TUCoPS :: Wetware Hacking :: Others :: camera.txt

Live Social Engineering: The Camera Trick

Live Social Engineering: The Camera Trick

by Bernz

Special Thanks to: Dumb security personel in corporation buildings
everywhere.

     We live in a world where video and film cameras create a certain
attitude. Watch the news one day. A camera and a reporter shoot a story.
Everytime a pedestrian walks by, they turn to the camera, make a stupid
face and grin. They are happy for those 3 seconds of background
exposure. To me, this is an idiotic attitude, but it also represents a
tear that can be converted into a chasm of a security hole.

     If someone told you sincerely, "I'm gonna put you in a movie",
you'd be happy. You'd get your big dose of mass communication fame and
fortune. Actually, we probably would think he's an undercover cop and
move out of state. But we're a weird bunch and we can't assume
everyone's a paranoid little fuck.

     What this brings me to is that almost everyone in the world loves
the camera. This is a security flaw, believe it or not, that can be
exploited to a great degree.

                       What do you need?

     First thing's first. You need a camera. I would prefer Hi-8, but an
old 8mm would do just fine. It must have sound and a realitively clear
picture. Lots of videotape and batteries are good. You'll also want a
boom mike and a friend to carry it for you. Like all social engineering,
professional appearance is what matters most of all.

     Next, you need credentials. You can't just walk into your mark's
office and say "I'm gonna take video." The fact that you have a camera
and a sound guy is great and lends quite a bit to your appearance, but
you need an edge. Hence, the film student. Almost every state has a
college with film students in it. Finger accounts at these colleges. A
great majority of colleges uses Student ID numbers for logins. Use a
desktop publisher and whip up some fake IDs on cardstock. If you can't
do this on your own, someday i'll get off my ass and make templates.
Make sure the names correspond to your sex. If you've got a beard and
your "name" is jennifer, I don't think you'll be taken seriously.

                            Entrance

     You have your alibi for your appearance and your equipment. Go to
the front office and talk to whoever it is that lets you in. Point the
camera at the security guy. Tell him you're film students or even
better, news interns, shooting documentary footage on local <fill in
company or governmental position here>. Security guards are not noted
for their intelligence, nor are they noted for good pay and fun lives.
Any chance to be on america's or even <name a county or town here>
television will make them cooperative. They'll probably give you
clearance if they can. If you have to keep up subterfuge to get in, do
it. I can't instruct that as it is a case to case situation.

     A boss might have to confirm this. Even if it is a government
place, chances are it's a Dilbert-esque environment. The bosses are
moronic and the workers are dim and without energy. The boss will let
you in to promote his office (and himself). Anyone in any corporate
structure desires to advance much furthur. A good report on local news
can definately help that out. That one-eyed god on your shoulder can
enlighten any environment though. Cameras bring an odd sense of
wonderment to those being filmed. If they think youre legit, they'll
wnat you around because you can only do them good.

     If you're going to use the news scam, wear your fake IDs on the
outside, like a real press person.

                   In! Post-It Note Salvation

     So they let you in for a tour. Idiots.

     First is first, aim your camera at everything. Most important is
ask about their "Jump into the 21 century." Companies love the fact that
they have the money for kick ass computers and have no compunctions
about showing that to anyone who comes along. They'll start blabbing
about their network and their T1 connections and all that shit. They'll
log on for you. Aim the camera at the keyboard at the best angle you can
and record the typing. It doesn't matter if you can see it right there
or not. That's the beauty of video..check it out in slow mo at home.

     Next, as you pass any post-it notes, check em out on video. Those
little yellow bastards are like water in deserts. Every office has
idiots who write passwords on them.

     After that, just walk around. Get ANYTHING on tape you can.
Videotape is cheap, don't be afraid to waste it. Check out security.
Check out their UNIX server. Check out everything. Use your head and
just look. That's all I can say.

     Clean-Up

     Throw your tape in your VCR and go over everything. Look for any
lapses in security. Any passwords. Slo-mo through typing and post-it
notes.

     The hard part is getting in. After that, it's pretty easy.

Love and injuries,
bernz (bernz@ix.netcom.com)


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH