Case in point: today I was out and about in the City with Pat, one of my network engineers. We were visiting the three new magnet schools that started up this fall to validate our inventory data and check for any outstanding work to be done. One of the schools is operating on the campus of a local university. The T1 line that connects the magnet school to the City network terminates in a building a couple buildings away from the one the school occupies. We walk in, find that the door to the basement (where our equipment is installed, along with the university's network gear) is locked, and go hunt down a random secretary.
We find someone working in a ground-floor office. I've never met her before, Pat's never met her before. She doesn't know us from Adam's off ox. Yet, we say "Hi, we're from the City public schools IT department, do you have a key for the basement?" and without even a glance at our IDs, she's off searching for someone in the building with a key. The man she finds who knows a back way into the basement never even asks who we are or why we're there. We could have been thieves, vandals, or FBI agents planting a wire tap. We just asked nicely and complete strangers were happy to let us into one of the inner sanctums of their network.
It's reassuring to know that we still live in a largely open, trusting society. It's also darn handy when we have to get into somewhere that we don't have keys to. But the part of me that's paid to think about infrastructure and physical and electronic security cringes when these things happen.
Back in the mid '90s there was a crew in New York running a scam where they showed up in a building just before five PM wearing AT&T polo shirts and carrying a clipboard. They'd say they were from AT&T, and were dispatched to fix a phone problem. Staff would let them into their phone room and then leave for the night. In the morning they'd come in to find that the thieves had made off with all of the cards in their PBX.
I can, without exercising any imagination at all, see this happening in any number of the municipal buildings or schools in the City. In the schools at least we'd have a fake name on the visitor's sign-in sheet. Our desire to trust and to be helpful is the fundamental piece that makes social engineering such a powerful tool for intrusion.
I like being one of the technical ghosts of this world. I like being one of the people who knows where all of the back rooms and underground passages are. I would be inconvenienced (and somewhat put out) if secretaries started really checking IDs and making sure that you belonged where you say you belong. But, damn, why bother launching a 'cyber attack' when you can just walk right in the door?