16th May 2008

Social Engineering at Google

I just saw an awesome display of social engineering at Google in San Francisco (I'm waiting for the Google App Engine event to start). This might have been white hat - an authorized person just getting what they needed - but there's no way to tell.

A guy walked up to the receptionist desk, backpack in hand, and asked, "Hey, are there any hotdesks open?"

The receptionist didn't seem to know what he meant, so the "attacker" babbled on for a moment about meeting up with some people who might be moving to San Francisco Google and who were "squatting" here. The receptionist offered to call somebody to check it out, and the attacker quickly assured her that they were here unofficially so far and only X (didn't catch the name) knew they were here. "They said 4th floor though - are there any empty cubes back that way?" (pointing towards a secured entrance and walking towards it...)

"Yeah I think so..." responds the receptionist and buzzes him through.

As he's headed he calls back "Hey is there a microkitchen down here?" And the receptionist gives him instructions.

No ID. No name even given that I caught. And based on what knowledge did the attacker gain access to the Googleplex? Just lingua franca - not all of it successful even! Say "hotdesk", "squatting", "microkitchen" and a mid-level Googler's name confidently enough and you either A) don't have to wait for your unofficial arrangement to be approved or B) score the Google lifestyle (kitchen, cube, wifi) without actually working for them! Very nicely done...

Posted on May 16th 2008, 10:35 AM