In the server room, I go to the KVM switch to access my servers. There I find all kinds of devices running, logged in - and completely unattended. Device #1 is a newly-built Win 2003 server in default state; device #2 is the mail server, and is logged in; devices 3, 4 and 5 are my servers; and other devices, one with a Cisco firewall dashboard on-screen, are all open for business. One machine that was locked sat there like a magnet. For the fun of it I tried the administrator password from the servers that I was working on and, would you believe it, I got in - with a common password! Absolute total hacking nirvana!
For my convenience, I needed to have remote command line access to my target servers to stop and start specific server processes. I'm not a lover of VNC so I put on Netcat and configured it to run as a remote command shell. Absolute complete hacking orgasm!!!
So here I am, an Average Joe consultant, and after a very short time, I have root access to everything that matters in that organization. I've essentially hacked nothing, in the electronic sense of the word.
Such trust is stunning, and very, very foolish. I'm a good guy, and I took it to the IT manager, who wasn't at all impressed that I raised the issue. Having completed my contract, I went on to other things, returning to this firm several months later for a routine server health check.
I couldn't resist asking the obvious question: what had changed since my last visit? Well, I found that all the servers were no longer left idly open as they had been before. But it didn't really matter, because they all still had the same administrator password.
Stop Being Polite, And Stop Worrying About Convenience!
The door that takes ten seconds to close is a gateway to any area that is subject to controlled access. Someone swipes their card, quickly swings the door open and walks through; this leaves an opportunity for illicit access by an intruder tailgating through the door behind them.
Worse, consider the polite employee who sees a beautiful girl coming up behind him, laden with a heavy briefcase, and holds the door open with a smile. Or how about the network that allows anyone to configure for DHCP and then lets them plug and play from any terminal?
How about the simple example of someone sitting at their desk and getting a call from "the IT department"? The warm voice says, "Hi there, I just need your username and password" - that probably wouldn't work, right? Well, what if the caller has scoped you out ahead of time, perhaps knows something about you or your family, and starts off the conversation with "I was out with your wife at the book club last night, she was telling me all about such and such..." This goes on for three minutes, and the target, too polite to say "Umm, sorry, but I don't actually know who the hell you are...", develops a sense of trust with the caller. When the "IT person" then drops that request for a password or similar, they are much more likely to hand it over.