Thursday, February 10, 2011

Social Engineering

When I lived in California, it was easy to get onto movie sets that were filming in public places. All you needed to do was look angry, wear a baseball cap and look like you belonged there. At the time, I also had a Nokia 100 cellphone, which looked like a giant walkie talkie.

Or even the NBC lot. I'd walk towards the gate purposefully, and then right before the gate, pull out my cell phone and pretend I'd just gotten a call. I'd gesture wildly and look a bit annoyed. I'd pause before the gate, continue my call. And then as someone was leaving, I'd end my fake call, grab the closing gate and walk through. The security guards were usually more interested in the cars. Hopefully by now they've firmed up security a little more.

But it's always been said that any security is only as good as the people. You can have a secured network, but if one guy can show up at the front desk, pretending to be from the phone company or exterminator, suggest that they're supposed to take a look at a problem in the security closet, usually that's all it takes. They are often even escorted back by someone trying to be helpful. Once inside, it's easy enough to plug in a small wireless device and tuck it among the cables and walk back out.

On Christmas Eve, I got a bunch of emails suggesting I'd requested to reset my password with Facebook. Only I hadn't. And my existing password has continued to operate without fail ever since.

Clever. I think it was a hack attempt. And it almost worked.

Think of it... you could do this for any site. Just send people a bunch of password reset emails. Include a link in every one that says "If you believe you received this in error, or you did not request a password reset, click here."

Click through to a site that looks like the real site, asks people to sign in to report the problem, and many, many would fall for it.
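One defensive check for the pattern described above, added here as an example and not part of the original post: pull every link out of a "password reset" email and flag the ones that do not go to the site the message claims to be from. The trusted domain, the naive two-label domain rule and the sample email are assumptions made for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption for this example: the only domain a genuine reset email should link to.
TRUSTED_DOMAINS = {"facebook.com"}

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registered_domain(host):
    """Naive registrable domain (last two labels); a real tool should use the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def suspicious_links(html_body, trusted=TRUSTED_DOMAINS):
    """Return [(href, reason)] for links a reset email should not contain."""
    collector = _LinkCollector()
    collector.feed(html_body)
    flagged = []
    for href, text in collector.links:
        url = urlparse(href)
        host = url.hostname or ""
        if registered_domain(host) not in trusted:
            # Catches look-alikes such as facebook.com.<attacker-domain> or bare IPs.
            flagged.append((href, "host %r is not a trusted domain" % host))
        elif url.scheme != "https":
            flagged.append((href, "trusted host but not https"))
        elif text.startswith("http") and (urlparse(text).hostname or "") != host:
            # Visible URL text disagrees with the real destination.
            flagged.append((href, "link text %r does not match href" % text))
    return flagged

# Constructed sample modelled on the message described in the post.
SAMPLE_EMAIL = """<p><a href="https://www.facebook.com/recover">Reset password</a></p>
<p>If you believe you received this in error, or you did not request a password
reset, <a href="http://facebook.com.account-help.example/report">click here</a>.</p>"""
```

Running `suspicious_links(SAMPLE_EMAIL)` flags only the "click here" link, because its host ends in an attacker-controlled domain even though it starts with facebook.com.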

Moral of the story: Be careful. Be suspicious. Delete unknown emails with prejudice.