Slashdot Mirror


First-Person Account of a Social Engineering Attack

darkreadingman writes, "A penetration tester tells how he broke into a bank's network dressed as a copier repairman. Some good lessons here — many companies spend millions on network security, but don't teach their employees how to challenge a stranger in the building. Social engineering at the company site can be one of the most difficult attacks to defend against." From the article: "Before departing scenes like these, we try to document the effort and provide proof of our success. I usually leave something behind and then contact the person who hired me and direct them to the mark. In this case I wrote his password on a ream of paper and tucked it under the machine."

25 of 347 comments

  1. Hmm... by The Zon · · Score: 5, Funny

    You know, I was wondering why that guy needed my password to fix the copier.

    --
    Some attitudes replaced or by cgi optimizes
    1. Re:Hmm... by Anonymous Coward · · Score: 5, Funny

      Because you don't get karma for Funny moderations any more, so some moderators like to throw in an Insightful moderation for funny comments.

    2. Re:Hmm... by dr_strang · · Score: 4, Funny

      Are there ironic mod points? Because that would be ironic.

      --
      This is a sig. It is like every other sig in the world, except that it is mine, and it is different.
    3. Re:Hmm... by LordSnooty · · Score: 3, Funny

      Yeah, but they cancel each other out.

  2. Geez by Anonymous Coward · · Score: 1, Funny

    There are way too many first-person games in the U.S.

  3. penetration tester by neuro_guy · · Score: 2, Funny

    penetration tester. now that's a job! is it somehow related to the porn industry?

    1. Re:penetration tester by neuro_guy · · Score: 2, Funny

      nah, "engineer" sounds so technical and... theoretical. you know, penetration is all about love and practical experience.

  4. In the words of the Paranoia RPG by Billosaur · · Score: 3, Funny

    1. Stay alert
    2. Trust no one
    3. Keep your laser handy

    --
    GetOuttaMySpace - The Anti-Social Network
  5. 1 ream = 500 sheets by Anonymous Coward · · Score: 5, Funny

    In this case I wrote his password on a ream of paper and tucked it under the machine.
    That seems like an awful lot of effort, when you could just write it on one sheet. :)

  6. Re:Look under your keyboard... by DarthTaco · · Score: 4, Funny

    thanks! I looked under my keyboard and found the jumpdrive I had been trying to find for weeks!

  7. Man I Wish... by eno2001 · · Score: 2, Funny

    ...I could be a penetration tester. On Jenna Jameson. ;P

    --
    -"...bad old ideas look confusingly fresh when they are packaged as technology" - Jaron Lanier (Digital Maoism on Edge.o
    1. Re:Man I Wish... by 6Yankee · · Score: 4, Funny

      If you ever do get the chance, just remember the basic rule of any pen test:
      • Get permission first or you'll end up in a world of trouble. Given the likely circumstances of this particular test, I strongly recommend that you cover your ass.
      • File a report afterwards, or your mark may never know you were in there - with this target, and especially with your particular toolset, such an outcome is especially likely. :P

      Yes, I have mod points, but this seemed like more fun :)
  8. ObSneakers by Rob T Firefly · · Score: 4, Funny

    "Gentlemen, your communication lines are vulnerable, your fire exits need to be monitored, your rent-a-cops are a tad undertrained. Outside of that everything seems to be just fine. You'll be getting our full report and analysis in a few days but first, who's got my check?"

  9. Why not a male model? by Incarnate13 · · Score: 2, Funny

    "Think about it Derek. Male models are genetically constructed to become assassins. They're in peak physical condition. They can gain entry into the most secure places in the world. And most important of all, models don't think for themselves. They do as they're told."

  10. Re:Yikes! So much effort! by Anonymous Coward · · Score: 1, Funny

    Some of us are blind you insensitive clod! We have a hard enough time with regular money, cards are completely useless!

  11. Re:For the love of all things holy by Anonymous Coward · · Score: 1, Funny

    Unless you're an executive, in which case it's called "pretexting".

  12. Re:Yikes! So much effort! by mrogers · · Score: 5, Funny

    Yeah I imagine all the money's sitting in a shared folder on the secretary's PC. Never mind a dozen key strokes, you can probably just drag and drop.

    "Are you sure you want to replace 'Teh Money.xls', size $13.28, modified 11/21/2006, with 'Teh Money.xls', size $1,000,000.00, modified 11/30/2006? [OK] [Cancel]"

  13. Re:Backwords by rthille · · Score: 4, Funny

    Which is why you should bang your mistress in the back of the theater.

    --
    Awesome furniture, accessories and cabinetry in Santa Rosa, CA: http://humanity-home.com/
  14. Re:True story. by Joe Snipe · · Score: 3, Funny

    what the hell is a man-trap?

    --
    Sometimes, life itself is sarcasm...
  15. Re:teach employees? by Anonymous Coward · · Score: 1, Funny

    That is why all your coworkers hate you behind your back

  16. Re:Yikes! So much effort! by Solra Bizna · · Score: 4, Funny

    Now whether you are smart enough to transfer it into the account of someone you don't like rather than your own is a different question.

    Or, transfer it into your own, separate account on the same bank, then use Log Modifier to change the destination account in the transaction record to someone you hate (or someone you're being paid to discredit), and Log Deleter to delete the record on your end. Disconnect before they trace you, and BOOM! Watch your Uplink rating smash through the roof...

    You'll probably need a level 5 Firewall Disable (or Firewall Bypass) and version 3 of Decypher. And don't try to hack into the Uplink Corporation's bank; yours is the only account.

    Wait, we are talking about Uplink, right?

    -:sigma.SB

    --
    WARN
    THERE IS ANOTHER SYSTEM
  17. Re:And why is it that way? by AcidLacedPenguiN · · Score: 2, Funny

    I don't know about anyone else but I feel I have the best password creation system... I go and look at half a dozen other employees' sticky notes then I bolt them up like Voltron to form my own superpassword.

    --
    disclaimer: I've been known to store numbers in my ass for which to dig out when quantities are required.
  18. Re:Yikes! So much effort! by sentientbeing · · Score: 2, Funny

    A silver briefcase on wheels?!

    Damn. What a giveaway. If you see two guys walking into a building with that you know something bad is about to go down.

    Don't they show Die Hard in the training inductions?

    --
    beware he who would deny you access to information, for in his mind he dreams himself your master
  19. Re:And why is it that way? by Anne_Nonymous · · Score: 2, Funny

    YuL1P3729? That's the combination on my luggage!

  20. Re:And why is it that way? by camperdave · · Score: 2, Funny

    Mmmm... Salted hash!

    --
    When our name is on the back of your car, we're behind you all the way!