Chapter 1. Social engineering

The ultimate low tech hacking threat

Information in this chapter
• How Easy Is It?
• The Mind of a Social Engineer
• The Mind of a Victim
• Tools of the Social Engineering Trade
• One of My Favorite Tools of the Trade
• Social Engineering Would Never Work against Our Company
• What Was I Able to Social Engineer out of Mary?
• The Final Sting—Two Weeks Later—Friday Afternoon
• Why Did This Scam Work?
• Let's Look at a Few More Social Engineering Tools
• Let's Look at That Telephone Butt-in Set on My Tool Belt
• Meet Mr. Phil Drake
• Meet Mr. Paul Henry
• Do You Have a Guest User of Your Credit Card?
• A Few Possible Countermeasures
Social engineering is not a new phenomenon. Yet, it is still one of the most effective outsider-insider threats to any security plan. Despite valiant attempts by corporations to manage risk by not becoming victims of social engineering attacks, it is often far too easy for hackers to use the art of the con to gain access to intellectual property and to the buildings housing that property. This chapter explores the phenomenon of social engineering and explains why it is the ultimate low tech hacking threat. The chapter begins by explaining what social engineering is and how easy it is to pull off. Next, it digs into the minds of a social engineering attacker and a victim of an attack, and covers some of the more popular tools of the trade. The chapter also includes interviews with specialists in technical security issues, and closes with a few countermeasures associated with social engineering.
Key Words: Black hat hacker, Butt-set kit, Caller ID spoofing, KeyGhost, Keystroke logger, Social engineering, Sound amplifier
Some of the things I will discuss in this chapter have been on my mind since the mid-1980s. I believe it's time that I put them in writing and share a few of my thoughts on what I believe could be the most effective and dangerous threat to any security plan: social engineering! It has, in my opinion, become the low tech hacker's most valuable and effective tool. This age-old threat has taken on a new meaning as what I collectively call “bad guys” have continued to use the art of the con to gain access to intellectual property and if necessary the buildings that house that property.
This chapter, or the rest of the book for that matter, isn't meant to be read as a complete story from beginning to end. Social engineering and ways to prevent it are subjects with many meanings. This will be more of a potpourri of tips, tricks, vulnerabilities, and lessons learned from my thirty plus years of dealing with these issues. As an inside penetration team leader, I was constantly looking for more innovative ways to conduct a successful inside penetration test. It was during those years of physical and technical penetration testing that I gained most of my social engineering experience. These skills helped me to eventually hang up my dumpster diving penetration team jersey and retire from the tiger team (a term sometimes used for penetration testing) world UNDETECTED! Although I came close several times, I was never stopped or reported to security as a possible burglar or corporate espionage agent, even though that's what I effectively was.
As you read this chapter, if you think that it has a strong risk management flavor, that was intentional. Just about every area of concern with security today involves managing the risks associated with staying safe and secure. This chapter, and most of the other chapters in this book are chock full of what I like to call techno tidbits of useful risk management countermeasures. Hopefully, many of them will be topics that you might not have considered in the past as you put together your security plan. External, internal, and information systems auditors will find information on a few new potential vulnerabilities that they can recommend countermeasures for.
I've included discussions about social engineering in each of my former books. I've also used the term social engineering as a partial title for many of my presentations over the past 15 years. My most popular presentation to date is titled “Social engineering: Here's how I broke into their buildings.” Following these presentations, I frequently have people come up and talk to me about some of the things that I discussed. Many of these people are longtime friends and attend pretty much every session that I give at the yearly events where I present. What has been encouraging to me this past year is the number of people who come to me after the presentation saying that they incorporated some of what they learned and that they are now conducting some of their own corporate penetration tests to help protect their companies from the threat of social engineering. Each of them seemed to have experienced the same things that I have over the years of using social engineering as a training tool and somewhat of a hobby. They find that it is often way too easy to get people to give them access to places where they are not supposed to be able to easily access and to things that they should not see.

How easy is it?

Way back in 1988, I was a part of an internal security team for a large corporation. On several occasions, I had the opportunity to hear some of the conversations that went on when a “black hat” (in this case malicious) group targeted victims by calling them on the phone. They were using social engineering skills to gain access to proprietary information including passwords. I'll never forget what I heard one of the experienced black hats say to another black hat in training: “Social engineering is the easiest way to break into a system.” He then followed up that comment by saying, “The stupidity of the average system administrator amazes me.”
That was almost 25 years ago, and that was the first time I had heard the words social engineering. Why do I think of it as a tool that could be used by any bad guy from a black hat hacker to a terrorist? Social engineering is what I believe could be the most effective and dangerous outsider–insider threat to any security plan.
In the first three chapters of this book, I will be talking about social engineering, physical security, and a little bit more about locks. If we look at physical security as the target of an attack and locks as the gatekeeper for the entrance into the target, social engineering is often the way that we are able to gain access to the keys that open those locks and possibly the rest of the building. It is often the people who have those keys who become the victims of social engineering. We'll take a much closer look at that as we progress through the book.

The mind of a social engineer

Although I've been using and teaching social engineering for almost two decades now, the true extent of the impact of social engineering really became clear to me about 9 years ago. When I was out in L.A. for a meeting on financial crimes security (what else?), I purchased a very interesting book titled The Art of Deception: Controlling the Human Element of Security by Kevin D. Mitnick and William L. Simon.
Just above the title on the cover of the book in red letters are the words Controlling the Human Element of Security. I found the book to be very well written and full of a lot of good examples of how social engineering works and how companies can try to defend against its use. I also learned quite a bit about a few approaches to targeting a potential victim that I had never thought of before. A social engineer will continuously learn more clever ways to take advantage of how our minds work in order to perform the illusion or deception. The more that I used social engineering as one of my tools during my penetration testing days, the bolder I became in its use during those tests. After years of success in pretending to be something or someone that I wasn't, I just KNEW that whatever I said to the people that I encountered during the tests would be believed, and it was!

The mind of a victim

Any one of us, at any time, could easily become the victim of some form of social engineering. I personally believe that it is not possible to completely eliminate the risk. There are some things that can and should be done to reduce the risk as much as possible and I'll address some of them in the rest of this chapter. Without some form of training (and practice) in learning how to prevent being a victim of social engineering, you could easily become a victim and not even know it.
Our minds work in very trusting and predictable ways, and that means that even large deviations from the norm may never be noticed, let alone questioned. This is what social engineers count on. Without awareness of the problem and without an understanding of how our minds can be fooled, there is little defense against social engineering. For this awareness training to be of any benefit to an organization, it must include every employee of that organization, not just the security staff.
We see things all day long and we don't pay close attention to certain details because they are too familiar to us. That's exactly how the illusions that magicians call magic work and also why so many magic tricks are related to simple everyday things like a deck of cards. I use magic in much of my training and it really adds a lot to the attention span of the people in front of me. They are all so used to seeing those 52 cards that they don't even begin to think about how the different card gimmicks being used in most card tricks work. Most of these illusions are self-working yet almost mind boggling to the unsuspecting mind.

Tools of the social engineering trade

If you would join me in taking a look at Figure 1.1, you will see a picture of the social engineering bag that I used for roughly 10 years. It was a pretty expensive bag to purchase. I spent around $200 for it, but it was money well spent. I often thought of it as something similar to those clown cars that you see in the circus. It is very deceptive how much will fit in that bag. Not only could I put all of my social engineering tools in the bag, but also there was a lot of room left over for the things I was able to take out of the buildings once my penetration test was successful. On the outside it simply looks like a briefcase that pretty much anyone within that organization would be carrying to and from work. On the inside were some slightly different items from what you would normally see someone bringing to work.
Figure 1.1
My inside penetration team bag
I took the time to put the contents of the bag on the table for you to see in Figure 1.2. This is the first time that I've ever done that. Not that what I have in the bag is anything special; it's just that I've never shared the contents with anyone in quite this way, especially in a book.
Figure 1.2
It's not as innocent as it looks
I wish that I had taken a picture of the bag as I was leaving some of these buildings with everything in it. It even amazed me how much that bag could expand and still look comparatively normal. Some of these things are tools that I have had for more than 40 years. Each has its own purpose and I'll explain some of that as we progress through the book. I know what you're thinking. There's no way that he has a pair of bolt cutters in that bag. Well, they were in there, and I had them with me everywhere I went. On most of our penetration tests the only limitation that was imposed on us by the company hiring us was that we were not allowed to use forced entry. We never used the bolt cutters as a part of our attack, but we did show how easy it would be to bring bolt cutters into the building if someone intended to use them. Most of the items you see were designed to get past various locks we encountered as our team attempted to get into a client's building or to use after we were in there. All right, here's a little quiz just to see if anyone is actually reading this. Anyone who sends me an e-mail listing all of the items that are shown in that picture will be sent a special gift. We will be revisiting some of these tools in Chapter 3.

One of my favorite tools of the trade

Most of my social engineering tools come from yard sales, thrift stores, flea markets, pawn shops, and eBay. I highly encourage all of you to take up the hobby of going out to these places and looking for things. As I describe some of these tools, I'll tell you how much I paid for them and where I got them. These are all tools that I used in one way or another for my social engineering exploits. Figure 1.3 is a picture of the front cover of the manual for a key machine that I purchased a number of years ago at a yard sale for $10.00. What was so nice about this key machine was that it was very small and very accurate, and it had a code micrometer as a part of the machine. This allows keys to be cut by code if you know the code for that key or the depth of the bittings (sometimes called cuts by senior locksmiths). Machines of this size are available new for around $395. I frequently see them for sale on the Internet for anywhere between $95 and $250. If I could borrow a master key for a few minutes and had some of the key blanks that fit the keyway of a given lock, I could duplicate the key (as described in Chapter 3) and get it back to the person that I borrowed it from (typically using a little social engineering) very quickly. I know what you are thinking. How did I know what the correct key blank was for that lock? I knew because I was in that building once before and also managed to borrow the key briefly during my first visit. I learned over the years that social engineering attacks work best (at least they did for me) when they were two-part attacks. During the first visit our team mostly probed the target just to see how trusted we would be if we were able to gain entry. Normally we were never questioned about anything once we were inside. It was just assumed that if we were in the building, we belonged there. That was not a good assumption.
Figure 1.3
There was a second bag that I took on some of our inside pen tests. Here's a picture of the manual showing my portable key machine: yard sale, $10
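To make "cutting by code" concrete, here is an added example (not from the original chapter, and not the software of any key machine or lock manufacturer) that turns a direct bitting code such as 35241 into the cut depths and cut positions a code machine's micrometer would be set to. The depth, spacing and MACS (maximum adjacent cut specification) numbers below are assumed values for a fictional ten-depth system; every real manufacturer publishes its own chart, and that chart, not these figures, is what you would dial in.

```python
"""Key code -> cut sheet for a code-cutting key machine.

Added example, not from the original chapter. The DepthSystem values are
assumed, illustrative numbers for a fictional ten-depth system; real
manufacturers publish their own depth and spacing charts.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DepthSystem:
    name: str
    depths: int         # number of depth steps; a code digit runs from 0 to depths-1
    root_depth: float   # blade height (inches) left at the shallowest cut, digit 0
    increment: float    # each successive digit cuts this much deeper
    first_cut: float    # distance from the key shoulder to the centre of cut 1
    spacing: float      # centre-to-centre distance between adjacent cuts
    macs: int           # max allowed depth jump between two neighbouring cuts


# Assumed values for illustration only (not a real manufacturer's chart)
EXAMPLE_SYSTEM = DepthSystem("example-10", 10, 0.335, 0.015, 0.231, 0.156, 7)


def parse_code(code: str, system: DepthSystem) -> list[int]:
    """Validate a direct bitting code (bow to tip) against the depth system."""
    if not code.isdigit():
        raise ValueError(f"code must contain digits only: {code!r}")
    digits = [int(c) for c in code]
    for d in digits:
        if d >= system.depths:
            raise ValueError(f"digit {d} is deeper than {system.name} supports")
    # A MACS violation means a cut wall would be too steep to cut or to pin properly
    for a, b in zip(digits, digits[1:]):
        if abs(a - b) > system.macs:
            raise ValueError(f"adjacent cuts {a} and {b} exceed MACS {system.macs}")
    return digits


def cut_depths(code: str, system: DepthSystem) -> list[float]:
    """Micrometer depth setting for each cut, shallowest digit 0 = root_depth."""
    return [round(system.root_depth - d * system.increment, 3)
            for d in parse_code(code, system)]


def cut_positions(code: str, system: DepthSystem) -> list[float]:
    """Distance from the shoulder to each cut centre."""
    return [round(system.first_cut + i * system.spacing, 3)
            for i in range(len(parse_code(code, system)))]


def cut_sheet(code: str, system: DepthSystem) -> list[tuple[float, float]]:
    """(position, depth) pairs, one per cut, in the order they are cut."""
    return list(zip(cut_positions(code, system), cut_depths(code, system)))


if __name__ == "__main__":
    for pos, depth in cut_sheet("35241", EXAMPLE_SYSTEM):
        print(f"cut at {pos:.3f} in from shoulder, leave {depth:.3f} in of blade")
```

The MACS check matters in practice: a code that is copied down wrong, or a key that has been hand-filed, can produce neighbouring cuts the machine will happily attempt but the lock will never accept.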
It's time for my first war story. After you read the following description of this social engineering attack, ask yourself if you think you would have fallen for this. This is a perfect example of how a two-part attack can seem so innocent yet be so deadly.

Social engineering would never work against our company

That's what a close friend of mine said one afternoon when we were talking about overall security and the threat of social engineering. This was 14 years ago, but social engineering was already a hot topic that most people were at least a little bit aware of. “We have good security and our employees wouldn't fall for anyone calling on the phone trying to get information from them,” he said. I said, “Give me 90 days so that you won't know when I'm going to call, and I'll test your theory about your employees' awareness of this problem.”
I made the call a few weeks later. “Good afternoon,” a friendly voice answered. “Medical Group, this is Mary, can I help you?” I immediately put on my doctor hat, “Yes, this is Doctor Wiles,” I began. (It's fun saying that even if it is totally fake). “I'm calling to ask a favor,” I continued. “We have a practice similar to yours in Richmond and we're considering purchasing a new medical billing system. Do you use a fully automated system for your accounting, and if so, do you like it?” My friendly voice and simple question didn't raise any suspicion on her part. It was a simple and apparently innocent question.
“Yes we do,” she said. “It's called Doctors Database and I believe that they are located in Denver, Colorado.”
So far, so good. She seemed willing to talk a little more, so I started asking a few more questions. “Do they offer support when you have problems? We've heard some nightmares from friends who purchased medical billing systems and couldn't get support once they paid for it.”
“Yes, we've been very happy with their support,” she answered.
I asked a couple more quick questions. “How about upgrades and things that need to be fixed? Do they have someone locally they send to work on the billing system?”
“No, they do everything over a modem attached to the system. We've never had a problem with their needing to be here,” she said.
I needed a bit more information, so I pressed on. “Before we make such a big decision, I'd like to speak with someone from Doctors Database to be sure that this would be the right billing system for us. Could you give me the name and number of the tech support person that you work with when you call them for support? I always feel more comfortable after I've had a chance to speak with the people that our administrator will be working with when problems develop. Some of those technical people are very hard to understand.”
She apparently had a good working relationship with Doctors Database because she seemed happy to give me a name. “Yes, we work with Jerry Johnson and he's really easy to talk to. He should be in the office this afternoon if you call before 6 PM east coast time. Their phone number is XXX-555-1234 and they have someone available for support by phone 24 hours a day.”
Little did she know that I now had almost everything I needed. Just one more question, and I could politely say thanks and goodbye. “I really appreciate your taking the time to help me with this, Mary. Would you mind if someone from my office called your database administrator if our administrator has any user questions after we get the new billing system? It's always easier to ask someone who actually uses the system rather than trying to get the Doctors Database technical people to answer simple questions. I promise that we won't be a pest.”
She said that she was the administrator of the database and that she would be happy to answer a few questions for us. (It's wonderful living in the friendly sunny south.) “Thanks so much for helping me with this, Mary,” I politely said. “I'll be sure to only have our administrator call you if he really gets stuck. Have a great week and thanks again.”

What was I able to social engineer out of Mary?

This apparently innocent phone call gave me everything that I needed for my final attack. Here's what I got:
• Her name was Mary, and she was the database administrator for the medical office.
• They used a medical billing system from a company called Doctors Database that was located in Denver, Colorado.
• The tech support person that they worked with in Denver was named Jerry Johnson.
• Jerry accesses their computer over a modem to work on it.
To the casual observer, that's not a lot of dangerous information. Most of it seems to be pretty common knowledge that most people would have been willing to share. I didn't ask much about her computer, and I certainly didn't ask anything about login IDs or passwords.

The final sting—two weeks later—Friday afternoon

It was 4:40 PM when the phone rang at the Medical Group. John reluctantly answered, knowing that someone calling in that late with a problem could cause him to delay some of his plans for the 3-day weekend. On the third ring, he picked up the phone, “Good afternoon, the Medical Group, John speaking, may I help you.”
I immediately assumed my best social engineering voice and started my attack. “Hello John. This is Bill Jenkins from Doctors Database in Denver. We're calling all of our customers about a serious problem with our medical billing system. It seems that our last update had a virus we were unaware of until this afternoon. It's causing all of the accounts receivable records to be corrupted. Our entire tech support team is calling our clients as quickly as possible to let them know about the problem. I know that Mary normally works with Jerry Johnson, but he is currently working with another client and has asked me to handle the fix for your system. Can I speak with Mary?”
There was a brief silence as I could feel John thinking about his 3-day weekend slipping away as we approached 5 PM. He finally answered. “With the holiday weekend coming up, Mary is off today. I act as her backup on the database work when she's off, and I'll try to help if I can.”
Things were looking up as I began to spring the trap. “John, I'm going to need to log in to your system to fix this and I don't have Jerry's information in front of me with your modem dial-in number, login ID, and password. If that's something we're going to need to get from Mary, I think that we may have a problem if she's not there.” I wanted him to feel a little of the panic that I was trying to convey.
Fortunately, it worked. I could hear him flipping through some papers as we talked. He quickly came back on the line. “I found it here in her notebook. The phone number is (555-867-5309), the login ID is doctor, and the password is also doctor.”
I then went into my good job routine to make him feel completely at ease. “John, you've been a great help, and I can take it from here. It's been taking about 4 hours to clean this up and I know that it's Friday afternoon. I don't see any need for you to hang around. I'll install the fix, and things will be back to normal when you get back on Tuesday. Thanks again for your help and enjoy the weekend.”

Why did this scam work?

I have tried to put into words (changing the names and phone numbers to protect the innocent) a two-part attack that I conducted about 14 years ago at the request of a friend. My friend knew that when the attack happened, it would be recorded on audio tape and given to her as a training aid for her to share with her employees. Without a little bit of awareness training, and a little bit of ongoing suspicion when speaking with strangers on the phone, ANYONE could fall for this kind of an attack.
Many of the hundreds (perhaps thousands) of people who have heard the audio version of this two-part attack have told me that they would have fallen for it as well. That first innocent phone call set the stage for a very believable second phone call where the keys to the kingdom were given away. A lot could have happened to that computer from Friday afternoon until Tuesday morning. Did the real Doctors Database (again, name changed—this is not their real name) know anything about this incident? Absolutely not! They would have had no idea that this was going on. Was Jerry Johnson a real person who worked tech support for Doctors Database? Absolutely, that's who Mary worked with on a regular basis. But Bill Jenkins was a figment of my imagination, carefully placed into the believable tale I had spun.
On top of the social engineering attack vector, the Medical Group's passwords were also extremely insecure. I'm not a big fan of static passwords, but that is a topic for another chapter in another book.

Let's look at a few more social engineering tools

You will probably hear me say this many times throughout this book, but I continue to be amazed at how many great social engineering tools are available at your yard sales, flea markets, pawnshops, and thrift stores. This ranges from hats (like the one in Figure 1.4), jackets with corporate logos, tool belts, tools, listening devices, briefcases (like the one in Figure 1.1), spyware, and locks, all of which can be used quite effectively for social engineering. I think it's a great idea to spend some time looking for these kinds of tools. For one thing, you learn a whole lot more about social engineering while you are out there thinking about new ways to use it. I also think it's a very good idea for any company to do their own assessment of their vulnerabilities to social engineering attacks. If the company or organization is big enough to have a security team, that team can begin the process of seeing just how vulnerable their personnel are to this threat and others.
Figure 1.4
My favorite social engineering hat: eBay, $15
Why is the hard hat shown in Figure 1.4 so effective? The main reason that common everyday objects like that are so effective is that we're used to seeing them, and when we do we automatically assume that the person wearing it is really who they seem to be. The real con men of the world know how to take advantage of that.
I have never worked as an installer or a phone company repairman at a telephone company. I have seen many phone company employees around town, and at my home as I have had my phones worked on, and I certainly do remember what they look like. There are many other people we see every day in our offices and homes that social engineers often imitate while using social engineering to gain access or information. Some of these are delivery people for various firms. Others are people that wear the same types of uniforms or other clothing items that allow them to look and act like they belong wherever they are.
Tip
For some excellent examples of how uniforms and clothing can be used by pen testers, check out Chapter 6 written by one of the best pen testers that I personally know, Russ Rogers. He provides several interesting and educational ways to look the part during your pen testing missions.
Figure 1.5 is a picture of me wearing a few of the tools that I picked up along the way from many of my favorite hunting grounds. I suspect that you already have many of these tools in your possession just from things that you have around the house.
Figure 1.5
My favorite social engineering tool belt: flea market, $3
In addition to the cool tool belt that I picked up for three bucks at a local flea market, there were a few other interesting finds on that tool belt:
• That telephone-looking gadget is a butt-in set worth about $250. I bought it at another flea market for $20.
• Those pliers next to the tape measure along with a nice knife for cutting cable cost $5 at a local yard sale.
• The tape measure was $2 at a thrift store.
• The scissors in my pouch are quite unique. They are capable of cutting a quarter in half (I've never actually tried that—no sense in wasting a quarter these days). $1 at a yard sale.
• The screw driver in the upper right of my tool pouch has become one of my favorites. It has 4 tips and is a very good quality for the $2 that I paid for it at a thrift store.
• The plastic ties were another $1 at a flea market.
If you're keeping track, I have about $40 in this entire social engineering outfit, and much of it is very usable around the house as well. All that I would need to do is wear a different hat, and I could be most any type of repairman or contractor. I think all of us have watched something on TV or in the movies that shows someone masquerading as someone else trying to get into a building. This is a very well-known threat, but it is still one that can be difficult to prevent. This seems to be especially true down here in the sunny South where I live. It seems that everyone is so friendly and helpful that some people really don't stop to think that the person that they are facing is someone who's trying to gain information, entry into a place where they shouldn't be allowed to go, or possibly do someone harm. Throughout the book I will mention various countermeasures. The only countermeasure for threats like social engineering is always being just a little bit more suspicious. You will hear me say that several more times as I mention more countermeasures. Believe it or not, this is something that people can be trained to do in security awareness training classes. As an absolute minimum, it is very important for every employee to have some sort of chain of command for reporting potential security threats. My decades of dealing with people regarding security and awareness have taught me that people really do care, and do want to do something to help protect their work environment.
Tip
While writing this book, I became aware of a new book that is scheduled to be published around the same time as this one. The book is titled Human Compromise: The Art of Social Engineering (ISBN: 978-1-59749-576-9, Syngress), and it was written by Mike Murr. I contacted Mike and spoke with him on the phone for about an hour asking some questions about his book. Throughout my years of using social engineering skills, I didn't really realize why they worked. I just knew that I was pretty good at it and seemed to be able to always get things that I wanted from people when conducting penetration tests. I'm absolutely convinced that it was my social engineering skills that allowed me to make the statement that “I retired from my penetration testing days UNDETECTED!”
The current description of Mike's book (the actual wording is subject to change as the book approaches publication) includes a hands-on approach to teaching you everything from the field-tested methods for reading body language, to the practical techniques for manipulating human perception, plus a whole lot more.

Keystroke logger: Is there one under your desk?

Some of our penetration team's favorite tools were keystroke loggers, both the software kind and the newer hardware versions. These can make a good social engineer's job a lot easier. If we wanted to find out what a particular individual at the client company that had hired us to conduct the pen test was doing on their computer over a certain time frame, we would install a keystroke logger on their workstation on one visit and retrieve the results on a second visit.
By far, the most effective keystroke loggers that we have used are the KeyGhost hardware loggers being sold as security devices (http://www.keyghost.com). When these are installed between the keyboard of a workstation and the keyboard socket on the back of the computer, they look like they belong there to the casual observer. The logger that we used looked like the induction coils that we used to see on some of the older parallel printer cables. It just doesn't look like anything that you need to worry about. If you didn't put it there, you'd better worry! It's logging every single keystroke that you type in.
The version that I used for several tests would hold about 500,000 characters or a half of a megabyte. That might not sound like much, but that's a lot of data when you consider that the key logger is only logging keystrokes. By the way, backspace keys would show up as ASCII characters (control H for you techies) as would any other nonprinting character that was entered as a part of a password, for example. We have left our key loggers connected to target computers for up to 3 weeks and still only filled about 80% of their capacity.
Here's something else to consider if you feel safer entering information into your web browser over an HTTPS (SSL/TLS) connection. The encryption happens between your browser and the server that is receiving your sensitive information over the Internet. That's a good thing if you're entering your credit card number or bank account access information. The keystroke logger, however, is reading your keystrokes before they ever reach your browser, let alone the encrypted connection. Everything will be in the clear when someone (hopefully only you) looks at the data that the keystroke logger collected.
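As an added example (not from the original chapter, and not KeyGhost's own software or dump format), here is how a raw keystroke capture like the one described above is replayed to recover what was actually typed: the control-H backspaces are applied, Tab and Enter split the stream into fields, and the HTTPS address, the login, and a password the user mistyped and then corrected all fall out in the clear, because they were recorded before the browser ever encrypted anything. The capture bytes are constructed for illustration, and the plain-ASCII layout (0x08 for Backspace, 0x09 for Tab, 0x0D for Enter) is an assumption; a real device's dump will differ in format but not in what it reveals.

```python
"""Replay a raw keystroke capture to recover the typed text.

Added example, not from the original chapter or from any keylogger vendor.
The capture format (plain ASCII with 0x08 = Backspace, 0x09 = Tab and
0x0D/0x0A = Enter) is an assumption made for illustration only.
"""

BACKSPACE = 0x08          # Ctrl-H, the "control H" that shows up in a raw log
TAB = 0x09
ENTER = (0x0D, 0x0A)


def caret_view(raw: bytes) -> str:
    """Render a capture the way a terminal or hex viewer would: ^H for 0x08, ^M for 0x0D."""
    out = []
    for b in raw:
        if b < 0x20:
            out.append("^" + chr(b + 0x40))   # 0x08 -> ^H, 0x09 -> ^I, 0x0D -> ^M
        elif b == 0x7F:
            out.append("^?")
        else:
            out.append(chr(b))
    return "".join(out)


def replay(raw: bytes) -> list[str]:
    """Apply Backspace edits and split the stream into fields at Tab/Enter.

    This is what whoever reads the log does by hand; the result is the text
    exactly as the application finally received it.
    """
    fields: list[str] = []
    buf: list[str] = []
    for b in raw:
        if b == BACKSPACE:
            if buf:                       # Backspace on an empty field does nothing
                buf.pop()
        elif b == TAB or b in ENTER:      # each Tab/Enter ends a field
            fields.append("".join(buf))
            buf = []
        elif 0x20 <= b < 0x7F:
            buf.append(chr(b))
        else:
            buf.append(f"<{b:02X}>")      # keep other control keys visible instead of dropping them
    if buf:
        fields.append("".join(buf))
    return fields


def likely_credentials(fields: list[str]) -> list[tuple[str, str]]:
    """Heuristic: a field containing '://' was typed into the address bar, and the
    two fields that follow are most likely the login form's user name and password."""
    creds = []
    for i, field in enumerate(fields):
        if "://" in field and i + 2 < len(fields):
            creds.append((fields[i + 1], fields[i + 2]))
    return creds


# Constructed capture: the user browses to an HTTPS site, types a user name,
# mistypes the password, fixes it with two Backspaces, then presses Enter.
SAMPLE = (
    b"https://bank.example\r"
    b"jdoe\t"
    b"Doct0r\x08\x08or!\r"
)

if __name__ == "__main__":
    print("raw   :", caret_view(SAMPLE))
    print("typed :", replay(SAMPLE))
    print("creds :", likely_credentials(replay(SAMPLE)))
```

Note that nothing here touched the network: the TLS session between the browser and the bank is as sound as ever, and it is simply irrelevant to a device sitting between the keyboard and the motherboard.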
How do you know if you have a key logger connected to your workstation or home computer? You don't unless you physically look back in the rat's nest that lives behind most computers to see if anything looks like it doesn't belong there. Unless you have been made aware of what a keystroke logger looks like, it probably won't look strange to you even if you do see one. I pass one around for people to see at every one of my security training classes. Statistically, I've read that people are 27 times more likely to remember something if they are able to see it and hold it in their hand. I usually ask my attendees for a show of hands by anyone who hasn't ever seen one of these. Almost every time, more than half of the hands go up. How can you defend yourself against something that you don't even know exists? (Another subtle hint for more awareness training.)
Here's a quick awareness training class using one of my workstations as the target computer. Figure 1.6 shows a workstation in a minimum configuration with only a monitor, mouse, power cord, and keyboard connected to the motherboard. Take a look at that little bulge about 3 inches from the end of the cable that goes to the monitor, the one with the larger connector on the lower left-hand side of the computer. That's the only cable in Figure 1.6 that has an additional piece within the cable. That piece is an induction coil, and you may see one or more on cables found behind most workstations.
Figure 1.6
My computer WITHOUT KeyGhost installed
Let's take a look at this same workstation in Figure 1.7 after I have installed my keystroke reader between the keyboard and the motherboard socket where the keyboard was connected. Of the two cables in the center next to each other, the keyboard cable is the one on the right.
Figure 1.7
My computer WITH KeyGhost installed
Now what do we see when we look back there? The keystroke reader looks like a second induction coil and would be very hard to detect if you didn't know what it looked like. I didn't try very hard to hide it, and normally, there are more wires back there than this. There is no way that the computer would know that it is there. It uses virtually no power, and doesn't require that any software be installed to make it work. When I finally remove it and take it back to check out the internal log, the target computer (or you) would never know that it was gone again.
This device can be used as an excellent security device if you suspect that someone is using your computer when you are not there. It is sold primarily for that purpose. That's a good thing as long as you know that it's there. Obviously it can be used for less than ethical purposes as well. When it becomes a threat, it can be a very, very difficult threat to detect. The only countermeasure I'm aware of is to physically check behind the computer to see if anything looks like it doesn't belong there.
Warning
Unless you are involved with a well-documented rules of engagement penetration test, be sure that you thoroughly understand the laws associated with capturing someone's keystrokes on a computer that you do not personally own. In most cases I suspect that software application versions of keystroke readers would be considered malware. There could be some tampering issues and possibly trespass issues associated with installing hardware versions of keystroke readers. Also be cautious of the many opinions that you could get with a Google query regarding the legality of using keystroke readers. There are dozens and perhaps hundreds of opinions out there about this, and most of them seemed to be just that, opinions. You need to know and understand the law regarding keystroke reading.
If you conduct your own in-house social engineering tests, I'd suggest that you use one of these key loggers just to see if anyone detects it. I suspect that they won't. For your training purposes I believe you will find the log that it generates to be quite interesting. Keep in mind that the key logger is only detecting keystrokes. It doesn't detect anything that was pointed to and clicked on with the mouse. Quite often keystrokes are what you're really after. To me this would be a good example of low tech social engineering using a fairly high tech device. Obviously the learning curve to use this device is very, very short. All that you need to do is to have a way to gain access to a target computer for a few minutes to install the device. When you come back a week later to remove the device, there will normally be no indication that you've ever been there. Maybe I'm just a little extra paranoid from years of doing this stuff, but whenever I'm out somewhere at a hotel or public location using one of their computers to check things like mail, I'll always look behind the workstation if I can. Obviously there are other concerns with network monitoring beyond just key loggers.

One of my lunchtime tools

This little problem remains high on my list of things that we should all be considering every time we go out for a meal in a public place. Many office buildings have public restaurants either in the building itself or within walking distance. Here's what I think happens all too often. We're at work discussing something important, and someone realizes that it's time for lunch. Out we go to the local fast food restaurant of choice that day. There's no reason to let lunch slow down our train-of-thought for the project that we are working on. The in-depth conversation about that new marketing scheme or great new product that we are about to announce continues as if we were still back at the office.
You would be shocked at how many of these kinds of conversations I've heard over the years in public places, things that were discussed in the open, among total strangers, that should not have left the corporate boardroom. It seems like we are all too busy to stop and think about security and controlling who has access to our proprietary information. I occasionally get a chuckle from my friends when I remind them of a time when the national security message was “loose lips sink ships.” Judging by the conversations that I have had with some of the people who were alive during that time, pretty much everybody took security seriously. Why has that changed so drastically in this high tech world just 6 decades later? We certainly don't have less at risk than they did then. If anything, we have much more at risk, especially in the world of technology. People were careful and concerned that there could be spies anywhere. Has that threat gone away? I don't think so.
There couldn't be any better example of low tech hacking than simply sitting in a crowded restaurant on a typical day, in a typical city, and listening. The technology that exists today for helping people hear things a little better didn't even exist in the “loose lips sink ships” days. These are very legitimate devices that can help anyone who has a hearing problem be able to hear MUCH better. I'm not talking about hearing aids; I'm talking about amplified listening devices that are available just about anywhere. Let's take a look at a couple of them.
This is the smallest sound amplification device that I found (Figure 1.8), and I'm sure that they come much smaller. This one is about an inch wide, 2 inches tall, and 1/2 inch thick. It's really compact and innocent looking. The sound amplification is amazing considering that this device only cost around $10 new (my $4 yard sale find was another good deal with this one). Figure 1.9 shows a higher end version of the same kind of device.
Figure 1.8
Low tech listening device: $4, yard sale
Figure 1.9
A slightly better listening device
The listening device shown in Figure 1.9 is a little more expensive and uses a single AAA battery that is easily replaced. The quality seemed to be a little better than the smaller, less expensive model shown in Figure 1.8. The model in Figure 1.9 cost about $25. With so many people today using MP3 players and other small devices with earphones, you need to be aware that these devices might not be noticed in a crowded public or private meeting space if someone were using one of these for other than their intended use. My purpose in describing these kinds of devices is to make you aware of how available they have become at a very low cost.
Just like any other small electronic gadget, I began to see these regularly at yard sales and flea markets. I picked up a few more just to give to friends and to demonstrate while I'm out at conferences. I've not spent more than $5 for any of them that I've purchased at these yard sales and flea markets. Most were $3 or less.
They have plenty of valuable and legal uses. You just need to be aware that some people could use them for other purposes. Have a nice lunch….

Let's look at that telephone butt-in set on my tool belt

The interesting little gadget shown in Figure 1.10 has been on my want-to-find list for over 20 years. I finally found one at a local flea market where they only wanted $25 for it. Using my “I want to pay less for everything” skills, I was able to get it for a mere $20. This $250 tool has many uses in the social engineering world. One of its primary uses, which you probably saw in Figure 1.5, is to help me look like a telephone dude. Even if it were never used for anything but letting me look like a telephone dude it is an invaluable social engineering tool for making someone look like someone that they aren't.
Figure 1.10
Telephone butt-in set: flea market, $20
For some of its more technical uses, I'm going to introduce you to our first expert interview. One of my long-time friends, Phil Drake, is a telecommunications expert. You may have seen some of his disaster recovery chapters in my former books. He has a tremendous amount of experience in many fields that impact the security world as well as the disaster recovery world. Let's ask him a few questions about this nifty tool.

Meet Mr. Phil Drake

I wanted to start something a little different with this book. Throughout my decades of working and living in the worlds of physical security, computer security, and disaster recovery, I have met and become friends with many true experts. The first of these that I introduce in this book is a long-time friend named Phil Drake. Many of you may recognize Phil as being a contributing author in two of our other books. In each of them I had him author a chapter that we titled Personal, Workforce, and Family Preparedness. Phil is one of the best in the world at helping people deal with those issues. I felt that these topics were so important that I wanted them included in both our first book, Techno Security's Guide to Managing Risks for IT Managers, Auditors, and Investigators (ISBN: 978-1-59749-138-9, Syngress), and our fourth book, Techno Security's Guide to Securing SCADA: A Comprehensive Handbook on Protecting the Critical Infrastructure (ISBN: 978-1-59749-282-9, Syngress).
In addition to being an expert in the fields of disaster preparedness and recovery, Phil is an expert in the field of telecommunications. It's that area of expertise that I want to ask him a few things about in this interview with the experts. Let's get on with our first interview:
Jack: Tell me a little about how a low tech hacker could use the butt-in set (Figure 1.10) that I purchased at a flea market.
Phil: My first concern about the butt-in set is not technology related at all. It's a social engineering concern as you have already mentioned. Just having the butt-in set (or butt-set) hanging on a tool belt or in your hand and wearing a hard hat makes you the “telephone technician,” and in most workplaces, that makes you practically invisible. We are so dependent on telecommunications today that service technicians carrying tools and replacement equipment are as common as express delivery drivers. We are conditioned not to challenge these people, especially if they are in a rush. We don't want to slow down the “repair” process and cost the company extra money or downtime.
If we see technicians working in or around telecommunications equipment outside a facility (manholes or those light green or tan boxes), we assume they belong there and if they need to check inside the building for a problem, human nature is to help out.
It's looking the part. Of course a fake ID, work clothes, and tool belt are all important to the ruse, but the butt-set is the icing on the cake. It's like a stethoscope: you would never challenge someone with a stethoscope around their neck as you assume they are legitimate medical practitioners, especially if you need one in a hurry.
Note
Let me jump in to the middle of Phil's interview and share a quick story along the lines of what Phil was talking about regarding a phone technician. This one happened at my home on two separate occasions. We had experienced a number of severe lightning storms in our neighborhood, and the cable service for some of our homes seemed to stop working. My home was not one of the homes that was affected by this. On the first occasion that I want to share, I simply looked out in my yard and saw two men standing over the service boxes where my cable and phone wires are located. (You do know where yours are located at your home, don't you?) I hadn't called anyone, and my phone service and cable service were working perfectly. Whenever I see things like this that are somewhat unexpected, my anti-social-engineering mindset comes into play. My countermeasure for this potential threat was to call the phone company and ask if they had sent someone. In this case they had sent these men to look at all of the phone service in our neighborhood. It wasn't until after I knew that they were supposed to be there that I approached them to see how things were going. It's usually not a good idea to approach strangers before knowing what they are up to. Figure 1.11 is a picture of the exact boxes that they came to inspect out in my yard.
Figure 1.11
Telephone and cable service boxes
A second similar situation had happened about a year earlier when someone came to our front door stating that he was from the local telephone company and needed to check our outside service boxes. His appearance was very similar to the picture of me with all of my social engineering gear as shown in Figure 1.5. My call to the phone company immediately following my conversation with him also revealed that he was a legitimate phone company technician. What if he hadn't been sent by the phone company? If that were the case, my next call would have been to my local police department. If he was a bad guy, he may have intended to insert a telephone listening device connected to a small tape recorder. These are readily available and I have had several of them for many years. I don't want to throw a warning into the middle of my tip, but always remember most of what the bad guys do is usually a crime. Installing a device like that with criminal intent would violate some sort of wiretap laws for sure. I like to consider these situations, where someone who is apparently legitimate is doing things outside your home, to be one of those trust-but-verify situations. It's always good to take the time to make that phone call just to be sure.
Technically speaking, the butt-set can use phone lines to make or receive calls without the legitimate subscriber's knowledge. Need to call an uncle in Korea? Find an unlocked access point (those green or tan boxes) in the neighborhood, hunt for dial tone, and make that call for absolutely free—for you. The legitimate subscriber will have a surprise when the bill comes.
These sets also have a “monitor” setting that allows someone to listen to all calls on the line with no interference whatsoever. This is probably the easiest form of low tech phone tapping.
The majority of the butt-sets found in yard sales and flea markets are older analog technology. The race is on to VoIP and the majority of telephone service to large businesses is digital, but there are still many millions of analog lines in use in business and residential locations for someone to play with.
Jack: Do you have any good social engineering stories of how people have used it to gain information about private branch exchanges (PBXs)?
Phil: There have been a number of incidents where “phone technicians” have appeared to try to gain unauthorized access at business locations. This ruse usually takes the form of “we have alarms from your phone equipment” or “we need to replace some of our equipment in your telephone equipment room.” Sometimes these “technicians” are challenged; sometimes after hours when the security team is busy, they are not.
Once these people have access to the PBX equipment room they own you. I've seen many logins and passwords written on the administration terminals in equipment rooms. After all, it's a secure area, right? If the information isn't written on the admin terminal, it's more than likely under the keyboard or in a drawer close by.
Once individuals have access to the PBX they can easily allow calls from the outside to access long distance lines for “free” long distance. More importantly, these calls made from a company's PBX are traceable back to the PBX and in many cases not to the outside phone line that originated the call. It's a perfect way for criminals to cover their tracks.
A really interesting case a number of years ago involved a supposed phone company technician showing up to replace a bad circuit pack. The individual was allowed access and shortly thereafter telephone extensions around the building stopped working. Thinking this was just part of the “repair” process, security wasn't overly concerned. An hour later a security guard was dispatched to ask when the repairs would be completed. It was then discovered that a number of expensive PBX circuit packs and related equipment had been stolen.
It took several days and thousands of dollars to put the system back together and restore service. Missed customer calls and lost employee productivity added to the loss.
Of course these individuals may not be interested in phone equipment at all. They may be trying to gain access to the facility to gather information on someone or steal money, property, or confidential information.
Jack: Do these individuals need to be on site or can they do harm from the outside?
Phil: In a recent incident, a large company with a small regional office had a very large surprise. The regional office has a small “key” phone system. This is a simple five-line system and each phone has a button for each of the five outside lines.
The surprise came in the form of an $8,000+ phone bill with long distance calls to North Korea, Yemen, and Somalia. Of course the calls were not made by the office personnel. They were made remotely with the criminals billing phone calls to the regional office with two long distance companies. (They didn't even need to use the butt-in set we were just talking about.)
After a few dozen suspicious calls, one long distance carrier called the regional office to inquire if the calls were authorized. The individual answering the call took the message but took no action; they didn't alert anyone or raise the alarm that something might be wrong.
There was no unauthorized access or system penetration, just criminals knowing what to do and that many companies are too busy to catch them. Complacency scored a win for the bad guys in this example. The company had to pay since they were alerted but took no action. Based on the known criminal activities from some of the countries involved, you can bet that the individuals making the calls weren't making vacation plans or checking the weather forecast.
In addition to having some help on the inside, as in the example above, almost all large PBX systems can be remotely administered. This remote administration can be done through a modem (yes, they are still in use) or more likely via VPN access more recently.
The modems are the problem. They are often forgotten but, if still connected, can be used. Yes, someone needs the phone number, login, and password (hopefully) but that information can be obtained with some investigation and time.
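The billing pattern Phil describes is easy to catch with a short review of call detail records before the carrier's statement arrives. This is an added example, not code from the book or from any carrier; the records, the allowlist of countries and the costs are constructed, while the country codes (850, 967, 252) are the real ITU dialing codes.

```python
"""Review a small office's call records for toll fraud.

Added example, not code from the book or from the carriers involved. The
incident described in the interview (an $8,000+ bill for calls to North
Korea, Yemen and Somalia that nobody in the office placed, and a carrier
warning that was taken but not acted on) is a pattern a routine review of
call detail records catches early. Records, allowlist and costs below are
constructed for the example; the country codes are real ITU dialing codes.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, time

# Constructed call detail records: start time, line, dialed digits, seconds, cost (USD)
CDR_TEXT = """\
start,line,dialed,seconds,cost
2011-06-13 09:15:02,1,5553010199,120,0.00
2011-06-13 14:02:41,2,0114420712340000,600,4.20
2011-06-14 01:13:07,3,011850212345678,2520,73.50
2011-06-14 01:58:30,3,011967112345678,1980,51.20
2011-06-14 02:40:11,4,011252612345678,3000,88.00
2011-06-14 03:05:55,3,011850212345678,2400,70.00
"""

# Countries the office has a business reason to call (constructed allowlist).
ALLOWED_COUNTRIES = {"1": "US/Canada", "44": "United Kingdom"}

# ITU country codes for the destinations in the incident plus the allowed ones.
COUNTRY_CODES = {"850": "North Korea", "967": "Yemen", "252": "Somalia",
                 "44": "United Kingdom", "1": "US/Canada"}

BUSINESS_HOURS = (time(7, 0), time(19, 0))   # local office hours (assumed)

def destination(dialed: str) -> tuple[str, str]:
    """Return (country_code, name) for a dialed string. Numbers without the
    US international prefix 011 are treated as domestic (code '1')."""
    if not dialed.startswith("011"):
        return "1", COUNTRY_CODES["1"]
    rest = dialed[3:]
    for length in (3, 2, 1):                 # longest code first
        code = rest[:length]
        if code in COUNTRY_CODES:
            return code, COUNTRY_CODES[code]
    return rest[:3], "unknown"

def review_cdr(text: str, cost_threshold: float = 100.0) -> dict:
    """Flag calls to destinations not on the allowlist and international
    calls outside business hours, and total the cost per destination."""
    flagged = []
    cost_by_country = defaultdict(float)
    for row in csv.DictReader(io.StringIO(text)):
        started = datetime.strptime(row["start"], "%Y-%m-%d %H:%M:%S")
        code, name = destination(row["dialed"])
        cost = float(row["cost"])
        cost_by_country[name] += cost
        reasons = []
        if code not in ALLOWED_COUNTRIES:
            reasons.append("destination not on allowlist")
        after_hours = not (BUSINESS_HOURS[0] <= started.time() <= BUSINESS_HOURS[1])
        if after_hours and code != "1":
            reasons.append("international call outside business hours")
        if reasons:
            flagged.append({"start": row["start"], "line": row["line"],
                            "country": name, "cost": cost, "reasons": reasons})
    suspicious_cost = sum(c["cost"] for c in flagged)
    return {"flagged": flagged,
            "cost_by_country": dict(cost_by_country),
            "suspicious_cost": round(suspicious_cost, 2),
            "alert": suspicious_cost >= cost_threshold}

if __name__ == "__main__":
    report = review_cdr(CDR_TEXT)
    for call in report["flagged"]:
        print(call)
    print("suspicious cost:", report["suspicious_cost"], "alert:", report["alert"])
```

The same review run daily, rather than when the bill arrives, is what turns the carrier's phone call in Phil's story into an action item instead of an ignored message.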
Jack: How about lists of default maintenance passwords for systems like PBXs? Are these lists, which make excellent social engineering tools, still readily available?
Phil: Yes, there are lists of default passwords and user names delivered with new PBX and VoIP phone systems on a number of hacker sites. Many customers never change these defaults even though every manufacturer strongly recommends an immediate change.
Jack: You mentioned IP phone systems. Are they better secured than their older PBX cousins?
Phil: Of course they are much harder to access remotely for administration and most are being located in data centers instead of an out-of-the-way room in the basement. However, security can still be circumvented by social engineering. That individual posing as a phone technician can now have access to the phone system and the highly secured corporate data center as well. In addition, I wonder how many companies actually check the equipment being carried by contractors and service technicians entering company facilities.
The use of VoIP systems is growing; however, the majority of phone systems in use today rely on technology basically unchanged over the past 20 years.

Meet Mr. Paul Henry

My second expert interview for this chapter will be with another of my long-time friends and colleagues, Mr. Paul Henry. Paul has spent decades on the cutting edge of technology with a specialty in technical security issues. When I need to know the absolute latest information available regarding security threats Paul is always the first person I call. He provides some interesting answers to my questions as shown below:
Jack: When I last met with you, you were explaining a low tech hacking way of masking the actual cell phone number that you were calling from. To me that's an excellent example of low tech social engineering using a high tech application that anyone can easily use. Can you explain that application to our readers?
Mr. Henry: There are a number of Internet-based services that provide free or low cost caller ID spoofing services. You know something is popular when a website dedicated to it arrives—and yes there is one now dedicated to caller ID spoofing—http://www.calleridspoofing.info/. The subject has been a hot topic in the press lately as a large media organization has been accused of hacking into people's voice mail accounts using caller ID spoofing. Many people don't realize it but still today if someone calls your cell phone number and can cause your caller ID to be sent to the provider's server using one of the many caller ID spoofing services, they are granted unobstructed access to your voice mail. It is important to note that here in the United States a bill has been passed that makes the spoofing of caller ID illegal—the U.S. House of Representatives passed HR 1258, also known as the infamous Truth In Caller ID Act. The FCC has now adopted rules implementing the Truth In Caller ID Act—http://www.dwt.com/LearningCenter/Advisories?find=424483.
With that being said, those that offer these caller ID spoofing services simply offer the services from outside the United States to literally get around the law. It is another example of how legislation can perhaps convince a good person not to do bad things but does nothing to prevent a malicious person from doing bad things.
Jack: Do you think that the bad guys such as foreign spies and possible terrorists use many low tech social engineering tools for gaining access to critical information or locations? Please explain a few that you have come across that you found particularly threatening.
Mr. Henry: The mining of data from social web sites like Facebook has become the number one tool in the arsenal of the bad guys. We place way too much work-related information on our social media pages and a simple search of Facebook or LinkedIn can reveal very useful information for a would-be bad guy. Just do a search using Google for Facebook SCADA or LinkedIn SCADA. You might be surprised by the results.
Many SCADA systems are foolishly connected to the Internet and a quick search with Google for some fairly easy-to-guess search terms could have a potential bad guy controlling a SCADA system in minutes—turning pumps on and off or turning off circuit breakers.
Jack: You are considered by many to be one of the top security minds in the world. What is your feeling about how much social engineering is being used to gain physical access to critical information? Can you give us a few examples of some of the things that you have seen?
Mr. Henry: Social engineering has played a major role in every headline-grabbing hack that we hear about today. Simply put, it has become an all too common and in most cases easy path into the very core of an otherwise protected network environment. Why take the time to directly penetrate a network's fortified gateway when you can easily bypass an organization's perimeter defense with a little social engineering trickery?
• HBGary fell prey to the social engineering skills of a 16-year-old girl. She successfully spoofed an email from a senior executive to an IT department employee in an effort to drop security defenses and allow inbound connections that facilitated the hack that exposed over 60,000 HBGary and HBGary Federal emails on the public Internet, some of which contained sensitive/confidential company information.
• RSA fell prey to a socially engineered email sent to an internal employee that started the entry into their network that resulted in the compromise of the security of their Token product. RSA will be replacing an estimated 40,000,000 tokens for customers as a result of the intrusion into their network.
• The government of Iran's nuclear fuel centrifuges controlled by Siemens SCADA products fell prey to free USB sticks given away at a security conference (allegedly targeted). As expected, employees returned to work after the conference and plugged the USB sticks into PCs on the company's network and opened the door for Stuxnet to pillage their SCADA systems.
• Multiple energy companies fell prey to social engineering spear phishing attacks on mobile devices. VPN-connected workers were used to gain additional internal access that facilitated the Night Dragon malware infections in the Americas, Europe, and Asia as well as countries in the Middle East and North Africa.
• Social engineering was behind the Operation Aurora attacks in the form of phishing emails to key personnel that directed employees to websites with specially crafted malware that took advantage of a Day Zero vulnerability in Internet Explorer. Successful attacks were carried out against search giant Google and at least 20 other firms, including Adobe, Juniper Networks, Rackspace, Yahoo!, and Symantec.
• A disgruntled ex-Gucci network engineer allegedly went on an IT rampage after leaving the company and using social engineering to trick Gucci IT department employees into activating a token he had taken a month prior to leaving the company. He used it to gain remote access to the company's network where he allegedly deleted virtual servers, shut down the company's storage area network, and deleted a disk containing corporate mailboxes from an email server.
• The Rupert Murdoch News Corp Media empire is still reeling from the News of the World tabloid cell phone hacking scandal that all began with social engineering and loopholes in voice mail security (users not changing default passwords) to hack into voice mailboxes. It is far from over and has already resulted in the U.K.-based News of the World tabloid being shut down.
Jack: I always like to ask security professionals about their thoughts on any countermeasures that companies can employ to help prevent becoming a victim of social engineering. Can we get your opinion of countermeasures that you have recommended?
Mr. Henry: We have fallen into the crowd mentality trap in network security. What I mean by that is we as a community know very well that our current defenses such as traditional antivirus, signature-based IDS/IPS, port-centric firewalls, and flaw remediation programs such as Microsoft's WSUS are easily penetrated/bypassed and rendered useless against a relatively low skilled adversary. Yet we continue to use them simply because they are what everyone else is using. After all, if that is what everyone else is doing it must be right….

Traditional AV, IDS, and IPS considerations

First we need to reset our focus. Simply put, it is misdirected today; actually it has been wrong for more than a decade. All of our efforts are at the gateway and seem to involve preventing malware from being delivered into our environments. We will never break out of the arms race we seem to be locked into with malicious hackers if we keep playing the game their way. Effectively playing the game their way puts the bad guys in the same position as the casinos in Vegas—the house always wins. We need a game changer and I believe that the most viable game changer is to quit worrying about the delivery mechanisms of malware and apply our focus on not allowing any untrusted code to ever, under any circumstances, execute within our environments.
It is imperative to recognize that the end game for our adversary today is not to trick an internal employee surfing the web into clicking on a specially crafted link that the user cannot resist that leads to a malware-laden website, opening a malicious email attachment with embedded malware, or causing a user to plug in a free USB stick that they picked up at a network security conference that contains targeted malware. The end game is to use these various delivery methods to cause malware to enter the enterprise environment and to execute on internal network resources such as desktops and servers. It almost seems too simple but the reality of our situation is that if we simply prevent unauthorized code that is not explicitly permitted by policy and is not known to be trusted from executing within our network environments, the seemingly unlimited delivery mechanisms available to the bad guys quickly become a non-factor. Who cares how they deliver their malicious code? If it cannot execute it simply no longer matters.
The bottom line with respect to our failed AV, IDS, and IPS solutions that today still continue to expose us to unnecessary risk is to complement them sooner rather than later with current generation application control/whitelisting solutions that will allow us to change our focus from malware delivery to the only viable defense in our current threat environment: preventing untrusted and unauthorized applications from executing in the first place.

Traditional firewall consideration

Next we must end our misplaced trust and reliance on traditional port-centric firewalls—hackers beat us on that effort many years ago. As defenders we always play by the rules and filter applications based on the RFC mandated/recommended service ports:
• Web traffic: TCP 80
• FTP traffic: TCP 21
• Encrypted web traffic: TCP 443
• SSH traffic: TCP 22
• Email (SMTP): TCP 25
• Telnet traffic: TCP 23
• Web traffic, alternate: TCP 8080
• RTP traffic: TCP 3389
• DNS: TCP 53
• Multiple MS uses: TCP 135
By way of our defined security policy, we close all possible ports but typically have to leave those above (and some others) still open in order to conduct our business. Well here is a news flash for defenders: the bad guys know that we must leave some specific ports open and they have no intention of abiding by our policies. They simply created malware and bad-ware that can operate literally across any port or service (no policy restrictions for the bad guys) that we happen to leave open. The bottom line is that if your firewall today does not have the ability to identify applications operating over any port or service, you are destined to be compromised (if you're not already).
Ports are no longer relevant. Simply put, if your firewall cannot identify any traffic operating over any port or service, then you will never be able to control your network traffic. If you cannot control known good traffic you stand no chance at all of controlling any bad/malicious traffic.
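To make the point concrete, here is an added example (not from the book) of the difference between a port-centric rule and application identification: a classifier that reads the first bytes a client sends and compares the protocol it finds with what the destination port implies. The flows are constructed payloads, not captured traffic, and the classifier covers only the web and SSH ports from the list above.

```python
"""Identify the protocol from payload bytes instead of trusting the port.

Added example, not code from the book. A port-centric firewall rule
assumes that TCP 443 carries TLS and TCP 80 carries HTTP; this classifier
looks at what the client actually sends first and reports when that does
not match the port's expectation. Sample flows are constructed payloads.
"""

# What a port-centric policy assumes each open port carries
# (the ports from the list in the text that this classifier can identify).
PORT_EXPECTATION = {80: "http", 8080: "http", 443: "tls", 22: "ssh"}

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"CONNECT ")

def classify_payload(data: bytes) -> str:
    """Best-effort identification of the first bytes a client sends."""
    # TLS: record type 0x16 (handshake), version 3.x, and handshake type 0x01
    # (ClientHello) right after the 5-byte record header.
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        return "tls"
    # SSH clients open with an identification string such as SSH-2.0-...
    if data.startswith((b"SSH-2.0-", b"SSH-1.99-")):
        return "ssh"
    # Plain HTTP request line: METHOD SP request-target SP HTTP/version
    if data.startswith(HTTP_METHODS) and b" HTTP/" in data.split(b"\r\n", 1)[0]:
        return "http"
    return "unknown"

def check_flow(dst_port: int, first_bytes: bytes) -> dict:
    """Compare the identified protocol with what the port implies."""
    expected = PORT_EXPECTATION.get(dst_port, "closed-by-policy")
    observed = classify_payload(first_bytes)
    if observed == "unknown":
        verdict = "unidentified"   # the port number alone tells us nothing here
    elif observed == expected:
        verdict = "match"
    else:
        verdict = "mismatch"       # e.g. SSH riding over TCP 443
    return {"port": dst_port, "expected": expected, "observed": observed,
            "verdict": verdict}

def review_flows(flows: list[tuple[int, bytes]]) -> list[dict]:
    """Apply check_flow to (destination port, first client bytes) pairs."""
    return [check_flow(port, data) for port, data in flows]

# Constructed sample: the first client bytes of five flows.
TLS_CLIENT_HELLO = bytes.fromhex("160301005a01000056030311223344")
SAMPLE_FLOWS = [
    (443, TLS_CLIENT_HELLO),                                # as the policy expects
    (80, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),   # as the policy expects
    (443, b"SSH-2.0-OpenSSH_7.9\r\n"),                      # SSH on the "HTTPS" port
    (8080, TLS_CLIENT_HELLO),                               # TLS on the alternate web port
    (443, bytes.fromhex("0000002a0102030405")),             # nothing recognisable
]

if __name__ == "__main__":
    for result in review_flows(SAMPLE_FLOWS):
        print(result)
```

A port filter passes all five flows; only the third and fourth are visible as mismatches, and the fifth shows why "allowed port, unknown payload" deserves a policy decision of its own.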

Flaw remediation

We foolishly focus the majority of attention on Microsoft issues, and to be blunt, Microsoft is not the issue today. The vast majority of attacks today target third-party software and browser add-ons. So many organizations rely solely on Microsoft WSUS, which only handles flaws specific to Microsoft products. We are clearly missing the target and the bad guys know it. What has been the most hacked software for more than the past year? Well, it has not been Microsoft; it has been a third-party product vendor, Adobe. Is it any wonder we find ourselves in the mess we are in today?
The solution to our flaw remediation issue is to apply a little common sense — don't rely solely on solutions such as WSUS that are unable to remediate issues with the third-party applications and add-ons that are operating in your environment.
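Paul Henry's point above about port-centric firewalls, as an added example (not from the book and not any vendor's implementation): a toy classifier that identifies the application from the first bytes the client sends and reports every flow a port-only rule would have passed even though the payload is not the application the port is "for". The flow tuples, PORT_POLICY mapping and sample payloads are all constructed for this illustration.

```python
import re

# Port -> the application our policy intends to allow on that port.
PORT_POLICY = {80: "http", 8080: "http", 443: "tls", 22: "ssh", 25: "smtp"}

HTTP_REQUEST = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|CONNECT) \S+ HTTP/1\.[01]\r\n")


def classify_payload(data: bytes) -> str:
    """Identify the application from the first bytes the client sends,
    ignoring the destination port entirely."""
    if data.startswith((b"SSH-2.0-", b"SSH-1.99-")):
        return "ssh"
    # TLS record header: content type 0x16 (handshake), version major byte 0x03.
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        return "tls"
    if HTTP_REQUEST.match(data):
        return "http"
    if data.startswith((b"EHLO ", b"HELO ")):
        return "smtp"
    return "unknown"


def policy_violations(flows):
    """Return (dst_port, expected_app, seen_app) for every flow a port-only
    rule would pass but whose payload is not the application the port is for."""
    findings = []
    for dst_port, payload in flows:
        expected = PORT_POLICY.get(dst_port)
        if expected is None:
            continue  # the port rule already blocks this destination
        seen = classify_payload(payload)
        if seen != expected:
            findings.append((dst_port, expected, seen))
    return findings


# Constructed sample flows (destination port, first client bytes); not real captures.
SAMPLE_FLOWS = [
    (80, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),  # legitimate
    (443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),  # TLS ClientHello, legitimate
    (443, b"SSH-2.0-OpenSSH_8.9\r\n"),  # SSH riding the HTTPS port
    (80, b"\x16\x03\x03\x00\x40\x01"),  # TLS on the plain web port
    (8080, b"\x00\x01\x02\x03beacon"),  # unrecognised protocol on the alternate web port
    (3306, b"anything"),  # port not in policy: already blocked, so not reported
]

if __name__ == "__main__":
    for port, expected, seen in policy_violations(SAMPLE_FLOWS):
        print(f"port {port}: policy allows {expected}, payload looks like {seen}")
```

A port-only rule passes all five flows to the policy ports; the payload check reports three of them.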

Do you have a guest user of your credit card?

Here's another flea market treasure that I found really interesting. The credit card reader shown in Figure 1.12 is capable of storing up to 300 credit card numbers. It's roughly the size of a telephone handset. Finding things like this at flea markets, yard sales, thrift stores, and pawn shops is to me a perfect example of how much expensive high end technology is out there for the taking for a determined social engineer or potential bad guy. This one was most likely replaced by something just a little more modern. It wound up out there in the surplus world and eventually at a flea market. A device of this size wouldn't work well as a concealed skimmer, but it certainly would be small enough to keep concealed somewhere where the bad guy could get to it and quickly swipe your card when given the opportunity. If you think about your last meal at any restaurant, how did you pay for it? You most likely enjoyed the great meal and then handed your credit card to someone to pay for it. Probably 999 times out of 1000 everything is fine. If that one time the person that you handed your card to was looking to steal credit card numbers, there could be an opportunity to scan your card into a reader similar to this before scanning it a second time into the restaurant's credit card reader to pay the bill. Your credit card number stored in the illegal scanner might not be used any time in the immediate future. It may also be quickly sold to people who want to commit credit card fraud. At the time of the theft of your credit card number in this scenario, neither you nor the restaurant would know that it happened. The restaurant would probably never know it, and you wouldn't know it until the card was eventually used to charge things to your account.
Figure 1.12
Credit card reader: flea market, $5
Using these fairly technical electronic devices requires only very low tech hacking and a little social engineering. This seems to be the trend with fairly complex pieces of technical equipment: the more high tech a piece of equipment is, the harder the developers seem to have tried to make it easy to use.

A few possible countermeasures

When we consider the risks, threats, vulnerabilities, and countermeasures associated with social engineering, the countermeasures are things that need to be considered by all employees. The overall sneakiness of the threats associated with social engineering makes it very easy for social engineers to catch anyone off guard. We just don't like to think that people who appear kind and caring may be looking to do things that cause harm. Our human nature just doesn't like to consider these things.

Always be slightly suspicious

The number one countermeasure for the threat of social engineering is to be just a little more suspicious than we normally are as good, friendly, trusting citizens. This holds true for social engineering attempts that come by way of a phone call or a visit from a friendly salesman. The same principle will help all of us to be more aware of possible terrorist planning activities as well. We all need to be just a little bit more aware of what is going on around us and of people who may be pretending to be other than who they really are as they try to use the age-old skill of social engineering to breach our security.
Unfortunately, this is a difficult countermeasure to continue to implement. We usually stop being concerned about things that happened even a few years ago. I suspect that this has something to do with our wonderful freedom from most of the bad things that people live with every day in other parts of the world. We can never afford to become complacent again. If we do, it will make life much easier for future bad guys, social engineers, and even terrorists.

Start to study the art of social engineering

There are several new groups on the Internet that now address social engineering topics as their main subject. One of those is located at http://www.social-engineering.org. This group and their website have more information on the subject of social engineering than I have seen on any Internet website.

Start a social engineering book library

I've always enjoyed having a lot of different reference books in my library. Sometimes I'll have three or four open at one time when researching a specific subject. I am one of those people who still really likes to hold the book in my hand and not read it from the screen on some handheld or desk resident device. I do understand the convenience of being able to have so many books on one small handheld device; I just don't think that that will ever be me. Here's another book that I would like to recommend that you consider for your library.
Social Engineering: The Art of Human Hacking by Christopher Hadnagy (ISBN: 978-0-470-63953-5, Wiley)
This is one of the newer books in my collection. None of these “here's why it works” books existed when I first started using social engineering as a tool for pen testing. It is truly amazing how our minds work and sometimes don't work the way that they should. Christopher is also the lead developer of the website www.social-engineering.org that I mentioned earlier.
Tip
You can have some more fun using social engineering in some innovative ways. Time seems to pass so quickly during the summer that I frequently forget my wife's birthday. Several years ago I decided to do something that I thought would help me to remember it. On my Facebook page I changed my birth date to her birth date. Now each year starting a day or so before her birthday I receive birthday wishes from about 50 or 60 of my friends. Some of these wishes are so kind and heartfelt that I really didn't want them to know that this wasn't really my birthday. I guess they'll all know it now! Hopefully they will forgive me. It was absolutely perfect as a way for me to remember with 50 or 60 reminders to wish my wife happy birthday (and not get into trouble again for forgetting it). Now that I've shared my little secret in print, I have changed my Facebook page once again just to keep everybody guessing. Please feel free to use my little social engineering birthday tip if you like. Happy birthday!
—Low Tech Jack

Summary

The threat of the bad guys of the world using social engineering is most likely here to stay. Hopefully some of my experiences with social engineering will raise your interest level and have you dive a little more into learning how it works and why it works. If you are a penetration team leader, social engineering will become one of your primary tools if it isn't already. If you're a security manager you will want to know how social engineering can be used against your employees and how vulnerable they are to these kinds of attacks. If you're a risk manager or an internal auditor, you will want to know a little more about the potential threat of social engineering and how these kinds of threats can be mitigated through countermeasures and employee awareness training. The con that we call social engineering is an age-old behind-the-scenes threat that we all need to continue to learn about as the bad guys of the world find more and more ways to use it.