Slashdot Mirror
First-Person Account of a Social Engineering Attack
darkreadingman writes, "A penetration tester tells how he broke into a bank's network dressed as a copier repairman. Some good lessons here — many companies spend millions on network security, but don't teach their employees how to challenge a stranger in the building. Social engineering at the company site can be one of the most difficult attacks to defend against." From the article: "Before departing scenes like these, we try to document the effort and provide proof of our success. I usually leave something behind and then contact the person who hired me and direct them to the mark. In this case I wrote his password on a ream of paper and tucked it under the machine."
I recently hired a car from a well known car company (I won't name them as in general I find them to be a very good company)
I normally hire from one particular branch and drop it back off there and as a regular customer known each of the staff by name, however on this occasion I was dropping the car back at the airport.
After parking up a guy came from a car in another bay (for the same car company) and asked if was dropping off one of their cars which I confirmed and told him it had come from my usual branch and not the airport. He asked to see the paperwork and did a check over the car - not a problem. After he gave me the paperwork back he asked for the keys. Since I didn't know him and he wasn't even wearing a uniform I asked to see ID, he couldn't provide it and all he did have was a stack of paperwork with the company letterhead in a file.
Well I'm afraid that isn't really good enoguh proof of ID - I told him I'd drop the key off at their desk (which is opposite my check in desk) since I had no way to know if he was an employee or not.
After dropping the key off at the office of the car company in the airport it turns out he was a legitimate employee but the question of ID has never come up.
I saw some of the otehr cars there - they are always brand new and while I usually take something like an astra or a vectra this being the airport car park had several jags and a merc or two. Its seems it would be a VERY easy way to obtain a few cars... park up, inspect the car, ask for the key.
Even if you get pulled over by the police you would just have to say its a hire car - a check of the registration would confirm that - these companies really should be a little more careful of their security!!
$_="Slashdotter";$syn="OTT";s;..;;;sub _{print shift||$_};s!ash!Perl !;s=$syn=ack=i;tr+LLEd+BLAH+;_"Just Another ";_
Friend of a friend got a job doing security audits for a major energy company here in houston.
1) He broke into a top nuclear facility by holding a box and asking the person ahead of him to hold the door.
2) He set off the "man trap" and found he could easily climb out of it.
3) He found out the heavily secure facility had secure areas protected by sheetrock walls in some areas.
He finally embarrassed so many people that they posted a picture of his face to all employees with a warning to be careful. That destroyed his effectiveness. Some solution.
But that's the real world for you.
She was like chocolate when she drank... semi-sweet at first and then increasingly bitter.
Completely agree.
I went from very secure passwords to insecure passwords written down on paper slips as a direct result of our security policy.
1) Change every 90 days (up from 60 at least. that was really bad).
2) no repeating letters or numbers
3) no letter or number in the same position as last password.
4) must have a number
5) not be a word in a dictionary
Starting password something like
YuL1P3729 (the last 4 digits were what changed- they were an old phone number- I slid through it horizontally)
Current password something like
secre1t
I have about 8 passwords.
And they are all on a yellow sticky on my desktop.
She was like chocolate when she drank... semi-sweet at first and then increasingly bitter.
Some months back, I saw some people working on the phone lines outside my house. They knocked off my DSL connection, so I went out to see what they were doing. They didn't have an SBC truck, so I asked to see their ID. Classically, telcos were very careful about issuing picture IDs to all employees authorized to meet the public or work on plant. There's even a notice in most telephone directories about it, telling customers that all telephone employees are required to carry a telco photo ID.
They didn't have SBC IDs. So I called SBC repair service via a cell phone. They didn't have a clue. So I called 911 and had the local cops come out. They ask the guys for phone company ID, and the techs don't have it. Twenty minutes of confusion as the techs and the cops are calling various parties.
Turned out that SBC had quietly been "outsourcing" some routine outside plant work, and had been sloppy about issuing credentials to the outsourcing contractor. Tied up four techs and two cops for half an hour to straighten that out.
That's what happens when you do it right. Annoys everybody.
My explanation of why you *should* write down your password. Bruce Scheier has made the same point.
All of which is really a distraction. Sticky notes on the monitors? If someone's that close they can install a hardware keylogger in a matter of seconds or RAT and rootkit the machine with a live CD in a few minutes. The only security improvement you get from taking down the sticky notes is against casual or opportunistic attacks, which is not nothing, but face the fact that physical access means Game Over.