Inadvertent leakage of data
Most people are either not aware, or blissfully ignorant that the data they carry, be it analog or digital, is significant or important to anyone in sense. If it’s not a contract, or other clearly classified document or file, people just don’t care. But for a social engineer, this speck of data could be all he needs to penetrate your corporate structure and network.
How many gigabytes do you have on you right now? Well, i can list the following:
- 30GB iPod Video
- Laptop with a 40GB disk
- 8 GB memory stick
- 8 GB microSD card in my phone
- Caselogic full of CD’s and DVD’s, plus a 250 GB mobile hard drive
That’s what i have on my person right now. Now, it should be noted, that the actual amount of data on these media is only a fraction of that, but as an example.
How about analog stuff? Most of us carry business-cards in their wallet (along with other cards, receipts, etc.). Some oldschool yahoos still have a bunch of papers in folders, binders and other assorted archiving methods, that they lug around town every day.
If you look at what you have, you could very quickly conclude that there isn’t anything crucial that you have on you. No contracts, no lists of people’s salaries or who’s getting fired next. No passwords on small post-it notes (and some of you do that too…). So what could be compromised if you lost one of these items, huh? Not a lot? Think again.
One man’s garbage is another man’s…
…fucking treasure-trove. What could an adept social engineer do with a business-card? Well, he could assume your personality for purposes of calling someone, or even staging a meeting. The information contained on a simple business card, is usually: name, title, address, telephone numbers(s), e-mail address. Let’s go through these and make up plausible scenarios for their usage.
If you’re just out trolling for a random target, a business card with these data could be all you need. Based on this, you can do additional network searches, and find out more about you, the company or what you do. Maybe you have a blog, or maybe your calendar is openly viewable on Google Calendar. You’re most certainly on facebook, and since you have a business card, you probably have an extensive “net-history” to begin with. All this is fuel for the flame of a social engineer. Using this data, they can get to friends, family, co-workers, ex-partners with a grudge, old school-buddies or teachers, etc. All ways of getting to the good stuff, of whatever data it is that the social engineer is looking for.
A telephone number will give you a lot of things. First, in certain cases, it can be used to deduce your mobile carrier. And through that, find out who your company deals with for telecommunications perhaps. Using that data, an attacker could assume your personality even better, because he knows something detailed about you. A good speaker could call up a secretary and with the proper words, get what they want, just because they know a little bit of “insider information”. A landline number (for those of us who still use those things), could give you an extension number, or a system of extension numbers. That way, you could exploit the company switchboard, operator or even voicemail. It’s unbelieavable, but in some cases, you can get to someone’s internal voicemail just by knowing their extension, name, and the “internal” phone number to call. Some systems are open to the outside world, because people may need to get to their voicemail from their hotel, mobile phone, home, etc.
The e-mail address will give you the method of naming. Is it firstname.lastname@example.org, or something else. This again is information you can exploit, while calling someone within the company, or perhaps the service desk, pretending to be a lost user without a password.
This is the core problem. People don’t view these things as risks. And neither do heads of corporations, or in the worst case, the security department (if you have one). How many buildings you work in actually have a method of making sure nobody unauthorized gets in to the office? How is physical security in general? How easy is tailgating?
I’ll give you a hypothetical example. A door has a codepad, which requires a magnetic keyfob, and a four digit pin-code to get in. Now, even without these, getting in is childsplay. Just tailgate. At any one time, betwen two and five people walk in with the same opening. There’s no reception desk at this door, but there is a camera. How often have you been confronted by someone asking you to show their ID? Not a single time. Most people don’t even carry their ID’s anywhere visible (which is a good thing on it’s own). Get to the elevator. Someone else uses their keyfob to activate the keypad. They hit their floornumber, and you hit your number right after, and you won’t need your own swipe to get to the floor you want. Get in to the actual offices without a key, again, tailgating. Pretend you’re from another office or something, based on the information you have gotten from a business card you found, or the company website. In most cases, you won’t be challenged. In most cases, people will open the door for you, and get you coffee if you’re nice and personable.
There have been cases where a hacker, impersonating a service representative, or helpdesk person, has actually carried out hardware from the front-door, and even had help with doors.
One of the greatest fallacies of all time is that “people won’t go through all that trouble to do that!”. You’d be amazed at what people are willing to do.
Treat every bit of data you carry on yourself as important. If you don’t, eventually someone smart enough is going to come along and exploit that. For fun, profit or something inbetween. Maybe just because he can.
And this is not even to mention what should be plainly obvious: Losing any bit of digital data might be really really bad. A hard disk might contain not only your files, but log-files that contain ip-adresses or in the worst case, passwords to internal or external systems. The next time you lose something, take it seriously. The next time someone asks you for something, be curious as to the reason of his inquiry. We already stream out copious amounts of data that used to be personal, using social networks such as Facebook, Friendster, Twitter, etc. Don’t make it too easy for the badguys, huh?