CSO Online recently spoke to a person working in the security field with a rather unique job. He's paid to break into places, such as banks and research facilities (both private and government), in order to test their resistance to social engineering and physical attacks.
Rarely is he caught, and even when he is, it doesn't matter; the reason for his success is the same in each case – human nature.
Caught on film:
When the surveillance video starts playing, the images show a typical day at a bank somewhere in the world. Business is steady, but the lobby isn't overly packed with customers, so a single teller is working the window.
Soon, the bank supervisor walks to the left in greeting. At thirty-five seconds in, Jayson Street, the Infosec Ranger at Pwnie Express, a company that specializes in creating unique hacking tools for professionals, makes his first appearance.
Dressed in jeans, a DEF CON jacket and red ThunderCat high-tops, Street is taking a casual stroll behind the counter. Not only is he in the bank, he's in an area that's supposed to be secure and limited only to authorized personnel. Given the location of the bank, somewhere outside of the United States, Street is clearly not a local or a customer.
He's there to perform a penetration test; in this case he's testing both physical security as well as network security, but the staff don't know this. A few seconds later, the supervisor is on screen pointing to a computer that's currently being used by an employee.
Street nods his head in agreement, and moments later he's granted physical access to the system. He's plugging a USB drive into the computer's front port and running software, which requires the employee to stop working with a customer and relinquish his seat for a moment.
This level of access alone proves that the bank's security has been completely breached, and the fact that Street repeats his actions with several other computers compounds the problem.
He stands and starts moving through the teller line, accessing documents and items at each station. After that, he takes a few photographs. Later in the video he is seen sitting next to a large pile of cash as the teller continues their work, spinning in the seat in order to draw attention to himself.
Despite his actions so far, the staff at the bank seem at ease with his presence. Based on the video's timestamp, by the time he leaves Street has spent just over twenty minutes inside.
Why was he allowed such freedom? From the video's perspective, Street simply walked into the bank and went to work, as if he owned the place. This raises the question: how much of a role does confidence play in a social engineer's job?
"Ninety-nine-point-nine percent is looking like you know what you're doing. We think that there's all these techniques that social engineers are using, [but] it's not that the social engineers have all these wonderful mind powers or Jedi mind tricks," Street explained in an interview with CSO Online.
What about location? In a matter of moments, he was able to access the entire bank. In the video, the employees stand there and watch as he installs software and collects user IDs, passwords, and a smartcard (used for the teller's computer). Was his task made easier because he was a foreigner, and the staff were uncomfortable with the thought of being impolite?
"It's not a culture thing. It's not a country thing," Street said, pointing out that the human reactions are uniform for the most part no matter where he is in the world.