouble--the customer doesn't give a damn why he isn't getting what he ordered, he just knows the products didn't arrive when promised.
There may be procedures that you can follow that avoid this sort of social engineering and still let the business function--but devising them, implementing them, and training the employees for them has its own costs. A phone call would have done the trick in this case and may have been prudent, but getting each employee to remember to make the phone call is difficult. Employing a separate person keeping track of everything that leaves the store and asking the right kind of questions would be better and ensure that only one person was distrusting, but it has an obvious cost--another salary to pay.
Efficient businesses need a lot of trust and initiative on the part of employees. If you try to make this kind of social engineering too difficult, you may be preventing more thefts, but you also may be preventing your business from working. Given that this was demonstrated through a staged theft, it seems like the real thing is happening rarely enough for employees to be aware of it; this sort of thing is self-limiting--once the first real theft like that happens, people become less trusting automatically--with all the costs that that entails.
There are no easy answers--in some environments, you just have to bear the costs that come with increased security--but one also shouldn't automatically assume that it is automatically better to adopt business procedures that prevent loss or theft.
That's why, for example, hotels generally don't ask you to show ID when you claim you've lost your room key.
I used to travel a lot for work, and I've been to a lot of hotels, all over the country. All hotels nowadays use swipe cards or something along those lines, and if you lose your card, yes, you show ID to get back in. I've lost my card on a number of occasions (usually only to find it later hidden in the depths of my wallet) and they *always* prove that you are who you say you are. Some places are satisfied with a driver's license, but some require you to show the credit card you used to pay for the room, so they can compare the numbers in the computer to the numbers on the card.
Maybe if you stay in a place that allows non-credit card transactions, but I haven't seen a place that'll take cash for a hotel room for years and years...
- Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
Funny you should mention it, but a large Sun server (about 300,000 Euros ) "disappeared" from our loading bay recently. It's that heavy that it would take 2 or 3 men, and a van to move it. Apparently all the cameras "work", but there's nothing on them. Weird that.
Posting anonymously to avoid embarrassing the company.
Big computer trade fair in Germany. Big three letter US computer company.
Right after it is over a big truck pulls up, a couple of people get out and start loading everything (computers, decoration, even prototypes and engineering samples) onto the truck. Everybody helps them. Some paperwork and inventory is checked. They leave.
30 minutes later the real truck arrives...
Israel may have done a slick job at getting the computers out of the warehouse, but I wonder if he would be so good at social engineering if he was trying it at a place he didn't work for. Knowing all of the procedures and stuff definitely helps.
Not that you don't have to be aware of employees or ex-employees who are trying to game the system, but being able to SE someplace you're familiar with is an order of magnitude easier than trying to scam someplace else, because you know all the right internal buzzwords and procedures.
Cheers,
=Blue(23)
LITTLE GIRL: But which cookie will you eat FIRST? C. MONSTER: Me think you have misconception of cookie-eating process.
My wife's stepfather is a classical violinist. He tells us that he played for the BBC after the war. They used to have two studios, and would sometimes move a Steinway grand piano from one to the other.
One day a couple of guys turned up to move the piano to the other studio. It was never seen again.
Now this happened at a company I used to provide tech support for, and it just goes to show you how your average person doesn't care the slightest bit about security:
I needed to do something in someone's account and didn't know their password. I also didn't want to reset it in the server because then I'd have them calling me saying the computer didn't work or whatever. So I thought of asking the guy working across the cubicle from where I was, not really expecting a reply:
"Say, you wouldn't happen to know this guy's password would you?"
"Well no... but wait a second.. *shouting across to another cubicle and whoever was willing to listen* HEY, DOES ANYONE KNOW DAN'S PASSWORD?!"
"*reply from somewhere* YEAH SURE, IT'S '34567'"
I wanted to bang my head against the desk and strangle the bastards. One *could* enforce a password policy, but that would just make people keep their passwords in a yellow sticky note on the computer screen. One *could* try and educate people it's not a very good idea to share passwords among themselves, but that would just make them go behind your back. One *could* try to explain why they just spent $5000 in server software so that everyone could have clearly defined privileges, but they'd just ignore you and head for the water machine.
My point being, of course it's easier to social-engineer your way somewhere because quite frankly people just don't want to go to any great efforts to protect their network/office/whatever.
Your average office worker's idea of a disaster is when someone spills the coffee before anyone has had any in the morning.
After reading about stuff like this, I feel empowered and justified to never have any kind of unjust run-in with any less-than-ethical coworker or supervisor looking to gain by hurting others and putting them in unjust situations.
The ability to talk your way out of anything, ESPECIALLY when you actually haven't done anything wrong, but are being used as a scapegoat or a target to help someone else look good, or say, for instance, in a situation where you may be eventually threatening your manager's job or competing with someone for a promotion; things like that.
It's very refreshing and empowering to realize that any pressure that you feel is probably there because you are putting it on yourself, or are in some way contributing to placing yourself in a position where you are allowing others to place pressure on you.
It's really about what's right and what's wrong; and the right thing to do is to do good work, to be effective and to do things right; to respect yourself and those around you. Seeing through other's motives, or ignoring their confused senses of right and wrong in order to protect that respect, and to protect that sense of right and wrong, enabling yourself to continue to do good work for the right reasons, and to avoid pressures and lies and half-truths that represent a generic methodology or philosophy that many employees could care less about working or not working, these are the right things to do.
It seems that you really need a kind of social engineering in order to continue respecting yourself and those around you. That's the most important thing, to respect those around you. This social engineering comes across as respect, actually... the whole idea of being smooth under pressure. Applying that to a situation where a manager may be looking for a reaction from you, applying that to a situation where you, as an employee, may not feel quite so respectful, really just shows that remaining courteous and respectful will basically allow you to get away with anything (especially if that something is nothing), so in that sense, remaining courteous and respectful even when you are in a situation where there is an unjust attempt to elicit a negative response, using social engineering will allow you to remain respectful towards yourself and respectful to those around you. You can use it for bad, but you can also use it against bad, for good. On top of everything else, the unjust individuals will never know what happened to them, which is, in a sense, a way of bringing those who have not realized the importance of respecting others to a type of silent justice.
After I got my bachelor's I took a temp job with a caterer, just picking up stainless chafing tables and the like.
One assignment was cleaning up a Christmas party at a big pharmaceutical company. While the guards were carding employees, they let me drive unasked onto the factory grounds in my unmarked van. I drove to the building, wandered around until I found my department, carted it into the freight elevator and loaded the van. This stuff was in boxes used for antidepressants. I walked through the warehouse that cached these antidepressants. I could have taken a few extra boxes.
NO ONE questioned me. Then again, I have ordinary looks and a casual air.
I was soon hired by this same company to do real work. I snigger at the security precautions.
Now I doubt that I made it clear that this is the linked article, not one of my own experiences. Hopefully his site holds up and this is irrelevant and modded Troll.
Etc, etc, ad nauseam, and so on and so forth.
If he's talking about WalMart, they catch stock shrinkage within a few days, even for nickel-and-dime stuff. The video would have identified him. Fred was probably fired. Cameras are everywhere but the crapper, but the aisles into the crappers are videoed to death.
Where WalMart loses it is with the outbound greeters, the staff watching the exit. Once a thief gets to the parking lot, it's theirs. Only the police can touch them, and by the time they respond the stuff is long gone.
Seems to be working great here. It's the american way.
I've been told that if a business in this state has security tapes, there is a retention time of > months and months, if not years, required by law.
This was the stated reason for not putting in cameras. The video retention required by law was burdensome.
Assembly is the reverse of disassembly.
maybe I'm just in a bad mood but that guy seems to really enjoy being a smartass and getting people in shit. I hope one of the employees he dupes socially re-engineers his teeth next time.
I'm studying abroad in China and that's how things work here. It's really annoying. Every time I bring a friend to my dorm room I have to spend five minutes filling out a complicated visitor registration form and showing ID. I could see the point if my friend was a stranger, but I've been living here for four months and the security guards already know my best friends by name, since they visit every single day. But their orders are to follow visitor registration procedures blindly without thinking, thus anyone that they can recognize as a non-resident must register on entry.
The really silly thing is that these rules don't prevent unauthorized entry at all. There are simply too many people living in the dorm for security to memorize them all, so most visitors walk right in without bothering to register. Only the most frequent visitors, which are probably the lowest security threats, are actually forced to waste time registering.
From this experience I can definitely see that blindly following a set of procedures to thwart social engineering is not necessarily the way to go, and can actually weaken security. Plus, I've found that such suspicion doesn't make for a very nice living environment.
Manufacture in China
When I was in college, two of my fraternity brothers made it a game to try and walk out of stores with ANYTHING. The bigger the better.
So one day they decided that they needed to snag a canoe from Sears. They walked in and waited until no one was looking and grabbed a canoe and headed for the door.
As they got near the door, a clerk stopped them and said "Excuse me, did you pay for that canoe?"
"No, we're just walking out the door with it!" they responded sarcastically. The clerk backed off and held the door open for them as they left.
When RFID tags are put on expensive stock, then each authorization can be linked to the tag. When the stock is seen leaving the building (warehouse or retail store), the event can be correlated with the authorization (purchase or transfer authorization). No match, ring the alarm bells. This reduces the need of people to be a pain in the ass to each other. The reduction of trust of each other really sucks. -aggles
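The correlation the comment above describes, as an added example that is not code from the thread or from any vendor: every exit-reader event is matched against a live, unused purchase or transfer authorization for the same tag, and anything unmatched is an alert. The tag ids, reader names, timestamps and the two-hour grace window are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample data: tag ids, reader names and timestamps are
# hypothetical and not taken from the thread.


@dataclass(frozen=True)
class Authorization:
    """A purchase or transfer record that entitles one tagged item to leave."""
    tag_id: str
    kind: str                 # "purchase" or "transfer"
    issued_at: datetime
    valid_for: timedelta = timedelta(hours=2)   # assumed time allowed to reach the exit

    def covers(self, when: datetime) -> bool:
        return self.issued_at <= when <= self.issued_at + self.valid_for


@dataclass(frozen=True)
class ExitEvent:
    """One read of a tag by a reader at a door or loading dock."""
    tag_id: str
    reader: str
    seen_at: datetime


def find_unauthorized_exits(events, authorizations):
    """Return exit events with no live, unused authorization for their tag.

    An authorization is consumed by the first exit it covers, so a tag that
    leaves twice on one purchase alerts the second time. Expired
    authorizations and tags with no authorization at all also alert.
    """
    by_tag = {}
    for auth in authorizations:
        by_tag.setdefault(auth.tag_id, []).append(auth)
    for auths in by_tag.values():
        auths.sort(key=lambda a: a.issued_at)

    consumed = set()      # object ids of authorizations already used by an exit
    alerts = []
    for event in sorted(events, key=lambda e: e.seen_at):
        match = next(
            (a for a in by_tag.get(event.tag_id, [])
             if id(a) not in consumed and a.covers(event.seen_at)),
            None,
        )
        if match is None:
            alerts.append(event)
        else:
            consumed.add(id(match))
    return alerts


T0 = datetime(2024, 1, 1, 9, 0)

SAMPLE_AUTHS = [
    Authorization("TAG-001", "purchase", T0),
    Authorization("TAG-003", "transfer", T0 - timedelta(hours=3)),     # expired before the exit
    Authorization("TAG-004", "purchase", T0 + timedelta(minutes=5)),
]

SAMPLE_EVENTS = [
    ExitEvent("TAG-001", "front-door", T0 + timedelta(minutes=10)),   # covered
    ExitEvent("TAG-002", "front-door", T0 + timedelta(minutes=12)),   # no authorization at all
    ExitEvent("TAG-003", "dock-B", T0 + timedelta(minutes=15)),       # authorization expired
    ExitEvent("TAG-004", "front-door", T0 + timedelta(minutes=20)),   # covered
    ExitEvent("TAG-004", "dock-B", T0 + timedelta(minutes=25)),       # same tag again: already consumed
]


def alert_tag_ids(events=SAMPLE_EVENTS, authorizations=SAMPLE_AUTHS):
    """Tag ids of the unauthorized exits, in time order."""
    return [e.tag_id for e in find_unauthorized_exits(events, authorizations)]


if __name__ == "__main__":
    for e in find_unauthorized_exits(SAMPLE_EVENTS, SAMPLE_AUTHS):
        print(f"ALERT {e.seen_at:%H:%M} {e.reader}: {e.tag_id} left with no matching authorization")
```

The one-authorization-one-exit rule is the part worth keeping in a real deployment: without it, a single receipt would let the same tag (or a cloned one) pass the reader any number of times.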
As of 9:30AM, the site is DOWN!
Not the best testimonial for an anti-/. capability.
Truth isn't Truth - Guliani
RICKY: Hey, how's it going? I just need this table here... ... just let me call my supervisor please.
WORKER: Uh wait.. we're just about to start a production meeting.
RICKY: Yah I know, there's new furniture coming here in about 5 minutes. I'm just going to take this stuff.
WORKER: Uh just
RICKY: Actually I'd love to, but we need this phone, so sorry about that.
--
Hilarious.. here's a torrent.
It's working for me just fine.
Good story, kinda reminds me of a couple of my past experiences.
Just out of High School I'm a gofer at a major chain hardware store, it's holiday season (without a doubt, best time to social engineer) and because it's so busy, I'm stuck helping load customers vehicles with bulk merchandise at a usually closed side door.
A guy backs a station wagon up and comes up to me (the youngest looking employee in the store) waving a "receipt" and saying he's here to get his pallet of Presto Logs. So being young and dum... errr... I mean, eager to help out, I went over to my very busy "dickish" "boss" and asked what to do, his curt reply was "Get him the logs, I'm busy.", and then he rapidly walked away toward the front of the store.
So I got a pallet jack and moved a whole pallet of Presto logs across the whole store to this side door, and proceeded to load up his station wagon till it was sagging badly in the rear, but I got 'em all in.
The poor guy was in a BIG hurry because his wife was at another store and he had to go get her since her car had broken down, and he had a bad back so he couldn't help me load the boxes of "logs", but I loaded that whole pallet of "logs" into his station wagon in record time.
And not 30 seconds after he drove off, another guy drives up in a pickup truck wanting his pallet of Presto logs!
Well, I had just loaded up the last pallet of Presto logs...
That's when I knew I'd been had...
Luckily, I'd asked my loser boss, and he had to take the heat, but that was a BIG lesson for me in Social Engineering.
Move ahead several years to 1977, I'm working for a private interconnect (TELCO) company in SillyCon Valley. We don't have company uniforms, or even name tags, really low budget, but we do have tool belts and butt sets (lineman's test set), we had to buy those too.
So I'm one of the company's troubleshooters and we had many high tech clients, one of which is where I was making some changes to the state of the art TDM PBX our company sold and installed. (Waaaay better than anything MaBell had at the time. Merlins... what a joke.)
My boss (a "real" boss, yaaaa.) arrived unexpectedly to give me some good news (a raise!) and as we were leaving the building I joked that I could go anywhere I wanted with only my toolbelt and buttset.
My boss gave me the look and then smiled and said "no way".
Mistake...
We happened to be in a large room full of desks looking at a wall of glass, behind which was the computer room, you know, raised floors, BIG banks of BIG six foot tall computers with BIG reels of tape slowly spinning away, heavy duty air conditioning, guys in white lab coats! The whole deal. And the only door in/out was protected by an armed security guard.
Nobody had noticed us yet as they were all busy doing their jobs, and I looked at the computer room and said to my boss "Wait here and watch." He got an unsettled look on his face but didn't stop me as I calmly but purposefully walked straight toward the door with the guard.
I noticed that the guard was alert and saw me coming, so I was all ready to talk my way into the computer room, but as I got close enough to talk, he just opened the door for me! I said I needed to check out something and would be right out as I was calmly (yeah, right!) walking by him into the "secure" computer room.
The white lab coat guys totally ignored me even though there were NO phones in that room! I walked through the whole large room, looking at all the cool computers and stuff and attempting to look "official".
I finally got my fill of sightseeing and went back to my boss, who by now was angry at me, but I pointed out that no harm was done, and I had made my point to him. He forbade me to ever do it again, anywhere, but when we got back to the shop I was a big hit for my "ballsy" behavior and he was bragging about it and laughing like crazy.
Yeah... social engineering... it can work.
If the minimum wage plus a couple of bucks guard can prevent the blustering VP of Operations who forgot his security pass from entering the building WITHOUT repercussions AND the guard knows it; you have a chance of social engineering not working.
There's a probably apocryphal story of one of the von Siemens being stopped from getting into one of their own buildings by some old German guard. The punch line is the old guy saying "Yes, I admit you LOOK a lot like von Siemens and you PROBABLY are von Siemens but without papers you are not getting into this building". von Siemens thought about it for a while, settled down and gave the old guy a big bonus. The story was passed around to everyone as how security should be done.
Couple of guys show up in a white van. Go into the school and start loading up some rather valuable antique wooden chairs.
Student arrives. 'Can I help you take those chairs out?'
A couple of students helped the criminals load up in double-quick time. Needless to say, several thousand quid's worth of chairs were never seen again.
Fuck you.
I would be angry with this guy too if I was an employee of that business. Everyone already knows that people can get away with this kind of stuff, and it doesn't take anyone cockily calling it "social engineering" to change that. James already knew that people could steal shit if they wanted.
between these 'test' penetrations and journalists writing articles is the consequences of failing, i.e., getting caught. If the manager of the store got suspicious of the guy with the pallet of PCs and nabbed him and held him until police arrived, they would just say it was a security check, good job, and go on. However, for a real criminal the stakes are much higher, and sometimes they can get nervous and give themselves away, or not have as much chutzpah to begin with.
try { do() || do_not(); } catch (JediException err) { yoda(err); }
Fred? Is that you? Hope you didn't get fired.
I had a friend who worked part-time at Home Depot. He told me a story from a couple of years back where a similar thing happened. A guy walks in with a Home Depot vest on, grabs a pallet jack from the back and loads up a pallet of generators. He walks right out the door with them saying he was picking them up for transfer to another store some miles away. Of course, they never saw them again...
Your story raises a side question. Is it wrong to work more than one job? Especially in this economy.
Thieves and fraudsters have been stealing from shops and workplaces since way back when. In what way is this relevant to a news for geeks site?
How many people would appreciate a society where this type of act (any social engineering for large value crimes) was impossible? I was wondering if that would mean fingerprint readers and badges for everyone, everywhere, all the time. Wondering also if a nearly perfect solution would be to never trust anyone without (and reading it first) paperwork. Comments?
Unless your workplace is security-friendly with respect to this, I strongly suggest that you report vulnerabilities like this anonymously.
:/
It's just not a good idea to do otherwise, since people will start to trust you less (even though you're trying to help them...) and you could easily wind up being a suspect should anyone else discover and exploit the flaws you found...
And yes, I've submitted pretty much all of the vulnerabilities I've found anonymously. You do have to follow up to make sure they don't ignore it, however.
Article mentioning 50% of people not noticing that they're talking to a different stranger after being interrupted.
Anyway why it's easy:
1) Most people are trusting and not paranoid.
2) Most people are too busy doing their main jobs.
3) Most people aren't observant.
4) Most people aren't very smart.
5) It's hard to be polite to people especially customers while at the same time be suspicious/wary of them. For most businesses it's better to err on the side of politeness. Let insurance etc take care of the other stuff. Remember if customers don't buy anything coz you pissed them off, the creditors come and take everything
6) High staff turnover is bad for security - makes things even harder - as a worker you can't stop every new face you see whilst trying to get your job done so that you don't lose your job. By the time you get around to training newbs about security they're already on their way out - you're lucky if you even managed to finish training them how to do their main jobs.
7) The people who aren't easily fooled aren't cheap and plentiful. Plus they probably got sacked or changed jobs coz they weren't easily fooled by management
Did the security guard get fired?
A couple months back I bought a couple DVDs from Future Shop - Yes, I paid for them - but the de-magnetizing thing didn't do its job.
Walked through the door - Alarms went off - but just for the hell of it I kept walking like I didn't notice (Yes, I DID pay for everything). Just one of those things where you want to see what happens.
Both sets of automatic doors still opened for me, I think I heard one clerk yell out "Sir! Sir!", and that's it.
Calmly walked through the parking lot, nobody followed me.
Even went back to the very same shop the very next day to pick up a PS2 game, and nobody said shit to me.
...Also, I didn't know Buggalo could fly.
After dealing with my cable modem connection being flaky for months and no one doing anything about it, I got fed up. From the looks of traceroutes and pings, it looked like a router 2 hops past me either had a flaky interface or one of the links was being saturated.
I ended up finding a phone number for the NOC at the ISP, and getting the person on the phone to believe I was a tier-3 support guy and needed him to log into a router for me and take a look at the interfaces on it. Turns out one of the interfaces was flaky and my problems were fixed within a couple of days.
Sometimes the only way to get things done is to bluff your way around.
Where I grew up, no one locked their doors, and garages stayed open even when people went out to the store. Did people loot? NO! Such an act would be so immoral it would be unthinkable.
Just because some asshole can convince a store owner that they can carry a bomb inside doesn't mean all stores should start searching people the way they do in airports.
Rather, teach people stealing is bad, and set community standards that discourage lying scammers that try to steal from stores and that try to sell them "security" from made-up problems.
This guy's FUD is going to destroy that community.
Sometimes I have to wonder what could happen if I were a malicious individual.
Things that tend to happen:
1. I wear my ID with blank side showing. I get asked for help in any store, regardless of whatever uniform standards in place. If qualified, I generally will assist, but then people are surprised to find out that I don't work there.
2. I am in an automotive dealership (not exactly a very innocent place). I need to copy a few dozen pages from a service manual. I ask where I can do it, and I am advised to use the copier in the showroom. Now, this is a networked copier that also happens to be the printer for ALL customer paperwork (credit apps, driver licenses, insurance cards, you name it) that's associated with a vehicle sale transaction. Now, I basically monopolized the copier for over 40 minutes, and I was asked if there is something wrong with the machine and what would it cost to have it moved away from public sight by the dealership's GM. At this time, I was wearing my usual generic logo shirt and a blank ID. I explained I wasn't there to service the machine. I also advised him of this risk. The risk is simple - sniff the network and an access point.
I can't count how many times I walked into restricted areas by mistake and never got asked any questions. The logo gear I wear can be purchased from any corporate store on the web that allows its customers to promote the company by wearing its logo on a hat and shirt.
The public is conditioned to a white piece of plastic and any logo as a universal access device.
The world is really lucky I am not malicious.
At MSOE ~10 years back, all student accounts on the unix system were generic named sequentially numbered usernames. They might have been student ID#'s, I can't remember. The default passwd was supposed to be the student's SSN
Except, someone was too lazy to enter in thousands of SSNs for default passwd. (at least that's what I figured)
Want another account? Find someone unlikely to use theirs and just hit enter for the password on your first login. Then change the passwd and the username to something better, or leave the name as-is to be more stealthy.
I think this DEC OSF unix box was named Odo or Obrien, I know it wasn't Picard which was VMS.
"NightStalker"
Shout out to Jason, Ray, and Phill you little OS/2 geek - thanx for loaning me that linux distro way back then, MS windows has yet to return...
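The failure in the MSOE story above is accounts handed out with an empty password field. The audit below is an added example, not code from the thread or from any system it mentions: it parses shadow-format records and reports every account whose password field is empty, separately from accounts that are locked or have a real hash. The usernames and hash strings are constructed.

```python
# Constructed sample in /etc/shadow layout (user:pwfield:lastchange:...).
# Usernames and hash strings are made up; they are not from the thread or
# from any real system.
SAMPLE_SHADOW = """\
# user:pwfield:lastchange:min:max:warn:inactive:expire:reserved
root:$6$c0nstructed$notarealhash:19700:0:99999:7:::
s1001::19700:0:99999:7:::
s1002:$6$c0nstructed$anotherfakehash:19700:0:99999:7:::
s1003:!:19700:0:99999:7:::
s1004:*:19700:0:99999:7:::
s1005::19700:0:99999:7:::
"""


def classify_password_field(field):
    """Map the password field of a shadow/passwd record to a risk class.

    empty  -> pressing Enter at the password prompt succeeds
    locked -> "!" or "*" (or a hash prefixed with "!"); no input can match
    hashed -> a real hash is set
    """
    if field == "":
        return "empty"
    if field in ("!", "*") or field.startswith("!"):
        return "locked"
    return "hashed"


def parse_shadow(text):
    """Yield (username, risk class) for each record, skipping comments and junk."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue          # malformed line: skip it rather than abort the audit
        records.append((fields[0], classify_password_field(fields[1])))
    return records


def find_empty_passwords(text):
    """Usernames that can log in with no password at all."""
    return [user for user, cls in parse_shadow(text) if cls == "empty"]


def summarize(text):
    """Count accounts per risk class."""
    counts = {"empty": 0, "locked": 0, "hashed": 0}
    for _, cls in parse_shadow(text):
        counts[cls] += 1
    return counts


if __name__ == "__main__":
    print("accounts with empty password:", find_empty_passwords(SAMPLE_SHADOW))
    print("summary:", summarize(SAMPLE_SHADOW))
```

On a real host the input would be the contents of /etc/shadow read as root; the point of keeping "empty" distinct from "locked" is that both look like "no hash" at a glance but only one of them lets anyone in.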
Could a total stranger walk out of your business with thousands of dollars in merchandise without your knowing?
Let's ask Kevin.
Rich people don't have to steal so they can decide to follow their morals. When you cannot afford a computer and you really need one, why not steal it? This is survival of the fittest, steal or die.
People don't exist to serve systems, systems exist to serve people.
When you assume humans can be trusted you are going against human nature. Any security system should assume by default that no human can be trusted. Capitalism is working because it goes with and not against human nature. Security can only work when you calculate human nature into the equation. Humans are selfish, greedy, and untrustworthy/dishonest by nature. Design systems which assume this from the beginning and security works.
People don't exist to serve systems, systems exist to serve people.
...except for the camera angle. but all in all, smooth.
Funniest one I ever read about was the phony night deposit box. All official looking, placed next to the bank's night deposit slot, with a BROKEN, DON'T USE sticker taped over the real one. The thing sat there until it was stuffed, lotta bars and restaurants etc. stuffing it in after closing time. The perps were rolling it into their truck in the early AM (they had guard uniforms on), and the real cops show up and HELP THEM LOAD IT UP.
Hit Canadian show Trailer Park Boys where they do this to a government building
... this reminds me of a number of NYT articles by a Pulitzer Prize-winning former journalist.
This sounds great, just the perfect amount of detail, some "sorry, can't give you some details because I don't know", and what not.
Can anyone check this article out? Or do we all, unanimously, believe it true, because it has to be true, because it meets our deepest suspicions, because the author uses all the right phrases?
But the world is probably safe: Somehow good social skills and good technical skills are mutually exclusive...
Actually, those removed from a situation are best able to observe it. Kids learn the 'social tricks' instinctively, to the point where even they don't know what they're doing. Outcasts have to play catch-up with their peer group. They tend to socialize with knowledge rather than instinct.
The asshat at work, if I see him approaching and I don't want to speak with him, I initiate the conversation with his catchphrase, "Hey, What's up?" It throws him off, because he's unused to dealing with people without it. (Yes, sometimes I see him bluescreen and reboot. It's interesting, mid-conversation and he'll ask me what's up after we've covered it.)
If you're running on instinct, you'll never notice it, but if you're running on knowledge instead, you can spot patterns of human interaction. And you can use them to your benefit.
Distract the boss so he forgets you made a mistake yesterday. Come in late on purpose and get yelled at, in order to avoid a bigger punishment that should have taken place at that time.
The only catch is, you can only dazzle someone with bullshit for so long, before they catch on. With hacking style social engineering, you can. However, with office politics, I've taught myself to avoid manipulating people for my benefit, in order to avoid a situation down the road.
The reason they check your purchases is to check up on the cashier. A crooked cashier could easily fail to scan items for confederates/friends. Or ring them up as something far cheaper, so that hard drive which should have been $100 gets rung up as a $1 battery. Someone looking from a distance would see what looked like a real transaction. Crooked employees are the cause of around half of all retail losses. This is the same reason for the black glass panels above cashiers in supermarkets. Take a look up next time you shop. For some psychological reason, people won't look up. And why there is commonly an LCD next to the scanner that is placed to show directly upwards. It is not for your benefit, it is for the benefit of the video camera behind the black glass. Social engineering works because no one can know all the rules. Especially when the managers change them on a whim. And when the penalties for failing to follow a rule are totally capricious.
I also "don't get it". If slashdot links to an interesting article on some dude's site, and I go read the article, why the fuck should I care about checking out all the other useless crap on the site that isn't necessarily of interest to me, like pics of the guy's gf or his blog or whatever? That's just stupid. You think everyone here has time to not only read all the /. headlines, but all the linked articles, AND all the other resources on all the sites with those articles? WTF should anything other than the linked article interest me?
So you go on ahead and don't just "surf the front page", whatever you think makes you "cool" on slashdot and superior to your other slashdotters. Creeps, that's sad.
How exactly would you get into a good university without a computer?? What if you have kids and you want them to actually go to a real college instead of a community college? A computer is a requirement if you want to be an elite student.
People don't exist to serve systems, systems exist to serve people.
Personally I feel that the two concepts should be differentiated.
"Social Engineering" should refer to the engineering of a social network (eg. a bureaucracy, a stereotype, etc.)
"Sociological Engineering" should be reserved for engineering a society through reform of some sort.
ps. please excuse any spelling, grammar errors.
I work in security in a moderate sized high-rise filled with lawyers, stockbrokers, marketing firms, white collar stuff in general.
While it might be possible to have truly tight security, it isn't really practical the way things are set up.
First of all, there are often contractors going in and out of the building installing wiring, moving sheetrock, hauling all sorts of stuff in the freight elevator. A perfect example are window washers. They can get virtually anywhere. Janitors go everywhere when everyone is out.
People often don't look like the ID photos. People change their look, or naturally have a generic look about them. ID photos are often small and of poor quality. In a real security line with a guard checking IDs, people expect to get through quickly, and the management expects to get by with as few guards as possible. How would you feel if you're in line while a guard is carefully looking at IDs and faces? How would you feel if you were the guard with a line of people sighing and looking at their watches?
Security guards get fired because they try to do their jobs. Bosses get annoyed when they question someone who is "clearly OK" because they are well dressed, or pretty, or a member of the manager's family.
Employees get nervous about calling about a suspicious person. I've been called up to a floor to investigate a person nobody recognized using the company shower rooms. I knocked on the stall, and eventually figured out that she was a valid employee who usually works on another floor. Lots of people were embarrassed, even though they did the right thing calling security. The next time they see someone they don't recognize, they will, unfortunately, think twice about calling security.
If you want to rip people off, you can. Eventually you'll get caught, but if you do it just every now and then, you'll be fine with a little luck. You could have a very secure environment, but it would be expensive, and a miserable place to work.
This stuff happens more than you think. It's called a uniform job. They joke about it in the movies all the time, but it takes great skill and composure.
Just think about it, in an office if the main printer quits working, someone will call the help desk, who will (after rebooting stuff at random) call HP or Xerox to send over a repairman. The repairman is a stranger to the company, but since he's wearing an HP badge and is dressed like a repairman, he gets in real easy, maybe he just needs to know the name of someone on the inside to let him in. Then he can pretend to check things and a short time later he might conclude that he needs to "bring it in the shop". This stuff happens all the time.
Now if an imposter were to try this, and act his part well enough, he just scored himself a nice big office laser printer worth several thousand dollars. By the time the staff starts worrying about their printer's whereabouts he will be long gone and nobody will remember him.
-Billco, Fnarg.com
My brother wears his drug store shirt when he gets off work, and is often asked for assistance in the store from other customers when he stops in Rite Aid to buy something. He works for CVS, just as it says on his ID badge and shirt...
The lessons of history teach us - if they teach us anything - that nobody learns the lessons that history teaches us.