Announcement

N. A. Corbier · 04-22-2006, 12:39 AM

My man Kevin Mitnick. Feared hacker, security consultant, ex felon. I routinely preach social engineering defense. I offer to train conventional security personnel in information warfare awareness and social engineering defense, as well as Joe Corporate.

This article is the exact thing I preach about. Everyone from the secretary to the janitor needs to be aware of information security, social engineering attacks, and how they fit into the information battlesphere. (I love those big words.)

I have penetrated office buildings at night, during the day, etc. Sometimes on purpose, sometimes accidently. With a little con and a little forethought, you can get deep. Passwords, names, contacts, etc....

Michael Ledgerwood · 04-22-2006, 12:50 AM

We get criminals who flee from LE and jump our fence thinking their safe to hide out in our factory. They promptly learn that 1 we will slap the cuffs on you just as quick and 2 we will gladly allow pd in to hunt for you.

Mr. Security · 04-22-2006, 09:41 AM

Originally posted by 1stWatch

.....
Interesting take. Two intruders end up at the production line of a helicopter plant since they end up being convincing to the security guards at the facility. The moral of this is to know and follow your procedural requirements and think about everything said around you.

Actually, this guard did exercise due diligence in trying to authenticate the "visitors." This is what he did right:

*Observed the two w/o ID
* Stopped them and asked for ID. Refused to be distracted by small talk.
* Requested that they accompany him to the security office.
* Verified that the contact information was on-file in the computer.
* Actually contacted a company representative.

His only mistake was letting the visitor take over the phone. The problem is that clients DO NOT want their employees and visitors to feel like they are in a level 4 correctional facility. There is a fine line between enforcing security rules to the letter of the law and not irritating the client.

If the client REALLY wants a no exception policy and backs you up on it, then all well in good. Most put it in writing, but DO want you to be balanced and use common sense. It's a catch 22 sometimes.

N. A. Corbier · 04-22-2006, 10:05 AM

This is why social engineering works so well, nobody cares about security except the contract guard. "Oh, why are you bothering me, he obviously works here. Good night."

Next morning: "Well, how am I supposed to know?! It was 4 AM. Don't you have some kind of book or log or something of who works here?"

Mr. Security · 04-22-2006, 10:08 AM

Originally posted by N. A. Corbier

This is why social engineering works so well, nobody cares about security except the contract guard. "Oh, why are you bothering me, he obviously works here. Good night."

Next morning: "Well, how am I supposed to know?! It was 4 AM. Don't you have some kind of book or log or something of who works here?"

I can tell you've been there before.

Guest · 04-22-2006, 11:16 AM

Originally posted by N. A. Corbier

My man Kevin Mitnick. Feared hacker, security consultant, ex felon. I routinely preach social engineering defense. I offer to train conventional security personnel in information warfare awareness and social engineering defense, as well as Joe Corporate.
This article is the exact thing I preach about. Everyone from the secretary to the janitor needs to be aware of information security, social engineering attacks, and how they fit into the information battlesphere. (I love those big words.)
I have penetrated office buildings at night, during the day, etc. Sometimes on purpose, sometimes accidently. With a little con and a little forethought, you can get deep. Passwords, names, contacts, etc....

Like this?

Mr. Security · 04-22-2006, 12:13 PM

Originally posted by wilrobnson

Like this?

Sir, would you mind coming with us? We'd like your help in clearing up a few matters.

Guest · 04-22-2006, 03:43 PM

We have seen similiar cons to this. One that is going now, is that the security office's phone number for residents is public so people have been calling in pretending to be homeowners putting their visitors (really themeselves) on the guest list.
This changed because the homeowners association got word about it so a unique code number has now been assigned to each residence. If you don't know your code number then we won't allow you to add anyone to the guest list when you call in. Sad thing is this is being foiled now by the same cons, because certaing jerk homeowners have given out their pass codes to other people too!

But at least I am aware that this is going on. I report suspicious cases to the homeowners association. And they warn the homeowners don't give out your pass code because your liable for the damage caused by your guests!

Mr. Security · 04-22-2006, 03:59 PM

Originally posted by The_Mayor

..... And they warn the homeowners don't give out your pass code because your liable for the damage caused by your guests!

It will be interesting to see if they ever enforce that. Sometimes, the association is just blowing smoke. At one condominium complex, non-residents are dumping trash and bulk items into the large dumpsters. They avoid paying refuse p/u charges that way.

The association put up huge signs warning that such areas are under CCTV surveillance, and violators would be prosecuted. Word soon got around that there isn't any CCTV and no one has ever been charged, let alone convicted. So, it's business as usual.

Guest · 04-22-2006, 04:26 PM

I really do not know the fine particulars of the contracts homeowners sign, but I do recall that a homeowner had to pay for a light post to be repaired because a guest of hers (friend of her son) backed into it or hit it somehow. I don't know if it is enforceable, but it is good to blow smoke, and scare them into thinking they are liable, we got to be a little deceptive too.

Mr. Security · 04-22-2006, 04:31 PM

Originally posted by The_Mayor

I really do not know the fine particulars of the contracts homeowners sign, but I do recall that a homeowner had to pay for a light post to be repaired because a guest of hers (friend of her son) backed into it or hit it somehow. I don't know if it is enforceable, but it is good to blow smoke, and scare them into thinking they are liable, we got to be a little deceptive too.

Absolutely.

People are always trying to find some way to 'beat the system.'

1stWatch · 04-22-2006, 07:47 PM

Originally posted by Mr. Security

Actually, this guard did exercise due diligence in trying to authenticate the "visitors." This is what he did right:

*Observed the two w/o ID
* Stopped them and asked for ID. Refused to be distracted by small talk.
* Requested that they accompany him to the security office.
* Verified that the contact information was on-file in the computer.
* Actually contacted a company representative.

His only mistake was letting the visitor take over the phone. The problem is that clients DO NOT want their employees and visitors to feel like they are in a level 4 correctional facility. There is a fine line between enforcing security rules to the letter of the law and not irritating the client.

If the client REALLY wants a no exception policy and backs you up on it, then all well in good. Most put it in writing, but DO want you to be balanced and use common sense. It's a catch 22 sometimes.

Here's what he did wrong:
* Did not speak initially to the company representative himself.
* Let the suspect hang up the phone.
* Let the suspect walk away with the assumption what was said on the phone was in his favor.
* Did he follow up on the location of the suspect?
* Was the suspect removed from the building?
* Was a trespass warning issued?
* Was the suspect arrested?

Given the facts presented in this case, this person very well may have been an arsonist or a bomber, not just someone there to steal trade secrets or company property.

N. A. Corbier · 04-22-2006, 07:47 PM

Originally posted by wilrobnson

Like this?

I love ezines like this. I think I've been here before. I remember the old BBS files on it, too.

Mr. Security · 04-22-2006, 08:39 PM

Originally posted by 1stWatch

Here's what he did wrong:
* Did not speak initially to the company representative himself.

That's not what the article said: "Leroy called

Originally posted by 1stWatch

* Let the suspect hang up the phone.
* Let the suspect walk away with the assumption what was said on the phone was in his favor.

Already included when I said: 'Let the visitor take over the phone.'

Originally posted by 1stWatch

* Was the suspect removed from the building?
* Was a trespass warning issued?
* Was the suspect arrested?

Not an option until he knew that the visitor was trespassing. Of course he didn't know because he let the visitor take over the phone, which was his mistake.

Announcement

The Art of Deception

The Art of Deception

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

300x250

Channels

Mid 300x250

Leaderboard