
Social Engineering in the Workplace

An anonymous reader writes "Could a total stranger walk out of your business with thousands of dollars in merchandise without your knowing? Even worse, could they manipulate you into helping them each step along the way?"

  1. Stupid by divine_13 · · Score: 5, Funny

    "thousands of dollars in merchandise"
    Why merchandise?
    Just take the cash and scram! O.o

    1. Re:Stupid by TinheadNed · · Score: 5, Informative

      Well, because while the warehouse guys and shop flunkies can come and go on a weekly basis, nobody, NOBODY ever gets to pay with the money. Two people are normally required to do the counting, and then it gets put in the safe.

      Also, while moving merchandise round is done everywhere in broadly the same way, the cash routines are normally more tightly fixed and less easy to predict. Also, the money has to be counted nice and carefully as the cashiers need to check they haven't screwed up during the day.

  2. Pages /. defended. by Thornae · · Score: 5, Interesting

    I love it. Load it up, the very first line of the page is "SlashDot defense provided by Nexcess.Net"

    There's forethought, with some free advertising thrown in.

    --
    |>
    Here be Dragons

  3. Help someone carry shit out of the office? by Anonymous Coward · · Score: 5, Funny

    No way. I'm too lazy to help the people I should be helping. Why would I help a stranger?

  4. Human Limits of Security by Anarcho-Goth · · Score: 5, Insightful

    At the last company I used to work for they once showed us a video about the importance of information privacy, and how social engineering works. In this particular example, the person would have been caught right away because he was wearing a suit. No one wears a suit on our floor, unless they're having a job interview, or meeting with the executives or something.

    The reality is that most medium sized companies can be vulnerable to social engineering. In most cases the weak point in any security system is going to be on the human level. When you work with people you have to have some element of trust to make things more efficient.

    You might need a security badge to get by a security desk, and a key card to get onto the floor. But people sometimes lose their badges and keycards and will be let by just this once.

    If you can get into the cafeteria without any security stuff you can just go to lunch there for a couple weeks, get to know the names of people who work in the IS departments, and maybe even come across a dropped security badge. You can then forge your own to get to the elevators, and then wait for someone else to open the door to get by needing a keycard. (Assuming the badge you came across didn't also have the person's keycard.)

    Then getting information out might be easy. And at the company I used to work for you could probably steal hardware just by putting it on a cart. We had multiple buildings so it was common for people to be carting PCs from building to building. How many security guards would recognize the difference between a PC and a server?

    Unless you have security guards that require written permission for every single hardware move your hardware is not going to be 100% safe. And unless you have a zero tolerance policy on holding the door open for someone, your information is not safe. How many companies are willing to do this?

    --
    I hate Liberals and Conservatives.
    If you are a Liberal or a Conservative, then HAVE A NICE DAY!
    Courage.

    1. Re:Human Limits of Security by Anonymous Coward · · Score: 5, Interesting

      For entertainment, the people one of my friends works with started showing Costco cards to the security instead of their IDs. They tired of this as none of them ever noticed. Also, they've got such a poorly implemented network with so many different passwords, it's actually a pseudo-policy that they have them written down near their workstations. Once more, many of them have local administrator access to their workstations. It's hard to imagine what people so motivated might walk off with.

    2. Re:Human Limits of Security by dilweed · · Score: 5, Informative

      Correction: He wasn't wearing a suit. He was wearing a black polo and khakis, aka the casual corporate uniform.

      It's been said that with a hard hat and a clipboard you can get into nearly any building. This is just another example of that taken a step further.

    3. Re:Human Limits of Security by Walt+Dismal · · Score: 5, Funny

      I once worked for a CBS subsidiary. They decided to improve security so we were all required to get our photos taken for badges. (This was before card reader badges.) One VP took a picture of his dog and pasted it on a badge. Next morning flashed it at the guard and walked through with no problem.

      A lot of people are blind to anything that does not look out of place in their limited world. And a lot of others are sheep to any authority that comes along, anyone with confidence and some acting skills.

    4. Re:Human Limits of Security by JaredOfEuropa · · Score: 5, Interesting

      The reality is that most medium sized companies can be vulnerable to social engineering. In most cases the weak point in any security system is going to be on the human level. When you work with people you have to have some element of trust to make things more efficient.

      A few years ago, a journalist showed how easy it was to get into the maximum-security area of the Prosecutor's Office in the Netherlands. It was as simple as forging a badge on a photocopier, checking out who went into that area, making sure he looked like he belonged there (no furtive glances, right clothes etc.). Then he just followed a guy into the secure zone, with the guy courteously holding the door open for him. He was able to do this several times.

      And unless you have a zero tolerance policy on holding the door open for someone, your information is not safe

      That's just what they had in the military place I used to work. I notice that most larger offices and places with sensitive information are starting to use turnstiles and keycards, which amounts to the same thing. No badge = no entry. Forget your badge? You can get a 1-day pass at the security desk, but they will check your face against a photo on file, and require ID. Having reasonably good yet not cumbersome security is not that hard to implement for low-level security (i.e. against thieves). Problem is: many companies only pay passing attention to security (physical as well as electronic), and think one rent-a-cop at the door is sufficient.

      Unless you have security guards that require written permission for every single hardware move your hardware is not going to be 100% safe.

      Also becoming more commonplace... These days, the most popular target for thieves is laptops. Easy to carry, valuable, and it's the one piece of equipment the guards will expect people to carry out.

      --
      If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...

    5. Re:Human Limits of Security by Anonymous Coward · · Score: 5, Funny

      I guess I have to chime in with my story as well. I was working at a military base (as a contractor) and some of the uniformed guys had a contest to see what they could flash at the guards instead of their military ID and make it through. They started with driver's license and then somebody got through with a library card. The winner? Got through by flashing a piece of toast...

    6. Re:Human Limits of Security by beer_maker · · Score: 5, Funny
      While in the Marine Corps I was a student (and later an instructor) at an all-services training base run by the Air Force - with just such a turnstile/guardhouse at the classroom area. We never thought very highly of the SPs (Squadron Police AKA Sky Pigs) guarding the facility, but did our best to avoid the temptation of screwing with them ... it was just too easy.

      As a student, the worst stunt I pulled was when I noticed the SPs would come into the chowhall for lunch and just leave their M-16s at a table with their headgear & other junk. The USMC is very particular about always leaving a "complete safe weapon", so I strolled over, popped out the magazines, checked the chambers, and verified the selector was set to "Safe." The two "security specialists" didn't even notice! The next day they came in and left the rifles again - so I made them safe again. To make the point more obvious, I removed the firing pins and left them sitting on top of the SP's jaunty black berets in the middle of their table. The look on their faces was priceless.

      Our commander was forced to order us to "stop helping the SPs", though he did so with a smile on his face. They stopped leaving the rifles out, at least while I was there.

      When I later returned to the same base to be an instructor they had a much smarter officer in charge of the guard force. Some of my students were telling me they had been drawing moustaches and/or sticking pictures on the front of their badges and getting in without being challenged, but before I could test this myself I was invited to assist the SP colonel in a little experiment: He asked me to check in (& out if possible) using a fake badge he had made up. It was a quality job, using the regular forms and professional lamination - but it said I was Vladimir Lenin (with his picture) and a member of the KGB!

      Sadly, I got right through - one of the guards touched the badge to verify I had one, but none of them looked at it. The colonel was so disgusted those guards were immediately pulled and sent back to their original training base. I wanted to keep the badge, but the colonel said he might need it again, if his guys got sloppy again ...

      I expected to get some flak from the other guards, but they all felt that "anybody that careless was no loss".

      --
      Hmmm. Your ideas are intriguing to me and I wish to subscribe to your newsletter.

  5. "social engineering" is the easy way. by RanBato · · Score: 5, Interesting

    This is a great read! One has to wonder: Isn't it much easier to social-engineer one's way into a system than the "hacking" approach?

    How hard can it be to get usernames/passwords this way? And since we are in linux-land here: I would bet that more than half of the sysads here would open up their systems to the first pretty girl that would walk along their cubicle. Obviously she cannot be too pretty as that would be VERY suspicious.

    There are plenty of stories going around about people just walking into a server room, and taking a few servers home with them. We even had one of those on slashdot here a few months ago, something with the Australian customs office. And there is the now really famous French guy who used to simply walk in on high level government events and get his picture taken.

    But the world is probably safe: Somehow good social skills and good technical skills are mutually exclusive...

  6. social engineering is useful at work. by 0x12d3 · · Score: 5, Interesting

    I work tech support at an ISP, and after reading Kevin Mitnick's "The Art Of Deception", I've had a keen eye for situations where social engineering could be going down. The thing is, if policy dictates that you respond a certain way, you do so regardless. The funny thing is how much more helpful other internal departments are if you use some social engineering techniques. Sometimes the billing dept. will help a save desk agent more than tech support; sometimes a field rep. gets less lip than tech support to escalate an issue. Guess it goes to show any tool can be used for good or evil.

  7. Stupid Catch Phrases by chamenos · · Score: 5, Insightful

    What's the deal with calling cheating and conning people "social engineering"? Giving it a catchy name doesn't make it any more fashionable or acceptable. I guess we have the l337 underground crowd to blame for this idiotic euphemism.

  8. The real question is by Sycraft-fu · · Score: 5, Insightful

    Can you social engineer your way to getting some stuff from a store and get away without getting arrested? I've noticed that with most social engineering tests the people leave themselves VERY exposed in terms of being caught later. I saw this with a coworker. He did a hypothetical social engineering/hacking scenario. It was all well and good except that I guarantee that had he done it in reality, he'd have been thrown in jail since there were at least 10 people that could make an easy ID.

    It's one thing to BS your way in and steal some stuff, it's quite another thing to get out and not get ID'd or videotaped. This is where most crimes go wrong. It's not that the crime itself doesn't work out ok, the criminals often get what they want, it is the aftermath that goes wrong. The crime gets reported and investigated, and they find out who did it, and that's all she wrote.

  9. It's more than lingo. by Anonymous Coward · · Score: 5, Insightful

    This time the phrase conveys additional information. Engineering is probably best described as the art of applying science to control failure. A typical con, à la Matchstick Men, The Grifters, etc. is all about craftsmanship, using the people. Whereas social engineering is all about a well planned design for a well understood system, using the bureaucracy. One is personal, one is impersonal, one depends on personal charisma, one depends on blending in.

  10. How nice people are by some1somewhere · · Score: 5, Insightful

    Well, I guess it comes down to how nice people are. If every person you passed asked for your identification, your papers, what you're doing here... hum... sounds like Germany back when...

    But seriously, you can get to the point of having people anal and trusting no one. Everyone is suspicious of the other, and while I suppose that is a good way to reduce theft, it also makes the place not very nice to work and shop or be around.

    --
    **FREE** Track and view your phone's via CellID and/or WIFI and/or GPS :- http://tinyurl.com/la6fhd

  11. I saw this happen at one company... by anubi · · Score: 5, Interesting

    About 20 years ago.

    It happened on a Saturday.

    White panel truck with appropriate lettering pulled up to corporate headquarters. Man wearing logo'd shirt gets out and approaches security guard, papers in hand. He is supposed to remove typewriters for cleaning, and is supposed to come back Sunday to return them. Papers are signed by an executive of that company.

    [ uh-huh. right name, but *that* executive has never even seen the papers. It's just a signature. ]

    Guard is cautious. Needs to call and check. Truck driver agrees to wait. Executive out of town. Guard says no-go. Truck driver says fine, just sign here that I showed up. Your company still must pay the $5000 fee for weekend overtime service as per the contract. ( Shows contract details to guard ). No biggie to me. ( Guard gets antsy. A lot of money. What's his boss gonna say about losing more money than his monthly pay just because he wouldn't let another man do his work? ). The guard refused to sign anything. The truck guy notes down his name from his badge, notes it on his form, looks at his watch again, dates and signs the form, and asks the guard to let 'em know he was there. Leaves the guard a business card, and mentions that the next available window to do the cleaning work on a weekend is about 3 months away. Another fee will be assessed for the next service. He tells the guard he has 50 people at his plant right now ready to clean typewriters, and when he gets back, he has no work for them, so he will pay them their four hours Union wage for showing up and send them home.

    The guard is really sweating now. He doesn't know exactly what to do, but he doesn't wanna find out he screwed up the company something fierce by keeping someone from doing their job, so he relents. He even helps load the truck!

    We never saw those typewriters again.

    The truck? Bogus plates. Plain white panel truck with vinyl stick-on lettering. Run of the mill truck. The guy even had shelves in it made in such a way that he could load it up completely full. Seeing how professionally the truck was equipped for the job impressed the guard and reassured him that everything was indeed on the up-and-up.

    The forms? Yes, lots of forms! Every typewriter was duly noted on its own form... serial numbers and all! Obviously our con-guy had gotten hold of an inventory list, because every form indicated where the typewriter was. Why, a copy of each form was even left with the guard! The only traceable signature was that of the guard. There were other signatures on the forms, but no one ever found out who the actual signers were.

    Come Monday, Management was very puzzled and disturbed over the missing typewriters... a little over a couple hundred of them. There were investigations. There were lots of phone calls to the non-existent phone numbers and people, and attempted visits to the addresses referenced in those oh-so-professionally done forms.

    Yup, some clever guy invested in a couple hundred dollars worth of "movie props" and walked out with several hundred thousand dollars worth of nearly brand new IBM typewriters.

    --
    "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]

  12. Been there, done that. by Ketnar · · Score: 5, Funny

    Social engineering is fun.

    It's even more fun when others don't notice that you are on to them and feeding them complete bull. :)

    (from MSG)
    'Isn't that that guy, from that other network? The script kiddy?'
    'Yes.'
    'the one that tried to hack you.'
    'Yes.'
    'And you are talking to him?'
    'Yes.'
    'WHY?'
    'Shh,Watch.:)'

    (In chan, after some yacking about and playing stupid, he was posing as a billing person from my ISP ;) )
    'Oh, you need my new credit card info for that. let me msg it to you.'
    'ok.'

    (later, after he left)
    'WTF! You gave him a CC number?'
    'Yeah, of an old card.'
    'I don't understand.'
    'The card was reported stolen a year ago.'
    'Yeah...okay..so, it won't work.'
    'No, it won't, but guess what happens when you try to use a *stolen* credit card?'
    '......'
    'OHHHHH!'

    Hee!:)

    --
    My new top secret key -> C>N|KB

  13. It Works! by Anonymous Coward · · Score: 5, Interesting

    Good story, kinda reminds me of a couple of my past experiences.

    Just out of High School I'm a gofer at a major chain hardware store, it's holiday season (without a doubt, best time to social engineer) and because it's so busy, I'm stuck helping load customers vehicles with bulk merchandise at a usually closed side door.

    A guy backs a station wagon up and comes up to me (the youngest looking employee in the store) waving a "receipt" and saying he's here to get his pallet of Presto Logs. So being young and dum... errr... I mean, eager to help out, I went over to my very busy "dickish" "boss" and asked what to do, his curt reply was "Get him the logs, I'm busy.", and then he rapidly walked away toward the front of the store.

    So I got a pallet jack and moved a whole pallet of Presto logs across the whole store to this side door, and proceed to load up his station wagon till it was sagging badly in the rear, but I got 'em all in.

    The poor guy was in a BIG hurry because his wife was at another store and he had to go get her since her car had broken down, and he had a bad back so he couldn't help me load the boxes of "logs", but I loaded that whole pallet of "logs" into his station wagon in record time.

    And not 30 seconds after he drove off than another guy drives up in a pickup truck wanting his pallet of Presto logs!

    Well, I had just loaded up the last pallet of Presto logs...

    That's when I knew I'd been had...

    Luckily, I'd asked my loser boss, and he had to take the heat, but that was a BIG lesson for me in Social Engineering.

    Move ahead several years to 1977, I'm working for a private interconnect (TELCO) company in SillyCon Valley. We don't have company uniforms, or even name tags, really low budget, but we do have tool belts and butt sets (lineman's test set), we had to buy those too.

    So I'm one of the company's troubleshooters and we had many high tech clients, one of which is where I was making some changes to the state of the art TDM PBX our company sold and installed (Waaaay better than anything MaBell had at the time. Merlins... what a joke.).

    My boss (a "real" boss, yaaaa.) arrived unexpectedly to give me some good news (a raise!) and as we were leaving the building I joked that I could go anywhere I wanted with only my toolbelt and buttset.

    My boss gave me the look and then smiled and said "no way".

    Mistake...

    We happened to be in a large room full of desks looking at a wall of glass, behind which was the computer room, you know, raised floors, BIG banks of BIG six foot tall computers with BIG reels of tape slowly spinning away, heavy duty air conditioning, guys in white lab coats! The whole deal. And the only door in/out was protected by an armed security guard.

    Nobody had noticed us yet as they were all busy doing their jobs, and I looked at the computer room and said to my boss "Wait here and watch." He got an unsettled look on his face but didn't stop me as I calmly but purposefully walked straight toward the door with the guard.

    I noticed that the guard was alert and saw me coming, so I was all ready to talk my way into the computer room, but as I got close enough to talk, he just opened the door for me! I said I needed to check out something and would be right out as I was calmly (yeah, right!) walking by him into the "secure" computer room.

    The white lab coat guys totally ignored me even though there were NO phones in that room! I walked through the whole large room, looking at all the cool computers and stuff and attempting to look "official".

    I finally got my fill of sightseeing and went back to my boss, who by now was angry at me, but I pointed out that no harm was done, and I had made my point to him. He forbade me to ever do it again, anywhere, but when we got back to the shop I was a big hit for my "ballsy" behavior and he was bragging about it and laughing like crazy.

    Yeah... social engineering... it can work.

  14. The funniest part of his HOWTO by dereklam · · Score: 5, Interesting

    Here's the funniest part of his HOWTO:

    If your site is getting hammered on a single web page, you can make a static version of it for short-term use that has no graphics or database requests in it. [...] A single page may not sound like it would make much difference, but less than a thousand out of nearly 40,000 visitors from SlashDot ever clicked links to other resources on the same site after visiting the page in question.