|
Live Social Engineering: The Camera Trick by Bernz Special Thanks to: Dumb security personel in corporation buildings everywhere. We live in a world where video and film cameras create a certain attitude. Watch the news one day. A camera and a reporter shoot a story. Everytime a pedestrian walks by, they turn to the camera, make a stupid face and grin. They are happy for those 3 seconds of background exposure. To me, this is an idiotic attitude, but it also represents a tear that can be converted into a chasm of a security hole. If someone told you sincerely, "I'm gonna put you in a movie", you'd be happy. You'd get your big dose of mass communication fame and fortune. Actually, we probably would think he's an undercover cop and move out of state. But we're a weird bunch and we can't assume everyone's a paranoid little fuck. What this brings me to is that almost everyone in the world loves the camera. This is a security flaw, believe it or not, that can be exploited to a great degree. What do you need? First thing's first. You need a camera. I would prefer Hi-8, but an old 8mm would do just fine. It must have sound and a realitively clear picture. Lots of videotape and batteries are good. You'll also want a boom mike and a friend to carry it for you. Like all social engineering, professional appearance is what matters most of all. Next, you need credentials. You can't just walk into your mark's office and say "I'm gonna take video." The fact that you have a camera and a sound guy is great and lends quite a bit to your appearance, but you need an edge. Hence, the film student. Almost every state has a college with film students in it. Finger accounts at these colleges. A great majority of colleges uses Student ID numbers for logins. Use a desktop publisher and whip up some fake IDs on cardstock. If you can't do this on your own, someday i'll get off my ass and make templates. Make sure the names correspond to your sex. If you've got a beard and your "name" is jennifer, I don't think you'll be taken seriously. Entrance You have your alibi for your appearance and your equipment. Go to the front office and talk to whoever it is that lets you in. Point the camera at the security guy. Tell him you're film students or even better, news interns, shooting documentary footage on local <fill in company or governmental position here>. Security guards are not noted for their intelligence, nor are they noted for good pay and fun lives. Any chance to be on america's or even <name a county or town here> television will make them cooperative. They'll probably give you clearance if they can. If you have to keep up subterfuge to get in, do it. I can't instruct that as it is a case to case situation. A boss might have to confirm this. Even if it is a government place, chances are it's a Dilbert-esque environment. The bosses are moronic and the workers are dim and without energy. The boss will let you in to promote his office (and himself). Anyone in any corporate structure desires to advance much furthur. A good report on local news can definately help that out. That one-eyed god on your shoulder can enlighten any environment though. Cameras bring an odd sense of wonderment to those being filmed. If they think youre legit, they'll wnat you around because you can only do them good. If you're going to use the news scam, wear your fake IDs on the outside, like a real press person. In! Post-It Note Salvation So they let you in for a tour. Idiots. First is first, aim your camera at everything. Most important is ask about their "Jump into the 21 century." Companies love the fact that they have the money for kick ass computers and have no compunctions about showing that to anyone who comes along. They'll start blabbing about their network and their T1 connections and all that shit. They'll log on for you. Aim the camera at the keyboard at the best angle you can and record the typing. It doesn't matter if you can see it right there or not. That's the beauty of video..check it out in slow mo at home. Next, as you pass any post-it notes, check em out on video. Those little yellow bastards are like water in deserts. Every office has idiots who write passwords on them. After that, just walk around. Get ANYTHING on tape you can. Videotape is cheap, don't be afraid to waste it. Check out security. Check out their UNIX server. Check out everything. Use your head and just look. That's all I can say. Clean-Up Throw your tape in your VCR and go over everything. Look for any lapses in security. Any passwords. Slo-mo through typing and post-it notes. The hard part is getting in. After that, it's pretty easy. Love and injuries, bernz (bernz@ix.netcom.com)