I was told this seemed like a better place to put this article, so the only way I knew how was to delete the old one and recreate it here.

Social Engineering: How to protect yourself and your office Volume 1

Ring….Ring….Ring….
It’s a cold late night. John has been at the office since 6 in the morning, and the clock is just striking 11 PM.
Rii…. Hello?

Rob: Hi, this is Rob with Sonitrol (the name posted on all the windows of the building). I noticed on our security system that your alarm hasn’t been set yet tonight, and I need you to tell me the password; otherwise we will be sending a police car out immediately.

John: yellow legos
Rob: Thank you have a nice night

One week later John comes into the office to find they have been robbed, and the police still haven’t been alerted to the break-in. How can this happen, you wonder?

What happened: most security companies make exactly this call late at night to make sure a client hasn’t forgotten to set the alarm and hasn’t been broken into. To exploit that routine, Rob drove by the office, noted the name of the security company on the windows, and came back another night when just one car was in the parking lot. He made the call from his cell phone and got the password. When he broke into the office the following week and the real company called, he answered with the password John had so readily given him, and no police were sent.
This is a prime example of social engineering and of the creativity that goes into it. What is one step that could help protect you against something like this?

Set up two-sided passwords: one the security company must give you, and one you give them. The order matters: the caller proves who they are first, and a caller who cannot give the company’s password does not get yours, no matter how urgent the story. That alone is good practice, but take it a step further: have seven different company-side passwords, one per day of the week (e.g. Monday: purple, Tuesday: infinity, …), so a code overheard on Monday is useless on Tuesday. Change the passwords with the security company regularly, and give them only to the select people who are going to be there late.
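To make the two-sided scheme concrete, here is an added example (written for this edit, not code from the original post or from any alarm company) that models the late-night call: the caller must give today’s company-side code before the employee releases the client code, a code for the wrong weekday is refused, and a refusal tells the employee to call back the number on the contract. The weekday codes, the contract phone number, the rotation interval and the dates are assumed placeholder values.

```python
"""Two-sided alarm password check (added example, not from the original post).

The employee side (John) holds a per-weekday code the security company must
say first, plus the client code he may say back. Nothing is revealed until
the caller has proved itself for today's weekday.
"""
import datetime
import hmac

# Constructed placeholder schedule: the company-side code for each weekday.
# These are example values, not real codes from the post or a real company.
COMPANY_CODES = {
    0: "purple",    # Monday
    1: "infinity",  # Tuesday
    2: "granite",   # Wednesday
    3: "harbor",    # Thursday
    4: "quartz",    # Friday
    5: "meadow",    # Saturday
    6: "tungsten",  # Sunday
}
CLIENT_CODE = "yellow legos"    # the code John may say only after the caller proves itself
CONTRACT_PHONE = "555-0100"     # assumed number from the alarm contract, used for callbacks

# Example dates used by the demo below (April 1 and 2, 2002 are a Monday and a Tuesday).
EXAMPLE_MONDAY = datetime.date(2002, 4, 1)
EXAMPLE_TUESDAY = datetime.date(2002, 4, 2)


def _same(spoken: str, expected: str) -> bool:
    """Case- and whitespace-insensitive comparison that does not short-circuit on the first mismatch."""
    return hmac.compare_digest(spoken.strip().lower().encode(),
                               expected.strip().lower().encode())


class TwoSidedPassword:
    def __init__(self, company_codes, client_code, last_rotated, max_age_days=30):
        self.company_codes = dict(company_codes)
        self.client_code = client_code
        self.last_rotated = last_rotated
        self.max_age_days = max_age_days

    def rotation_overdue(self, today: datetime.date) -> bool:
        """True when the codes are older than the agreed rotation interval (assumed 30 days)."""
        return (today - self.last_rotated).days > self.max_age_days

    def caller_is_company(self, spoken: str, today: datetime.date) -> bool:
        """The caller must give today's code; any other day's code is rejected."""
        return _same(spoken, self.company_codes[today.weekday()])

    def answer_call(self, spoken: str, today: datetime.date):
        """What John should say: ('release', client code) or ('refuse', callback line)."""
        if not self.caller_is_company(spoken, today):
            return ("refuse",
                    f"I can't confirm who you are; I'll call you back on {CONTRACT_PHONE}.")
        return ("release", self.client_code)


# Codes last rotated on an assumed date well over 30 days before the example night.
EXAMPLE_POLICY = TwoSidedPassword(COMPANY_CODES, CLIENT_CODE,
                                  last_rotated=datetime.date(2002, 1, 1))


def simulate_call(policy, caller: str, caller_code: str, today: datetime.date):
    """Both sides of the late-night call; returns (outcome, transcript lines)."""
    lines = [
        f"{caller}: Hi, this is the alarm company. Your alarm isn't set; what's the password?",
        "John: First, what's your code for today?",
        f"{caller}: {caller_code or '(stalls, offers no code)'}",
    ]
    outcome, reply = policy.answer_call(caller_code, today)
    lines.append(f"John: {reply}")
    return outcome, lines


if __name__ == "__main__":
    # Rob with no code, Rob replaying Monday's code on Tuesday, and the real company.
    for who, code in (("Rob", ""), ("Rob", "purple"), ("Sonitrol", "infinity")):
        outcome, lines = simulate_call(EXAMPLE_POLICY, who, code, EXAMPLE_TUESDAY)
        print("\n".join(lines), "\n->", outcome, "\n")
    if EXAMPLE_POLICY.rotation_overdue(EXAMPLE_TUESDAY):
        print("Reminder: rotate the codes with the security company.")
```

The point the transcript makes is that John never says his code until the caller has said the company’s code for that day; a caller who stalls or replays yesterday’s code is met with a callback to the number on the contract, not the number the caller offers.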

So what is social engineering? There are many definitions describing a hacker’s methods of gaining information or access. I will offer my own: social engineering, short and simple, is a psychological con. You dupe people into believing you are something you aren’t, or coax them into telling you things because you are a “nice person”.

We all know security is only as good as its weakest links. Yes, I made that plural on purpose, because every employee, every piece of paper, everything that has to do with your company has to do with security. You can gain valuable information from discarded documents, by the method above, or by simply claiming to work somewhere: call the secretary to the CEO, CFO or whoever, tell him/her that you are from the IT department and need their password to install something, and that as the executive’s secretary he/she gets it first. Now you have access to almost everything the head honcho does.

The first step is to send out a company-wide email instructing people never to give out personal information or passwords unless they are talking with someone they KNOW is authorized to have that information. For those of you who are security professionals and are just here to learn a little more about how not to look stupid: never give your passwords to anyone. For those email programs with a password-recovery question, fill in the answer with gibberish so that someone who knows you can’t guess it (and keep that gibberish somewhere safe, or you will lock yourself out). If someone calls you, the most popular form of social engineering, and wants information such as credit card numbers, bank account numbers or any other personal details, tell them you will call them back. Ask for their phone number, then compare it to the one in your own records; every bill a company sends you carries its contact information. Call the number on the bill, not the one the caller gave you, and ask whether they really need to talk to you. These are the simple things we never seem to think about.

There are other methods of gaining information, but I will cover those in a later tutorial. Below I have included one of my sources; the rest comes from security discussions I have been involved in.

Sources
http://online.securityfocus.com/infocus/1527