Monday, August 4, 2008
I am recalling an incident that happened to me recently while on a flight to Mumbai. I had just boarded the flight, we still had around 10-15 minutes to takeoff, and passengers were still slowly getting on. A guy walked in with a laptop and a BlackBerry and sat next to me. He did look to me like a tech guy; I just ignored him and kept on doing my stuff. Then, in a few minutes, he got a call from his office: there was some problem in their network. He started to inquire about the network, asking what error messages the guy at the other end was getting, and then talked about the network, load balancers, authentication, logs, etc., which surely made me curious, and of course I shifted my focus to his conversation. Then all of a sudden he just said, "Why can't you log in? Don't you know how to do it?" There was silence, and he looked at me.
This guy was surely security conscious (it looked like that) and didn't want to talk about the machine details and passwords in front of me, as I was the only guy nearby. So there I played this trick: I made him comfortable by moving out of my place and going to the lavatory, but what I did while moving out was leave my wallet and my cellphone on my seat. My cellphone has voice recorder software, and I just had to press #9 to activate it, which I did; I kept my cellphone on the seat with the wallet and moved out.
I stayed away from my seat for 10 minutes and went back as soon as he disconnected the call. He gave me a smile and started to read a magazine. I was just waiting to reach Mumbai, and I quickly started to listen to what was recorded, and wow: this smart guy had said the Administrator's username and password to connect to their servers via the internet. He also said his own username and password, which was part of the admin group. He then went on to explain how to view all customers' data, export customers' details and import them to the other stand-by server.
Now about this guy: he was a consultant for a large telecom company here in India and used to manage the "Value Added Services" network for them. He was surely security aware and didn't want to give out a password or any login information when I was around, but he still did, and to his bad luck my cellphone did the trick. He failed badly against this type of attack and landed me with details like how to log in to his network with admin credentials, view customer data, export customer data, etc.
Now see how bad things can get and how social engineers can get critical information even while they are not around you. The reason my leaving my cellphone on my seat didn't raise any suspicion was that I even dropped my wallet with it (of course I risked my credit cards and some cash for the sake of information).
So it is very important to be alert when giving out any details about your network on the phone, because a social engineer does not necessarily have to be near you; he can still get what he wants while being remote.