

How to steal corporate secrets in 20 minutes: Ask - labboy
http://www.networkworld.com/news/2010/073110-how-to-steal-corporate-secrets.html

======
jonah
My experience just this afternoon: An unknown person approached me in the hall
of my office building and asked if I had a screwdriver. He said he'd just
moved in down the hall and had accidentally locked his keys and phone in when
he went to the restroom. He wanted to remove the cover on the mail slot so he
could reach in and open the door.

Being aware of social engineering hacks, and having just read this article, I
was slightly cautious, as I'd never seen him around. I knew the stakes were
pretty low, but I quickly came up with what I thought was a good enough way to
verify his story. Standing in front of the door, I asked for and dialed his
cellphone number. It rang inside, and I handed him the screwdriver.

Once inside, he was able to positively confirm he should be there. Of course
this is a pretty silly example, but also illustrates that it's often not that
hard to counter social attacks.

~~~
jeffffff
It's amazing how many locked doors/gates/entrances can be defeated by simple
tools. Who needs a key when a screwdriver or a wrench will do just fine? The
most common culprit is hinges on the outside.

------
chc
The corporate secrets are things anybody who's ever walked into the building
could determine. If your security is dependent on no one knowing what Web
browser you use or your SSID, the best course of action is to stock up on
Aspirin.

~~~
pbhjpbhj
"The corporate secrets are things anybody who's ever walked into the building
could determine."

If you work in a security conscious business then no unaccompanied persons
have access to computers; you can't walk in and sit at the desk and determine
what computer platforms are being used, say, in the finance section.

Also, they're getting people to visit a particular site of their choosing,
allowing malware to be dropped on the "right" combination of software (e.g.
open the PDF coupon and print it).

Where do you work that someone can walk in and install software on your
computers without being challenged? ("things anybody who's ever walked into
the building could [do]").

~~~
patio11
Getting into the building is a simple matter of putting on a business suit and
tailgating after an employee. Every company that has ever had a security
meeting has a rule against tailgating... and it is observed precisely nowhere.

After you're in, just look like you're supposed to be there. "Excuse me, I'm
here to have a meeting with Tim and I'm in a bit of a rush. I really hate to
ask this but I left my presentation at home and I don't know if the
presentation laptop will have Internet: will you mind if I quick use your
computer to go to Gmail and download it to my USB key?"

Relatedly, a white man in a business suit could probably get about as far as
the door of the Japanese equivalent of the Oval Office before getting
questioned for the first time. I am not confident that he would be stopped.

~~~
pbhjpbhj
>Getting into the building is a simple matter of putting on a business suit
and tailgating after an employee.

Well, I've only worked in one "corporate" environment: UK gov. There was no
chance of getting in without a pass; despite seeing the same security guy every
day for 3 years, one would still get stopped. All passes were checked, even
coming back from the canteen. Temporary passes required a manager to walk to
the entrance and sign you in on a day pass. Public access areas were separate
areas with no connection to the IT network, and leaving your computer unlocked
when you were away from your desk was not allowed. Like I said, this was the
lowest level of security.

I still think that getting computer info via social engineering would be quite
easy over the phone (at least when I was there). But we did get new SIP-style
phones just before I left, and I think caller display would rule out a lot of
chances for attacks.

There was a 1st-level clearance area with a daily-code door, clearance checks
for everyone (including the tea-trolley pusher), security cameras in and out,
and a receptionist/security person on duty opposite the door.

What you're describing appears to be that places without security protocols
don't have security.

------
Groxx
People are your #1 security hole. That's been true since... forever? People
_want_ to help, especially when the person they're trying to help seems
stressed. It takes quite a bit of work to teach people that there should be
limits to this in a corporate environment.

I love the contest setup, though. That adds a fun wrinkle to social hacking.

------
julius_geezer
What version of web browser? Damn, some day some black hat will invent the
user-agent header and we'll all be toast.

------
code_duck
Sure, that's exactly what Mitnick, for one, has emphasized. Social hacking is
often way more efficient and effective than technological hacking.

------
ascuttlefish
If you like this sort of thing, Johnny Long wrote an interesting book called
No Tech Hacking: A Guide to Social Engineering, Dumpster Diving, and Shoulder
Surfing (<http://www.amazon.com/No-Tech-Hacking-Engineering-Dumpster/dp/1597492159>).

------
ori_b
The information that they are obtaining here isn't sensitive at all, in my
opinion.

Yes, I'll gladly tell people what browser I use at work, what my wireless
network name is, and so on. This is nothing critical to security. I won't
discuss _actual_ secrets, but these aren't them.

~~~
jacquesm
If this were a sales conversation you'd be on the 'yes' ladder already. The
real issue is that you don't have to tell them - and shouldn't tell them -
anything. What information is useful to an attacker is something you don't
know, but they do.

------
RiderOfGiraffes
Different site, same article from hours ago:

<http://news.ycombinator.com/item?id=1563769>

------
chipr
The winner of the contest claims he had 20 hours of prep time to complete this
task so efficiently.

In other words... the title is very misleading.

------
lurchpop
Aw man. Is there video of it??

