Social Engineering at the White House and Your Enterprise

Sunday, February 28, 2010

Wayde York


What does our enterprise information have in common with President Obama and Vice President Biden? The need for constant protection. Your enterprise data needs protection from the host of technical and human threats that seem to evolve daily. The President and Vice President require the same protection, albeit amplified due to their position in the world power scheme.

Recently, we've seen a near failure to protect the Vice President and a total failure to protect the President. The vast array of people and technologies protecting the two most powerful persons in the world was circumvented by human interaction. No cyber denial of service or highly technological devices were employed to compromise their security, only people with a certain skill.

As reported here, a man came within meters of the Vice President in Canada during the Olympics. He used a fake entry pass that was cleared by the very busy gate people, and passed through a metal detector. Since he was not carrying any metal weapons, the Royal Canadian Mounted Police (RCMP) declared him to be "no threat." Indeed, even the U.S. Secret Service agreed that the man was not a threat to the Vice President.

On November 24, 2009, at a White House dinner for the Prime Minister of India, two local socialites managed to get onto the White House grounds and into the party without being on the invitation list. Arriving in a stretch limo, dressed in highly fashionable clothing and looking like they belonged, this couple managed to get through three checkpoints with no prior vetting and without appearing on any list of authorized guests. Since they looked like they belonged and an "obvious" mistake had been made, they were helped along their way. The rainy evening, the rush of people arriving for the party, and a lack of communication between the White House and the Secret Service created the perfect path to the President. While this failure of the world's best security system is bad enough, the picture of this couple shaking hands with President Obama, here, is simply amazing and frightening. Totally unknown individuals were able to get close enough to the President to actually make physical contact with him. The Secret Service said the President was never in danger since the couple went through metal detectors, but you be the judge.

The threat that succeeded, to varying degrees, against the President and Vice President is the same threat that can be applied to our information protection efforts. That threat is Social Engineering. Social Engineering is quite simply convincing someone to do something, or give you something, that they normally would not. Human nature is helpful, so the Social Engineer need only sound like they are in need, maybe even desperate, and the subject of the attack will jump in to help. Add a heavy workload and a chaotic environment to that helpful nature, and the fruit of Social Engineering is ripe for the picking.

An associate of mine proved this by obtaining her email account name and password, without any prior knowledge, from an overworked helpdesk. She was told she had a new assignment on a particular program and that an email account had been set up for her. She was not told the account user name or the password. Upon contacting the helpdesk, she was told that all email accounts were set up as first name dot last name. However, they could give her no help with her password. Having worked out her account name with the helpdesk's help, my associate then deliberately locked it out by trying random passwords until the lockout occurred. She called the helpdesk and professed frustration at locking out her account. Helpfully, the helpdesk unlocked her account and gave her a new password. Knowing how the email account names are constructed, and exploiting the helpdesk's eagerness to change passwords without any authentication, one could lock out anyone's account on that system, have the password changed, and gain access.
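As an added example, not part of the original post, here is a simple detection rule for the sequence just described: an account lockout followed within minutes by a helpdesk password reset that recorded no identity verification. It runs over constructed log lines; the log format and the `verification=` field are assumptions about how a helpdesk system might record resets.

```python
import re

# Constructed sample authentication/helpdesk log lines (not from the article).
# Format: ISO timestamp | event | account | detail
SAMPLE_LOG = """\
2010-02-25T09:02:11 | LOCKOUT        | jane.doe   | 5 bad passwords from 10.0.0.15
2010-02-25T09:07:40 | PASSWORD_RESET | jane.doe   | by helpdesk; verification=none
2010-02-25T09:09:02 | LOGON_OK       | jane.doe   | from 10.0.0.15
2010-02-25T10:15:00 | LOCKOUT        | bob.smith  | 5 bad passwords from 10.0.0.40
2010-02-25T10:31:00 | PASSWORD_RESET | bob.smith  | by helpdesk; verification=manager-callback
2010-02-25T11:00:00 | PASSWORD_RESET | ann.lee    | by helpdesk; verification=none
"""

LINE_RE = re.compile(r"^(\S+) \| (\w+)\s*\| (\S+)\s*\| (.*)$")


def parse(log):
    """Parse the assumed log format into (timestamp, event, account, detail) tuples."""
    from datetime import datetime
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, ev, acct, detail = m.groups()
            events.append((datetime.fromisoformat(ts), ev, acct, detail))
    return events


def find_suspicious_resets(log, window_minutes=15):
    """Return (account, lockout_time, reset_time) for every account whose
    LOCKOUT was followed within the window by a helpdesk PASSWORD_RESET
    that recorded no identity verification. This is the pattern the
    helpdesk in the story fell for; a hit should trigger a callback to
    the account owner through a known-good channel, not just a ticket."""
    from datetime import timedelta
    window = timedelta(minutes=window_minutes)
    last_lockout = {}
    hits = []
    for ts, ev, acct, detail in parse(log):
        if ev == "LOCKOUT":
            last_lockout[acct] = ts
        elif ev == "PASSWORD_RESET" and "verification=none" in detail:
            lock_ts = last_lockout.get(acct)
            if lock_ts is not None and ts - lock_ts <= window:
                hits.append((acct, lock_ts.isoformat(), ts.isoformat()))
    return hits
```

Only jane.doe is flagged: bob.smith's reset was verified by a manager callback, and ann.lee's unverified reset had no preceding lockout, so it belongs to a separate, broader review of unverified resets.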

Another associate has a favorite way to gain entry into buildings for which he has no authorization. He simply pretends to talk on his cell phone near the smokers who are outside the building on a break. When one of the smokers finishes their break and goes into the building, they usually hold the door for him since he is busy on the phone. If you smoke and have a cell phone, your chances of being welcomed in are even greater.

Obviously, none of the information we protect is as important as protecting the President and Vice President of the United States. None of the simple access breaches noted above is as serious as an unauthorized person embracing the President. We can, however, learn from those widely reported mistakes and redouble our training and safeguards against the lowest-tech, highly successful threat of Social Engineering.
