Humans Are the Weakest Link: Tales of a Social Engineer

Computer hacking isn’t the only way companies stand to lose sensitive data. Physical security is equally important. There’s really no need to break into a network remotely if you can through the front door and grab what you need.

Without proper physical security, a hacker or corporate spy can work his way into the heart of a building and collect passwords, private communications, and other sensitive details about a business using a handful of relatively cheap wireless tools. Employees, even those with the lowest levels of access, can be duped into surrendering privileged access—a starting point from which an experienced hacker can work his way until eventually acquiring closely guarded secrets from the highest levels of a corporation.

In the information security chain, humans will always be the weakest link. The best security system in the world can be undermined by a single employee plugging a malicious component into their office computer—or even just holding a door open for a stranger that normally requires a pass.

Earlier this year, Gizmodo spoke with several employees at Netragard, a leading penetration testing company, about security industry snake oil. We also checked out various hacking tools used by testers to clone security badges, bypass server room locks, and wiretap fiber-optic cables. The company’s founder, Adriel Desautels, also shared a few stories about physical pentesters, a special type of hacker hired by his company.

In one story, a on-site tester managed to gain access to a secured building by begging a maid to use the bathroom and slipping her $50. Big mistake. After leaving the bathroom, with no one watching, the tester was able to gain access to a server room. He then slipped out a back door and over a wall with “stolen” equipment under his arm. If the attack had been real, the company would’ve been, simply put, totally fucked.

But things don’t always go according to plan, either. In another case, a tester was able to covertly gain access to a CEO’s office—only, he didn’t know the CEO had his own private security. It was only after he had been tackled and hogtied that the security staff learned that he’d actually been hired to burglarize the office.