
Socially Engineering Myself into High Security Facilities - anarbadalov
https://motherboard.vice.com/en_us/article/qv34zb/how-i-socially-engineer-myself-into-high-security-facilities
======
madmax108
In my office complex, we have a bunch of security guards who _check_ badges of
people who enter the building (My building houses about 8-9 companies). If you
don't have a badge then the guard calls the office you claim to be part of to
ensure you have access, and then issues a temp badge.

A couple months ago, I forgot my badge at home, but didn't want to go through
the hassle of getting a temp badge, so I flashed my driver's license at the
guard (which is roughly the same size as my ID badge) and he simply waved me
through.

I told my colleagues this, and since then we have a silly game where we try to
get in using ridiculous cards. Most recently, we have people who have flashed
blood donation cards (a card that acknowledges that you donated blood on so
and so date), a credit card and a folded bookmark and successfully gotten into
the complex.

While this is a running joke, it really goes to show how lax manual security can
be (especially because once you are on my floor, you can easily tailgate your
way into my office).

TL;DR Most of our security systems work on implicit trust more than anything
else.

~~~
sharkweek
I wonder if the security guards probably notice but are more interested in
avoiding confrontation. I'd hate harassing someone who _probably_ won't cause
any trouble, and having to potentially get into an argument, where they'll
likely belittle my position and make me feel like a shitty person for doing my
job.

I was a bank teller during college, and would be occasionally berated by
people when I'd ask to check their ID when they were withdrawing money. I
always asked if they'd prefer I let anyone trying to take money out of their
account do so w/o checking photo ID. One guy swore he was going to get me
fired for not letting him take money out of his account because he forgot his
wallet at his desk.

~~~
lightbyte
Is that not the entire purpose of having the security guard though? If they
are uncomfortable doing their job maybe they need to find a new one.

~~~
andai
I was annoyed that security people are low in agreeableness, until I realized
_that's exactly the point._

~~~
blusterXY
Someone knows their Big-Five! :D

------
chx
The most secure building I've ever been in was one of the Giro buildings in
Budapest. All visitors must show ID and it is checked by professional guards,
doesn't matter who you are. They will call whoever you claim to be
visiting and verify. Next you get your visitor's badge. You can't get anywhere
with it but the given office. Where corridors cross, you have man traps and
your badge will only open the one direction you are allowed to go. This was a
converted building so they added sliding glass doors to the existing doors and
guess what, you need a badge to open any of those. To enter from the elevator
to a corridor again you have a man trap. Tailgate that. Visitor's bathroom is
outside of the secure area.

~~~
bostik
This sounds quite a lot like the setup at Bank of Finland.

It's been nearly 20 years since I visited, but they had access-pass-only doors
everywhere, and all visitors needed an escort at all times. (Helps that they
can't get anywhere without badges.)

In addition to all of the above, they had one final gem. Everywhere throughout
the offices, there is _always_ one route that gets you through one-way doors.
Open them from the inside, get through. Try going back, you need the badge.
All of these one-way routes eventually led to a single room. No furniture.
Always lit. And every square centimeter monitored with CCTV.

Essentially, if you ever found yourself inside the bank's office, all open
paths led to what was essentially a holding cell.

My host was understandably proud.

~~~
fmj
Is a setup like that legal in Finland? Although highly effective from a
security standpoint, I can't see a setup like that ever being allowed under US
fire codes.

~~~
buzer
I found the following note in a document titled "Turvalliset oven avausratkaisut
poistumisreiteillä" (roughly translates to "Safe door opening solutions in
exit routes"):

> Premises whose nature of operation requires the isolation of persons are not
> dealt with here. These sites are handled case by case with the rescue
> authorities.

Roughly that means that the document doesn't cover areas which require
isolating people and their safety should be discussed case-by-case with safety
officials, so it's likely they would require some similar measures as
there are in places like prisons.

------
interfixus
This was quite some years ago, I wonder how much has changed: As an employee
of a private company, I was asked to do some work at one of the major data
facilities of the Danish state. The place was - and still is - a huge,
sprawling mass of concrete, steel and glass, and was internally partitioned
into four concentric zones of supposedly escalating security, all fancy with
locked doors and card readers. I was expected to present myself at the front
desk in the reception area, but somehow, with my equipment on a trolley, and
sort of looking for directions, I slipped in behind someone back at a delivery
bay. And then just followed signs and color codes and various people through
various doorways. In no time at all my trolley and I were at our destination:
The holiest of holies, the central tape archive room (yes, it's that many
years ago). Got to work for probably about half an hour, not another soul in
sight, but in the end was interrupted by the chief of security himself,
bursting in with the grimmest of looks and the strangest of colors on his
face. Now, this fellow knew me, so no alarm sounded, but I _was_ urgently
desired to shut the fuck up and follow him out to reception, where I was
registered, issued my proper guest card and authorization, and solemnly
escorted back to the archive vault, deepest security, zone four.

~~~
andai
That's funny, usually once you're in, people assume you're supposed to be
there.

~~~
interfixus
Security chief very clearly knew I _wasn't_ supposed to be there. And that
making sure I wasn't was a major part of his job description.

------
pjungwir
When I read Kevin Mitnick's _Ghost in the Wires_, what impressed me was how
he'd _combine_ social engineering with technical hacks. For example even if
people _did_ call their boss or Kevin's alleged employer (the utility company,
a partner company, whatever), he would have set up their phone system to send
the call to himself. I'm sure that social engineering alone gets you a long
way, and I'm sure that Kevin was good at it, but when your electronic
communications aren't trustworthy you can really do a number on people! How
are you even supposed to defend against that?

~~~
001spartan
This is exactly why penetration testers and red teams do these types of
engagements. We like to emphasize that organizations need to assume they've
been compromised by someone, and they need to constantly keep that in mind
when they build security policies and technical controls. You can never keep a
determined attacker out, but you can limit the damage that they can do, and
make them spend more time getting in.

------
nopcode
Social engineering is easier as a woman than a man, at least that is what I
believe.

I know companies that perform social engineering tests like this and they try
to use their female colleagues for voice-based attacks as much as possible.

~~~
Jemmeh
From my personal experience I agree with this -- generally people are not as
threatened from how I look/sound and are not as quick to be suspicious. Same
goes for children, people think they are innocent, but in many places they are
used as part of scams for exactly that reason.

------
baursak
I wonder how much different the whole thing is just because pen-testers get
paid to do this by the same company, from somebody actually trying to do this
for real.

Getting caught for pen-testers means something completely different, I wonder
how that affects tactics.

~~~
fhood
Yeah, I was surprised by the picking locks part. That tends to be either loud
or slow, and either way nearly as incriminating if caught as it is possible to
be.

~~~
JshWright
Depends on the lock... A rake isn't that loud (could easily be covered by a
cough), and will defeat a lot of cheap interior locks pretty quickly.

~~~
DarronWyke
And if you straight up loid the lock, forget about noise. It's not all loud
noises from bumps or popping hinge pins out.

~~~
surge
Picking locks isn't like on TV. They aren't talking about bumping locks. Those
of us that do it as a hobby do it during meetings and barely anyone notices.
If you're making a lot of noise or voiding locks, you're almost certainly
doing it wrong. You're supposed to be gentle, with very little pressure, you
don't force it.

Most standard door and office locks, I've been able to pop in under 2 minutes.
They generally only have 4-5 pins, sometimes less, especially on the interior
office locks (maybe 3 in some cases). The whole reason my lock pick group does
tables at security conferences is to make people aware the locks are generally
not great and you want a lock that will slow someone down long enough that
even if they can pick it or bypass it, doing so would get someone's attention
or take so long that even after hours a security guard on routine scheduled
patrols would notice.

~~~
DarronWyke
I know all of this, I know how to pick locks.

Bumping is the most common attack as it requires relatively little skill and
the least amount of time (short of dynamic entry). And most common locks are
vulnerable to it, so that would include many office locks since they cheap out
on them.

Picking takes time, but if I can loid the latch or otherwise bypass the lock,
I can get through the door a lot faster than picking it. An Abloy or S&G lock
does you no good if your lock fitment is shit with your dead latch not
engaging.

------
scrumper
A very good lesson for the company, via a red-faced Mary. She'll share the
lessons from this experience widely I'm sure. Excellent that she wasn't fired.

Not to say that this is anything less than completely believable, but I wonder
why Mary's boss didn't check up on the cover story? I get that Sophie was able
to hack the usual social proof with Mary with her pregnancy sob-story, but
wouldn't her boss have asked who sent her?

~~~
Thriptic
A lot of large orgs have a very distributed decision making process where
decisions are made far outside of a specific chain of command. Frequently it's
unclear who you are even supposed to call to verify the identity of someone
that just shows up. It may take a while to even reach the right person and
while you are making those calls you aren't doing your work and you are
delaying the service this unknown person is theoretically there to provide.
What if this person is there legitimately, you piss them off or deny them
access, and then you get an angry call from someone several levels of
hierarchy above you blaming you for slowing down their project? No bueno.

You also can easily end up with a version of the bystander effect; if someone
is here then SOMEONE in the company must have validated them etc. In orgs I
have worked for in the past it would have been trivial for me to show up with
tools, claim to be from IT, and be given access to whatever I wanted
immediately.

~~~
scrumper
Thanks, that's a clear and plausible explanation.

------
sverige
The most fun I've had using social engineering was to get access to a database
that the pukes in the home office had locked up. Our boss' boss wanted access
to the raw data, but they wouldn't give it to us. My colleague and I tag
teamed them to figure out which server it was on and the names of the files,
then he was able to break into it. The boss was very pleased to be able to
provide the data as real-time on his boss' dashboard. Christmas bonuses all
around.

~~~
walshemj
Bit dangerous. I have worked for one telco where you had better hope that the
police get you first rather than our feared internal security team.

------
zitterbewegung
Good article about physical security and an intro to social engineering.

As an aside I think the easiest way to get into buildings which are associated
with a technology company like this would be to apply for a job there. At
worst you will be there for an hour. At best it would be eight hours. Also,
there is a lot of downtime in between interview(s) or even just plain waiting
on someone. You can get "lost" and if you get caught you could say "where is
the bathroom".

~~~
KGIII
We worked with other people's data and were contractually obligated to keep it
reasonably secure. You could get inside a building, but probably not one with
anything good in it.

To get into the server room you had to badge and code in and be visually
verified before exiting the man trap. Computers that were able to access any
of that were locked down and had no Internet. The network itself was locked
down, with multiple separate networks.

Entry into the building itself required badging and visual verification.

Notably, this was only one facility. You could walk right into the other
offices. I doubt anyone would have noticed. But, the secure office was pretty
secure. You could get in, but not by social engineering. That office was
pretty strict. Not even I could get in without my badge and visual
verification.

Well, you could but it would take a lot of work and money. You'd have had to
set yourself up as a potential client and we vetted client contacts and it
required approval for each guest. We'd call headquarters and verify you were
supposed to be coming, who you were, and things like that. We took no
unscheduled, unvetted, unknown guests. Not even my kids.

~~~
amorphid
I once worked for a hosting company. Getting in through the front of the data
center felt like going through an airlock on a spaceship with someone having
to verify your identity with 100% certainty at each gate. Going in the
backdoor just required waving an electronic key in front of a sensor with no
verification you were the key's assigned user, and tailgating was definitely a
possibility. Needless to say, a break in would likely have targeted the
backdoor. I think the front door was a performance put on for customers
getting a tour.

~~~
KGIII
You can physically break into any facility, if you have enough force. Social
engineering is a different problem.

In your case, no exiting the alarmed back doors for breaks. Breaks are taken by
exiting the front doors or in designated break areas.

There were no security doors that weren't manned. Positive identification was
required, as was approval. No exceptions.

We worked with proprietary data at that facility. Sometimes, we'd even have to
put a team at the customer's site. Once, I had to personally do all of it as
there were only two of us with government security clearances. For that, I had
to be on a military facility.

The latter being really, really silly. I can't be specific but it is fairly
well known that I modeled traffic. Yup... That's what I did and the USG
determined the data was marked at a higher level than FOUO.

------
archagon
My goodness, how does someone get into a job like this in the first place?
Start breaking into secure facilities until somebody notices you and gives you
a job?

~~~
tambienben
This is conjecture, but I imagine you need to be good at other skills in order
to gain attention from that kind of employer. The social engineering training
may come after.

------
EGreg
I find that casually yawning while walking by security guards has a great
effect. It communicates comfort and at the same time increases the cost of
interrupting your yawn. Having a card that looks like the badge they're
looking for casually in your hand helps also.

For getting into expensive clubs, I used a technique similar to this article.
I say that I want to check out the club for a birthday party, then the red
carpet gets rolled out.

Another way is to say that you left your credit card in there by the bartender
an hour ago, and if they can call someone... or you can just go and get it
yourself. And you are flying out or something. Never did this one though :)

------
bjacokes
Did she bother changing her voice on the phone vs. when she met Mary in
person? For familiar voices, it's often pretty easy to know who's speaking
even when they change their pitch or accent, but maybe it was practical to
assume that Mary wouldn't be able to notice a voice she'd only heard once on
the phone. Obviously this isn't a key part of the exploit since she could've
always gotten someone else to do the phone conversation, just wondering how
careful she needs to be with those sorts of details to avoid something going
wrong.

~~~
phailhaus
People can barely tell the difference between two pictures if you pause for a
second between showing each one. Being able to tell that two voices are the
same after hearing them days apart, once on a phone? I doubt she has to worry,
unless she has a distinct accent.

~~~
EGreg
Finding minute differences between pictures is a much harder problem than
matching voices to those you've heard before. In the second one there are lots
of possible heuristics you could use, and the attacker would have to prevent
all the most common ones at least.

~~~
phailhaus
They're not even minute differences. One example toggles between two pictures
of an airplane, with the second having the engines photoshopped out. Just a
one-second delay is enough to make it difficult to notice what changed.

Now of course it's easy if the two pictures (or voices) are completely
different. But who would be suspicious if the two voices sounded similar?

------
bllguo
A de-cluttered version:

[https://outline.com/saPHcb](https://outline.com/saPHcb)

~~~
fmx
Thanks for this! The animated GIFs all over the original page are really
distracting.

~~~
sogen
uh? gifs? it seems Safari blocked them

------
mythrwy
This story reads like a social engineering attempt itself.

As in, fully made up, never happened.

I realize the person is a pentest consultant. And before that they were a
journalist. As the story says, "trust but verify"? Which in this case I guess
it doesn't make enough difference to verify and the events "could" have
happened which is enough for the story. It just feels made up to me though.

------
erikb
Sorry, but this story didn't convince me. It was too straightforward and too
much focused on professional-sounding keywords and representing stuff as a
serious security risk that actually isn't.

What I can agree with is that in most companies you probably get in without
having files/id cards checked and that this may become a problem to that
company at some point.

~~~
walshemj
She doesn't say who the target was but high security with armed guards sounds
like it's what I would call a List X company in the UK. That is one that has
dealings with sensitive info.

------
fnord77
"Third, if it seems too good to be true, it probably is."

This story was mostly or all fictional.

------
munin
It often seems like the biggest con that physical pen testers pull on their
clients is convincing them to hire them in the first place. What's the threat,
exactly?

Let's say you do something like BeyondCorp. Gaining "network access" doesn't
mean anything any more, because you can "gain" "network access" from anywhere
in the world since it's all on the internet. Physical access shouldn't be the
perimeter, identity should be.

Is that a tall bar? Sure, but it's basically the bar. Instead of wasting money
on fancy pen-tests, put that money into the IT budget to get identity
management up to that point.

Next, is the risk really that someone will gamble a physical snoop into a
secure compound, where the possible negative outcomes are police custody and
prison time, for a score of a few thousand dollars, as Sophie mentions in the
article? Sure, that's a risk, hobos would cruise in and swipe a laptop off
someone's desk to sell it on eBay for booze money. Do you need to pay a
pentesting shop $80k to know that? No. And, the risk is basically the same as
if an employee takes home a laptop and their car is broken into. The fix is
the same too: encrypt everything at rest.

These are all basic lessons that you can learn by downloading a CISSP study
guide.

However, I think that there will always be failure points because what you
want to defend against this is a culture of security, and it's difficult to
instill that even when you work in an environment that is rightfully charged
with maintaining high security. It's boring and generates friction. If someone
shows up for an important meeting at a high security building and they forgot
their ID, the guards will not accept any amount of "do you know who I am"
because they know that when their supervisor is called in, they'll be backed
up. Everyone else knows this too, on some level, so there's much more of a
culture of "why didn't X happen?" "oh, there was a paperwork SNAFU somewhere
and security stopped us at the front door" "lol! typical! we'll try again next
week." That just wouldn't fly in the private sector: because the risk doesn't
weigh anywhere near as much as the reward for just cutting the corner and
doing it without the I's dotted and T's crossed.

So, sure. You can fast-talk your way past the rent-a-cop at the front desk of
the offices of an aluminum siding manufacturing plant and swipe some coffee
cups and staplers out of the supply closet, and you'll always be able to do
this...

~~~
salamancara
You’re testing a process end-to-end and identifying places where the policy is
either too cumbersome or ineffective. Sometimes it’s a training issue,
sometimes their processes just suck and need to be changed.

Physical access is enough to do a lot of damage. You could drop a 4G wireless
sniffer hidden in a wall wart. You can grab someone’s password off a post-it
note and then fish the RSA token out of their purse when they go to the
bathroom. Now you’ve defeated 2FA and have network access from the outside.
Just metasploit/nmap scan, find a vulnerable system and you’re in business.

Check out the Bash Bunny — it’s a quad core attack platform running Linux. It
looks like a USB drive, but emulates a whole bunch of different USB devices
(keyboards, cameras, displays, etc) paired with attack tools to break into the
system.

Basically, if you get network access, there are almost certainly
vulnerabilities somewhere. Imagine someone like the CIA who buys 0-day
exploits by the hundreds — physical access makes total pwnage inevitable.

~~~
walshemj
I got asked to do this for a FTSE 100 client (Rank) of ours and I managed,
from a standing start with physical access, to extract the secrets and
crack them.

------
callesgg
I see the entrance security as a deterrent rather than a foolproof security
system.

------
emodendroket
Maybe it's just me, but I find the presentation here quite distracting.

------
make3
every human can be a psychopath with the right incentive / motivation

~~~
jackweirdy
> Security in this office park is a joke. Last year I came to work with my
> spud-gun in a duffel bag. I sat at my desk all day with a rifle that shoots
> potatoes at 60 pounds per square inch. Can you imagine if I was deranged?

- Dwight Schrute

------
indigodaddy
So... Is this the job she's most proud of AND most ashamed of? I'm not sure if
that was elucidated, or just implicitly evident there...

~~~
jmagoon
> My frequently asked questions include:

> What break-in are you most proud of?

> What have you done for a test that you were the most ashamed of?

> What follows is the answer to both of these questions.

~~~
indigodaddy
Ah yes you're right of course. For some reason my mind immediately jumped to
assuming that two separate stories would follow.. should have re-read, thanks.

------
fapjacks
Well, you can buy Fedex, UPS, DHL, or AT&T employee shirts right off eBay
still in the packaging in basically any size you might need.

~~~
notyourday
Long time ago I worked in an interesting place that considered this attack. We
would not accept packages that we did not know about.

------
azaydak
I'm an engineer at my company but when people come to visit I always give them
an ocular patdown. It has never failed me.

------
amelius
So how do you deal with strangers who walk behind you when you enter the
building with your security card?

~~~
pbhjpbhj
Probably it should be dealt with structurally, a very small anteroom that only
allows access to one person and can't be entered (without obvious
force/misbehaviour) until the security door is locked again, like a turnstile
before the door. That makes it far more uncomfortable not to challenge someone
as they'd have to severely encroach your personal space to gain access.

------
jandrese
I hit the back button on that page and it had a dozen copies of the
article in the back buffer.

------
dsnuh
Oooh, try SwitchNAP in Las Vegas!

------
randyrand
the gifs are annoying, imo.

------
AdmiralAsshat
PLEASE let this godforsaken phase of gifs after every other paragraph come to
an end already. It makes yet another fascinating article basically unreadable.

~~~
yosyp
Safari "Show Reader View" gets rid of all those annoying gifs and makes the
formatting nice. Now I practically use it to read all web-based content.

~~~
justacat
My work's IT department also gets rid of those annoying gifs
automagically...along with less annoying images often related to my job.

------
SEJeff
The original version of this story was posted by Jek Hyde on twitter:

[https://twitter.com/HydeNS33k/status/920323236176556037](https://twitter.com/HydeNS33k/status/920323236176556037)

Her exact story with the same gifs was posted on the 17th.

Update: Thanks internet peeps for letting me know this is the same person.

~~~
rainwolf
The last line in the article refers to that very twitter account.

~~~
SEJeff
Updated, thanks!

------
codazoda
Great story. Those animated gifs, every paragraph, were killing me.

~~~
pwg
I have NoScript running in default deny mode, I saw blank white boxes where
these animated gifs should have been. The rest of the article was fully
readable, with no animation distractions.

~~~
mwrouse
Why would noscript block a gif...? I'm going to have to take a closer look at
how this website places the gifs there.

~~~
PhasmaFelis
There's quite a lot of news sites whose in-line static JPGs all vanish with
NoScript. I really have no idea what people think they're doing these days.

~~~
qkls
They use a static thumbnail image that is changed to a gif/webm when it loads.

------
pirocks
Story copy-pasted without the gifs:

Hello! My name is Sophie and I break into buildings. I get paid to think like
a criminal.

Organizations hire me to evaluate their security, which I do by seeing if I
can bypass it. During tests I get to do some lockpicking, climb over walls or
hop barbed wire fences. I get to go dumpster diving and play with all sorts of
cool gadgets that Q would be proud of.

But usually, I use what is called social engineering to convince the employees
to let me in. Sometimes I use email or phone calls to pretend to be someone I
am not. Most often I get to approach people in-person and give them the
confidence to let me in.

My frequently asked questions include: What break-in are you most proud of?
What have you done for a test that you were the most ashamed of?

What follows is the answer to both of these questions.

A few months ago, a client had hired me to test two of their facilities. A
manufacturing plant, plus data center and office building nearby.

First step: open source intelligence, or OSINT. I look at maps, satellite
images, study what I can of their delivery and supply schedules, and so on.

The manufacturing facility looked like a prison. No windows, heavy iron gates,
no landscaping. Generally a monstrosity of architecture.

This facility had armed guards, badge readers, biometric security controls and
turnstiles at every entrance.

I remember thinking, "It's got to be hell to work in there. I wonder if I can
use that…"

One thing was for sure… The chances of tailgating (following behind an
employee with valid credentials) into this building were next to non-existent.

I was going to have to get down and dirty with my social engineering.

First stop: LinkedIn. Your LinkedIn is my best friend. The more information
you have on your LinkedIn, the more options I have.

I have several fake LinkedIn profiles that you are probably connected to.

I scour profiles of employees who work at these facilities, and
cross-reference them to other social media sites. And I find a lovely young
woman who I'm going to call Mary.

Mary was a brand-new hire working as an assistant at the manufacturing
facility. Mary had a public Facebook account too.

On Mary's public Facebook account, she documented all of her family's
adventures.

Side note: Now I know where Mary went to high school, her mother's maiden
name, the names of her pets, etc.

Answers to those "security questions" you use to reset your passwords are very
easy to find if you aren't careful with that information.

Not to mention that now I know where Mary works, where her kids go to school,
where they vacation…I could go on. Scary stuff.

This is not an advanced investigation. I'm not a private investigator and I
don't have the resources of the NSA. But I can do a lot of damage with simple
methods.

Most notably to me, there were photos Mary posted of her time volunteering
with a certain maternity support center.

Her passion for children and caring new moms was very plain. So of course, I
took advantage of it.

For this assessment I played two roles. For the first, I spoofed my phone
number to make it look like it was coming from the company's headquarters.

I called the front desk of the manufacturing facility and was transferred to
Mary. "Hi Mary!" I said, "My name is Barbara."

"I am a project coordinator with facilities management. We are renovating a
few of our facilities. We are sending an interior designer out to you tomorrow
so she can put together proposals to update your space!"

Mary replied, "Well that's great! But why the short notice?" I could feel her
getting suspicious, so I pulled out my trump card…

_Sigh_ "Well Mary… You really should have heard from me sooner. I've just
been so overloaded at work…I feel like I can't catch up, and to top it off the
baby is due in 6 weeks. If my boss finds out I messed this up he's going to
flip."

I was really getting into this, voice shaking. (Yes, I know, I'm a terrible
human being.)

She cut me off, "Oh hunny, hunny it's ok. We will work this out! Tell me about
the baby! Is it your first? Boy or girl?!"

Our Mary was committed at this point. Not because she is stupid, but because
she is a good person. She wanted to help me.

We talked babies and birth plans for a while (never pick a pretext you can't
speak about at length.)

Mary took down the name of the "designer" who was coming by the next day and
we said our goodbyes. Mary could have saved her company a lot of heartache by
simply verifying that I was who I claimed to be. (Just to be clear here, I
would never give out Mary's real identity. I'm not totally heartless. This
could have happened to anyone. She has not been fired.)

I showed up the next day as "Claire" with a fictional architecture firm that I
had made business cards and a website for. My alter-ego Barb had done most of
the leg work for me. When I arrived, Mary and her boss were waiting for me
with smiles. I shook hands all around and handed them the business card I
printed out the night before. I was given a visitor badge and the red carpet
was rolled out.

I gained rapport with the staff there by asking them to tell me what they
wanted in an office space. They were so excited. I might have claimed to be on
the team that put together the Google offices… (Yes, I am HORRIBLE. This is my
inner demon child.)

"You want a standing desk? New chairs over here?! Ergonomic keyboards for
everyone! Let's look at swatches!"

We became best buds. I was given complete and unaccompanied access to the
facility where I stayed for several hours.

I gained network access and stole several thousands of dollars in physical
primitives by picking my way through cheap locks (credit to Deviant Ollam for
the rad lockpicking animations.)

This client had been pretty confident that I wouldn't get into either
facility, much less be able to hit both in a short time span. So the timeline
was left to my discretion, but it was assumed that I would need to fly to the
area twice.

I didn't see the need in burdening them with two round-trip expenses.

I went back to Mary's office and said, "Well I think I have what I need from
here. How do I get to the office center?"

She looked at her watch and said, "It's almost lunch time. I'll take you
there!" A whole group of us piled into the parking lot, and they took me to a
nearby taco shop. That's right. My Marks took me to get tacos… I love my job.

After lunch they drove me to the offices and a few of them came in with me to
show me around.

I took FOREVER looking around this office space, and eventually they said
their goodbyes because they had to go back to work. They had a strict policy
of escorting visitors. But I had been seen walking around with trusted
insiders so no one questioned me.

I was free to take my time. I made myself at home. My main objective at this
site was to weasel my way into private corner offices.

When I accomplished my goals, I tracked down my point of contact's office.
This is the man who hired me in the first place. This is the best part of
every job.

Steve was there, hard at work when I disturbed his groove by knocking on the
door. He glanced up, "Hi there, can I help you?"

I smiled. "Hi Steve! I'm Sophie from Sincerely Security. It's nice to meet you
in-person!"

I will never forget the look on his face… Pure gold. "Who?.... Wait, what?
How? How did you get in here?!"

We stayed in his office and talked for a long time. I went over exactly the
steps that could have prevented my success. First of all, the desire to help
others is human and natural. We don't want to discourage that.

Second, I'm sure they did have some sort of policy that required visitors to
check in showing government issued identification, but they weren't following
it.

We also need to post by every computer, phone and door: "TRUST, BUT VERIFY."

An employee who does their homework can ruin my day.

Third, if it seems too good to be true, it probably is.

Is your company going to hire the team who designed Google's offices? Magic 8
ball says no.

Lastly, the team who took me to the second location should have found someone
else to escort me through the building.

I've been doing this job for a couple years now, and almost every job is a
variant of this story. Very rarely do I go through an entire assessment
without some sort of social engineering.

There are ways to protect yourself and your company from attacks like this. I
think it starts by sharing stories like these, and educating and empowering
each other to be vigilant.

~~~
flashdance
You're an all-star. Thanks for this, the GIFS took up half my screen.

~~~
nkozyra
Do people enjoy reading in this format? Beyond being a bit passé at this
point, are these things ever even amusing? I know they interrupted the flow of
an interesting story here, but why are people still doing this?

~~~
rnhmjoj
Judging by the number of commenters here complaining or providing the cleared
text this format has definitely got old.

~~~
icebraining
Complainers always make more noise. I personally find it cute, a bit like
listening in person to a very expressive story teller.

I sympathize with the critics, by the way - I have gripes with plenty of
online content, even if not with this one. A button to enable the GIFs would
probably be best for everyone.

------
thearn4
The reaction gifs were a bit too distracting for me to finish the article.

~~~
tmm
I don't find them super distracting, but I do miss the days when you could hit
the ESC key and stop the animation loop.

That ability seems to have disappeared from browsers sometime between when the
spinning skulls and under-construction gifs stopped being popular and these
12-frame silent movies appeared.

~~~
shabble
I'm still using [https://addons.mozilla.org/en-US/firefox/addon/superstop/?sr...](https://addons.mozilla.org/en-US/firefox/addon/superstop/?src=api)
although it's not multiprocess-compat, which is a shame.

I can't remember if the FF webextension apocalypse will allow anything similar
in future.

------
stuxnet79
Not to add to the complaints but can somebody extract the text and post it
vanilla elsewhere without the gifs? Seems like a very interesting article
otherwise.

~~~
pwg
With NoScript installed in default deny JS mode, the gifs do not appear at
all, only blank white boxes where they would have been. In this case NoScript
made for a distraction free reading experience.

------
jaclaz
Hmmm, to me it sounds far too good/easy to be true.

~~~
emodendroket
The fact that it's easy is kind of the point.

~~~
jaclaz
>The fact that it's easy is kind of the point.

Still there are IMHO limits, this story appears to me "too easy".

From the article:

>The manufacturing facility looked like a prison. No windows, heavy iron
gates, no landscaping. Generally a monstrosity of architecture.

>This facility had armed guards, badge readers, biometric security controls
and turnstiles at every entrance.

The above implies that the firm is attempting to have a higher level of
security than most offices/factories.

I would have expected that the pentester had to do something more than what
she wrote.

I mean, you first put up some basic security/access policies, and later you
hire someone to test them.

And I cannot believe that:

>I gained network access and stole several thousands of dollars in physical
primitives by picking my way through cheap locks.

One thing is getting access to the premises, another one is managing to be
left alone and allowed to have network access, start lockpicking locks, etc.

~~~
001spartan
If you did this job, you would not be surprised by the ease with which you can
pull off these sorts of things. I've been doing this for a couple years now,
and it's terrifyingly easy to compromise data or physical security for
organizations that really should know better.

~~~
logfromblammo
You can pick office furniture locks with a binder clip and a paper clip, which
you can often find in the unlocked portions of the office furniture. The paper
clip is permanently disfigured in the process, but the binder clip can be put
back unharmed.

I know, because I have actually done this occasionally, to remind myself to
never leave anything valuable at the office. It can take less than 60 seconds
to go from empty-handed to an opened lock. A few more seconds to re-lock it
with your makeshift pick.

Cheap locks might as well not exist to a professional attacker. They barely
exist for an amateur motivated by curiosity or boredom.

Door locks are a bit more difficult, and may require more sophisticated tools,
but those are left unlocked more often, for the extremely ironic reason that
the employees that have greatest use for them typically don't have the keys.
The only keyed doors that ever get locked are upper management offices, the
office supply closet, and wherever it is they keep the sodas and snacks for
visiting customers.

As with online security, companies are only willing to pay for the _illusion_
of security. Genuine physical security is difficult, expensive, and wears
heavily on employee morale.

~~~
001spartan
That's very true. In many cases, that's even _perfectly fine_. Not every
organization needs enough physical security to deter a determined attacker.
The ones that do hire people like Sophie (or me), and take the lessons to
heart. Even if the organization doesn't make changes to their physical
security posture as a result, they know what to be aware of, and they know
where their weaknesses are.

A lot of our security--both network and physical--is based on the illusion of
security. One of the most important things that penetration testing does is to
make organizations aware of the issues, to put the bug in their ear to remind
them that security is important, and shouldn't be an afterthought. We see lots
of organizations make material improvements to their security as a result of
red team exercises. We also see a lot of organizations that don't. It's
disheartening when that happens, but I like to think I help make a difference.
The next data breach might be mitigated by our recommendations, or even
prevented entirely.

------
kylehotchkiss
I think the term "Social Engineering" is making this seem so fun and
technical, if we started using the words "fraud" or "identity theft", or
"impersonation", maybe companies and lawmakers can give it the legal and
enforcement attention this issue desperately needs.

Not a judgement of the article or Sophie, more just terminology which makes it
difficult for non-technical people to understand the gravity of these attacks.

~~~
shliachtx
She was hired to do this. As explained in the article, the company wanted to
test their own security. She is able to revel in her deception because it's
exactly what the company wanted from her.

~~~
jaclaz
>She was hired to do this.

To be fair, she _claims_ to have been hired ...

~~~
jwilk
If you don't believe her that she was hired, why believe the rest of her
story?

~~~
jaclaz
>If you don't believe her that she was hired, why believe the rest of her
story?

As a matter of fact I don't believe most of the rest of the story, and - for
some reason - I have been downvoted for expressing my doubt of it sounding
"too good/easy to be true":

[https://news.ycombinator.com/item?id=15517630](https://news.ycombinator.com/item?id=15517630)

Maybe I should have called it "not very plausible overall", as there is IMHO
too much contrast between the described "high security" context and the
extent of what the pentester has reportedly been allowed to do once she had
gained access.
