The art of social engineering is making people believe you are trustworthy.
Any good grifter will tell you most people are willing to believe you are more important than you are. All you have to do is watch The Sting or Fox News to see the concept in action, but having the techniques of a “professional” conman laid out before you is a little bit like peeking behind the curtain at a magic show. Once you see the process, it seems impossible that anyone would be fooled, but these techniques still work. Jim Stickley is a self-described “Professional social engineer” who is hired by institutions to find holes in their security, much like Robert Redford’s team in the movie Sneakers. Reading Stickley’s step-by-step process of how he and his team enter offices and banks to steal vital information and install key loggers is just eye-opening.
“Let’s say I am posing as a fire inspector,” Stickley said. “The first thing I will have besides my badge and uniform is a walkie-talkie, like all firemen.” Outside, the man in the car sends a recording of typical fireman radio chatter to Stickley’s walkie-talkie.
“We walk into the facility and make sure that all the chatter is coming loudly into to the walkie-talkies as soon as we walk in their door so that we are immediately the center of attention,” he said. “When I walk in, I want everyone to know that I mean business. My walkie-talkie is loud and everyone looks over as I apologize and turn it down.”
The point of this is not quite misdirection, but to build an illusion of reality. After presenting his false credentials, Stickley conducts the fire inspection even though he has no idea what he is talking about. “I make stuff up and probably give the worst advice ever. I’ll pull out cords and say ‘This looks a little bit dangerous.’ I’ll comment on space heaters. I’m completely winging it.”
Effective use of props is key for any good grifter worth his salt and Stickley is no different. “A few years ago, I got a device at Home Depot. It’s like a measuring tape, but not a regular measuring tape. It has a laser pointer and makes a clicking noise. This device is like the Tricorder on Star Trek for me. I can do any magical thing with it as far as Im concerned. I’ll put it up to a socket and say ‘This looks like it has too much current running through it.’ And they just believe it.
“It’s amazing the stupid things I can do. It’s the bells and whistles that count and people want to see that you have products,” he said.
While Stickley is being escorted around, his partner wanders off, steals anything he can, and conducts inspections under people’s desks. All he is really doing is putting USB dongles in their computers that will log all of the keystrokes of the user. “By the time it’s over, we’ve stolen stuff, and gotten access to log-ins and passwords because we’ve been recording that information with the key-logging devices, whether it be online sites or local accounts on their system. We’ve been on their wireless network and have been able to hack into that as well.”
The whole process might take a few visits, but Stickley plants the seed of a return by being called away on his walkie-talkie so that it’s reasonable for the inspection to continue on a later day.
After Stickley and his team rob a place, they meet with the executives and employees to show them what they retrieved. “When we show up after the engagement to present what we found, there is often a total look of shock on the employees’ faces,” he said. “It’s stuff they never thought would happen. If you talked to them a week earlier, they never thought they’d fall for some of the stuff we pulled. But now they see it can happen, and it can happen to them.”
Let this be a lesson to all of you: Never let firemen search under your desk. That is all.
Source: CSO Online