So a young fellow just showed up unannounced at my office and asked to 
plug some equipment into my telephone jack.  He looked all official, 
with various pieces of equipment hanging off his belt and carrying a 
clipboard.  It occurred to me that if someone wanted to do some social 
engineering to get me to allow them to plug in some equipment for an 
attack through my phone line, that would do it.  Just for kicks, I asked 
if he had any ID, and he said all he could show me was his student ID. 
So I let it pass.

It seems to me that we give a lot of lip service asking people to be 
vigilant about security, and then in practice ask them to drop their 
guard.  I myself often go into labs unannounced and start fiddling with 
equipment with no one questioning me -- often I bring to their attention 
that they should not just let me do that (which itself could be a good 
social engineering move).  I don't recall getting a memo ahead of time 
about this telephone line check; that would help.

Just passing on some info here.

-- dkm