Check out the new USENIX Web site.

Information Security Technology?...Don't Rely on It
A Case Study in Social Engineering

Ira S. Winkler, <>
Brian Dealy, <>

Science Applications International Corporation
200 Harry S. Truman Parkway
Annapolis, Maryland 21401


Many companies spend hundreds of thousands of dollars to ensure corporate computer security. The security protects company secrets, assists in compliance with federal laws, and enforces privacy of company clients. Unfortunately, even the best security mechanisms can be bypassed through Social Engineering. Social Engineering uses very low cost and low technology means to overcome impediments posed by information security measures. This paper details a Social Engineering attack performed against a company with their permission. The attack yielded sensitive company information and numerous user passwords, from many areas within the company, giving the attackers the ability to cripple the company despite extremely good technical information security measures. The results would have been similar with almost any other company. The paper concludes with recommendations for minimizing the Social Engineering threat.

Download the full text of this paper in POSTSCRIPT (87,905 bytes) and PDF (141,038 bytes) form.

To Become a USENIX Member, please see our Membership Information.