A social engineering story

I'm surprised that the Internet security aspects of the Heartland Institute document leak haven't gotten more attention. There's a good lesson here.

The person who received the documents, Peter Gleick, an environmental scientist and MacArthur genius grant winner, used social engineering to get them. His technique was Kevin Mitnick 101.

Quick background: Gleick frequently speaks out on the dangers of climate change. The Heartland Institute is a center for climate change skepticism.

Last week, Heartland's budget and its list of donors were released and published. The material includes a list of all of Heartland's employees and their salaries over the years. More important to the climate change debate was Heartland's list of donors, which included many large companies.

These had to be among Heartland's most confidential documents.

This week Gleick acknowledged that he was the one who got the documents. Of his role, he wrote: "In a serious lapse of my own and professional judgment and ethics, I solicited and received additional materials directly from the Heartland Institute under someone else's name."

Gleick reportedly got that material by creating an email account in the name of a Heartland board member and then writing to Heartland as that board member, explaining that this was the member's new email address. (See The Atlantic's Megan McArdle.)

On the strength of that email alone, someone at Heartland sent Gleick the organization's budget and its list of donors.
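The pretext described above has a recognizable signature: a display name that matches an insider, an address the organization has never seen before, and a claim that the old address has been replaced. As an added example (not part of the original article, and not anything Heartland runs), here is a small Python check that scores inbound mail on those three signals. The domain example.org, the directory entries, and the sample messages are all constructed for illustration.

```python
import re
from email.utils import parseaddr

# Assumed organization domain(s) and a hypothetical directory of people whose
# names an attacker would borrow (board members, executives). Constructed for
# this example; none of this is Heartland's data.
ORG_DOMAINS = {"example.org"}
DIRECTORY = {
    "Alex Rivera": "alex.rivera@example.org",
    "Sam Chen": "sam.chen@example.org",
}
# Phrases that often accompany a "please use this address from now on" pretext.
NEW_ADDRESS_PHRASES = ("new email", "new address", "new account", "personal email")


def normalize_name(name: str) -> str:
    """Lower-case, drop punctuation and collapse whitespace so that
    'Rivera, Alex' and 'Alex  Rivera' compare equal."""
    name = re.sub(r"[^\w\s,]", "", name).strip().lower()
    if "," in name:
        last, first = (p.strip() for p in name.split(",", 1))
        name = f"{first} {last}"
    return " ".join(name.split())


def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def looks_like_org_domain(domain: str) -> bool:
    """Crude lookalike test: after swapping common digit substitutions and
    dropping non-letters, does the domain spell one of ours?"""
    if domain in ORG_DOMAINS:
        return False

    def squash(d: str) -> str:
        return re.sub(r"[^a-z]", "", d.replace("1", "l").replace("0", "o"))

    return any(squash(domain) == squash(org) for org in ORG_DOMAINS)


def check_message(from_header: str, subject: str = "", body: str = "") -> list[str]:
    """Return finding tags for one message; an empty list means nothing tripped."""
    display_name, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = domain_of(addr)
    findings = []

    # Hard signal: the display name belongs to someone in the directory, but the
    # address is not the one we have on file for that person.
    known = {normalize_name(n): a for n, a in DIRECTORY.items()}
    if normalize_name(display_name) in known and addr != known[normalize_name(display_name)]:
        findings.append("display-name-impersonation")
        if domain not in ORG_DOMAINS:
            findings.append("external-domain")

    if looks_like_org_domain(domain):
        findings.append("lookalike-domain")

    # Soft signal: an outside address announcing itself as someone's new address.
    text = f"{subject} {body}".lower()
    if domain not in ORG_DOMAINS and any(p in text for p in NEW_ADDRESS_PHRASES):
        findings.append("claims-new-address")
    return findings


# Constructed sample traffic: one legitimate message, one Gleick-style pretext,
# one lookalike domain, and one harmless outsider mentioning a new email.
SAMPLE_MESSAGES = [
    {"from": '"Alex Rivera" <alex.rivera@example.org>',
     "subject": "Board packet", "body": "Please send the Q1 budget."},
    {"from": '"Alex Rivera" <alex.rivera.board@gmail.com>',
     "subject": "New email account",
     "body": "This is my new email; please resend the budget and donor list here."},
    {"from": '"Rivera, Alex" <alex@examp1e.org>',
     "subject": "Documents", "body": "Send the donor list to this address."},
    {"from": '"Pat Unknown" <pat@gmail.com>',
     "subject": "Hello", "body": "New email, just saying hi."},
]


def triage(messages):
    """Run the check over a batch and pair each sender with its findings."""
    return [(m["from"], check_message(m["from"], m["subject"], m["body"]))
            for m in messages]


if __name__ == "__main__":
    for sender, findings in triage(SAMPLE_MESSAGES):
        print(f"{sender:45} {findings or 'ok'}")
```

The point of the three-signal split is operational: "display-name-impersonation" on its own is enough to hold the message for a phone call to the real person at a number already on file, while "claims-new-address" alone is only a prompt for the recipient to verify out of band before sending anything sensitive. The lookalike test is deliberately simple; a production filter would use a proper confusable-character table.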

No one expects a group of Heartland's size to have stellar, financial-services-grade security practices. It's a small business. But what Gleick accomplished, and how easily, is a good illustration of just how effective social engineering can be at gaining trust and breaching security.


Copyright © 2012 IDG Communications, Inc.