Close
  • Latest News
  • Artificial Intelligence
  • Video
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Artificial Intelligence
  • Video
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Cybersecurity
    • Cybersecurity

    Tales of a Professional Social Engineer

    Written by

    Larry Seltzer
    Published April 7, 2005
    Share
    Facebook
    Twitter
    Linkedin

      eWEEK content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

      Jim Stickley robs banks, government offices and other allegedly secure locations. And he does it the unorthodox way.

      Stickley doesnt go in like Edward G. Robinson with a Tommy gun. He gets you to like him and trust him and leave him alone while he steals your confidential information and other assets that you should be guarding unceasingly. His is a field that has come to be known as social engineering.

      /zimages/7/28571.gifRead more here about social engineering.

      His firm, Trace Security Inc., is hired by organizations like banks to test the security of their offices the only right way there is, by challenging it. Faceless National Bank will hire him to see if the Podunk branch is paying attention to security policy. The bank may even say, “Go in and try to steal these specific corporate account records.”

      If you got an e-mail that appeared to be from your boss or from headquarters telling you to expect a visitor, an exterminator, for example, would you let them in the door? Of course you would. But its not too hard to fake a situation like that. Consider one way it might be done:

      • Its easy to determine who works in the branch. Sometimes its on the Internet, or you can just walk in and look at the names on the desks and badges. The names of people at headquarters are often as available on the Internet.
      • The social engineering team sends innocuous probe e-mails to some of these people in a variety of styles, like [email protected] and [email protected] and so on to determine what everyones address is.
      • Then the team registers a one-off domain name like facelessnationa1.com (notice the 1 at the end instead of an l).
      • When an e-mail comes in from the regional VP @facelessnationa1.com saying, for example, that an exterminator is coming, people are likely not to notice. And in fact, the “from” address of the message can actually say facelessnational.com with an “l” since thats easy to spoof, but if someone were suspicious enough to check headers they would quite possibly miss the “1.”

      Once the teams in the door and says they have to go around setting traps, the proper procedure should be to escort them anywhere and everywhere they go. Dont leave them out of your sight. When they crouch down under someones desk near the back of the computer, look at what they are doing, because if its Stickley hes probably installing a data-thieving dongle on the computer, which he intends to retrieve when he comes back to “check the traps.” Other favorite scams are air conditioning tech and fire marshal.

      Of course, Stickley really does leave some cheap glue traps, but he probably installs more pests than hell ever take away. And dont leave him alone in the computer center because hell probably walk out with the server backups tapes, the ultimate grand prize of such expeditions, since they contain mountains of sensitive data and are likely unencrypted.

      Next Page: Reminiscent of “Oceans Eleven.”

      Page 2

      This is just one of the schemes Stickley and his merry band will use. Its all very reminiscent of “Oceans Eleven” and requires the attacker to be a great liar and cool under pressure. And such attackers always carry an authorization document from someone in authority in case they arouse suspicion, which Stickley insists is not very often.

      When it happens its because someone was assiduous at following procedure, a trait that often goes unappreciated or even ridiculed in normal circumstances. If you were in charge, would you assign one of your people to follow the exterminator around?

      Its also worth mentioning that large financial institutions like banks usually have internal security groups that do audits to cover situations like this, but I dont think they often get as creative as Trace Security.

      Stickley also engages in the more common remote forms of social engineering of the Kevin Mitnick variety. If you got a call from the development group at headquarters and they asked you, for test purposes, to sign in to the new development Web site at dev-facelessnational.com, would you? You might, and then theyd have your log-in credentials. (Its in cases like this that two-factor authentication is useful, but its still not universal.)

      Stickley also will e-mail e-greeting cards to users that attempt to use Windows vulnerabilities to install malware that gives him a backdoor to the system.

      Do you want to worry about threats like Stickley every day while youre trying to get your job done? No, and neither do I. But unfortunately human failings are at the heart of most security breaches. In the end, the moral is that it can happen to you. Dont be complacent because youre in a big company that has security policies and even a budget for it. Dont think that because youre in a small company that you can fly under the radar. The Internet has made it too easy to attack anyone, and even small banks have money in them.

      Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

      Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.

      More from Larry Seltzer

      Larry Seltzer
      Larry Seltzer
      Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement— He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.

      Get the Free Newsletter!

      Subscribe to Daily Tech Insider for top news, trends & analysis

      Get the Free Newsletter!

      Subscribe to Daily Tech Insider for top news, trends & analysis

      MOST POPULAR ARTICLES

      Artificial Intelligence

      9 Best AI 3D Generators You Need...

      Sam Rinko - June 25, 2024 0
      AI 3D Generators are powerful tools for many different industries. Discover the best AI 3D Generators, and learn which is best for your specific use case.
      Read more
      Cloud

      RingCentral Expands Its Collaboration Platform

      Zeus Kerravala - November 22, 2023 0
      RingCentral adds AI-enabled contact center and hybrid event products to its suite of collaboration services.
      Read more
      Artificial Intelligence

      8 Best AI Data Analytics Software &...

      Aminu Abdullahi - January 18, 2024 0
      Learn the top AI data analytics software to use. Compare AI data analytics solutions & features to make the best choice for your business.
      Read more
      Latest News

      Zeus Kerravala on Networking: Multicloud, 5G, and...

      James Maguire - December 16, 2022 0
      I spoke with Zeus Kerravala, industry analyst at ZK Research, about the rapid changes in enterprise networking, as tech advances and digital transformation prompt...
      Read more
      Video

      Datadog President Amit Agarwal on Trends in...

      James Maguire - November 11, 2022 0
      I spoke with Amit Agarwal, President of Datadog, about infrastructure observability, from current trends to key challenges to the future of this rapidly growing...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2024 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×