In the December issue of Wired magazine there is a fascinating story written by Evan Ratliff. Evan wanted to see if he could disappear off the face of the earth for 1 month without anyone finding him. He also put up a $5,000.00 reward if anyone could find him. Wired covered the story from start to finish and also posted updates as people were tracking him down.
Wired Magazine also gave him small tasks to complete that would reveal his location but yielded a nice cash prize for Evan.
It's truly fascinating to hear how he socially engineered his way across the United States (and used our travel systems of railway and buses) without any form of government-issued identification. Just some fake business cards and a pre-paid credit card/gift card made out to his fake name.
Now you probably know already I am not much of a reader, but this 8-page, 10,000-word story kept me on the edge of my seat like some Tom Clancy inspired movie (I would say novel but I don’t read).
I don’t want to ruin the story for you, but trust me, it's WELL worth the read.
It also got me thinking back to the days when I did internet security for banks. A lot of people might not know that after I got my start with Internet Service Providers I fell into this “security” niche in the banking industry.
I would get paid to do a lot of attack and penetration testing, and most of the time that involved a lot of social engineering. Being good at social engineering is a great skill to have. It sure came in handy last year when I was able to socially engineer my wife and me into a Madonna concert and even got front row $1200.00 seats for free.
Most of it boils down to just acting “as if”.
It's so much fun breaking into banks… and not having the risk of getting caught.
I remember going to branches far away… waiting for someone to leave the parking garage and asking if they could please let me in because I forgot my badge… then sneaking into the bathroom and waiting until everyone left so I could go around to every computer and see what I could get into. Sometimes people left their computer unlocked… sometimes the IT guy accidentally left the CD-ROM/floppy on the computer and I could boot into admin mode and change the admin password, then get in. It was fun.
Remotely trying to break into the computer system was just as fun… and a little more creative.
But the rules were that I could not use anything that was not publicly accessible on the company's website. I won't use the company's name, but it would not be hard for you to figure out if you do a little bit of research on me.
First I would call a branch and act like an angry customer. I would not give out a name but insist on speaking to the branch manager. If they were not in I would ask for their name and cellphone number. Then when I got them on the line I would ask them for their district manager's name and phone number. I would keep asking for people's bosses' bosses until I hit an end. Sometimes you could get as far as a regional manager or even a VP.
Every time I would record the calls so I could listen to them later and write down all the info. It was important to have everyone's name, phone number, rank, and where they were from (branch numbers, region names, etc.).
Then I would visit the publicly accessible internet site and look up the phone number for their IT help desk.
When I called the help desk I would impersonate the branch manager. In a stern voice I would say something like, “This is Joe Johnson, branch manager of branch 85. I am having a problem dialing into the mainframe from my laptop. I have a pissed off customer and I need to get in now.” When they would ask me for any information I would stop them in their tracks and say, “Listen kid, I don’t have time for games. Understand my situation here. I've been trying to get in all morning and am at my wits' end. I need you to walk me all the way through it.”
To my amazement, oftentimes the helpful IT person would walk me through the entire process of dialing into the network. Everything from providing the phone number to dial in to, to giving me my username and resetting my password to something new. He would even go so far as to tell me what URL to access to get into account information.
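The call above succeeds because the help desk treats a confident voice and an urgent story as proof of identity. The control that breaks it is simple: hang up and call the claimed person back on the number already on record (never a number the caller offers, and never caller ID), and require the requester's own manager on the ticket before a dial-in credential is reset. Below is an added illustration of that decision logic written for this post; it is not the bank's process or the author's code. The directory entry, phone numbers and manager name are constructed placeholders (only the "Joe Johnson, branch 85" persona comes from the story), and pressure language is logged for review but never shortens the verification path.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Decision(Enum):
    DENY = "deny"
    CALLBACK_REQUIRED = "callback_required"
    APPROVED = "approved"


@dataclass(frozen=True)
class Employee:
    """Directory record (constructed). desk_phone is the number on record and
    the only number the desk may call back on."""
    name: str
    branch: int
    desk_phone: str
    manager: str


@dataclass(frozen=True)
class ResetRequest:
    claimed_name: str
    claimed_branch: int
    caller_supplied_number: str         # whatever number the caller asks to be reached on
    callback_reached_on: Optional[str]  # number the desk actually dialled and reached them on
    approved_by: Optional[str]          # manager who approved the reset ticket, if any
    transcript: str                     # what the caller said (constructed)


# Urgency/pressure phrases are logged for supervisor review; they never
# bypass a verification step.
PRESSURE_PHRASES = (
    "don't have time",
    "need to get in now",
    "walk me all the way through",
    "pissed off customer",
)


def assess_reset(req: ResetRequest, directory: Dict[str, Employee]) -> Tuple[Decision, List[str]]:
    """Decide whether a remote-access credential reset may proceed and return
    an audit trail explaining the decision."""
    audit: List[str] = []

    if any(p in req.transcript.lower() for p in PRESSURE_PHRASES):
        audit.append("pressure language in call; flagged for supervisor review")

    emp = directory.get(req.claimed_name.lower())
    if emp is None or emp.branch != req.claimed_branch:
        audit.append("claimed name/branch does not match the directory")
        return Decision.DENY, audit

    # Caller ID and any number the caller offers are under the caller's control.
    # Identity counts as verified only when the desk reached the number on record.
    if req.callback_reached_on != emp.desk_phone:
        audit.append(
            f"not verified: callback must reach {emp.desk_phone} (on record); "
            f"caller offered {req.caller_supplied_number}"
        )
        return Decision.CALLBACK_REQUIRED, audit
    audit.append("identity verified by callback to number on record")

    # A dial-in credential reset is a privileged change: it needs the
    # requester's own manager on the ticket, not just a verified identity.
    if req.approved_by != emp.manager:
        audit.append(f"remote-access reset requires approval by {emp.manager}")
        return Decision.DENY, audit
    audit.append(f"ticket approved by {emp.manager}")
    return Decision.APPROVED, audit


# Constructed directory: phone numbers and manager name are placeholders.
DIRECTORY = {
    "joe johnson": Employee("Joe Johnson", 85, "555-0100", "Pat Regional"),
}

# Constructed transcript modelled on the call described in the post.
TRANSCRIPT = ("This is Joe Johnson, branch manager of branch 85. I have a pissed off "
              "customer and I need to get in now. I need you to walk me all the way through it.")


def demo() -> List[Decision]:
    """Three constructed calls: no callback done, a callback to a number the
    caller supplied, and a callback to the number on record plus approval."""
    unverified = ResetRequest("Joe Johnson", 85, "555-0199", None, None, TRANSCRIPT)
    wrong_number = ResetRequest("Joe Johnson", 85, "555-0199", "555-0199", "Pat Regional", TRANSCRIPT)
    verified = ResetRequest("Joe Johnson", 85, "555-0100", "555-0100", "Pat Regional", TRANSCRIPT)
    results = []
    for req in (unverified, wrong_number, verified):
        decision, audit = assess_reset(req, DIRECTORY)
        results.append(decision)
        print(decision.value, "|", "; ".join(audit))
    return results


if __name__ == "__main__":
    demo()
```

The first two calls stop at CALLBACK_REQUIRED no matter how the caller sounds, because the only thing that moves a request forward is the desk reaching the phone that the directory, not the caller, says belongs to that manager. The audit list is what a supervisor would read afterwards to see which calls leaned on pressure and how far they got.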
This did not happen every time… I would say it had about a 10% chance of success actually.
And yes even though I was told I could not use anything that was not publicly accessible my knowledge of the system gave me an advantage over a hacker who was not familiar at all with the system.
But here is the scary thing… This company has hundreds of thousands, if not millions, of people who are familiar with their system… actually way more familiar than me. All you had to do was be a basic $10 teller to know your way around the system. Pretty wild.
Now that this company, like many others, has outsourced its help desk overseas, I wonder if it would be harder or easier to social engineer your way in?