Social Engineering: high tech crimes require low tech legwork.

October 29, 2009

This is a true story. It happened in one of America’s most technically literate cities. A municipal employee was on the street, tinkering with a “smart” parking meter. This meter accepts credit and debit cards, and recognizes pre-paid parking cards. A young man approached the technician and gushed about the gadget. He said he was fascinated with technology, and wanted to work in the field some day. He asked numerous questions about the meter’s functions, answered generously by the city employee, who clearly relished the role of the expert.

The “kid” then returned to his lab, where he and several other researchers were exploring ways to hack the smart meter system. For instance, if parking is free on Sunday, why not make the meters think every day is Sunday? Better yet, what if, instead of deducting money from pre-paid parking cards, the meters added money? Unlimited free parking for our friends, that’s what.

Hackers have a very twenty-first century name for the street-level part of this research. They call it “social engineering.” That’s because “working a patsy” would sound tired, not wired.

The Reasonable Reporter will now present a meditation on social engineering, prompted by a weekend excursion to a movie called Law Abiding Citizen. The film is an imaginative story of high tech murder and mayhem by an accomplished social engineer. Go see it, despite the reviews, which are astonishingly tepid, especially since the film could be described as a melding of two legendary predecessors: Death Wish meets Enemy of the State.

Everyone from the estimable Roger Ebert to the gang at Rotten Tomatoes finds the movie’s plot implausible. This is troubling evidence that Americans have a distorted notion of technical crime. Learn this, damn it: There is no high tech crime without low tech legwork. In other words, social engineering.

The Reasonable Reporter does not wish to sound snotty, but for all your Tweeting and Skyping and YouTubing, you people are remarkably unhip when it comes to the ordinary scam artists all around you. You are so technically evolved, apparently, that you no longer fear a good old-fashioned con job – involving, you know, a guy chatting you up, pretending to be something he’s not, in order to make a rube of you.

But it’s happening every day to technically sophisticated people. The office assistant who quits her job to make thousands of dollars working at home! It doesn’t occur to her that she’s facilitating crime, even when the boss, whom she’s met only online, instructs her to receive large cash transfers from important clients, deduct her own pay, and then send the rest of the money to offshore accounts.

Right here in Nevada, a business hires an independent contractor to help with the marketing effort. The contractor gains unrestricted access to the client data and is able to email to himself as much of it as he wants. Down the road, he opens a competing business, using those valuable contacts, as well as financial data he gathered with the cooperation of the business owner.

God forbid the Reasonable Reporter bring up voting machines again. But seriously folks, one of the most-discussed polling place attacks is simply an old-fashioned two-man con. One guy creates a diversion at the check-in table while the other guy reaches around to the reset button on the back of the machine – some models have one – and wreaks election-day havoc.

We really must lose this outdated image we have of cybercriminals as social misfits in dark apartments who gain system access magically by tapping away at their keyboards all night. Watch some old movies to reintroduce yourself to the art of the con. Remember Psycho? Janet Leigh wouldn’t have been at the Bates Motel if she hadn’t pulled off a spectacularly successful feat of social engineering.