Monday, February 21, 2011

Proudly Presenting: Serene Logician

Over the last few years, I've spent quite some time thinking about security and, in particular, social engineering. It's something that fascinates me for the same reasons that I like mathematics and stage magic: all of them are about finding missing links in an alleged chain of evidence.

In mathematics, a missing link in a chain of evidence simply means that a proof is incomplete.

In stage magic, a missing link is what allows a magician to produce an illusion of actual magic, by demonstrating to the audience in 20 ways that he has no chance of manipulating something -- while he manipulates it in the 21st way. Indeed, stage magic is often just about providing so much proof that the audience no longer notices that the chain of proof still didn't go from one end to the other. (Rest assured that whenever a stage magician says "Now I put this here so that you can make sure that I don't exchange it", he has already exchanged it long ago. He then proceeds to demonstrate in spectacular ways how he really does not exchange it again.)

What a social engineer does is not much different, and again, the crux is that somewhere in the chain of evidence there must be a missing link. Just think of a fake plumber in front of your door who can show you an ID with his photo and the name of "his" company. You can verify that the photo and his face match. You can verify that the name and his name tag match. You can verify that the hologram on the ID card is real. You can verify that the company exists. You can verify that the phone number on the ID card matches the real phone number of the company. You can phone the company and verify that they have an employee of that name. Maybe they can even confirm that he is supposed to come to you today. And still that man in front of your door has never ever worked for that company. Where's the missing link?

Anyways, I have a thing for finding such missing links, and obviously also a certain skill for it. And given that I'm planning to write about those more frequently now, I've decided to dedicate a blog to them.

Proudly presenting:

You can expect some presentation of basic principles, and a lot of ranting about the daily security lunacies. Posting frequency will vary and I'm not committing myself to any schedule, but there are some postings already in planning, and from experience I run across a post-worthy example every few weeks.

I'd also like to express my sincere apologies to those of you who are already reading my other blogs (plural) for adding another one to the list. On the upside, it's a public one so you can just add it to Google Reader and don't have to open yet another tab for it.

-- Birgit

P.S.: The missing link is the ID card. There's no way to prove that it's genuine, since you most probably have no idea what an ID card of that company is supposed to look like.

The company's confirmation that this employee is really scheduled to visit you can be achieved by calling the company beforehand, pretending to be you (i.e., the visited person) and really requesting the real employee of that name to come to you. When this appointment is then canceled last-minute, chances are high that the secretary at the company isn't notified about the cancellation yet when you call her, and will confirm the appointment.
