I have wanted to do a series like this for some time. I frequently watch movies and point out social engineering and OSINT techniques or inaccuracies as well as OPSEC blunders. These blunders, along with the Matrix-style waterfall screens, are just as bad as the "hacking" you see in movies. So, let's level the playing field about the specific film at hand.
"Home Alone" was Macaulay Culkin's breakout 1990 movie. It's written by John Hughes and also stars Joe Pesci, Daniel Stern, and Catherine O'Hara. The premise is that the McAllister family is vacationing in Paris for Christmas. The night before they're set to leave, Kevin (Culkin) is provoked to misbehave by his older siblings and cousins (as youngsters often are) and is sent to sleep in the attic room. Through the night, the power goes out, resetting the alarm clocks to a flashing 12:00 time. The family oversleeps and rushes to get loaded into the airport shuttles. Meanwhile, a nosy neighbor kid is snooping and is counted as Kevin. (They didn't identify Kevin as missing because his boarding pass was thrown away the night before after he hit his brother Buzz and spilled milk on it.)
The family leaves, and then we learn that Kevin has been left behind, even though the family doesn't realize it until later, on the flight. Harry (Pesci) and Marv (Stern) are robbers (the Wet Bandits) who have been casing the seemingly affluent neighborhood. Kevin takes steps in innovative, childlike ways to protect his house and eventually land the "Wet Bandits" in jail.
The Social Engineering
In the beginning scenes of the movie, we see Harry posing as a police officer (highly illegal I might add, but he's a criminal and doesn't care). He's trying to identify who is the adult of the house. Repeated attempts of "Are your parents home? Do they live here?" to the children scrambling about the massive home lead him to eventually talk to Peter (Kevin's father, played by John Heard) and, later, Kate (Kevin's mother, played by O'Hara). From a social engineering perspective, Harry is using a police officer pretext to canvass the neighborhood in order to pick targets to rob.
From Dr. Cialdini's 6 Principles of Persuasion (2006), he is leveraging Authority, Commitment/Consistency, and to a degree (except to Kevin), Likeability. The canvassing is all done as part of Harry's ploy to have the families tell him what he wants to know so that he can expedite his burglaries. If Harry had wanted to implement the other 3 Principles, he could have offered a house key escrow service that all the successful families on Lincoln Blvd (the street where the McAllisters lived) were doing for Social Proof. Adding another family's last name as someone who had already opted in would have built even more rapport. He could have sold "Police Bonds" for additional sweeps of the street or house with only so many available for scarcity and reciprocity.
Moving forward through the movie, we repeatedly see Kevin use audio from "Angels with Filthy Souls" to foil people at the door, namely Harry, Marv, and the pizza delivery guy from Little Nero's. (They deliver in 20 minutes, or it is free.) The move is used to create the illusion that someone else is in the house. I do similar things when vishing. I typically play office sounds or store/cash register sounds from YouTube loudly in the background to sound like I am in these locations.
When Kevin is shopping and is asked where his parents are, he responds with the traditional, early 90s "Stranger Danger" answers. After Marv hears the audio from Angels with Filthy Souls and tells Harry, they decide to case out the house. When they come back after dark, Kevin has already engineered a way to make it look like a big party is going on using a toy train, lots of string/rope, and Buzz's Michael Jordan standup. Once the home invasions start (Harry and Marv are maimed endlessly in ways that outside of a movie would kill them), Kevin shows ingenuity in devising his booby traps. Kevin cleverly attracts or tricks them into falling for more of his traps.
The OPSEC Angles
Per Peter, the McAllister family had door locks and light timers (That's as good as anyone can do) when they talked to "Officer Harry." Door locks, sure. Those are standard. The light timers are what gives the family away even if he didn't disclose it to Harry. While not particularly OSINT, Harry and Marv could've easily parked nearby for a week or so before the week that they planned to rob the houses and observed the times of lights coming on. If they were persistent, they could've started a couple of weeks earlier to see if any patterns changed closer to the holiday.
Other patterns that Harry and Marv could have observed easily (and not only after sunset) are trash days and cars. A simple drive through a neighborhood before 8 am daily would have told would-be attackers what day the trash runs occurred. Closer to the holiday, they could have observed whose trash cans were not by the curb on Wednesday. People don't typically miss trash day. With regards to the cars, Harry and Marv could have observed whether they were moved in a few days, whether they're generally backed in or pulled in forward, and whether the garage doors had been opened. The McAllisters left their garage doors open the whole time they were gone, after all. I recognize that there are mitigations to prevent showing you're out of town on trash day or whatnot, but I also want to educate readers about their trends and what people, criminals or not, can ascertain.
Peter's message on the answering machine is what gave Kevin up. For the most part, that is not much of a problem today since people have moved to cell phones and email instead of answering machines. The 2019/2020 alternative that could have the same impact is an out-of-office response, irresponsible posting to social media without proper access controls, or calling someone who is outside or in public when they have you on speakerphone.
Regarding Harry and Marv, let's just say that Marv would not make a good OPSEC instructor. He is too loose and constantly spills the beans about what he and Harry are planning, especially given what he tells us in Home Alone 2 (which will be covered in a later article). The fact that the phone number on their van, JK5-1350, translates to 555-1350 should set off alarms for anyone outside Hollywood. To fit in better, Harry and Marv could have abandoned the van and walked a dog around the neighborhood. Given the perceived affluence of the community, they would have likely needed a purebred dog (this was before people were conscientious about mixed breeds and pound puppies) and altered their appearance to fit in. The van itself could've been used to their advantage after Marv started flooding houses to become the Wet Bandits.
Final Thoughts
In conclusion, criminals are not always smart, cunning, or savvy about OSINT, social engineering, or OPSEC, but neither are consumers and victims. Sometimes one can do everything "right" and still fall victim. My parting message to you is to be wary of police officers going door to door (especially without a car) asking for information, alter your patterns frequently to make an un-pattern of sorts, and take your entire family with you.
If you have to leave one behind, choose the one that is innovative with torturing intruders and leave them Micro Machines and breakable glass ornaments. If you have home IoT/automation devices, leverage them to the extent to which you're comfortable. I would be curious to see how the 1990 movie would translate into 2019 and 2020 with the new technologies and devices, including those we could use today for social engineering. Be safe.
About the Author:
Joe Gray joined the U.S. Navy directly out of high school and served for 7 years as a Submarine Navigation Electronics Technician. Joe is currently a Senior OSINT Specialist at Qomplx, Inc. and previously maintained his own blog and podcast called Advanced Persistent Security. Joe is the inaugural winner of the DerbyCon Social Engineering Capture the Flag (SECTF) and was awarded a DerbyCon Black Badge.
As a member of the Password Inspection Agency, Joe has placed 2nd in the HackFest Quebec Missing Persons CTF powered by TraceLabs, 2nd in the BSides Atlanta OSINT CTF, and 3rd Place in the 2018 & 2019 NOLACon OSINT CTFs. Joe has independently placed 2nd in the HackFest Quebec SECTF, 4th Place in the DerbyCon OSINT CTF, and 2nd Place in Hacker Jeopardy at Hack in Paris. Joe has contributed material for the likes of Tripwire, AlienVault, ITSP Magazine, CSO Online, Forbes, and Dark Reading as well as his own platforms.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor and do not necessarily reflect those of Tripwire.