The Art of Deception


  • The Art of Deception

    http://www.nypress.com/19/16/news&columns/feature.cfm

    Interesting take. Two intruders end up at the production line of a helicopter plant since they end up being convincing to the security guards at the facility. The moral of this is to know and follow your procedural requirements and think about everything said around you.
    "We appreciate all the hard work you've done, the dedicated hours you have worked, and the lives you have saved. However, since this is your third time being late to work, we are terminating your employment here."

  • #2
    My man Kevin Mitnick. Feared hacker, security consultant, ex felon. I routinely preach social engineering defense. I offer to train conventional security personnel in information warfare awareness and social engineering defense, as well as Joe Corporate.

    This article is the exact thing I preach about. Everyone from the secretary to the janitor needs to be aware of information security, social engineering attacks, and how they fit into the information battlesphere. (I love those big words.)

    I have penetrated office buildings at night, during the day, etc. Sometimes on purpose, sometimes accidentally. With a little con and a little forethought, you can get deep. Passwords, names, contacts, etc....
    Some Kind of Commando Leader

    "Every time I see another crazy Florida post, I'm glad I don't work there." ~ Minneapolis Security on Florida Security Law



    • #3
      We get criminals who flee from LE and jump our fence thinking they're safe to hide out in our factory. They promptly learn that 1) we will slap the cuffs on you just as quick and 2) we will gladly allow PD in to hunt for you.



      • #4
        Originally posted by 1stWatch
        .....
        Interesting take. Two intruders end up at the production line of a helicopter plant since they end up being convincing to the security guards at the facility. The moral of this is to know and follow your procedural requirements and think about everything said around you.
        Actually, this guard did exercise due diligence in trying to authenticate the "visitors." This is what he did right:

        * Observed the two w/o ID
        * Stopped them and asked for ID. Refused to be distracted by small talk.
        * Requested that they accompany him to the security office.
        * Verified that the contact information was on-file in the computer.
        * Actually contacted a company representative.

        His only mistake was letting the visitor take over the phone. The problem is that clients DO NOT want their employees and visitors to feel like they are in a level 4 correctional facility. There is a fine line between enforcing security rules to the letter of the law and not irritating the client.

        If the client REALLY wants a no exception policy and backs you up on it, then all well and good. Most put it in writing, but DO want you to be balanced and use common sense. It's a catch 22 sometimes.
        Security: Freedom from fear; danger; safe; a feeling of well-being. (Webster's)



        • #5
          This is why social engineering works so well, nobody cares about security except the contract guard. "Oh, why are you bothering me, he obviously works here. Good night."

          Next morning: "Well, how am I supposed to know?! It was 4 AM. Don't you have some kind of book or log or something of who works here?"
          Some Kind of Commando Leader

          "Every time I see another crazy Florida post, I'm glad I don't work there." ~ Minneapolis Security on Florida Security Law



          • #6
            Originally posted by N. A. Corbier
            This is why social engineering works so well, nobody cares about security except the contract guard. "Oh, why are you bothering me, he obviously works here. Good night."

            Next morning: "Well, how am I supposed to know?! It was 4 AM. Don't you have some kind of book or log or something of who works here?"
            I can tell you've been there before.
            Security: Freedom from fear; danger; safe; a feeling of well-being. (Webster's)



            • #7
              Originally posted by N. A. Corbier
              My man Kevin Mitnick. Feared hacker, security consultant, ex felon. I routinely preach social engineering defense. I offer to train conventional security personnel in information warfare awareness and social engineering defense, as well as Joe Corporate.
              This article is the exact thing I preach about. Everyone from the secretary to the janitor needs to be aware of information security, social engineering attacks, and how they fit into the information battlesphere. (I love those big words.)
              I have penetrated office buildings at night, during the day, etc. Sometimes on purpose, sometimes accidentally. With a little con and a little forethought, you can get deep. Passwords, names, contacts, etc....
              Like this?



              • #8
                Originally posted by wilrobnson
                Sir, would you mind coming with us? We'd like your help in clearing up a few matters.
                Security: Freedom from fear; danger; safe; a feeling of well-being. (Webster's)



                • #9
                  We have seen similar cons to this. One that is going now is that the security office's phone number for residents is public, so people have been calling in pretending to be homeowners putting their visitors (really themselves) on the guest list.
                  This changed because the homeowners association got word about it so a unique code number has now been assigned to each residence. If you don't know your code number then we won't allow you to add anyone to the guest list when you call in. Sad thing is this is being foiled now by the same cons, because certain jerk homeowners have given out their pass codes to other people too! But at least I am aware that this is going on. I report suspicious cases to the homeowners association. And they warn the homeowners don't give out your pass code because you're liable for the damage caused by your guests!



                  • #10
                    Originally posted by The_Mayor
                    ..... And they warn the homeowners don't give out your pass code because you're liable for the damage caused by your guests!
                    It will be interesting to see if they ever enforce that. Sometimes, the association is just blowing smoke. At one condominium complex, non-residents are dumping trash and bulk items into the large dumpsters. They avoid paying refuse p/u charges that way.

                    The association put up huge signs warning that such areas are under CCTV surveillance, and violators would be prosecuted. Word soon got around that there isn't any CCTV and no one has ever been charged, let alone convicted. So, it's business as usual.
                    Security: Freedom from fear; danger; safe; a feeling of well-being. (Webster's)



                    • #11
                      I really do not know the fine particulars of the contracts homeowners sign, but I do recall that a homeowner had to pay for a light post to be repaired because a guest of hers (friend of her son) backed into it or hit it somehow. I don't know if it is enforceable, but it is good to blow smoke, and scare them into thinking they are liable, we got to be a little deceptive too.



                      • #12
                        Originally posted by The_Mayor
                        I really do not know the fine particulars of the contracts homeowners sign, but I do recall that a homeowner had to pay for a light post to be repaired because a guest of hers (friend of her son) backed into it or hit it somehow. I don't know if it is enforceable, but it is good to blow smoke, and scare them into thinking they are liable, we got to be a little deceptive too.
                        Absolutely. People are always trying to find some way to 'beat the system.'
                        Security: Freedom from fear; danger; safe; a feeling of well-being. (Webster's)



                        • #13
                          Originally posted by Mr. Security
                          Actually, this guard did exercise due diligence in trying to authenticate the "visitors." This is what he did right:

                          * Observed the two w/o ID
                          * Stopped them and asked for ID. Refused to be distracted by small talk.
                          * Requested that they accompany him to the security office.
                          * Verified that the contact information was on-file in the computer.
                          * Actually contacted a company representative.

                          His only mistake was letting the visitor take over the phone. The problem is that clients DO NOT want their employees and visitors to feel like they are in a level 4 correctional facility. There is a fine line between enforcing security rules to the letter of the law and not irritating the client.

                          If the client REALLY wants a no exception policy and backs you up on it, then all well and good. Most put it in writing, but DO want you to be balanced and use common sense. It's a catch 22 sometimes.
                          Here's what he did wrong:
                          * Did not speak initially to the company representative himself.
                          * Let the suspect hang up the phone.
                          * Let the suspect walk away with the assumption what was said on the phone was in his favor.
                          * Did he follow up on the location of the suspect?
                          * Was the suspect removed from the building?
                          * Was a trespass warning issued?
                          * Was the suspect arrested?

                          Given the facts presented in this case, this person very well may have been an arsonist or a bomber, not just someone there to steal trade secrets or company property.
                          "We appreciate all the hard work you've done, the dedicated hours you have worked, and the lives you have saved. However, since this is your third time being late to work, we are terminating your employment here."



                          • #14
                            Originally posted by wilrobnson
                            I love ezines like this. I think I've been here before. I remember the old BBS files on it, too.
                            Some Kind of Commando Leader

                            "Every time I see another crazy Florida post, I'm glad I don't work there." ~ Minneapolis Security on Florida Security Law



                            • #15
                              Originally posted by 1stWatch
                              Here's what he did wrong:
                              * Did not speak initially to the company representative himself.
                              That's not what the article said: "Leroy called
                              Originally posted by 1stWatch
                              * Let the suspect hang up the phone.
                              * Let the suspect walk away with the assumption what was said on the phone was in his favor.
                              Already included when I said: 'Let the visitor take over the phone.'

                              Originally posted by 1stWatch
                              * Was the suspect removed from the building?
                              * Was a trespass warning issued?
                              * Was the suspect arrested?
                              Not an option until he knew that the visitor was trespassing. Of course he didn't know because he let the visitor take over the phone, which was his mistake.
                              Security: Freedom from fear; danger; safe; a feeling of well-being. (Webster's)
