by Joan Goodchild
November 18, 2010 —
Chris Roberts, founder of One World Labs, too often meets people who assume they have nothing worth stealing. His Colorado-based consultancy assists businesses with security assessments, including what Roberts calls “the human side of pen testing.” In other words, he helps organizations find out which employees pose a security risk because they’re likely to fall prey to social engineering traps and other cons.
“So many people look at themselves or the companies they work for and think, ‘Why would somebody want something from me? I don’t have any money or anything anyone would want,’?” he said. “While you may not, if I can assume your identity, you can pay my bills. Or I can commit crimes in your name. I always try to get people to understand that no matter who the heck you are, or who you represent, you have a value to a criminal.”
As part of his penetration testing services, Roberts is sometimes called on to penetrate the identity of an individual to find out just how easy it is to get sensitive information. He explains how quickly it can be done by detailing a recent assignment.
Chris Roberts: We conducted a test on a high-net-worth individual. We were engaged to see what their profile was like online and what we could find out about them. We were asked to do it by the physical security guards looking after that person.
This person traveled a lot in Hollywood circles, so there was a lot of media data out there about him, but it was well-controlled and well-looked-after data. We started looking for more. Fairly quickly we found an e-mail address. It was a somewhat obscured address, but not very well obscured. So we searched for the e-mail address online were able to find a telephone number because he had posted in a public forum using both. On this forum, he was looking for concert tickets and had posted his telephone number on there to be contacted about buying tickets from a potential seller.
The phone number turned out to be an office number. Now we have the office number and an e-mail. We easily figured out where the office was located and phoned up and used a bit of social engineering. We posed as a publicist and said we needed to get a hold of him. Using some information we got on the Web, we got the office to give us his personal cell phone number.
Now I have a cell phone number, an office number, and an e-mail address. I managed to do some more research and got an address which corresponded to a very nice house. Now I know the house, so I can pull public records on the property. I found out who the mortgage was with and now I have some of the mortgage data. I call the mortgage company and, using some of the information I have, I get them to give me even more information.
We then ran a LexisNexis report, and a few other reports, on this person and fairly quickly we had their Social Security number. He is married and has kids. So we then did a lot of digging around at a few of the local schools pretending to be this person’s secretary. We found out where the kids went to school.
From there we had one of our guys go around and do a Bluetooth assessment and see if you we could pick up any other information. We were able to pull a Bluetooth signal from the residence. Now we can drop some software on it, monitor where he is, match the GPS tracking, listen to his calls and conversations.
Now we know his e-mail, his office and cell number, his home address, his mortgage information, his Social Security number, where his kids go to school and how to monitor his calls and comings and goings. It took us half a day to do this work and I essentially own this person. I own him and can do whatever I want with him. I could go open up bank account in his name, assume his identity or act on his behalf, say to reserve a suite at a hotel.
Once we had their information, identity and bank account, we realized we could go on a spending spree. However, both of us working on this account realized not only that we didn’t look like the person, but we also were aware that his own security team knew us and where we were. We spent about 20 minutes laughing about buying an island somewhere in the middle of nowhere, having the Ferraris shipped out and getting a large stash of weaponry to defend our ill-gotten-gains!
If I think back, the first time I ‘became an instant millionaire’ by doing an assessment, it was a total rush, a cool feeling. But the honesty chip cuts in and the “yay!” feeling is short-lived, because you then spend 30 minutes debating how you could get away with it. That’s when you realize there’s others out there like me who are equally good at finding me. But it’s always fun to work out how you could get away with it!
For more social engineering awareness stories, read 9 dirty tricks: Social engineers’ favorite pickup lines
The reaction from him and his team? Surprised, of course. Surprised, angry, annoyed. All of the reactions one might go through when you realize you are naked. There is an expectation of privacy with these kinds of people. This is an executive of a company who has put many layers between himself and his staff to get a level of protection and anonymity. When some guy in a pair of Life Is Good pants passed him on the street and handed him a laptop that said “I own you,” it gave him a definite feeling of shock and horror.