Don’t Talk to Strangers – version 2.0

October 16th, 2013 by Garrett Baltezegar

One of the most interesting topics in the security field is social engineering.  It’s a type of attack that’s been around for years, and can defeat just about any form of security that can be implemented in a device.  A social engineering attack is not overly complicated to carry out: it largely relies on an attacker’s people skills!

Consider the following scenario…  A company I once worked for was contracted by an organization to redesign its network infrastructure.  During this process, I was tasked with going around to all of the computers (a few hundred) on site to manually install the latest version of an anti-virus program.  I wasn’t wearing a uniform or anything with a logo identifying me while I was there.  I also didn’t have keys to the offices or rooms, which meant I had to either ask someone to open the door for me, or have a member of the organization’s IT department follow me around.  I chose to try my luck by asking.  As I went around to each office and room, I introduced myself by saying, “Hi, my name is Garrett, and I’m with the IT department.  Whenever it is convenient for you, I need to update your computer with the latest anti-virus.”  I never presented an ID or offered to prove who I said I was, yet I was given access to every computer I asked about.  That includes the “Admin” offices.  I was able to access the President’s and Accountants’ offices and computers without any opposition.  Had I been an attacker, this could have been a catastrophic incident for the organization!  Only twice did someone walk down the hall to call and check with the IT department because they didn’t recognize me.  This was an ineffective measure, because in less than a minute, I could have done everything I needed to initiate an attack on their systems.

The whole idea here is that it doesn’t take someone with any real knowledge of your computer system to get into it if you give them what they want when they ask for it!

How would you defend against social engineering?  First, make sure you know who is accessing your computer.  Oftentimes in large organizations the employees in the IT department are unfamiliar to other employees.  It is very important to verify the identity of anyone asking for access to your computer, even if they are in a hurry or seem to be bothered by your request.  It’s better to err on the side of caution here, and the head of the IT department should recognize that you have the company’s security in mind by doing so.  Second, don’t give out information to anyone on the phone if you aren’t 100% certain of their identity.  No matter how nice they sound, you must exercise caution in the information you give out, even if it seems innocuous.  Just last year, a Wal-Mart store manager was tricked into giving out information such as payroll schedules and the name of the contracted cleaning company in a demonstration by an ethical hacker – all over the phone without any previous interaction with the hacker!

Hopefully by now you see just how important it is to exercise caution when you are interacting with people you don’t know.  It’s just like mom always said (sort of), “don’t talk to strangers who want access to your computer or information.”