There was a time when breaking into buildings thrilled me. I can already hear you thinking: why would you want to break into buildings? Well, I have two good reasons for that. The first reason is Urbex Photography. The second reason is that companies paid me to check their security system by trying to bypass it. When you think about bypassing security systems it is easy to think about all the nice gadgets they have in the movies. Sure, there are some nice gadgets. But the real thing is climbing over walls, hopping over barbed wire and the always nice tool that is called lockpicking. However, the best tool that I use is social engineering.
But what is Social Engineering? When you use Social Engineering to access a building it basically means you will find a way to convince one or more of the employees to just let you in. This can be done in several ways; the most used ways are phone calls and e-mail. However, I normally prefer to approach the employees and just talk my way into the facility. With this blog post, I would like to spread awareness about the risks of social engineering. Therefore I will give an example situation showing the methods I used in previous situations. This will show how easy it is to become a victim of social engineering.
Before you are able to test the security of a company, you’ll have to do some research. The best way to do this kind of research is LinkedIn. And sure, you can use your own account for this; however, please note that in a real situation you will get a request from a fake account specially created for this task. It’s much easier when the LinkedIn account we are using has some connections in the same industry and has some referrals (you can just buy them for a dollar…). With this account, I would try to connect with some people that just started working at the company. The new hires are the easiest victims as they normally don’t know a lot of people inside the company yet. I would try to connect with a few people and just wait until one accepts me as their friend.
After one or two days it seems that somebody accepted my friend request and we are now buddies on LinkedIn. For this example, I will name her Bella, and since she decided that we are now friends on LinkedIn she is now my victim. From the moment the friend request is accepted, LinkedIn will provide me with more information about that person. That way it was easy to find Bella’s Facebook account and her Twitter account. Just like a lot of people, Bella has her Facebook on public mode, giving us full access to her feed. This gives us all the basic information like schools she used to go to, names of her parents, names of her kids and the names of her pets. On her Twitter, I noticed that she was assigned to a project that was falling really behind schedule.
Let’s read the above paragraph again, slowly. Did you notice that with a simple search I found out the names of her parents, kids, and pets? Do you know those annoying security questions websites ask you to answer in case you need a password reset? Yeah, those questions are normally things like your maiden name, the name of your pets or the name of your school. Please think twice before answering those questions with the real answers… It’s so easy to find the answer to those questions if you provide the real answer, just fake something… No one will know…
But let’s continue with our example. At this moment we have enough information about Bella to continue with the next step. Most people have their company phone number on their LinkedIn profile. However, if we used that number as the entry point, it would be too easy for Bella to find out that we are calling externally. Therefore I am just going to call the main number and most likely get the front desk. You could simply request to be forwarded to Bella from department X. This works 90% of the time, and the phone number Bella will see on her phone is the company’s phone number; she will most likely trust this. People tend to trust phone numbers they know, and when it seems to be an internal number there is a big chance this works.
When we get Bella on the phone we will use the entry point we found on Twitter. I will tell her that I am assigned to the project team and there will be a contractor coming by. This contractor needs to do some things in the office, and since we are already really really behind on schedule maybe she can give the tour. When you have done good research you will have enough information to convince her that this is a good plan. And you are calling with a company phone, why should she doubt you? Remember, she is newly hired. She won’t know all the people on the project team, and most likely she will feel stupid verifying the request. There is a big chance she thinks she doesn’t need to verify the request since the call is made by an internal number.
The next day the contractor would come by, but instead of a contractor, it would be me. Here comes the tricky part, since it’s easy to fuck up the situation when you are there in person. So always make sure you can play the part. This part starts with just going to the reception and asking for Bella to come down without giving them the feeling that something is wrong. When she gives the tour I would make sure I have a connection with her by using small talk. Maybe make a connection by stating that I would like to do whatever hobby she mentioned on Facebook. Yeah, I am such an evil person sometimes, I know. Just make sure she feels comfortable. At the moment Bella feels comfortable she is more likely to give you space, and when you play it well it will be easy after a while to walk around alone. If she doesn’t want to let you out of her sight then just say you need a bathroom break or something like that. Just remember here: when they trust you, you will get some space.
From that moment on the job is complete. When your supervision is gone you will be able to roam the building or at least the floor a little bit. The task companies normally give you is to get unaccompanied access to a secured and controlled area. Now you only need to prove this, so when you wander in the building it’s so easy to find an unlocked desktop PC and just check it a bit; copy some files to a USB drive. Every company I ever visited had classified files on the desk, and when you are alone it’s easy to just take a picture of those files or even put them in your bag. At that moment the job is really done. I can prove to the company I have done my tasks, and if I were a criminal I would already have installed a backdoor into the computer system or stolen some blueprints and/or classified e-mails.
The example I just gave would only take about two weeks to complete. And this makes you wonder: what can we do to prevent it from happening? Everybody already knows how to prevent it; we just don’t use it. When computers are locked they are safe; when a desk is clean there is nothing to find. When there is full supervision there is no room for wandering, but people tend to trust the situation and let their guard down. If she had double-checked the phone call, this would never have happened. If her Facebook feed weren’t open to everyone, it wouldn’t be that easy to find information that could be used to make her trust me.
But the best way to protect your company is creating awareness. This awareness can be created by giving your employees stories that clearly show how easy it is to become a victim. And Bella? Bella can be anyone. Anyone who lets his or her guard down can be victimized.