Slashdot Mirror


Social Engineering in the Workplace

An anonymous reader writes "Could a total stranger walk out of your business with thousands of dollars in merchandise without your knowing? Even worse, could they manipulate you into helping them each step along the way?"

9 of 316 comments

  1. Re:Yes it is by Dark Nexus · · Score: 4, Insightful

    No, but that isn't what he was saying, was it?

    The fact that someone once did it proves that it CAN be done, and lends evidence that someone else can probably do it.

    There's a whole lot of space between only one person being able to do something, and everybody being able to do it.

    --
    Dark Nexus
    "Sanity is calming, but madness is more interesting."
  2. Human Limits of Security by Anarcho-Goth · · Score: 5, Insightful

    At the last company I used to work for they once showed us a video about the importance of information privacy, and how social engineering works. In this particular example, the person would have been caught right away because he was wearing a suit. No one wears a suit on our floor, unless they're having a job interview, or meeting with the executives or something.

    The reality is that most medium sized companies can be vulnerable to social engineering. In most cases the weak point in any security system is going to be on the human level. When you work with people you have to have some element of trust to make things more efficient.

    You might need a security badge to get by a security desk, and a key card to get onto the floor. But people sometimes lose their badges and keycards and will be let by just this once.

    If you can get into the cafeteria without any security stuff you can just go to lunch there for a couple weeks, get to know people's names who work in the IS departments, and maybe even come across a dropped security badge. You can then forge your own to get to the elevators, and then wait for someone else to open the door to get by needing a keycard. (Assuming the badge you came across didn't also have the person's keycard.)

    Then getting information out might be easy. And at the company I used to work for you could probably steal hardware just by putting it on a cart. We had multiple buildings so it was common for people to be carting PCs from building to building. How many security guards would recognize the difference between a PC and a server?

    Unless you have security guards that require written permission for every single hardware move your hardware is not going to be 100% safe. And unless you have a zero tolerance policy on holding the door open for someone, your information is not safe. How many companies are willing to do this?

    --
    I hate Liberals and Conservatives.
    If you are a Liberal or a Conservative, then HAVE A NICE DAY!
    Courage.
  3. Stupid Catch Phrases by chamenos · · Score: 5, Insightful

    What's the deal with calling cheating and conning people "social engineering"? Giving it a catchy name doesn't make it any more fashionable or acceptable. I guess we have the l337 underground crowd to blame for this idiotic euphemism.

  4. The real question is by Sycraft-fu · · Score: 5, Insightful

    Can you social engineer your way to getting some stuff from a store and get away without getting arrested? I've noticed that with most social engineering tests the people leave themselves VERY exposed in terms of being caught later. I saw this with a coworker. He did a hypothetical social engineering/hacking scenario. It was all well and good except that I guarantee that had he done it in reality, he'd have been thrown in jail since there were at least 10 people that could make an easy ID.

    It's one thing to BS your way in and steal some stuff, it's quite another thing to get out and not get ID'd or videotaped. This is where most crimes go wrong. It's not that the crime itself doesn't work out ok, the criminals often get what they want, it is the aftermath that goes wrong. The crime gets reported, and investigated, and they find out who did it, and that's all she wrote.

  5. Never will be ready by foniksonik · · Score: 4, Insightful

    Social Engineering "as we know it" is going to be impossible to combat or educate against.

    No amount of technology or education can or more accurately 'will' stop SE from being effective.

    The only hope is that most thieves are too dumb to use it. Those who are smart enough almost deserve to get away with it.

    SE requires knowledge of methods, practices and the weaknesses inherent in such.

    A smart business will simply acknowledge the existence of such and absorb minimal losses associated... and raise prices accordingly. Very similar to piracy of IP.

    It will happen and you can do very little to stop it and what you can do will cost you more than the loss involved.

    Soooooo.... minimize, minimize, minimize.... your losses as much as possible by identifying effective deterrents and ignoring all else.

    I'm sure companies do this already.... so this may or may not have been an effective exercise... was it realistic in terms of statistical attempts to steal merchandise? Probably not though it can identify weak areas in security that can be improved to catch less skilled SE perps...

    --
    A fool throws a stone into a well and a thousand sages can not remove it.
  6. It's more than lingo. by Anonymous Coward · · Score: 5, Insightful

    This time the phrase conveys additional information. Engineering is probably best described as the art of applying science to control failure. A typical con, à la Matchstick Men, The Grifters, etc. is all about craftsmanship, using the people. Where social engineering is all about a well planned design for a well understood system, using the bureaucracy. One is personal, one is impersonal, one depends on personal charisma, one depends on blending in.

  7. How nice people are by some1somewhere · · Score: 5, Insightful

    Well, I guess it comes down to how nice people are. If every person you passed asked for your identification, your papers, what you're doing here... hum... sounds like Germany back when...

    But seriously, you can get to the point of having people anal and trusting no one. Everyone is suspicious of the other, and while I suppose that is a good way to reduce theft, it also makes the place not very nice to work and shop or be around.

    --
    **FREE** Track and view your phone's via CellID and/or WIFI and/or GPS :- http://tinyurl.com/la6fhd
  8. Low-paid employees are complicit by BillsPetMonkey · · Score: 4, Insightful

    If you pay someone $6 an hour, do you really expect them to be vigilant defenders of company property?

    We recently had an internal discussion of how to reduce theft in the company - we are a retail group and often there's thousands of pounds worth of sports gear etc. parked temporarily in corridors. One of the astonishing revelations was that a large percentage of the theft had to be internal! Our own staff were stealing from us!

    After a lot of hand-wringing and head scratching we concluded that the reason they are stealing is because they feel that at $6 an hour, the company is stealing from them. Senior execs were not prepared to negotiate a rise in the shop-floor staff wages, so we took the strategic decision to drop the whole issue.

    Not really a difficult conclusion, just an unpalatable one.

    --
    "It's not your information. It's information about you" - John Ford, Vice President, Equifax
  9. Re:It beats holding up liquor stores by D.A. Zollinger · · Score: 4, Insightful

    Exactly, and from the article, it sounds like Israel has not only done this before, but has a theme in mind for how he would approach the situation. Of course, every store would be a variation on the theme, but it would be rather similar nonetheless.

    A $3500 take isn't much, especially considering that you aren't going to get full value on it when you pawn it off or sell it on e-bay. However, there are hundreds of stores just like that one in large cities, and perhaps thousands in a state. $3500 a day for a few hours work, isn't bad at all, considering some people barely make that much in a month. If you are patient enough, smart enough, and mix it around enough, you could probably get away with it for many many years pulling this job on a regular basis.

    The question, unfortunately, is philosophy. If you are smart enough to regularly defraud hundreds of businesses, then you would either have a difficult time justifying your actions to yourself (your conscience), or you would have to acknowledge to yourself that you are an evil, evil person. And who wants to look at themselves in the mirror every day thinking that? That there is no redeeming factor to your life and existence.

    Man, I gotta write a journal entry about some of my philosophical musings sometime. Especially when it comes to perceptions about good and evil.

    --
    I haven't lost my mind!
    It is backed up on disk...somewhere...