 |
 |
So a young fellow just showed up unannounced at my office and asked to plug some equipment into my telephone jack. He looked all official, with various pieces of equipment hanging off his belt and carrying a clipboard. It occurred to me that if someone wanted to do some social engineering to get me to allow them to plug in some equipment for an attack through my phone line, that would do it. Just for kicks, I asked if he had any ID, and he said all he could show me was his student ID. So I let it pass. It seems to me that we give a lot of lip service asking people to be vigilant about security, and then in practice ask them to drop their guard. I myself often go into labs unannounced and start fiddling with equipment with no one questioning me -- often I bring to their attention that they should not just let me do that (which itself could be a good social engineering move). I don't recall getting a memo ahead of time about this telephone line check, that would help. Just passing on some info here. -- dkm