Slashdot Mirror
Undercover Hacking, For Money
Dollyknot writes: "Amusing story of a guy employed by IBM to check companies security out by trying to con his way onto their premises." This sounds like a fun job, to say the least, and supplies at least two good reasons to own a digital camera.
Like some geek can compete with Robert Redford, Dan Akroyd, River Pheonix and Sidney Poitier. I mean, they took on Ghandi when he ran the mob!
Getting diabetes AND salmonella would be a bad weekend.
The great movie Sneakers. [imdb]
Does anybody here remember the movie Sneakers? It's a bit old (1992), but still very good. A team of guys normally hired to physically break into places to prove it can be done and find weaknesses in security are hired for a slightly more illegal mission than their usual fare -- to steal a mysterious black box from a famous mathematician. While screwing around with it, they find it is a mathematical wonder capable of bypassing any US encryption system. Great geek movie, and definitely underrated in this review. =-)
Dear Santa,
I would like a digital camera for Christmas. It would really help me make those fake IDs.
Is most of the time the Human one. This story just proves it. I have plenty of times used talk my way into places I should not have. Either because I was just a familar face (but not one that should be where I am) or I just seem like I should be there. That would be a fun job to have. Well have fun ppl
Expecting ordinary employees, and even receptionists, to function as guards is absurd. There's no way to know who is supposed to belong in a big company, and who the hell has time to play company cop? give me a break. Put guards at the doors you don't want the wrong people going through.
---
SCO is weenies
Gator is Spyware
Microsoft is thugs
god save us all if they send a pretty woman into a programming house full of single geeks.
/\/ 3d J00!" for kicks.
Might as well just change all the screen savers to "We 0\/\/
Not that it has ever happened to me, mind you.
(ok, ok, the escorting a pretty girl part, but not the screensaver part. I did get griped at and rightfully so)
Have you read the moderator guidelines? Well, have you, PUNK? (and I want a Karma: Gnarly option)
Is to look like you belong in the place and your in. And if you are lucky you can get on theyre payroll and get yourself a job ;D
----- Whats wrong with this picture? http://www.revoh.org:1234/whatswrong
Just wear a pizza delivery shirt and carry a big red bag.. Never fails, everyone trusts the pizza guy..
Death and poverty like me so much, they've brought friends!
A cousin of a friend of mine has worked for two different financial houses in a role similar to this. His job was to randomly walk into empty offices, sit down at the employee's computer and try to crack his way into their system/files. He sure seemed to like this job a lot better than his former admin role.
as if i'm not paranoid enough!
ye olde art of Dumpster diving ;D
----- Whats wrong with this picture? http://www.revoh.org:1234/whatswrong
He doesn't mention in the article whether any of them use layered security. As you cannot expect humans to be infalliable, shouldn't layers be built up around critical infrastructure, so if they get past reception or the first security door, they still don't have full roam of the business. Extra security should be provided around critcal points such as server rooms, closets etc, and a limited number of people provide access, and know reason of letting the serviceperson have access.
the company in question depended on contractors, then there are no regular employees as such...
;D
Theyre used to seeing new faces often and may think nothing of another new face.
Just dont pretend to be the CEO or Chief Software Architect or anything
----- Whats wrong with this picture? http://www.revoh.org:1234/whatswrong
What if they suddenly tell you "Oh, there you are. You have a company presentation in 5 mins... come with me..." erm oO(OH SHIT) :)
----- Whats wrong with this picture? http://www.revoh.org:1234/whatswrong
how does one even become such a "security consultant"... do you get a degree for it? i'm a CS major but have always thought it would be cool to do something like this.
i... um... know people that do do stuff like this, but for personal pleasure. they never cause harm to person or property, and i would assume that their hobby lends them more toward a career like this than sitting in an assembly class. Any ideas?
sig
If I was Paul (from the article) and I really wanted to be bad, I'd replicate the 'get out of jail free card' and then look for work in corporate espionage for competitors. I'd go and break in to the same company again, and if I got caught, I'd just use the card to walk away.
Sneakers was a really good movie, especially since it tried hard to be authentic. Not quite perfect perhaps, but a lot better than most technology / computer movies out there.
Even the math behind the black box was reasonable. Which is to say that it's conceivable that one could find the right group theory construction to rapidly factor numbers of arbitrary size, but no one's figured out how (nor have they shown it can't work). The movie happily tells you that he's done it without saying anything meaningful about how its done.
At my last job, my boss was very slow in getting me an ID badge, even a temporary guest pass, so that I could swipe myself in. Employees should have one immediately, but it took him over 3 weeks to get me a temporary badge. So what did I do in the mean time? I snuck my way into the building, every day.
For the first few days, I had security let me in, but they got real frustrated with checking me in. So every morning, I would park my car, get out, and start towards the side door, which happened to be closest to the IT department. I would then try to find someone who was walking towards that door and high-tail it behind them.
If no one was going into the building at that time, I'd stop, pretend to take a phone call on my cell, or tie my shoes repeatedly, until someone walked past me, and then I'd just walk quickly behind them so they would hold the door for me.
Not once during those 3 weeks did I ever get questioned by anybody, which surprised me greatly, especially considering I was about 20 years younger than anyone else at the company, and I have facial piercings.
The moral of the story is that the overall trusting nature of humans is very easy to exploit, and this guy obviously shows off that point on a daily basis. Maybe we all should be a little more wary...
If you liked this story on physical hacking I suggest a trip to infiltration.com. It contains guides and how-to like articles for sneaking into hotels, exploring hospital, derelict buildings and the like. Excellent reading for the armchair sneaker
You'd be surprised how many large corporations employ folks in their security departments who's sole purpose in life is to break into company sites, or data, or their partner's sites. The guys who do Physical Security rely on Social Engineering like this guy is reported to do, or even simpler means like tailgating or even trying to pick the lock.
It's pretty cool, but there's a lot more time writing up reports about the intrusion than there is actually doing intrusions.
Never attribute to malice what can as easily be the result of incompetence...
Visit www.megapixel.net.
How about carrying a small UPS with you and tell the receptionist you're there to replace the UPS on the mainframe? A bit more direct, and that would REALLY show how weak security can be.
I almost wouldn't doubt it could be done.
Probably applies to college dorms everywhere, but it was the same at Georgia Tech. Getting into someone else's building was easy as pie. The exception of course is guys getting into the girl's dorm buildings. Other way around, we'd roll out the red carpet for the lovely ladies...
Dyolf Knip
..would be if a company were to pay to sabotage a competitor's web site.
I suppose that whole illegal thing gets in the way. Alternatively, it sure would be nice to be paid to test a company's security.
It-a-not-a-worka-for-some reason
I think there's a glitch in their DNS registration. Try here.
Dyolf Knip
Immitating a pizza delivery person also means that you can ask for someone who may or may not work there, and pretend it was a prank order all along, leaving completely annoyed. When you come later, you can complain you were fired from the pizza place, "no thanks to the pranks from this place", if anyone recognizes you.
The danger would be if you couldn't get ahold of a real pizza delivery outfit for some reason, and used a do-it-yourself outfit with a made-up company name. Many geeks know every joint in town, and would immediatly start asking questions if they didn't recognize the name.
:^)
Ryan Fenton
"You can get into almost anywhere if you look serious and carry a clipboard". Wish I knew who said it. Seems it's true....
Any good hacker knows the way into secure systems is through the weakest link: humans.
So, of course the US Gov't spent the past 10+ years evisserating the hum-int in favor of carnivore-type el-int. No wonder we didn't have a clue.
-- @rjamestaylor on Ello
I work for Corporate America
In one sentance our values dictate respect for our fellow employees.
In another, we are to firmly question anyone that 'does not belong' or is unexpected
Recently our company hired a new diversity 'expert', and she was 'aghast' at the way fellow employees treated each other in the hallways
Now I ask all of you sentinent people... how should we react when confronted with someone we neither recognize nor know, and how do we fullfill both of the philosophies?
I used to work in a secure area, where if someone knocked I'd let them in but question and deliver them to the person they wanted... but now it's an open area- thus I don't exactly know the 250 people I now work with. Frankly the stress isn't worth it- any single one of them could be an auditor waiting to 'sneak up' and get you reported to upper management- it isn't fair.
Although this article definetly shouldn't come as any surprise to anyone with even a marginal interest in information or any other type of security. Back in the day (early nineties), I was able to read loads of textfiles on all the local hacking BBS's about social engineering.
Notwithstanding all of that though, it's kind of funny to see exactly how physical security is implemented these days. Back at my old job in the Canadian government (the department shall remain nameless), this stuff was nothing but a joke. Although you could certainly see that attempts were made at making things secure, like with the ID cards with the digital picture and magnetic swipe thing, it didn't really make much of a difference in the end. Firstly the only verification system that was used on these was to flash them at the rent-a-guards who sat all day long at the entrances. By this I mean that they would literally look at it for a split second - hardly enough time to even read the expiry date or even have a good look at the photo on the card. Case in point, after quitting, a friend of mine made a copy of his card on cardboard and was able to use that to get in without any trouble.
Another strange thing was the departmental library. It was actually located within the building that I worked in on the second floor. Thus anyone (who knew about it) could walk up to the guards in the main lobby asking for access to it. They would then have to lend a piece of ID and write down their name, number, etc... and they'd get a library pass. This would essentially give them acccess to the entire building, as there wasn't any verification that they were sticking to the library. I ended up using this method of entry a few times to visit friends while I was at school in another part of the country.
Anyway, I could rant on about it all night, but in the end it just came down to the fact that the people implementing the physical security were subcontracting to a bunch of dumbasses. Other things like network/information security were dealt with by intelligent and capable people for the mostpart, but I won't get into the whole weakest link discussion.
I say this man goes to too much trouble to infiltrate these offices. At my former office, a bum walked in off the street, went straight through reception and out the back door with a $3000 laptop full of somewhat confidential information. Just some smelly guy in a dirty trenchcoat. I wonder what the receptionist thought when he passed by; that he was a programmer?
Even as you read this, your pants are strangling your loins! Aaa!
The moral of the story is that one should have the right facial piercings.
Ctec Astronomy?
Setac Astronomy
This is not off topic either... it's in the movie...
the website is www.infiltration.org they haven't put out new issues for a well over a year now though. shame...great site.
haha check this shiat out. hahaha.
That shits funny.
someone must have infiltrated their DNS servers
Sooo True..... Most dorms these days are CO-Ed anyway....
If the Jargon File is anything to go by, this isn't exactly something IBM has only started doing recently.
The entry on Tiger Teams provides the definition; the entry on patches gives the example story:
Repton.
They say that only an experienced wizard can do the tengu shuffle.
You just have to disguise yourself as the pizza.
But for all the hopefuls out there, I wouldn't expect a lot of jobs like this popping up in America anytime soon. I think lawsuits would slap a person doing this kind of work down quick. People don't like to be embarassed, and Americans like to sue.
There are a few ways to make a complex secure:
1: Require cardkeys to park a vehicle. This makes it more inconvenient for an attacker. Better yet, require an ID badge to bring a vehicle into all premises except for deliveries (restrict to a small area).
2: Think choke points and isolation levels. Always assume that at least one level of security will be broken and plan for it.
3: Keep the teams that have access to high security areas small and ensure that they know eachother. This helps there.
4: Electronically monitor server rooms. Cardkey and camera should be used for surveillance and there should not be a reason for maintenance workers to have access to the server rooms at all.
This means no garbage cans permanently stationed there. If janitors have access, then they become the weakest link...
I am actually surprised how many problems people have protecting their server rooms...
LedgerSMB: Open source Accounting/ERP
Anyways, this building was almost totally insecure. They've got a bank of elevators with two entrances, north and south. In the day you can walk up to either, say that you're a consultant and forgot your page, sign a fake name and a random floor number and you're in. At night this isn't neccessary- they close one entrance and the sole guard is almost always napping. Reach over the desk to hit the door unlatch and there's a whole building full of computers awaiting you, with a loading dock you don't have to pass security to get to.
I'm sure they knew this when I worked there: I showed up one day to find my monitor moved from atop my PC and the case ajar. I opened it up, and found that someone had taken all my RAM.
Goodbye
Kenny Bräck did unfortunately not win the Cart Championship:
http://www.cart.com/
SURFERS PARADISE, Australia--Cristiano da Matta won the battle and Gil de Ferran won the war as da Matta captured the Honda Indy 300 today and the reigning CART champion finished fourth to clinch thetitle for a second straight year.
I have 1 Gbps Internet access@home
And those "ladies" looked like they needed a shave, right?
check this 'zine out: Infiltration It's about different ways to break into and explore urban areas ... pretty f*g cool
This is just too easy to accomplish most places. One place I worked you had to have a keycard to get in, dude stands around the door, as people come back from lunch, he walks in, grabs a laptop out of a conference room (they were gone for lunch) and just walks out.
Of course we all got the "security simply must be better" but no one really did much about it after a few days it was all as it was before.
--- www.f-theocean.com
Comment removed based on user account deletion
Whats the difference bewteen this and working as a PI ? Your doing the same job, and it doesn't matter what type of company its at. Sometimes its secret shopping, to walking into a store to "test there security and cameras", to finding out how easy you can get into the CEOs office.
... long story) This is what I did just about every day. Besides boring survalance jobs. No one I have met has found it as intresting as this article put it. Don't get me wrong, I have been on some VERY intresting jobs. But, just becuase his tring to gain access to a computer lab doesn't really make it all that special.
I worked as a PI for 7 years, (Which is why I am posting anonymous
Just my $0.02
Same things happened at my former employer. Before I started there, a dude posed as a delivery person, carrying a large box. He got someone to open the door for him who then went back to their business without a thought. This guy picked up a few laptops from empty offices (this was at lunchtime one day) and presumably put them in the box and took it back out with him. He also ransacked one woman's purse. He made off with several PowerBooks, and went on a spree at the shopping center across the highway from the corporate park, using that woman's credit cards. This resulted in the company spending thousands on strong magnetic locks for the doors, controlled by numeric keypads that logged our codes.
Fat lot of good those did. While I was still working for that company, someone made off with a brand new combination TV/VCR, probably by waiting until the evening cleaning crew left the door unlocked. After that theft, my boss and I put in a passable security camera system consisting of some dinky yet highly visible cameras trained on the office doors, and one watching the door to our equipment storage and server room, from inside the room. We ran the camera inputs into a 4-way combiner, and then into a spare Mac with a video capture card and running webcam software that snapped a picture when movement was detected during non-business hours. Nothing further disappeared, though the system did catch some amusing photos of me staggering around the halls the morning after my 27th birthday party, when I crashed in my office.
I've been gone from that company for almost a year but I still talk to friends there. I heard that a month or so ago, employees of a different location of the same company (without security cameras) came in one morning to find about 10 Dell laptops were gone, ripped out of their docks by a guy who waited for the cleaning crew to start working and slipped into the offices. The company's solution to that one: All laptops must now be taken home at night.
~Philly
...and he licks llama's ass too!
Did you know if you click on a puffy fishtank you can unlock the secrets to deodorant? Neither did I, until Fred McMurray from My Three Sons showed my about Buckets.
I robbed a black Christian Rapper for his yellow Sony Sports Walkman. He was an international wussbag.
DURRRRRRRRRRRRRRRRP!
(-1, Raw and Uncut is the only way to read)
we'd roll out the red carpet for the lovely ladies...
:) Having lived in Atlanta for 20 years and now living (and attending UVA in) Charlottesville, you can do MUCH better than GaTech. Sorry man :)
At Georgia Tech?? That one won't fly
beware the jabberwock, my son! the jaws that bite, the claws that catch!
it's thing like this that make me want to be a repo man.
Having worked at IBM SSD here in Tucson, I can tell you for a fact that Big Blue takes their security very, very seriously.
I worked out on the floor -- Your typical raised-floor temperature controlled room, except on a very large scale. Without going into specifics, getting to work was always fun when it came to security. You have to go through a human checkpoint, then one card-access doorway, then another combination human/card-access doorway with a tailgate alarm.. At each point along the way you're monitored on cameras mounted in the ceiling Occasionally, if your badge doesn't work, a voice comes over the loudspeaker where you are and asks you to hold up your photo badge so they can confirm who you are before continuing.
My favorite story comes from one of my old floor bosses at IBM. He used to work for a defense contractor out east in New Jersey, right off the turnpike. He claims someone got busted sitting on a highway overpass with a camera and telescopic lens attachment, photographing the blackboards inside the plant. "Thats why all the exterior windows have reflective tint nowadays. Its a safety measure."
Fun stuff.. I miss IBM like you wouldn't believe. Friggin awesome company to work for.
Cheers,
Bowie J. Poag
Why not make a foolproof entrance with REAL security guards and make *everyone* show their ID cards. If they have none, contact someone to check them out.
As if an ordinary Joe Schmoe who works there should give a fuck about the million plus one people who wonder in and around the office...
I wonder if small companies (30 people) are more secure than large companies. A common theme between the article and posts are that no one knows who works in their own company. But in a small office, everyone knows everyone, and a stranger is obvious. It's also usually known by when someone is expecting a visitor, so an unexpected drop-in would also be obvious.
Are small companies less resistant to social engineering, because of greater employee "intimacy"? If so, how can this be utilized at larger companies to increase security?
ShoutingMan.com
From the "Beyond Hope" Hacker Conference:
(streaming real audio)
Social Engineering
It was quite entertaining as well as educational.
Another Soc Eng panel from the "Hope 2000" Conference:
Social Engineering Panel
There is no America. There is no democracy. There is only IBM and AT&T and DuPont, Dow, General Electric, and Exxon
Mabee these companys should implement retinal scans like in half-life. Then you`ll need to find
scientists or security guards to gain access to areas.
... just carry two cups of coffee.
We had a talk at university given by someone who worked as a security auditor. One of the things they did was try to gain physical access to the computer room (crawling through airvents to get into roof cavities etc.). They also had some fake Telstra (main telco in Australia) uniforms, they would just walk up to reception with a bag of stuff and a modem and ask to get access to the comms room because they had to install something. Apparently it works most of the time, they hardly ever get asked to show a Telstra staff card.
The security of your information is only ever as good as your procedures and staff.
If all you have to get past are other students, then carrying anything that looks like a present works pretty well for getting into girl's dorms. Assumming you are trying to meet up with someone in particular, and you know where in the building they are, it's not hard to get complete strangers to escort you.
;-)
Thankfully most dorms are becoming coed which only makes things easier.
The Market Post Tower (mae-west) building in San Jose I work at houses multipe tennants and government agencies... they requires people to sign in and out if their accessing the building after normal business hours.
:P
:P
While someone likely wouldnt even beable to get in after hours the outer door to the signin station without being escorted... I found it funny to see people recently signing in as "John Doe" and nobody stopped them.
Also related... For months I used to visit friends at a large colocation facility in downtown san jose after hours... I dont think their physical security guy liked me very much... As he'd often stop me and ask how I got in that time. Took them several months and me showing a couple of the employees that tho they had card readers they installed the locks on the doors backwards and without any blocking plate, so that you could just pull open the door with a simple credit card/drivers license swipe down the lock.
So I guess i've done some things in the past to get into places to visit friends where I didnt want to bother with dealing with security people to escort me... but it did bother me recently to see someone signing in as visiting the company I work for, but signing in under "John Doe".
Simple suggestions...
If you have a "sign in" sheet, require a person check their id, and fill in the info for them.
If your installing a card reader on a door, make sure you cant just bypass the cardreader by letting them have access to the lock.
I'm not surprised that it's this easy.
One cause is companies, despite security policies, routinely violate them themselves. You may say that a receptionist/guard/etc. is to challenge all vistors and ask for ID, but the first time they do that to a senior executive or VIP from out of town and get smacked down for it, they'll never question anyone again.
OTOH, I worked for an organization that took security seriously. You were to challenge anyone without a badge, and escort them to sercurity if tehy didn't have one. I challenged teh CEO once - he pulled out his badge, showed it to me, and clipped it to his collar, where it should have been. No "don't you know who I am?", no nasty note to my boss; just a simple "thanks" and doing what he expects everyone else to do. Of course, that also takes a leader, not a manager.
I'm a consultant - I convert gibberish into cash-flow.
Urging children to think creatively about the future, Dr. Erika Landau, of Museum Haaretz, Tel Aviv, asked, "What makes a good joke?"
-------------------------------------
Technically, we are beyond survival.
How could he work without a shootgun? is the digital camera a james bond hipnosis device? I could not trust this 40 successes
I did exactly the same for around 4 weeks. The only difference: I was working in a major irish airline company. (Now which on could that be ?)
I would have thought that they had increased security lately. - But obivously didn't.
To error is human, to forgive, beyond the scope of the OS.
Ha! I did this when I was working in Nortel INM/Optical Verification at the Skypark facility in Ottawa, Canada. It tokk then 3 months to get an ID badge, and I worked off hours, which meant the getting into the building was a 15 minute chore. UGH.
:P
But it's scary how easy it is to get into a top security level R&D facility. Again, I was like you- teen with piercings... and no badge.
Urban Detail
It happens in Germany, at Siemens, the giant electrical engineering and electronics corporation. The über-boss, a member of the von Siemens familiy, an old man at the time, routinely used to test how easy was to enter his company facilities (most of the employees had seen photographs of him). Once, he tried to enter a factory where he meets this old-guard janitor, a typical case of prussian education. Von Siemens is denied entry, even when, having confirmed that the entrance was guarded well enough, he wanted to finally go into the factory. The old janitor kept on saying Yes, you are telling me you are von Siemens and you really look like him, but if you don't produce a valid ID, you are not entering this building
Von Siemens had to wait until the following day and the janitor was promoted.
...working security at a certain Canadian bank. Started out as a security guard and then was 'promoted' to testing security at various obscure branches and property locations. His job was to sneak, cajole, threaten or trick his way into the building. Once inside, unless someone immediately confronted him, he'd call up his supervisor and the entire security staff at the place would be fired or transferred.
He really enjoyed it at first but you get tired of ruining people's lives for $14/hour.
A couple of years ago, I was working late in the office one night (maybe 5:30 or so) and this woman came up to me asking me where the copy room was. I asked her if I could see her ID, because the company has a policy of visible ID at all times. She kind of chuckled and said it was on her desk. I didn't know what to do next, as I was relatively new with this company, so I asked her if I could see it (Mine was clipped to my belt). She agreed, and walked me around to the other side of the office to her *office*. A big office. She shows me her ID, I apoligize for the inconvienience, but she says "no no...that's ok!"
;)
Monday, I show up at work and everyone is laughing at me. Turns out, I ID'd the new VP. Later that morning an email went around asking everyone to be more security conscious, and always ask someone you don't know for their ID.
It was sent out by the VP and corporate security.
People stopped laughing, and started asking for ID from those they didn't know.
Moral of the story: it doesn't hurt to ask someone to show their ID, and you never know who you'll be asking. (Plus, the brownie points are fabulous!)
Just remeber it aint jsut physical access and untrusted people that you should watch out for. Our server room is very secure, with proximity card access and time locks, but it was circumvented in two ways. An employee who dealt in web developement decided to try and get out of his contract, so he telentted into the webserver (he was trusted, had been there 4 years) and deleted the companies website, then proceeded to delete the backup archives, and physically destroy the tapes. When he required access to the server room all he had to do was ask one of us sys admins to let him in, nop problem. We ended up with lots of damage because of that. So peeps, remeber it aint just outsiders that can cause u damage, its the people around u as well.
what do they have at UGA? not only do they have a card to swipe, but they also have handprint recognition! every time I'm there I try my hand to see if the handprint system does anything....and I never get through. I made the comment that UGA shouldn't have cooler toys than us...
you really have separate dorm buildings for boys/girls in the states ???
...for getting passwords. I have one that can record about six minutes of video. It's so easy to set it running, then have it surreptitiously pointing at a keyboard when someone logs on. Then you can down load the MPEG, and go through it frame by frame.
;-) ).
(Not that I'd ever do something like that, but as I do a bit of 'ethical hacking' as part of my job, I have developed a deviously cunning mind
Offtopic, Inflammatory, Inappropriate, Illegal, or Offensive comments might be moderated up.
When I worked at a job that used dangerous chemicals and highkly sensitive cvorporate info and government stuff foer NASA and the like and I forgot my badge, I just hopped through the receptionist's window.
My neighbors pay me to do this as well. I check out their home security on a nightly basis. Usually they don't have the cash laying around to pay me, so I just grab TV's, VCR's, computers, etc, as payment. Of course, the way we play the game, if they catch me breaking in they call the police, but otherwise I get to keep the stuff. It's real fun, you guys should play with your neighbors..
Why play "Cloak and Dagger" when you can just root their web/database server thanks to it's unpatched telnetd?
I think it's really funny how companies spend millions each year hiring goons in dark suits and glasses who'd rather wow them with ghost stories and spy-crap than recommend patching their friggin' OS!
My approach was to go late at night, find a janitor, and tell him I lost my key. It worked every time - no ID required. I would then have the computer to myself for hours. One time, about 3 AM, a researcher (I assume
During that same year, I also used the Stanford IBM 360/67 (an OS with a VMM while Bill Gates was in grade school) to do a bunch of personal programming. There, an ID from an out-of-town for the year gard student did th job.
Meanwhile, my friends at the University of Kansas (which had a rare GE-625), wanted source of the OS to improve their attacks on the OS. One of them found out the tape numbers by looking at printouts in a public place. He then ran jobs when times were busy to copy those tapes to his own... every once in a while so as to not draw suspicion. Then, he later printed out the whole thing, again in little bits. Thus when I later went there, we had source of the whole OS. We used that to find a number of holse, although GECOS-III was surprisingly well designed for security. In fact, the CIA used it for that reason, and it was chosen for the World Wide Military Command and Control System (WMMCS). As a result of our hacking, one of us later got a call, out of the blue, from a CIA recruiter who knew of the exploits and was looking to hire him for a white-hat hacking job. This was in 1970.
Social engineering works!
The only good weather is bad weather.
You know, we should have a unit basically dedicated to
thinking up terrorist attacks to the united states, and
trying to "implement" them. Just more war games. So
we get a couple of agents trying what the Sep 11 hijackers
tried on July 13th, and we shore up weaknesses before they're
really exploited (we would, of course, have our gamers stop
short of say, actually killing or even threatening anyone. Wouldn't
do to have people saying "Oh, this isn't a REAL terrorist attack...
it's just the gamers. Sit back, everything's going to be OK.").
Actually, I know this is done to some extent. A couple of
weeks ago, for example, I heard a guy on the radio who
used to work out at Dugway Proving grounds in the Utah
west desert. His job for a while was to come up with
anthrax delivery scenarios.... from city wide to single
building to single person. I don't know if they actually
disseminated a "marker" substance to test their theories
and come up with security techniques, but I'd be happy
to some portion of my taxes spent on such a thing.
Libertarianism is rich wolves and poor sheep playing gambler's ruin for dinner.
due to obvious reasons, i will have to post anonymous... but, fwiw, i'm the person hired to observe paul.
the real world sux.
Is it really that difficult or costly for companies to implement things like retinal/iris scan, voice printing, etc. for highly secure areas? I've always felt we can have no true security based on things like ID cards (lendable and counterfeitable), passwords (crackable, write-down-able, storable), and human security guards (con-able). It would be rather intrusive and expensive, I'm sure, to implement biometric scanning for every person entering a public building, but if the critical security areas of that building were restricted to root users via biometrically automated door locks, breaches of mundane perimeter security would be less threatening.
OTOH, I'm sure someone will reply that biometrics has a weakest link as well. E.g., intruder could corrupt a root user and get their retina authorized into the system illegitimately, figure out some kind of black box to hold up to the scanner, crash it to its embedded version of shell prompt, and send it "unlock door" command, etc. But from my perspective, biometrics kicks the ass of any other solution, and I'd feel a lot safer if airports, highrises, and public utilities were using it for critical areas.
* * *
No, no, no. This is not a sig.
At the company I used to work for, we did a security consulting gig where the client asked us to try to gain physical access to their cage at Exodus' facility. If any of you have ever been to an Exodus data center, it is (supposedly) extremely secure. No one gets in without an access card, and there are security guards at the entrance. Even inside all cages are locked, and there are several other secure access points to get through.
Here's how we got in: We called Exodus posing as an employee of our client and said that a phone tech needed access to our cage to fix a phone line. We then set up a dummy voice mailbox with a fake message as if it was that employee's phone. That is the number we gave Exodus. Exodus did call and leave a message on that line, but never spoke to anyone. We sent a guy to Exodus the next day saying he was the phone tech. He got full access to our client's cage.
It was that easy.
What I'm holding out for is the Olympus D-40. It's a freaking piece of genius. Check out a review of it here. Too bad dpreview hasn't reviewed it yet.
Our school hired a security analysist to break into our Res Halls and Main Building...and he got in every wing of the building. So much for our keycards :-D (Anonymous for a reason)
The finding of primes is an NP complete problem isn't it? - So in theory such a black box *could* exist (well, no one's proved that there can't be yet :)
I used to work for a defense contractor, and our lab was a restricted area. We were instructed to challenge ANYONE we didn't recognize as being on the access list, even if their badges showed the proper clearance...
One of my co-workers challenged the company president (he was not on the list, and he was unescorted). She got atta-boyed!
Wish I'd been there to bust the pres...
General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
Quite a few years ago I recall seeing a documentary on security guys. One used to get into the buildings, usually dressed as phone tech or similar, and just leave a biz card on their patch panel "If you find this you need me." or somesuch. Very cool way to advertise (although some ahole would slap a charge eventually).
At Ford's Wixom Assembly Plant in Michigan, the supplier quality guys couldn't be bothered to let us (their suppliers) into the plant to do our work. But since there was a phone right next to the slow-closing security door, it was extremely simple to hold the phone to your ear, pretend to talk to someone, then slip in the door after someone left. This was the same plant that had a shooting back in '96. That nut got past security with a large gun, though -- not so useful for espionage.
[damned internet explorer posted my last (empty) message when I hit return in this text box. Bleah]
Anyway, this is all pretty standard stuff. I get asked to do this kind of stuff occasionally by my clients. It's highly fun work.
One of my buddies once hacked into his client by discovering that one of the employees at the client's ISP was running a warez site at the ISP, and got the employee into letting him install a sniffer on the client's line.
The trick with doing tiger team work is that you have to uncover weaknesses. No one hires a tiger team unless they suspect that they have a problem, and if you don't uncover a problem, they presume that you suck rather than that their security is actually good. Luckily, that's not a problem, because everyone has terrible security. Some are less terrible than others, but even when technical means fail, creative social engineering never does.
The basic problem is the existance of people who are, by nature, trusting. These people are the bane of good security. If you have a single one of these people, even in a lowly position like a janitor (who're great because they have almost unlimited physical access) or receptionist, the company's premises are left wide open. Optimists ensure that security professionals will forever be employable.
Some of you will recall that I'm CSO of an advertising company. We have servers at an ISP who pretends to good security. They've got palm-print scanners on all their doors, code keypads, badges, security guards, locked cages, the whole 9 yards. But since they have all this technical hoohaw, the people have gotten lazy. So the technical stuff doesn't mean a damn. One day, I accidentally locked myself out of my cage. So I pulled out my lockpicks (which I always have on hand) and just picked the lock. Now I'm not particularly good with lockpicks, just being at the level of hobbiest. I can get most locks open, but it can sometimes take me an hour of uninterrupted work when I'm on a difficult lock. But I was able to get that cage open in about 20 seconds. A camera was looking right at me the whole time, and no one came to investigate. And here I am, a shabby looking character with long hair, bushy beard, and a leather jacket. And a handy set of lockpicks on hand. That should've raised a bunch of eyebrows back at the security desk. But, no.
-- Nolite audere delere orbiculum rigidum meum.
I once contracted at a large company that was so paranoid, contractors had to be re-badged every six months, the firewall only passed http and email, and there were even rules about leaving your workstation logged in and sending sensitive info via text page! Yet they had a serious tailgating problem. Headhunters would routinely sneak in to make the rounds. Nothing was done until valuable personal items started disappearing from people's desks at several locations, and security decided that the thief was a tailgater. They had the receptionists crack down, and launched an educational campaign. So it became much harder to sneak in -- for a while. Don't work there anymore, but once the thefts stopped, I doubt if people remained careful.
I remember once, in high school, I was trying to hack around into our Novell 3.11 network that was connected to a WAN that had 22 high schools and about 180 elementary schools hooked up to it. (It was pretty sweet back then!). I had done all of the hacking from the library in open sight (I mean, a hacker wouldn't possibly do that, right? So mustn't have been one... ;P) and I made friends with the librarians as well. One day (after I learned of the 'server debug mode') I realized that if I could just get physical access to the server (which was in one of the rear librarian's only rooms) I'd be all good. So I just got up courage, and walked straight in! Walked up to the server, did the deed, walked back to my machine, logged in, returned to the server, removed the deed, stopped to say hi to one of the librarians on the way out and back to the computer, now logged in as Supervisor. Of course, because of really really stupid network admins at the board office, it was rediculously easy to get access to the master network at the board office as well. I ended up using a brute force password hacker and got 320 of 540 passwords, including 5 supervisor-equiv accounts. I ended up phoning up the head of the network admin at the board (who was rumoured to be a cool guy), got his voicemail and said "Hey, I think we need to talk. I'm such and such from such and such high school and I wanted to talk to you about network security. Please call me back here, and by the way, I hear that Greece is wonderful this time of year" (His password, of course, was "Greece"). Needless to say I got a phone call back pretty quickly saying "Hi. Let's talk."
Ahhh, back to the good old days.
If God gave us curiosity
i got tailgated a few months ago on a saturday morning. he was a workman, rebuilding an office. he was sitting on a lounge in reception, and watched me as i entered the building with my swipe card. he snuck in behind me just as the door was closing.
i was incredibly paranoid about it (i'm a 22 year old female, and very few people were in the building at the time) and was going to call security until about a half hour later when i saw security running around trying to find the guy.
he turned out to be just a builder but it's scary how long the response took.
Nodwick from a few days ago.
-l
For obvious reasons, I can't say where I am... but a couple days ago a picture of a guy carrying a HUMONGOUS CAT in the lunch room of this secure installation was found... Brass hasn't come down with final regs yet, but we're locking up tight!
Posting anonymously for fear of ... well, nobody there reads /. but some of them use search engines :)
If that's the place you're talking about, I worked there very recently, and things have gotten even worse. The guards in the main lobby no longer look for a split second, and the network & information security is mostly dealt with by stupid and incapable people (although there are good people there, but by-and-large they're not in charge).
People can still get access passes by saying they're going to the library, and they're told they have to hang the passes around their necks. This is of course untrue; many people stick the passes in their pockets and can go anywhere. What's more, of course, you can wander around the building, possibly collecting valuable computer equipment from random people's offices (they lose laptops on a reasonably regular basis), without getting a pass at all, so long as you go in in regular business hours. :)
But I digress. At least they're not as bad as my first government job, working as a ship cleaner. anybody with a hardhat could get past that post: which after all was the main gate of a military base. take a left instead of walking straight, find yourself in the ammo dump. man, I am amazed the IRA never raided that place :)
Heh... what a great job!
Back in '77 after the first "break-up" of Pacific Bell, I was a telecommunications tech at a small interconnect in Santa Clara, CA (i.e. Silicon Valley), one of three troubleshooters in the company, so I usually worked alone. We had no company uniforms or other identifying paraphernalia, but my tool belt was my "badge".
We sold state of the art (for the time. eh?) NEC microprocessor controlled, time division multiplex phone switches, and smaller office sized systems. Our switches kicked Pac Bell's ass, they ruled because the telcos in the USA we still in the dark ages.
Anyhow, my territorry was from San Francisco (and the rest of the Bay Area) to Montery, we had phone systems in many high tech companies, so I was steeped in the culture.
It didn't take me long to observe that I could go virtually anywhere in most of these companies, without question. Often even without a visitors security badge, company employees, and even security guards would open doors for me if my hands were full.
It seemed that my tool belt and butt set (Linemans test set) hanging off of it, was all I needed to have the run of the place. I started to play a "game", to see just how good their "security" was.
So here I am, this spikey haired punk rocker, in street clothes, but with my tool belt, butt set, and a professional attitude, walking up to a security guard and saying to him, "Hey, I need to look in that locked room over there to see if there is any phone equipment in there.".
They allways walked over and opened it for me without question, and then walked away reminding me to lock it when I was done. I did this just for grins at many of the companies I visited.
In those days, computers were still refrigerator sized, and filled large, lead lined, air conditioned rooms with raised floors, with lots of cabling under them, tended to, by clean-cut guys in long white lab coats (no kidding). And every company had a security guard at the door of these special rooms.
One day I screwed up my courage and decided to see if I could gain access to one, I had zero reasons to go in there, since there was never phone equipment in these rooms. I nervously walked up to the door, looked the security guard in the eye, and he glanced at my tool belt and test set, and opened the door for me without a word between us!
Next thing you know, I'm wandering around this large computer room, pretending to look like I know what I'm doing. None of the guys in there even pretended to notice me, I could have done what ever I wanterd, and nobody would have questioned what I was doing.
At work, I started to brag about how people were so easily manipulated by "normal" circumstances. None of my coworkers believed me, they were just like the people in these companies, they were non-observent.
One day, I needed some help, so I brought my boss along. We finished up our job and as we were walking out, I reminded him of my discovery, he said "bullshit!" . So I said "follow me", and walked toward the big computer room.
The security guard didn't bat an eye, and unlocked the door for us without a word. I was the only one with a tool belt, my boss was also in street clothes, we could have been anybody, but the magic tool belt, butt set combo got me through again.
My boss was blown away, and was also very nervous about being in this formerlly taboo computer room, so we exited. On the way out of the building, I couldn't resist, and stopped at random and asked the closest security guard to please open "that closet, over there", he of course, complied.
My boss was very impressed, but wasn't at all happy that I was doing this for "fun", and the next morning at work, I was admonished to never do "that" again.
I guess my point is, that people are easily fooled by normal seeming circumstances, and that security is often a Paper Tiger.
If it don't GO... chrome it. ~ Frank Banks
A while back Microsoft was in town running a conference. One of the gigs they had was a little party out at a local theme park. I copied my mate's ID card, and we waltzed up to the gate. We were let through without even being asked for ID, and we were free to enjoy the food and rides all night. :-)
Complete story.
Umm. so how about fastening them down to the desktop? There are locks for that purpose, you know.
How about cleaning off the keytops. Then coming back the following day to dust for prints. Works on password keypads.
It could also get grusome. Retina scan..is that eye attached to anything? Fingerprint/handprints...is that hand attached to a person?
Cute. Retina scans read blood vessel patterns in the back of the eye - the old Demolition Man trick wouldn't work. Handprints are another story.
As for the biometrics thing: It's a whole lot easier for me to change my PIN than my fingerprints.
Magius_AR
Until recently, I was a network admin consultant. Part of the services I provided was securing the network systems. I would test their physical security and find the holes as well as the digital security. You would be amazed at how easy it is to walk in and out of manufacturing centers, and data centers. I even took my wife in once, just to prove that it could be done. Of course, things are a little tighter now, but not impossible.
We now return you to your regularly scheduled moment of insanity...
It's the introduction to a true story. :)
Looking for freelance Actionscript (Flash/Flex) or ColdFusion work and/or freelance developers. Email me, put Slashdot
Funny, funny. But really, you couldn't accomplish a continuing intrusion that way. Chopping people up is rather noticable, bodies laying about and all. The real value for an intruder of rooting a system is keeping it rooted for an extended period, while undetected. Seems the same would be true of rooting a secure area. Like, even in a nuclear power plant where gaining entry to the area would theoretically allow the intruder to accomplish a one-shot destructive act, don't you figure that repeated access to the area would be necessary for the intruder to learn the proper procedures and codes? He/she'd want to plant cameras, bugs, etc., then come back. That severed arm is not going to be re-usable for that purpose, as poor Joe who turned up armless and dead is off the access list immediately.
* * *
No, no, no. This is not a sig.