How to break a firm's secrets

Employees warned not to give away details over the web.

Powered by automated translation

DUBAI // Setting up fake Facebook profiles is just the start to any common penetration test.

David Michaux, a director of the Dubai security company Whispering Bell, said the next step was to spam selected employees with links to phishing websites.

The carefully designed websites ask for personal information such as an employee number, for the chance to win an iPad or tickets to a sporting event.

That employee number would later be used to design fake entrance passes to the office, where the team could drop USBs infected with trojan viruses.

"You'd be surprised how many people just pick them up, take them inside and plug them into their computers," said Mr Michaux. "Suddenly you've got remote access to their computer."

He said other tactics to get into the office would be to pose as a job applicant or cleaner, then photocopy any sensitive documents left lying on desks.

Another method was what he called "dumpster diving", which involved going through rubbish to find shredded documents and piecing them together.

* Martin Croucher