Schneier on Security
A blog covering security and security technology.
February 18, 2008
Fascinating Social Engineering Story
Petty crime and identity theft, but both fascinating and impressive. Social engineering works even in places that take security seriously.
Posted on February 18, 2008 at 1:55 PM
If you look like a cleaner, security or maintenance you're basically in. No matter what kind of building or bureaucracy you're facing, you're invisible and have total access.
Yeah, just in case anyone out there is wondering - the hiding place behind all the files in your bottom-most file drawer is the FIRST place the thieves search...
Fifteen years ago I caught a fellow in a U of Mn campus office doing exactly what the perp in the story was doing: the whole "I was looking for a post-it" etc., etc.
Two days after I handed him over to the police I spotted him moving rapidly through the student union, his eyes scanning for open and unattended purses and backpacks. His crime was too small to warrant doing more than setting a court date and releasing him.
Some things never change.
She was smart, but not smart enough to keep getting pregnant when she had no money?
“I’m very, very intelligent,”
uhhh huh, suuuure you are.
I'm reminded of a story I heard Don Parker tell a DP professionals group in the early 80s. He told of wearing his visitors badge on his outer coat, which would be shed during the course of the day. Eventually, he would find himself alone in the mainframe operating room at the end of the day.
Between six and 18 months later, he visited my company as a vendor representative. He'd just arrived and had already put his visitors badge out of sight -- only a one floor elevator trip from the lobby. As we were introducing ourselves, I mentioned seeing his security presentation and noting in front of the operations managers that Don should always show his visitors badge and that I didn't want our company to be one of his future 'security failure' stories.
I hope he realized I'd learned my lessons well from him.
'“I’m very, very intelligent,”
uhhh huh, suuuure you are.'
Whether she's 'very intelligent' or not, she's obviously brimming with self confidence, which is probably more important than intelligence for social engineering attacks like this.
The day that not getting pregnant is a sign of better-than-average intelligence is the day that the world's population rate actually slows down.
The two are /not/ linked, I assure you. Mostly because people do not think with their respective genitalia, and those parts of the brain (you know, where "intelligence" resides) that are massaged when respective genitalia are massaged.
Plainly: finding yourself pregnant is no indication /at all/ of any measure of intelligence, positive or negative.
The article clearly takes a few jabs at her 'vast' intelligence. Some of it is simple statement of fact, like the regular references to not being able to keep a job, to getting pregnant again and again even as she struggles to feed the kids she has, to dropping out of school, etc.
But that line "Countenance is one of the words Franks uses a lot." is quite telling. Having a stable of half a dozen 'big words' one uses as much as possible is the sign of someone who's trying to fake being smart.
My diagnosis? She's not smart, but she's confident and can spin a line of BS even when under scrutiny. With that talent, she really missed out - she could've made a great politician.
"Plainly: finding yourself pregnant is no indication /at all/ of any measure of intelligence, positive or negative."
You don't one day wake and "find yourself pregnant". There is a thing called sex that takes numerous decisions and at least several minutes of action.
If you get prego once -- perhaps forgivable. But in her situation having kid after kid with the same loser = Stupid.
This is probably when people should agree on some "different kinds of intelligence" theories. Even now, she could probably make good money writing books about social engineering and security, and giving talks at corporate seminars. But the mentality that it takes to work within the system, not against it (also, not to physically assault cab drivers who try to overcharge you a couple of bucks), probably doesn't count as intelligence, but more as a cultural trait.
Intelligent, yes, absolutely. Not necessarily the kind of intelligence that wins on Jeopardy, but you can't be dim-witted yet still be able to think fast enough on your feet to tell convincing lies.
Also, getting pregnant multiple times has nothing to do with intelligence. Maybe she or her husband are religious, and that's part of their faith. Maybe that was how she developed a sense of worth as a person. It's perhaps a question for her pastor or shrink, but using it as an excuse to refute her claims of intelligence?
She was smart and confident enough to fool dozens, maybe hundreds of people, get into secure buildings and know where to look for unsecured loot and get out, most of the time. So, whether her decision making process is broken or absent, she's displayed an inarguable amount of competence and shown how insecure some of these places are.
I personally thought her decisions were uniformly bad. That said, isn't discussing her intelligence potential a bit beyond the point?
Keeping this a little bit on topic, I was hoping there would be a picture of the young woman with the article. Pretty young women can get away with murder, and I think it's worth reminding security staff not to get themselves all aflutter just because some chippy bats her eyes at them. My guess is that her schtick wouldn't have worked too well on the few *female* security guards in those office buildings.
Today, I refused to show a picture ID to get into my own office. I had left my badge at home. The rules say they need a photo ID in this case. I refused to give one, because I think it is silly.
So instead, they asked for my phone extension, looked it up and then asked "You're Michael?" Apparently, that's all you need to get into my building -- a plausible phone extension.
This happened the same day that corporate released a memo describing how important security was, and how photo IDs were going to provide that security.
Bruce, you're turning me into a terrible cynic...
In some ostensibly security-conscious settings, most of the clip-on IDs that I see are backward. Is there a technical solution?
Same info on back and front.
>> I had left my badge at home.
Then go home and get it.
>> I refused to give [a photo ID], because I think it is silly.
So sad. I'd be happy to call your manager for you so that your boss knows you're an idiot. :) We saw on camera that you drove to work today, so I'm sure you have a photo ID with you.
In English bureaucrat-speak: "I'm sorry for the delay, sir, but showing photo ID is required." "I'm just doing my job. I need to see a photo ID before I can issue a temporary badge." "I can see that you're getting frustrated. I don't have the authority to make exceptions. I'd be happy to call your manager for you and ask him to help us resolve this issue."
>> So instead, they asked for my phone extension, looked it up and then asked "You're Michael?"
Now, if I have a nice high quality picture of you on the database, I might do this. Then again, I might not.
>> Apparently, that's all you need to get into my building -- a plausible phone extension.
(The extension is a low-level check that you're you, and it's HOW you say it. Automatic as breathing if it's yours. A slight hesitation if it's someone else's.)
>> This happened the same day that corporate released a memo describing how important security was, and how photo IDs were going to provide that security.
Too bad nobody told the guards to start being hard-nosed. We are usually last to be CC'd on memos of this type.
"(The extension is a low-level check that you're you, and it's HOW you say it. Automatic as breathing if it's yours. A slight hesitation if it's someone else's.)"
Well, I commonly hesitate if asked for my phone extension... I happen to call my own phone rather seldom...
@Sedgequill: "In some ostensibly security-conscious settings, most of the clip-on IDs that I see are backward. Is there a technical solution?"
Yes. The problem here is that the ID badge contains personal information (name and job title) which shouldn't be displayed to just anyone. The result of wearing the badge backwards, of course, is that only someone who stops you and asks you to reverse your pass can see whether it's really yours. Or really a pass at all. So you might as well carry the pass in your pocket as wear it backward.
The important thing displayed passes are supposed to achieve, is to provide evidence at a glance that you're entitled to be in the building. They create a hostile environment for people without a pass, since anyone they meet will notice and treat them as suspect.
So, the solution is to remove the confidential information from the badge. All that is needed is a photo (for authentication), an indicator of the building(s) the badge permits access to (for authorisation) and an expiry date (the best revocation you can hope for under the circumstances). Your name (identification) is simply not necessary, so if it's undesirable it should be removed.
If you need security staff (as opposed to random passers-by) to be able to easily find out the name/job title information that's currently on the concealed "front" of the backward passes, then either have a second concealed card, or put a serial number on the reverse of the pass, which can be used as an index into a list of employees. The serial number can then be used for a second level of revocation beyond the expiry date: when a pass is lost, you cancel the old serial number and issue a new one.
RFID can have a very similar effect to a serial number on the back of the pass which authorised staff can look up, but is more easily automated, and hence can be used by door entry systems etc. Of course any such automated system loses the benefit of photo identification checked by a human. And if you're not very careful, RFID allows the serial number to be read (if not looked up) by an attacker. So you pick your favourite, basically.
The remaining piece of information that in some cases might be confidential, is the list of authorisations on the pass. So, if you don't want people in Building A to see at a glance who is also authorised in Building B, then you have to issue different passes for the two buildings, and have the door staff force people to display the correct one on entry. If your building is really top secret, the door staff should force people to remove their badges on exit, too.
That's inconvenient, but personally I think it's preferable to torpedoing the entire point of displaying passes at all, by turning them around and thereby allowing an attacker the chance to use a pass that doesn't even have his photo on it.
As a final note, there is one advantage that reversed passes have over concealed ID cards, which is that it helps remind you to bring yours to work if you know you can't get into the building without it. So if you think of reversed passes as "cards you can tell you're carrying" rather than "displayed passes flipped around", they might make sense.
Is there an American Freedom of Information act?
"According to incident reports obtained through the Freedom of Information Act, most of the crimes took place between 11:30 a.m. and 2:30 p.m. on Aug. 16 in two heavily secured buildings occupied by the commission on Rockville Pike."
@Paul (if the post wasn't intended as irony.)
There is a US Freedom of Information Act (FOIA). How "free" the information is is sometimes debated, but it's still a useful tool. Quick overview on FOIA at
If looking for information for a particular US *federal* agency, usually a Google search for FOIA and the agency name/acronym will lead you to the agency's FOIA page. US states vary as to their equivalents of FOIA. This site for reporters has info for the states: http://www.rcfp.org/ogg/
No, it is an absolute. Once may be a mistake; but a girl who gets pregnant FOUR times by a bum is not intelligent. When I was in 9th grade pretty much every one there knew that if you had sex, you could get pregnant.
And yes, the Navy pays enough for a father (even an E-1) to support a (small) family if they do not live extravagantly. However, you do have to SHOW UP for work; if you spontaneously take a month or two off you are a DESERTER and (deservedly) go to jail.
Whether or not getting pregnant shows intelligence is not really the point. The actual point of the comment is to have an excuse to dismiss someone's problems by blaming them. People who wish to ignore other people's problems will look for any excuse, loophole, or reason in order to excuse themselves for not caring. For example: http://tinyurl.com/yutdd5
This actually plays into security from the point of view of risk assessment. It has already been established that humans stink at assessing risk. When we see something bad happen, we don't accurately assess the risk: instead we try to find some criteria that exempts us from facing the risk.
When yet another crazy person shoots up an innocent crowd, we find reasons to say "Well I wouldn't have been in that crowd because..." Or in the case of the nitwit at the link above, we assure ourselves that we would have reacted differently.
When a woman gets pregnant four times, we assure ourselves that we would have been smarter than to let that happen, rather than accepting that the whole definition of risk is that despite precaution the bad thing will eventually happen.
Millions of people are living in flood, tornado, and earthquake zones right now, many of whom get through each day with the rationalizations "My house is on higher ground/My trailer is tied down/I'm not THAT close to the fault." Remember when New Orleans' substandard levees were only a problem in the event of "the rare chance of a direct hit" by a hurricane?
So when someone dismisses a woman for a reproductive strategy with which he disagrees, it's not because he cares whether she got pregnant - he just wants to be able to place her outside of his personal community of risk in order to calm his own fears.
"So when someone dismisses a woman for a reproductive strategy with which he disagrees, it's not because he cares whether she got pregnant - he just wants to be able to place her outside of his personal community of risk in order to calm his own fears."
That I "care" if she gets pregnant or not has nothing to do with it. Having 4 kids when you don't have a job and are committing hundreds (possibly thousands) of crimes is not smart. She's not smart. She may be "clever" but in my book that's not the same thing.
And to state that I said what I said because am *in fear* of her is beyond contempt.
At my company, if an employee forgets his or her badge, giving a name is all that is required. That's because the front desk receptionist can enter the name into the company database and immediate get a photo of the employee. No ID required.
The passage that leaps out to me is this one:
"She could have asked for help, but that would have meant compromising with her mom. That would have meant living without her boyfriend.
“I thought I was 30 at that age,” Franks says. “You couldn’t tell me I was 16.” Plus, she says, her mom had all but kicked her out."
It must take a lot of indignant parental righteousness to prefer your daughter sleep in the cold rather than put up with her boyfriend. It must also take a lot of stubbornness and immaturity to prefer theft to compromise with your parents.
I may be naive, but I feel like security doesn't start with more ID badges, guns or jailtime; I think it starts with taking care of the people around you. Change your own behavior instead of getting into standoffs while everyone waits, expecting someone else to behave better.
Disregard the repeated pregnancies if you like--for all her intelligence, she's gotten busted four times in a handful of years and still probably got away with less than a decent full time job could have made. To me, that displays a lack of reasoning skills, regardless of how clever she might be at talking her way out of trouble.
@Anonymous 12:58: $200/day is over $50,000/year, without taxes. That is well beyond what the hourly jobs she could get pay. So those $600-$1000 dollar hauls would only need to happen once a week or so for her to hit that level of income.
I'd say she'd looked at the math.
Why is the person's "intelligence" important anyway? She was good at breaking into places that society has deemed important and worthy of security. It's even more disturbing if she was able to do that while not being "intelligent."
thanks - it was a genuine question. A quick google-search just gave me info on the UK FOI . I'll have to start using wikipedia again :-)
It wasn't meant ironically - but re-reading my comment, I can see why people might think I was trying to be :-)
"@Anonymous 12:58: $200/day is over $50,000/year, without taxes. That is well beyond what the hourly jobs she could get pay. So those $600-$1000 dollar hauls would only need to happen once a week or so for her to hit that level of income.
I'd say she'd looked at the math."
If you really think she was doing this every week, with this kind of success, you must be out of your mind.
To those who said "why didn't she or her husband get a (full-time) job" I want to ask you this: How much would that job give in cash (after taxes)? How much of that would go into basic living expenses, that is food and shelter?
And to those who are berating her intelligence:
she has demonstrated that her social interaction intelligence is pretty high.
However, she and her mother aren't wise enough to compromise with each other.
And at last: who the heck leaves their wallet around in an unlocked/open office?
Four babies with a bum reflects upon her lack of common sense and impulse control, not her intelligence. These depend mainly upon upbringing (although some people probably also have genetic limitations in these areas). It doesn't say much for her mother's common sense that she thought "Ameenah" is a name...