What's New!

Chat with

How to Defend
Your Computer 

The Guides
to (mostly) 
Harmless Hacking

Happy Hacker 
Digests (old stuff) 

Hacker Links 


Meet the 
Happy Hacksters 

Help for 



It Sucks 
to Be Me!

How to Commit
Computer Crime (not)! 

What Is a 
Hacker, Anyhow? 

Have a 
Great Life! 

News from the 
Hacker War Front

Everything You Wanted to Know about Social Engineering -- But Were Afraid to Ask...

Social Engineering Physical Access

Would a hacker be audacious enough to walk right into your home or office and compromise a computer from the console? You bet! And it can be amazingly easy to worm one's way into any facility.

Appeals to authority are an especially powerful social engineering tactic. George Koopman once told me how his Army Intelligence unit would test the security of US military bases in Korea. A sure fire tactic to get into restricted areas was to claim to be with the fire department. Who would stand in the way of a fire marshal's inspection team?

Ira Winkler reports that in another penetration test, "I decided that the best method for gathering information on-site was to pose as a supervisor for information security. Most people assume that security personnel require access to sensitive data."

Winkler started his penetration by simply enough. Because at this stage he had no company badge, he just wandered about the victim company's public, free access area. His goal - to find a company business card. He finally lifted one from a jar in the cafeteria where people had deposited them for a drawing. He took it to a print shop and requested copies of the card using a fake name and title.

He returned to the victim company and announced himself to the receptionist. She assumed his business card was valid, and gave him paperwork for a building pass. Winkler filled it out with fake everything. "Nobody… bothered to check the veracity of my form, which was typical when a temporary employee was involved."

Armed with his building pass and his business cards, he was able to go anywhere. And once you have physical access to a computer, you can always compromise it. It merely audacity - and the willingness of employees to assume that a stranger with a business card and building pass must be legitimate.

If you want to learn how to deflect social engineering penetrations of your company, I highly recommend Winkler's book.

In the meantime, here's a quick test for whether someone is legitimate: small talk. It's polite to do small talk, but it also serves a purpose. If you start chatting with some newcomer, and he or she doesn't want to talk, it's time to get suspicious. If you small talk long enough, the impostor will probably make a slip. Also, the longer you chat, the more anxious a criminal intruder will become.

This tip won't save you from a really good social engineer, so please read Winkler's book!

You think Winkler's corporate penetrations were complex? He typically needed only a few days of homework to pull them off. In cyberspace there are far more complex social engineering scams.

More on social engineering --->

Back to the index of "Everything You Wanted to Know About Social Engineering -- But Were Afraid to Ask --->

Carolyn's most
popular book,
in 4th edition now!
For advanced
hacker studies,
read Carolyn's
Google Groups
Subscribe to Happy Hacker
Visit this group

 © 2013 Happy Hacker All rights reserved.