When I Did Social Engineering without Recognizing It

I planned to read something about history this summer. Then I picked the history of hacking. My favorite was Kevin Mitnick’s autobiography – the very definition of a page-turner.

The book is free of hardcore technical jargon and written for geeks and lay audience alike. Readers are introduced to the spirit of a hacker in the older sense of the word: Mitnick’s hacks were motivated by the thrill of exploring systems but he never gained financially.

Kevin Mitnick successfully obtained the latest source code of cell phones, reports on security vulnerabilities in operating systems, and legitimately looking birth certificates of deceased children to setup new identity – due to his combination of technical skills and mastery of social engineering. He got people to reveal corporate information they should not. Pieces of information are seemingly innocuous in their own rights – a name of server, a corporate directory of employees – but it helps the social engineer to learn the lingo and pose as a trusted insider.

I often had been called way too honest – and thus not getting anywhere in life, professionally. So I was asking myself:

Could I con people into breaking rules? The intuitive answer was of course No.

But then the following anecdote emerged from a dark corner of my mind.

A long time ago I had worked as an IT Infrastructure Manager – responsible for quite a colorful IT environment run partly by subversive non-official admins. I actually transitioned into that role from supporting some of the latter. One of the less delightful duties was to keep those subversive elements from building rogue websites and circumventing the bureaucratic corporate content management system – by purchasing internet domains like super-fancy-product-name.com and hosting these services where they figured I would not find it.

I also had to clean up legacy mess.

One time we had to migrate an internet domain hosted on behalf of an Another Very Important Organization to one of their servers. Routine stuff, had the domain been under our control. But it was tied to a subversive website a department had once set up, working with an external marketing consultancy. The consulting company was – as per the whois records – the official owner of the domain.

Actually the owner listed was not even that company was a person employed by that company but not working for them anymore. I consulted with the corporate lawyers, and it would have been a legal knot hard to disentangle.

However, I had to transfer the stuff right now. Internet domains have a legal owner and an administrative and a technical contact. The person able to do the transfer is the latter but he or she must not do it unless instructed to do so.

I tracked down and the technical contact and called him up. The tech-c’s phone number is public information, very easy to find back then – nowadays you might need a tiny bit of social engineering to obtain it.

I explained the whole case to him – the whole truth in all details. He was a helpful network administrator working for a small internet provider. Having to deal with a typical network admin’s predicament immediately built a kind of bond. Meeting a fellow nerd makes working in IT infrastructure management somewhat enjoyable – in a job you are only noticed if something goes wrong. (The rest of the time you are scolded for needing too much money and employing too much personnel).

The result was that the domain was technically transferred to the intended target organization’s server immediately. But he said: If somebody asks you how this has been done – it wasn’t me!

Another admin at another telco said the same to me later – I had convinced him to provide me a password of a client. This inquiry of mine and reasons given were true and legitimate as I was doing it on behalf of a client – the password owner.

In both cases there was a third party, a client or colleague or employer, who was quite happy with the results.

But there weren’t any formal checks involved – people did not ask me for a verifiable phone number to call me back or wanted to talk to my boss or to the client. If I just had fabricated the stories I would have managed to get a domain transferred and obtain a hosting customer’s password.

The psychologically interesting part of my job was that I didn’t have real power to tell departments what they must or must not do. I could just persuade them.

I think this is an aspect very common to many corporate jobs today – jobs with with grand titles but just a bunch of feeble dotted lines to the rest of the corporate universe and its peripheral contractors’ satellites – some of which you never meet face-to-face.

Combine that with an intricate tangle of corporate guidelines and rules – many of them set up to enforce security and compliance. In some environments people hardly get their jobs done without breaking or bending a subset of those rules.

Social engineering in some sense is probably what makes companies still being able to function at all.

10 Comments Add yours

  1. bert0001 says:

    … domain transfers … or the pointing to a new DNS when the original agent has been eaten two times in the past 15 years by another company … When social engineering doesn’t work, registered mail takes 21 days to get the job done.

    1. elkement says:

      Interesting, thanks! I haven’t done a domain transfer in years now, and other people told me (in relation to this post) that this will never work work today as you need to have your domain password etc.

      1. bert0001 says:

        big ISP’s won’t risk anything, cold places of working according to the book,
        but some DNS gurus on the higher rungs still do miracles if you speak their language … even today :-)

  2. I think Dave is certainly on to something here nonetheless. Yes, similar work has been done but the difference here is that you did not set out to write a book. The material from the book is happening as you experience real life. I think that’s an important difference–specifically credibility. Too much of what is written today is done so by people who just want to write—something. They put some half-baked ideas on paper and combine them with a flair for writing. What comes out is mostly bull–brilliantly written bull, but still, bull.
    That said, I’m still perfectly content to read your thoughts for free :-)
    And as for getting through our careers, I feel that the rules are mainly for when you really don’t have a cue what to do. In such times, if you are in a hurry, yes, follow the rules. At all other times, gather the data and use your best professional judgement. If it does not fit in with some bureaucrat’s idea of the proper way to do things, don’t get unduly upset. Unlike hum/her you are getting things done.

    1. elkement says:

      Thanks, Maurice – that’s very kind but I really think I don’t have much to offer here in comparison to books like Mitnick’s ;-) But I enjoy his books for exactly the reason you mention – he is drawing from his own ample experience.

      Re corporate bureaucracy: I often say that I feel large companies (especially international ones) have trumped governmental agencies … which have become quite “customer-oriented”. Nowadays employees at the local subsidiaries of large companies often cannot decide on anything without corporate approval and often that approval has to come via an IT system so you hardly can circumvent it.

      1. I believe you are correct and I think time prove the larger corporations wrong in that an insistance in doing things one way will cause them to miss many opportunities – ones that smaller, more agile entities will not miss.

  3. So, there you have it, the thesis for your best-selling book … no matter how good the software …. no matter how good the hardware …. no matter how good the security strategy that is in place … the most vulnerable part of any and all IT infrastructures is …. wait for it, here it comes …. the people that run them! This should have been something that folks in your business have known for ever. People are always the weakest links and any system … political, environmental, legal, you name it. D

    1. elkement says:

      Absolutely – but those best-selling books making that point have all been written already :-), Mitnick’s books being among the best in that genre (He is working as a consultant today helping organizations to find these weak points).

      I believe the challenge is that spotting social engineering would require a permanent state of alertness and scrutinizing every interaction with a stranger – which runs quite against our nature as I understood from the interdisciplinary research in psychology / user experience. Peter Gutmann whose book draft I reviewed earlier this year makes the some points and provides lot of references.
      I think it is something “everybody knows” but that is hard to “implement” though.

      1. Right … implementation is the tough part … I don’t think we want to get to the point where every user or employee is viewed as a security risk … although that is, in reality, what they are! What a world! D

        1. elkement says:

          I fully agree – I think everybody has at times been very glad if an employee or contractor helped you out even if you couldn’t provide all required credentials, evidence or whatever was required in case of an emergency.

Leave a Comment

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.