Slashdot Mirror


Social Engineering in the Workplace

An anonymous reader writes "Could a total stranger walk out of your business with thousands of dollars in merchandise without your knowing? Even worse, could they manipulate you into helping them each step along the way?"

20 of 316 comments

  1. Re:Yes it is by divine_13 · · Score: 2, Insightful

    The fact that someone once did it does not prove everyone else can do it.
    ;)

  2. Re:Yes it is by Dark+Nexus · · Score: 4, Insightful

    No, but that isn't what he was saying, was it?

    The fact that someone once did it proves that it CAN be done, and lends evidence that someone else can probably do it.

    There's a whole lot of space between only one person being able to do something, and everybody being able to do it.

    --
    Dark Nexus
    "Sanity is calming, but madness is more interesting."
  3. Human Limits of Security by Anarcho-Goth · · Score: 5, Insightful

    At the last company I used to work for they once showed us a video about the importance of information privacy, and how social engineering works. In this particular example, the person would have been caught right away because he was wearing a suit. No one wears a suit on our floor, unless they're having a job interview, or meeting with the executives or something.

    The reality is that most medium sized companies can be vulnerable to social engineering. In most cases the weak point in any security system is going to be on the human level. When you work with people you have to have some element of trust to make things more efficient.

    You might need a security badge to get by a security desk, and a key card to get onto the floor. But people sometimes lose their badges and keycards and will be let by just this once.

    If you can get into the cafeteria without any security stuff you can just go to lunch there for a couple weeks, get to know the names of people who work in the IS departments, and maybe even come across a dropped security badge. You can then forge your own to get to the elevators, and then wait for someone else to open the door to get by needing a keycard. (Assuming the badge you came across didn't also have the person's keycard.)

    Then getting information out might be easy. And at the company I used to work for you could probably steal hardware just by putting it on a cart. We had multiple buildings so it was common for people to be carting PCs from building to building. How many security guards would recognize the difference between a PC and a server?

    Unless you have security guards that require written permission for every single hardware move, your hardware is not going to be 100% safe. And unless you have a zero tolerance policy on holding the door open for someone, your information is not safe. How many companies are willing to do this?

    --
    I hate Liberals and Conservatives.
    If you are a Liberal or a Conservative, then HAVE A NICE DAY!
    Courage.
  4. Stupid Catch Phrases by chamenos · · Score: 5, Insightful

    What's the deal with calling cheating and conning people "social engineering"? Giving it a catchy name doesn't make it any more fashionable or acceptable. I guess we have the l337 underground crowd to blame for this idiotic euphemism.

  5. The real question is by Sycraft-fu · · Score: 5, Insightful

    Can you social engineer your way to getting some stuff from a store and get away without getting arrested? I've noticed that with most social engineering tests the people leave themselves VERY exposed in terms of being caught later. I saw this with a coworker. He did a hypothetical social engineering/hacking scenario. It was all well and good except that I guarantee that had he done it in reality, he'd have been thrown in jail since there were at least 10 people that could make an easy ID.

    It's one thing to BS your way in and steal some stuff, it's quite another thing to get out and not get ID'd or videotaped. This is where most crimes go wrong. It's not that the crime itself doesn't work out ok, the criminals often get what they want, it is the aftermath that goes wrong. The crime gets reported and investigated, and they find out who did it, and that's all she wrote.

    1. Re:The real question is by DeadSea · · Score: 2, Insightful
      If this guy had been really good and didn't want to get caught, he would have parked a van somewhere off the security cameras, and convinced somebody via telephone to load the computers in it for him.

      "Hi, Charles asked me to have five computers transferred. Let me fax you some paperwork. The van is parked out back, could you have it loaded?"

    2. Re:The real question is by Rouven · · Score: 2, Insightful

      The trick is not to make everyone immediately aware that their security has been compromised. You quietly install a keylogger and disappear. If they find it 3 months later, it will be very hard to find you on the tapes and for sure nobody will remember you for an ID.

  6. Re:If so, me too by acceber · · Score: 2, Insightful
    Just imagine, if a true story like that made front page news, half of us would be walking into our favourite shops and looting all the goodies, or at least trying, to see if it actually works.

    Then again, just imagine if that story got around to the managers of all your favourite shops...would they tighten security so that nothing like that happened to them? On second thoughts...

    As Israel pointed out: No manager likes to do manual labor.

  7. Never will be ready by foniksonik · · Score: 4, Insightful

    Social Engineering "as we know it" is going to be impossible to combat or educate against.

    No amount of technology or education can or more accurately 'will' stop SE from being effective.

    The only hope is that most thieves are too dumb to use it. Those who are smart enough almost deserve to get away with it.

    SE requires knowledge of methods, practices and the weaknesses inherent in such.

    A smart business will simply acknowledge the existence of such and absorb minimal losses associated... and raise prices accordingly. Very similar to piracy of IP.

    It will happen and you can do very little to stop it and what you can do will cost you more than the loss involved.

    Soooooo.... minimize, minimize, minimize.... your losses as much as possible by identifying effective deterrents and ignoring all else.

    I'm sure companies do this already.... so this may or may not have been an effective exercise... was it realistic in terms of statistical attempts to steal merchandise? Probably not, though it can identify weak areas in security that can be improved to catch less skilled SE perps...

    --
    A fool throws a stone into a well and a thousand sages can not remove it.
  8. It's more than lingo. by Anonymous Coward · · Score: 5, Insightful

    This time the phrase conveys additional information. Engineering is probably best described as the art of applying science to control failure. A typical con, a la Matchstick Men, The Grifters, etc. is all about craftsmanship, using the people. Whereas social engineering is all about a well planned design for a well understood system, using the bureaucracy. One is personal, one is impersonal, one depends on personal charisma, one depends on blending in.

  9. How nice people are by some1somewhere · · Score: 5, Insightful

    Well, I guess it comes down to how nice people are. If every person you passed asked for your identification, your papers, what you're doing here... hum... sounds like Germany back when...

    But seriously, you can get to the point of having people anal and trusting no one. Everyone is suspicious of the other, and while I suppose that is a good way to reduce theft, it also makes the place not very nice to work and shop or be around.

    --
    **FREE** Track and view your phone's via CellID and/or WIFI and/or GPS :- http://tinyurl.com/la6fhd
  10. Low-paid employees are complicit by BillsPetMonkey · · Score: 4, Insightful

    If you pay someone $6 an hour, do you really expect them to be vigilant defenders of company property?

    We recently had an internal discussion of how to reduce theft in the company - we are a retail group and often there's thousands of pounds worth of sports gear etc. parked temporarily in corridors. One of the astonishing revelations was that a large percentage of the theft had to be internal! Our own staff were stealing from us!

    After a lot of hand-wringing and head scratching we concluded that the reason they are stealing is because they feel that at $6 an hour, the company is stealing from them. Senior execs were not prepared to negotiate a rise in the shop-floor staff wages, so we took the strategic decision to drop the whole issue.

    Not really a difficult conclusion, just an unpalatable one.

    --
    "It's not your information. It's information about you" - John Ford, Vice President, Equifax
  11. Re:"social engineering" is the easy way. by ezzzD55J · · Score: 3, Insightful
    This is a great read! One has to wonder: Isn't it much easier to social-engineer one's way into a system than the "hacking" approach?

    Often, indeed. Ask Kevin Mitnick..

    But the world is probably safe: Somehow good social skills and good technical skills are mutually exclusive...

    Well.. ask Kevin Mitnick..

  12. and this is bad--how? by hak1du · · Score: 3, Insightful

    I'm sorry, but I fail to see how it is bad that people are trusting and helpful. Apparently, stuff gets stolen infrequently enough this way that people can afford to be trusting and helpful--otherwise, the employees would already be more careful. OTOH, if someone in "Vernstown" is really waiting for his five computers and isn't getting them because some employee forgot his badge, the business may be in trouble--the customer doesn't give a damn why he isn't getting what he ordered, he just knows the products didn't arrive when promised.

    There may be procedures that you can follow that avoid this sort of social engineering and still let the business function--but devising them, implementing them, and training the employees for them has its own costs. A phone call would have done the trick in this case and may have been prudent, but getting each employee to remember to make the phone call is difficult. Employing a separate person keeping track of everything that leaves the store and asking the right kind of questions would be better and ensure that only one person was distrusting, but it has an obvious cost--another salary to pay.

    Efficient businesses need a lot of trust and initiative on the part of employees. If you try to make this kind of social engineering too difficult, you may be preventing more thefts, but you also may be preventing your business from working. Given that this was demonstrated through a staged theft, it seems like the real thing is happening rarely enough for employees to be aware of it; this sort of thing is self-limiting--once the first real theft like that happens, people become less trusting automatically--with all the costs that that entails.

    There are no easy answers--in some environments, you just have to bear the costs that come with increased security--but one also shouldn't automatically assume that it is automatically better to adopt business procedures that prevent loss or theft.

  13. Re:It beats holding up liquor stores by D.A.+Zollinger · · Score: 4, Insightful

    Exactly, and from the article, it sounds like Israel has not only done this before, but has a theme in mind for how he would approach the situation. Of course, every store would be a variation on the theme, but it would be rather similar nonetheless.

    A $3500 take isn't much, especially considering that you aren't going to get full value on it when you pawn it off or sell it on e-bay. However, there are hundreds of stores just like that one in large cities, and perhaps thousands in a state. $3500 a day for a few hours work, isn't bad at all, considering some people barely make that much in a month. If you are patient enough, smart enough, and mix it around enough, you could probably get away with it for many many years pulling this job on a regular basis.

    The question, unfortunately, is philosophy. If you are smart enough to regularly defraud hundreds of businesses, then you would either have a difficult time justifying your actions to yourself (your conscience), or you would have to acknowledge to yourself that you are an evil, evil person. And who wants to look at themselves in the mirror every day thinking that? That there is no redeeming factor to your life and existence.

    Man, I gotta write a journal entry about some of my philosophical musings sometime. Especially when it comes to perceptions about good and evil.

    --
    I haven't lost my mind!
    It is backed up on disk...somewhere...
  14. The inescapable truth about people by Graftweed · · Score: 2, Insightful

    Now this happened at a company I used to provide tech support for, and it just goes to show you how your average person doesn't care the slightest bit about security:

    I needed to do something in someone's account and didn't know their password. I also didn't want to reset it in the server because then I'd have them calling me saying the computer didn't work or whatever. So I thought of asking the guy working across the cubicle from where I was, not really expecting a reply:

    "Say, you wouldn't happen to know this guy's password would you?"
    "Well no... but wait a second.. *shouting across to another cubicle and whoever was willing to listen* HEY, DOES ANYONE KNOW DAN'S PASSWORD?!"
    "*reply from somewhere* YEAH SURE, IT'S '34567'"

    I wanted to bang my head against the desk and strangle the bastards. One *could* enforce a password policy, but that would just make people keep their passwords in a yellow sticky note on the computer screen. One *could* try and educate people it's not a very good idea to share passwords among themselves, but that would just make them go behind your back. One *could* try to explain why they just spent $5000 in server software so that everyone could have clearly defined privileges, but they'd just ignore you and head for the water machine.

    My point being, of course it's easier to social-engineer your way somewhere because quite frankly people just don't want to go to any great efforts to protect their network/office/whatever.

    Your average office worker's idea of a disaster is when someone spills the coffee before anyone has had any in the morning.

  15. use it for good by kardar · · Score: 2, Insightful

    After reading about stuff like this, I feel empowered and justified to never have any kind of unjust run-in with any less-than-ethical coworker or supervisor looking to gain by hurting others and putting them in unjust situations.

    The ability to talk your way out of anything, ESPECIALLY when you actually haven't done anything wrong, but are being used as a scapegoat or a target to help someone else look good, or say, for instance, in a situation where you may be eventually threatening your manager's job or competing with someone for a promotion; things like that.

    It's very refreshing and empowering to realize that any pressure that you feel is probably there because you are putting it on yourself, or are in some way contributing to placing yourself in a position where you are allowing others to place pressure on you.

    It's really about what's right and what's wrong; and the right thing to do is to do good work, to be effective and to do things right; to respect yourself and those around you. Seeing through other's motives, or ignoring their confused senses of right and wrong in order to protect that respect, and to protect that sense of right and wrong, enabling yourself to continue to do good work for the right reasons, and to avoid pressures and lies and half-truths that represent a generic methodology or philosophy that many employees could care less about working or not working, these are the right things to do.

    It seems that you really need a kind of social engineering in order to continue respecting yourself and those around you. That's the most important thing, to respect those around you. This social engineering comes across as respect, actually... the whole idea of being smooth under pressure. Applying that to a situation where a manager may be looking for a reaction from you, applying that to a situation where you, as an employee, may not feel quite so respectful, really just shows that remaining courteous and respectful will basically allow you to get away with anything (especially if that something is nothing), so in that sense, remaining courteous and respectful even when you are in a situation where there is an unjust attempt to elicit a negative response, using social engineering will allow you to remain respectful towards yourself and respectful to those around you. You can use it for bad, but you can also use it against bad, for good. On top of everything else, the unjust individuals will never know what happened to them, which is, in a sense, a way of bringing those who have not realized the importance of respecting of others to a type of silent justice.

  16. Re:Second Slashdotting--Drupal by sydb · · Score: 3, Insightful

    There's a difference between "should" and "will have to because it's all I can afford".

    --
    Yours Sincerely, Michael.
  17. Re:It beats holding up liquor stores by tverbeek · · Score: 2, Insightful
    $3500 a day for a few hours work, isn't bad at all, considering some people barely make that much in a month.

    Ha! I wish I pulled in $3500/month! If I did, I wouldn't have to get all my electronics by stealing them. (KIDDING about the last part!)

    But the point isn't really whether someone could make a living doing this, but whether he could get himself an extra $3500 worth of gear just by deciding to do it.

    --
    http://alternatives.rzero.com/
  18. Re:law requires months of video retention by ElectricRook · · Score: 2, Insightful
    and I find it hard to believe that legislators would burden businesses with legislation that would actually hamper the implementation

    That my friend would indicate you don't have very much experience working with legislation.

    This effect is known as "The law of unintended consequences", and is the main reason I do not approve of government programs to solve any problem, with the exception of policing the streets and defending the borders. I think the main problem with "unintended consequences" is that the implementors don't pay for them, hence there is no learning. Sometimes I think legislators use "unintended consequences" to provide continuance in their successful campaign against the invisible dragon du jour. For instance, Pistol Packing Diane Feinstein (US Senator from California) wants to install gun control on the plebes. So she authors legislation which (she and any lawyer knows) is unconstitutional. She and her pals bask in the glory of success. Later the Supreme Court of the US strikes down some minor provision in the bill. Now she has a reason to publicly admit defeat, and a continued fight against firearm ownership by the plebes. Start round II.

    --
    - High Tech workers, please say NO to Union Carpenters, their Union sees fit to control our compensation.