Everything You Wanted to Know about
Social Engineering -- But Were Afraid to Ask...
Social Engineering Physical Access
Would a hacker be audacious enough to walk right into your
home or office and compromise a computer from the console? You
bet! And it can be amazingly easy to worm one's way into any
facility.
Appeals to authority are an especially powerful social engineering
tactic. George Koopman once told me how his Army Intelligence
unit would test the security of US military bases in Korea. A
sure fire tactic to get into restricted areas was to claim to
be with the fire department. Who would stand in the way of a
fire marshal's inspection team?
Ira Winkler reports that in another penetration test, "I
decided that the best method for gathering information on-site
was to pose as a supervisor for information security. Most people
assume that security personnel require access to sensitive data."
Winkler started his penetration by simply enough. Because
at this stage he had no company badge, he just wandered about
the victim company's public, free access area. His goal - to
find a company business card. He finally lifted one from a jar
in the cafeteria where people had deposited them for a drawing.
He took it to a print shop and requested copies of the card using
a fake name and title.
He returned to the victim company and announced himself to
the receptionist. She assumed his business card was valid, and
gave him paperwork for a building pass. Winkler filled it out
with fake everything. "Nobody… bothered to check the
veracity of my form, which was typical when a temporary employee
was involved."
Armed with his building pass and his business cards, he was
able to go anywhere. And once you have physical access to a computer,
you can always compromise it. It merely audacity - and the willingness
of employees to assume that a stranger with a business card and
building pass must be legitimate.
If you want to learn how to deflect social engineering penetrations
of your company, I highly recommend Winkler's book.
In the meantime, here's a quick test for whether someone is
legitimate: small talk. It's polite to do small talk, but it
also serves a purpose. If you start chatting with some newcomer,
and he or she doesn't want to talk, it's time to get suspicious.
If you small talk long enough, the impostor will probably make
a slip. Also, the longer you chat, the more anxious a criminal
intruder will become.
This tip won't save you from a really good social engineer,
so please read Winkler's book!
You think Winkler's corporate penetrations were complex? He
typically needed only a few days of homework to pull them off.
In cyberspace there are far more complex social engineering scams.
More on social engineering --->
Back to the index of "Everything You
Wanted to Know About Social Engineering -- But Were Afraid to
Ask --->
