January 1st, 2013
Real Life and the Application of Social Engineering Part IV
First off, after the last portion, I can hear the cries of “B.S.” from my desk all the way down here in San Antonio. Never fear, doubters, I kept everything: check stubs, awards, bank statements, and even customer character statements for a situation that you will hear more about in this part of the series. Enjoy this second to last installment of the story.
As I worked on being everyone’s trusted bartender, people would have long conversations with me on various topics, mostly what was on the news at the time. These initial conversations always led to ‘off topic’ conversations, which led to other ‘off topic’ conversations, and so on. I remember one conversation, specifically, where I was commenting about a better way to keep track of undercover officers/spies that wouldn’t get them ‘popped’ as would be the case if they were caught wearing a wire. I was told that the military/spy agencies had the ability to turn your phone on and then, turn on your phone’s built-in microphone/camera. The phones could record all this audio and video without your knowledge. At the time, it was illegal to conduct this activity Stateside, although, according to what I have read on “Stellar Wind”, it seems these spy agencies are still doing this anyways.
It is a well known fact that this type of ‘hack’ is possible currently, but when I first heard about it, it was seven or eight years ago. I was horrified and I will admit that my paranoia was really kicking in about this time. (Hell, when I first found out about the N.S.A. coming into my bar, I almost quit and was even more scared). “I wasn’t stateside; I was fair game. These a-holes had put me at risk just by coming into the bar”, so my paranoia screamed, but then nothing happened. I wasn’t busted, and again, I became used to the pressure. In the back of my mind though, I was always keeping my eyes and ears open for anything that would tip off my status or help me keep a step ahead of the law. I was also in shock that I was able to find out such sensitive information while the guys were just blowing off steam while waiting for traffic to die down. This example is just one of many I was able to ferret out without even trying and nowhere near the most sensitive information I gathered either.
Now, the Spooks aren’t stupid. They would regularly (about once a year or so) have someone come in and pretend to be a new hire over at the “facility” without any of my customers’ knowledge (usually during daytime business hours when they were still at work). They would start asking me questions about who hung out at the bar and other ‘off character’ questions for the situation. It became pretty easy to spot a security sweep when these guys came in. These guys would always ask the wrong questions of a “bartender” and only one of them ever ordered a beer (big knock off in a bar). He only ordered the one and then only drank a third of it.
Every time, after these visits, I would tell my customers that I met a new hire. They had no idea who I was talking about and that is when they would find out themselves that someone had ordered a sweep. I always covered for my customers: first, the less they looked at the bar the better, and second, I didn’t want to lose them as customers (as shallow as this is, the tips were good)!
I remember on one of these security sweeps that one of the security guys came in with his “wife” who was supposed to be a new hire with the squirrels. He was asking all sorts of ‘off’ questions about the rest of my customers, even though his “wife” was the new hire. One of the questions he kept pestering me about was the bus schedule outside the back gate. After the fourth time telling him that I didn’t know anything about the schedule because I never caught the bus outside the back gate, I just started hitting on his “wife” in front of him just to get him out of my bar. I knew that there was a stop outside the gate because every once in a while, I would go to a restaurant for lunch right next to the bus stop.
I was used to people that were new to the area stopping by and asking questions about the local situation, soldiers and civilians alike. It was actually kind of normal for that to happen a few times a week during the troop rotation time of year. None of them ever identified themselves as working with the “secret squirrels” even by the proxy name they used on base, except for those security guys trying to pump me for information.
EXPLOIT USED: The trust in someone they thought they knew to open up and reveal sensitive information; alcohol being an important factor in this scenario. When they talk to each other and have clearance to talk amongst themselves, it is easy to forget the server who jokes with them all the time isn’t cleared for such sensitive information. It’s also all too easy to walk up on conversations and overhear things that were not meant to be heard.
Being able to spot an ‘under the radar’ security check on my customers and derail their attempt at information gathering. Mostly to cover my own ass, but it didn’t hurt to cover my customers’ butts as well (as long as I was able to let them know I had done it and strengthen the bond between us). Having friends in those kinds of places never hurt.
VULNERABILITY EXPOSED: Inability to stop letting sensitive information leak out from many different sources and then be able to ‘jigsaw’ together the pieces to see the larger picture. Also, the poor training of investigative personnel, in information gathering techniques/methods used in a social setting while trying to remain under the radar.
PATCH: More comprehensive background check process for base personnel. The Security Investigators need better training in undercover solicitation of information or Social Engineering.
Fast forward a few more years, right about a year and a half to 2 years before I came back to the States. I had a new boss, who was an idiot. He couldn’t even spell Idiot (seriously), but he had been in the system for 20 plus years and it was his turn to move up. I wasn’t a happy camper, mostly because I was promised the job by his backstabbing boss. So I kind of became an a-hole, but they couldn’t really touch me because I was smarter than they were (this isn’t bragging, they were just amateurs).
They tried to set me up and catch me ‘drinking and gambling’. When it was my boss’s day off, a ‘customer’ had a slot machine stop working and called me over to reset the machine (which I did, while the customer went on to play another machine). When the big boss just ‘happened’ to walk through, he saw me sitting at the slot machine. I was joking with the patrons, but the ‘customer’s beer’ was also sitting right there by me. Nothing happened for about two weeks after the incident, but then I found out (outside the chain of command, which could have gotten my bosses in trouble because it meant that they were gossiping about me) that I was being written up for “drinking on the job and gambling during working hours”. I NEVER drank while working (at least by this time in my life, anyways) and I never gamble (for money), so I asked my regular customers to write some character statements for me.
You may have guessed it by now, but yes, I even got some N.S.A. folks to write character statements for me as well. I didn’t need them, as it turned out, because my boss’s boss didn’t know that the slot machines keep track of every single transaction including down time because of a malfunction. I asked the A.R.M.P. slot techs, who I had long since befriended, to print me up a copy of the logs and used those to clear my name. Since it was the big boss who initiated the write up, I went to the big boss to challenge my write up before going “up the chain” to his boss. I showed the big boss a picture of the machine and had him verify that it was the machine he saw me at. Then I showed him a picture of the serial number for the machine and the log for that serial number. I also asked him why, if he thought that I was drinking and gambling he didn’t immediately confront me. I also asked him why he had my direct boss write me up who wasn’t there at the time of the incident and had no direct knowledge about it as well. I then showed him the write up, which he hadn’t even seen yet and which looked like it was written by a 3rd grader (I still have it too). The expression on his face was priceless, he had to drop the write up… This next part is pure conjecture on my part, but one night, not long after this happened, one of the Air Force guys and one of the “Secret Squirrel” guys let it slip (after a few beers) that “they had a plan” to deal with my boss’s boss. About a week later, he got busted for a DWI off post and was fired. That was some pure Karma and I think a little help from them, but I have never found out if it was them or not. (In all fairness my M.P. friends could have been just as culpable or I could have just gotten really lucky… again).
EXPLOIT USED: Trust in the person that they thought they knew and gaining their help by writing a character statement for a wanted fugitive, who anyone with a security clearance is not supposed to associate with.
VULNERABILITY EXPOSED: This is a hard one to say, because my friends, through no fault of their own, were put into a potentially compromising position by providing me a character statement. I guess this goes back to a reliance on the Army’s background check process to clear base employees.
PATCH: Secondary background checks for all personnel on bases where there are ‘Secret Squirrels’. Definitely for places that they socialize at after work hours because they are a very tight knit group. Once in, their guard is down, so to speak, and it becomes easier to overhear what is being said between them. Especially when alcohol is involved; inhibitions drop and the volume of voices rises. This is also an example of the inability to stop letting low priority information leak out from many different sources and to then be able to ‘jig-saw’ together the pieces to see the larger picture. This is about as much as I’m going to say about what I was able to “figure out” about the ‘secret squirrels’. As nice as they were and I’m sure they still are, I am terrified of whom they work for.
Again, that really happened. In fact, I left out “a ton” of stuff from this story so as not to incriminate anyone specifically or reveal the locations involved. Last thing I want to go down for is revealing the location of a spy factory or burning a spy outright. Tune in next for the thrilling conclusion to this saga that was my life on the run and how I got out of it, how I came into controlling ¼ of a million dollars before I came back to the States, undercover cops, and what I’m doing now.
Edited by: Jay Trinckes, Jr.