do you log today...?
Introducing social engineering to the workplace
A while back I decided that I wanted to speak to the Loss Prevention District Manager about social engineering. I was a bit nervous about how it would make me look in the company's eyes if I showed them what I could do. I asked for suggestions in the bbs on how I should approach the company with my concerns. This is the story of what happened.
(As usual I have changed names, places, terminology, etc....)
I spent two weeks pondering every scenario of the conversation I wanted to have with the Loss Prevention District Manager (Charles). I mainly focused on the downside of how I thought the conversation would go. i.e. "Have you done this to the company before?", "Thanks for the info Isreal, I'll be keeping my eyes on you from now on you conspicious bastard." (That one may have been a bit over the top, but I just couldn't get it out of my head)
I called Charles from work one morning and asked if he could stop by the store before I left for the day. I told him that I wanted to discuss a possible security threat to the employees and he agreed to come in and speak to me. He arrived an hour later and we went to the security office to talk. Here's how the conversation went...
(I'm leaving out the beginning of the conversation which consisted of the usual "How have you been?" and other general conversation)
Charles: "So what is this security problem you wanted to talk about?"
Isreal: "Well to start, have you ever heard of something called social engineering?"
Charles: "It sounds somewhat familiar." (He seemed to be thinking hard about the term so I gave him a few seconds before I continued)
Isreal: "Social Engineering is a means by which a person can gain information by use of tricking an individual into freely giving it to them."
Charles still looked a bit puzzled
Isreal: "Let me give you an example. A social engineer could call this store and gain any information they wanted without much trouble. And I'm not talking about hours of operation or anything that is freely given, I'm talking about personal information about the employees of this company. (I said that last part in a very dramatic way)
Charles: "So you're saying that one of these "social engineers" could talk anyone here into telling them anything they wanted to know?"
Isreal: "Yes, and I'd be willing to show you how it's done if you are interested."
Charles: "Even though we are not supposed to give out a person's schedule over the phone, it does occasionally happen. I don't think that it's enough of a problem to get overly worked up about."
Isreal: "Charles, I'm talking about phone numbers, addresses, social security numbers, anything I wanted to know about someone. Would you like it if I called and got all that information on you? I doubt it, and I'm sure you'd be really upset if I used that info to get a credit card and have myself a shopping spree."
(Charles now looked concerned)
Charles: "That doesn't sound too good, but I really don't see how it could be done."
Isreal: "I'll show you in a minute, but first I'll point out that gaining an employees name is extremely easy considering the fact that we all wear name badges. Getting a last name is just as easy by asking another employee the last name of someone you point to and saying "I think I know her, what's her last name?".
He agreed that getting a full name would be fairly easy.
Isreal: "I also want you to not fire anyone I call for giving out the information. (He wasn't very agreeable to that) They are not trained for the tactics I'm about to use on them so it's technically your fault, and I'm pretty sure that I can call any personnel manager and get the information.
That one got his attention fully and he got a determined look on his face.
Charles: "You really think you can do this to anyone?"
Isreal: "The odds are in my favor."
Charles: "Fine, call Mary at 3220 (store number) and see if she passes the test.
I was guessing that Mary has been with the company a LONG time and has probably spent most or all of it in personnel. I smiled a bit at the challenge.
Isreal: "Ok, I'll need you to give me the first and last name of an overnight employee there."
Charles: "Why an overnighter?"
I didn't want to tell him that I have a bit of a fixation with overnight employees.
Isreal: (shrugging) "I don't know... Just the first thing I thought of."
He gave me the name Jackie McGeath. I dialed store #3220. When the girl answered, I told her I was Mark from "home office" and I needed to speak to Mary in personnel. She said "Right away sir" and put me on hold. I thought that was pretty funny and told Charles about it while I waited. He laughed a bit, but looked like he was processing everything at a very slow rate.
Mary: "Personnel, this is Mary. How can I help you?"
She sounded as thought she could be and older woman. I held the phone out so Charles could listen in as well.
Isreal: "Hi Mary, this is Mark in home office. How are you today?"
Mary: "Hi Mark, I'm doing great. We have a warm sunny day for a change so it's pretty nice. What's it like down your way?"
Isreal: "Well, the weathers pretty good today, but things here in the office are not in good shape at all. I'm gonna need your help for a few minutes."
Mary: "What's wrong?"
Isreal: "The guys that take care of the computers are saying that we got one of those viruses that tears up your computer."
Mary: (sounding worried) "OH NO"
Isreal: "I don't really know much about computer viruses, but I do know that some of the words coming out of that office would make a sailor blush."
I laughed and she joined in
Mary: "That sounds awful. I don't know anything about viruses either, but I hear about them on the news all the time. They sound terrible. So how can I help with it?"
Isreal: "Well from what the computer guys are telling me, the virus got in our personnel computers and erased some of the information we had on company employees. They gave me a list of names, and I have to call all these stores and get the information back in our computers. So I'm gonna need you to pull up a Jackie McGeath's information and get ready to answer a few questions. OK?"
Mary: "Sure Mark, anything I can do to help. Is her information still gonna be in my computer or will I need to get out her file?"
Isreal: "I don't have any idea, but just to be safe, you'd better go ahead and get her file to save some time. I still have to call 146 other stores today so my time is a bit limited."
Mary: "OK, I'll put you on hold and hurry up and get the file. I'll be right back."
She put me on hold and I rolled my chair away from Charles to get a good look at his face. He seemed to be in a state of shock. When Mary got back on the line, she gave me Jackie's home address, phone number (with alternate number), social security number, employee ID number, rate of pay, hire date, and number of dependants for tax purposes. I thanked her and hung up the phone.
Charles: "I can't believe that just happened."
Isreal: "That's why I brought it to your attention. I don't want my information getting out just like Jackie's did." (I tapped on the notebook that I had written the information down in)
Charles got a phone call on his cell and wound up having to leave. He said he would be having a meeting with all of the store managers in his district to discuss with them the best way to handle the situation. I told him I would be more than happy to help explain it to the managers if he needed me to. He said I would definitely be at that meeting and he thanked me again for pointing it out to him.
This just goes to show you that your information is not safe anywhere. Most people never think about their personal info being obtained through their jobs, but it can happen. Is information safe anywhere? I'd have to say no.
05/12/2002 - 05/19/2002
05/02/2004 - 05/09/2004
05/09/2004 - 05/16/2004
05/16/2004 - 05/23/2004
08/08/2004 - 08/15/2004