Entries Tagged "social engineering"

Page 8 of 13

Prison Escape Artist

Clever ruse:

When he went to court for hearings, he could see the system was flawed. He would arrive on the twelfth floor in handcuffs and attached at the waist to a dozen other inmates. A correction officer would lead them into the bull pen, an area where inmates wait for their lawyers. From the bull pen, the inmates would follow their lawyers or court officials either up a set of back stairs into a courtroom or down a set of stairs.

The more Tackmann went to court, the more he noticed that once the inmate at the head of the line would get uncuffed and turn into the bull pen, he would be out of view of the correction officer at the back of the line. He could then avoid the bull pen and dart down the rear stairs.

[…]

On the morning of September 30, Tackmann prepared for court in Manhattan. He dressed in a light-gray three-piece suit that he thinks was his stepfather’s. He wore two sets of dress socks. One around his feet, the other around the Rikers Island slippers he was ordered to wear (“to make them look like shoes; they looked like suede shoes”).

As he was bussed to the courthouse, he rehearsed the move in his mind.

When you come up to the twelfth floor, you’re handcuffed with like twelve people on a chain. The C.O. is right there with you.You have to be ready, so if the move is there…

That day, the move was there. “I was in the front of the line. The C.O.—it was some new guy. He un-handcuffed us in the hallway, and I was the first one around the corner.”

Tackmann raced down the stairwell and knocked on a courtroom door. A court officer opened it.

Tackmann had the shtick worked out—the lawyer in distress. “You know,” he said, “I was just with a client, and my mother is real sick in Bellevue. Could you tell me how to get to Bellevue? I gotta get over there fast; she is 80 years old.”

He wanted to sprint. The adrenaline was gushing. He calmly walked to the courtroom entrance as the sweat trickled around his neck. He raced down several flights of stairs and tried the door. It was locked. He walked down another flight. Locked. What is going on? Did they find out I was missing already? One more flight down. The door was open. He jumped in an elevator, got out on the ground floor, and walked into the street. Freedom. But not for long.

Posted on January 18, 2010 at 6:57 AMView Comments

David Dittrich on Criminal Malware

Good essay: “Malware to crimeware: How far have they gone, and how do we catch up?;login:, August 2009:

I have surveyed over a decade of advances in delivery of malware. Over this period, attackers have shifted to using complex, multi-phase attacks based on
subtle social engineering tactics, advanced cyptographic techniques to defeat takeover and analysis, and highly targeted attacks that are intended to fly below the radar of
current technical defenses. I will show how malicious technology combined with social manipulation is used against us and conclude that this understanding might even help us design our own combination of technical and social mechanisms to better protect us.

Posted on October 13, 2009 at 7:15 AMView Comments

The Kindness of Strangers

When I was growing up, children were commonly taught: “don’t talk to strangers.” Strangers might be bad, we were told, so it’s prudent to steer clear of them.

And yet most people are honest, kind, and generous, especially when someone asks them for help. If a small child is in trouble, the smartest thing he can do is find a nice-looking stranger and talk to him.

These two pieces of advice may seem to contradict each other, but they don’t. The difference is that in the second instance, the child is choosing which stranger to talk to. Given that the overwhelming majority of people will help, the child is likely to get help if he chooses a random stranger. But if a stranger comes up to a child and talks to him or her, it’s not a random choice. It’s more likely, although still unlikely, that the stranger is up to no good.

As a species, we tend help each other, and a surprising amount of our security and safety comes from the kindness of strangers. During disasters: floods, earthquakes, hurricanes, bridge collapses. In times of personal tragedy. And even in normal times.

If you’re sitting in a café working on your laptop and need to get up for a minute, ask the person sitting next to you to watch your stuff. He’s very unlikely to steal anything. Or, if you’re nervous about that, ask the three people sitting around you. Those three people don’t know each other, and will not only watch your stuff, but they’ll also watch each other to make sure no one steals anything.

Again, this works because you’re selecting the people. If three people walk up to you in the café and offer to watch your computer while you go to the bathroom, don’t take them up on that offer. Your odds of getting three honest people are much lower.

Some computer systems rely on the kindness of strangers, too. The Internet works because nodes benevolently forward packets to each other without any recompense from either the sender or receiver of those packets. Wikipedia works because strangers are willing to write for, and edit, an encyclopedia—with no recompense.

Collaborative spam filtering is another example. Basically, once someone notices a particular e-mail is spam, he marks it, and everyone else in the network is alerted that it’s spam. Marking the e-mail is a completely altruistic task; the person doing it gets no benefit from the action. But he receives benefit from everyone else doing it for other e-mails.

Tor is a system for anonymous Web browsing. The details are complicated, but basically, a network of Tor servers passes Web traffic among each other in such a way as to anonymize where it came from. Think of it as a giant shell game. As a Web surfer, I put my Web query inside a shell and send it to a random Tor server. That server knows who I am but not what I am doing. It passes that shell to another Tor server, which passes it to a third. That third server—which knows what I am doing but not who I am—processes the Web query. When the Web page comes back to that third server, the process reverses itself and I get my Web page. Assuming enough Web surfers are sending enough shells through the system, even someone eavesdropping on the entire network can’t figure out what I’m doing.

It’s a very clever system, and it protects a lot of people, including journalists, human rights activists, whistleblowers, and ordinary people living in repressive regimes around the world. But it only works because of the kindness of strangers. No one gets any benefit from being a Tor server; it uses up bandwidth to forward other people’s packets around. It’s more efficient to be a Tor client and use the forwarding capabilities of others. But if there are no Tor servers, then there’s no Tor. Tor works because people are willing to set themselves up as servers, at no benefit to them.

Alibi clubs work along similar lines. You can find them on the Internet, and they’re loose collections of people willing to help each other out with alibis. Sign up, and you’re in. You can ask someone to pretend to be your doctor and call your boss. Or someone to pretend to be your boss and call your spouse. Or maybe someone to pretend to be your spouse and call your boss. Whatever you want, just ask and some anonymous stranger will come to your rescue. And because your accomplice is an anonymous stranger, it’s safer than asking a friend to participate in your ruse.

There are risks in these sorts of systems. Regularly, marketers and other people with agendas try to manipulate Wikipedia entries to suit their interests. Intelligence agencies can, and almost certainly have, set themselves up as Tor servers to better eavesdrop on traffic. And a do-gooder could join an alibi club just to expose other members. But for the most part, strangers are willing to help each other, and systems that harvest this kindness work very well on the Internet.

This essay originally appeared on the Wall Street Journal website.

Posted on March 13, 2009 at 7:41 AMView Comments

World War II Deception Story

Great security story from an obituary of former OSS agent Roger Hall:

One of his favorite OSS stories involved a colleague sent to occupied France to destroy a seemingly impenetrable German tank at a key crossroads. The French resistance found that grenades were no use.

The OSS man, fluent in German and dressed like a French peasant, walked up to the tank and yelled, “Mail!”

The lid opened, and in went two grenades.

Hall’s book about his OSS days, You’re Stepping on My Cloak and Dagger, is a must-read.

Posted on July 29, 2008 at 1:50 PMView Comments

Clever Museum Theft

Some expensive and impressive stuff was stolen from the University of British Columbia’s Museum of Anthropology:

A dozen pieces of gold jewelry designed by prominent Canadian artist Bill Reid were stolen from the museum sometime on May 23, along with three pieces of gold-plated Mexican jewelry. The pieces that were taken are estimated to be worth close to $2 million.

Of course, it’s not the museum’s fault:

But museum director Anthony Shelton said that elaborate computer program printouts have determined that the museum’s security system did not fail during the heist and that the construction of the building’s layout did not compromise security.

Um, isn’t having stuff get stolen the very definition of security failing? And does anyone have any idea how “elaborate computer program printouts” can determine that security didn’t fail? What in the world is this guy talking about?

A few days later, we learned that security did indeed fail:

Four hours before the break-in on May 23, two or three key surveillance cameras at the Museum of Anthropology mysteriously went off-line.

Around the same time, a caller claiming to be from the alarm company phoned campus security, telling them there was a problem with the system and to ignore any alarms that might go off.

Campus security fell for the ruse and ignored an automated computer alert sent to them, police sources told CBC News.

Meanwhile surveillance cameras that were still operating captured poor pictures of what was going on inside the museum because of a policy to turn the lights off at night.

Then, as the lone guard working overnight in the museum that night left for a smoke break, the thief or thieves broke in, wearing gas masks and spraying bear spray to slow down anyone who might stumble across them.

It’s a particular kind of security failure, but it’s definitely a failure.

Posted on June 6, 2008 at 5:04 AMView Comments

Social-Engineering Bank Robbery

Two of them:

On Wednesday, a man dressed as an armored truck employee with the company AT Systems walked into a BB&T bank in Wheaton about 11 a.m., was handed more than $500,000 in cash and walked out, a source familiar with the case said.

It wasn’t until the actual AT Systems employees arrived at the bank, at 11501 Georgia Ave., the next day that bank officials realized they’d been had.

[…]

And on Thursday, about 9:30 a.m., a man dressed as an employee of the security company Brink’s walked into a Wachovia branch in downtown Washington and walked out with more than $350,000.

The man had a badge and a gun holster on his belt, said Debbie Weierman, a spokeswoman for the FBI’s Washington field office. He told officials at the bank, at 801 Pennsylvania Ave. NW, that he was filling in for the regular courier.

About 4 p.m., when the real guard showed up, a bank official told him that someone had picked up the cash, D.C. police said. The guard returned to his office and told a supervisor that he did not make the pickup at the bank. The supervisor called a Wachovia manager, who in turn notified authorities. Police were called nearly 11 hours after the heist.

Social engineering at its finest.

EDITED TO ADD (1/16): Seems to be an inside job.

Posted on January 16, 2008 at 6:36 AMView Comments

1 6 7 8 9 10 13

Sidebar photo of Bruce Schneier by Joe MacInnis.