How I Socially Engineer Myself into High Security Facilities(motherboard.vice.com)
motherboard.vice.com
How I Socially Engineer Myself into High Security Facilities
https://motherboard.vice.com/amp/en_us/article/qv34zb/how-i-socially-engineer-myself-into-high-security-facilities
17 comments
This was discussed 8 months ago (221 comments): https://news.ycombinator.com/item?id=15516526
I think they went a little overboard on gifs for this article.
Today's equivalent of meaningless clipart? But a whole order of magnitude more annoying.
High Security? I suppose it depends on context. But for real high security facilities, a visitor is not getting past the first guard desk without an ID check with the visitor's name being on a list that is maintained via secure communication channels - facility to facility. And there are often multiple levels of guard stations to pass through where this is repeated.
This reads like some bootleg Mr. Robot episode.
2017 blog post.
Gross. The author explicitly brags about being "a terrible human being."
Aside from the sociopathy and embellishment, I get unease about the legality of the means used, considering the agent was contracted.
I could've audited the security controls and arrived at the same deficiencies without abusing people.
Gross. The author explicitly brags about being "a terrible human being."
Aside from the sociopathy and embellishment, I get unease about the legality of the means used, considering the agent was contracted.
I could've audited the security controls and arrived at the same deficiencies without abusing people.
I mean, the company pays them to do this. Thats the whole point of pen testing.
Nobody is going to pay attention to a 10 page report. They are instead going to pay attention to the fact that the person successfully got into the building.
Nobody is going to pay attention to a 10 page report. They are instead going to pay attention to the fact that the person successfully got into the building.
You're assuming that a "10 page report" will not elicit a response? Are you addressing a hypothetical or the situation as described in the post?
If so, then that's mismanagement. Poor managers suddenly "paying attention" are unlikely capable of implementing proper controls.
Also, you're assuming these poor managers can contract well.
If so, then that's mismanagement. Poor managers suddenly "paying attention" are unlikely capable of implementing proper controls.
Also, you're assuming these poor managers can contract well.
Yes, that's what would happen. People would not take a report as seriously as if someone actually went and broke into the system.
You can call it mismanagement, but humans aren't perfect. Humans are emotional being who, in many cases (but not all) will not take a threat seriously unless someone goes and does it.
It is not even necessarily mismanagement either. It could just be ignorance. IE, someone can talk all they want about hypothetical vulnerabilities, but if you aren't a security expert, you have no idea how realistic those threats are, no matter what the pen tester tells you.
Who knows, maybe the pen tester really is being paranoid.
It is much easier to actually convince someone that something is a problem by actually exploiting it. That's just an obvious fact.
And it seems like the pen tester in question agrees with me. Because she didn't right a report. She instead broke into the system, and what do you know it worked in their goal of convincing the company that their was a problem.
If you will noticez the company in question really did think that everything was secure. The pen tester really did need to do something extrodinary in order to convince them. So she did, and it worked.
You can call it mismanagement, but humans aren't perfect. Humans are emotional being who, in many cases (but not all) will not take a threat seriously unless someone goes and does it.
It is not even necessarily mismanagement either. It could just be ignorance. IE, someone can talk all they want about hypothetical vulnerabilities, but if you aren't a security expert, you have no idea how realistic those threats are, no matter what the pen tester tells you.
Who knows, maybe the pen tester really is being paranoid.
It is much easier to actually convince someone that something is a problem by actually exploiting it. That's just an obvious fact.
And it seems like the pen tester in question agrees with me. Because she didn't right a report. She instead broke into the system, and what do you know it worked in their goal of convincing the company that their was a problem.
If you will noticez the company in question really did think that everything was secure. The pen tester really did need to do something extrodinary in order to convince them. So she did, and it worked.
Nothing get attention faster than showing up in the office of the person who hired you to do the pen test!
Kevin Mitnick said that too.