How Do You Know?

I’ve got a non-technical one for you today.  If you’re paying attention to stuff around you, you’ll probably end up with a little paranoia after reading this.

We’re having another circuit installed, and the LEC came out to do their end-to-end testing.  The tech, Dan, calls me up on the phone and tells me who he is and what he needs to do; I agree to meet him in the lobby to escort him on his way.  Now, I’ve never met Dan and can’t really vouch for him.  He had the polo shirt and khakis that we’ve all come to expect.  He had a pile of generic-looking badges on his belt with his picture and name on them.  He had a satchel full of tools and equipment.  He looked the part, but how hard is it to get a shirt, print up & laminate a few badges, and put some tools in a bag?  Was Dan really who he said he was?  Should I really have let Dan into the telco room?

In this case, I would say Dan was legitimate; he called the right phone number and mentioned the correct circuit we were installing, but I cannot say beyond a shadow of a doubt that he was supposed to be messing with that equipment.

My wife’s in retail, and I asked her if she has any similar stories.  She had quite a few, actually, usually involving the building’s security.  Her store has security guards come in and out from time to time, and it’s always a different person.  They never identify themselves to anyone in the store, but they’re decked out in the shirt we’ve all come to expect.  Around here, it’s illegal to identify yourself as the police if you’re not, and that includes patches and badges.  You can, however, go to the local store and buy security patches and maybe even a badge — now the outfit is complete.  How can employees in the store be sure that the guy with the security patches is really who he says he is?  Will people even question his being there?

People are known to be trusting.  That’s just how people are, and there’s nothing you can do about it.  We assume that people who say they are an authority are that authority, which is a bad thing if you’re trying to be secure.  A coworker on the security side loves to tell the story of the KFC in Manchester, New Hampshire, where a highly-skilled social engineer phoned in, told the employees that he was with the corporate office, and had them doing all sorts of things.  Let’s just say it ended with them all naked in the snow in the parking lot, urinating on each other, and lighting their clothes on fire — all just because someone on the phone told them to do so.  What would people do if you actually showed up looking the part?

The next time a vendor shows up, I think I’ll ask them to prove who they are just to see how they react.