I don’t know why, but I just find a good social engineering story riveting. Maybe I actually enjoy the human aspect of security more than the technical aspect, or maybe it’s the whole secret agent thing of sneaking into places that you’re not supposed to be. Either way, I like it. And I just heard a good one in a letter to Steve Gibson on the Security Now! podcast.

Basically, a security penetration testing firm used a commercially available radio scanner to listen in on employees talking on wireless hands-free headsets. They sat across the street and could get good enough signal to hear and record the conversations. They then used what they heard to pose as a remote employee who came into town:

“I put on my best suit and then went to work. When I entered the building, I was greeted by security. I indicated I was an employee and was in town to work. I handed the security guard a business card and was welcomed with a smile. After escorting me to a cubicle, the guard showed me where the restroom was, where I could get a cup of coffee, and how to go about getting a building access card.”

It was just that easy. He goes on to tell about how he spent three whole days going into and out of the building, getting an access card, and getting into plenty of rooms he shouldn’t have been able to.

So what’s the problem here?

Was it that security guards didn’t check for a valid state issued ID instead of a simple business card? Was it that the security department didn’t investigate him further before issuing a key? Was it that the wireless headsets were being used in the first place? Probably every single one.

You should read (or preferably listen to) the whole story in episode 130. It really is fascinating. I’m also reading a book in the same vein called “The Art of Intrusion” by Kevin Mitnick of hacker fame. It documents a handful of real stories of hackers (or crackers depending on how you look at them) who used various techniques including social engineering to get into what they wanted. There’s stories about phreaking and getting Internet access from prison, being hired by terrorists, and cheating casinos out of a lot of money. Every story in there would make a great movie.

There’s countless other stories where social engineering is no harder than wearing the right clothes and saying the right things. Here’s a story of people sneaking almost a hundreds boxes of materials into the Super Bowl. Here’s one of a guy sneaking into a bank posing as a pest control inspector. And another of people easily getting through the security at the APEC Conference.

Why is this so easy?

Is it because we’re lazy, untrained or just plain stupid? Again, it’s probably every single one.