A pentester shares a story that shows how social engineering can get you anywhere.
Sophie is a physical penetration tester and information security consultant. She specializes in social engineering security assessments including physical, voice (vishing) and text (phishing). She consults in remediation and prevention of security incidents through creation of policy and procedures, as well as customized training for your individual office culture. Prior to working in infosec, Sophie was a journalist, photographer, and a mom.
Hello! My name is Sophie and I break into buildings. I get paid to think like a criminal.
Organizations hire me to evaluate their security, which I do by seeing if I can bypass it. During tests I get to do some lockpicking, climb over walls or hop barbed wire fences. I get to go dumpster diving and play with all sorts of cool gadgets that Q would be proud of.
But usually, I use what is called social engineering to convince the employees to let me in. Sometimes I use email or phone calls to pretend to be someone I am not. Most often I get to approach people in-person and give them the confidence to let me in.
My frequently asked questions include:
What break-in are you most proud of?
What have you done for a test that you were the most ashamed of?
What follows is the answer to both of these questions.
A few months ago, a client had hired me to test two of their facilities: a manufacturing plant, plus a data center and office building nearby.
First step: open source intelligence, or OSINT. I look at maps, satellite images, study what I can of their delivery and supply schedules, and so on.
The manufacturing facility looked like a prison. No windows, heavy iron gates, no landscaping. Generally a monstrosity of architecture.
This facility had armed guards, badge readers, biometric security controls and turnstiles at every entrance.
I remember thinking, "It's got to be hell to work in there. I wonder if I can use that…"
One thing was for sure… The chances of tailgating (following behind an employee with valid credentials) into this building were next to non-existent.
I was going to have to get down and dirty with my social engineering.
First stop: LinkedIn. Your LinkedIn is my best friend. The more information you have on your LinkedIn, the more options I have.
I have several fake LinkedIn profiles that you are probably connected to.
I scour profiles of employees who work at these facilities, and cross-reference them to other social media sites. And I find a lovely young woman who I'm going to call Mary.
Mary was a brand-new hire working as an assistant at the manufacturing facility. Mary had a public Facebook account too.
On Mary's public Facebook account, she documented all of her family's adventures.
Side note: Now I know where Mary went to high school, her mother's maiden name, the names of her pets, etc.
Answers to those "security questions" you use to reset your passwords are very easy to find if you aren't careful with that information.
Not to mention that now I know where Mary works, where her kids go to school, where they vacation… I could go on. Scary stuff.
This is not an advanced investigation. I'm not a private investigator and I don't have the resources of the NSA. But I can do a lot of damage with simple methods.
Most notably to me, there were photos Mary posted of her time volunteering with a certain maternity support center.
Her passion for children and caring new moms was very plain. So of course, I took advantage of it.
For this assessment I played two roles. For the first, I spoofed my phone number to make it look like it was coming from the company's headquarters.
I called the front desk of the manufacturing facility and was transferred to Mary. "Hi Mary!" I said, "My name is Barbara."
"I am a project coordinator with facilities management. We are renovating a few of our facilities. We are sending an interior designer out to you tomorrow so she can put together proposals to update your space!"
Mary replied, "Well that's great! But why the short notice?" I could feel her getting suspicious, so I pulled out my trump card…
*Sigh* "Well Mary… You really should have heard from me sooner. I've just been so overloaded at work… I feel like I can't catch up, and to top it off the baby is due in 6 weeks. If my boss finds out I messed this up he's going to flip."
I was really getting into this, voice shaking. (Yes, I know, I'm a terrible human being.)
She cut me off, "Oh hunny, hunny it's ok. We will work this out! Tell me about the baby! Is it your first? Boy or girl?!"
Our Mary was committed at this point. Not because she is stupid, but because she is a good person. She wanted to help me.
We talked babies and birth plans for a while (never pick a pretext you can't speak about at length.)
Mary took down the name of the "designer" who was coming by the next day and we said our goodbyes. Mary could have saved her company a lot of heartache by simply verifying that I was who I claimed to be. (Just to be clear here, I would never give out Mary's real identity. I'm not totally heartless. This could have happened to anyone. She has not been fired.)
I showed up the next day as "Claire" with a fictional architecture firm that I had made business cards and a website for. My alter-ego Barb had done most of the leg work for me. When I arrived, Mary and her boss were waiting for me with smiles. I shook hands all around and handed them the business card I printed out the night before. I was given a visitor badge and the red carpet was rolled out.
I gained rapport with the staff there by asking them to tell me what they wanted in an office space. They were so excited. I might have claimed to be on the team that put together the Google offices… (Yes, I am HORRIBLE. This is my inner demon child.)
"You want a standing desk? New chairs over here?! Ergonomic keyboards for everyone! Let's look at swatches!"
We became best buds. I was given complete and unaccompanied access to the facility where I stayed for several hours.
I gained network access and stole several thousands of dollars in physical primitives by picking my way through cheap locks (credit to Deviant Ollam for the rad lockpicking animations.)
This client had been pretty confident that I wouldn't get into either facility, much less be able to hit both in a short time span. So the timeline was left to my discretion, but it was assumed that I would need to fly to the area twice.
I didn't see the need in burdening them with two round-trip expenses.
I went back to Mary's office and said, "Well I think I have what I need from here. How do I get to the office center?"
She looked at her watch and said, "It's almost lunch time. I'll take you there!" A whole group of us piled into the parking lot, and they took me to a nearby taco shop. That's right. My marks took me to get tacos… I love my job.
After lunch they drove me to the offices and a few of them came in with me to show me around.
I took FOREVER looking around this office space, and eventually they said their goodbyes because they had to go back to work. They had a strict policy of escorting visitors. But I had been seen walking around with trusted insiders so no one questioned me.
I was free to take my time. I made myself at home. My main objective at this site was to weasel my way into private corner offices.
When I accomplished my goals, I tracked down my point of contact's office. This is the man who hired me in the first place. This is the best part of every job.
Steve was there, hard at work when I disturbed his groove by knocking on the door. He glanced up, "Hi there, can I help you?"
I smiled. "Hi Steve! I'm Sophie from Sincerely Security. It's nice to meet you in-person!"
I will never forget the look on his face… Pure gold. "Who?... Wait, what? How? How did you get in here?!"
We stayed in his office and talked for a long time. I went over exactly the steps that could have prevented my success. First of all, the desire to help others is human and natural. We don't want to discourage that.
Second, I'm sure they did have some sort of policy that required visitors to check in showing government-issued identification, but they weren't following it.
We also need to post by every computer, phone and door: "TRUST, BUT VERIFY."
An employee who does their homework can ruin my day.
Third, if it seems too good to be true, it probably is.
Is your company going to hire the team who designed Google's offices? Magic 8 ball says no.
Lastly, the team who took me to the second location should have found someone else to escort me through the building.
I've been doing this job for a couple years now, and almost every job is a variant of this story. Very rarely do I go through an entire assessment without some sort of social engineering.
There are ways to protect yourself and your company from attacks like this. I think it starts by sharing stories like these, and educating and empowering each other to be vigilant.
Please share your thoughts with me. Reach out on Twitter where you will find me @HydeNs33k.