Undercover Hacking, For Money
Dollyknot writes: "Amusing story of a guy employed by IBM to check companies' security out by trying to con his way onto their premises." This sounds like a fun job, to say the least, and supplies at least two good reasons to own a digital camera.
as if i'm not paranoid enough!
He doesn't mention in the article whether any of them use layered security. As you cannot expect humans to be infallible, shouldn't layers be built up around critical infrastructure, so if they get past reception or the first security door, they still don't have full roam of the business. Extra security should be provided around critical points such as server rooms, closets etc, and a limited number of people provide access, and know reason of letting the serviceperson have access.
At my last job, my boss was very slow in getting me an ID badge, even a temporary guest pass, so that I could swipe myself in. Employees should have one immediately, but it took him over 3 weeks to get me a temporary badge. So what did I do in the meantime? I snuck my way into the building, every day.
For the first few days, I had security let me in, but they got real frustrated with checking me in. So every morning, I would park my car, get out, and start towards the side door, which happened to be closest to the IT department. I would then try to find someone who was walking towards that door and high-tail it behind them.
If no one was going into the building at that time, I'd stop, pretend to take a phone call on my cell, or tie my shoes repeatedly, until someone walked past me, and then I'd just walk quickly behind them so they would hold the door for me.
Not once during those 3 weeks did I ever get questioned by anybody, which surprised me greatly, especially considering I was about 20 years younger than anyone else at the company, and I have facial piercings.
The moral of the story is that the overall trusting nature of humans is very easy to exploit, and this guy obviously shows off that point on a daily basis. Maybe we all should be a little more wary...
You'd be surprised how many large corporations employ folks in their security departments whose sole purpose in life is to break into company sites, or data, or their partner's sites. The guys who do Physical Security rely on Social Engineering like this guy is reported to do, or even simpler means like tailgating or even trying to pick the lock.
It's pretty cool, but there's a lot more time writing up reports about the intrusion than there is actually doing intrusions.
Never attribute to malice what can as easily be the result of incompetence...
would be if a company were to pay to sabotage a competitor's web site. I suppose that whole illegal thing gets in the way. Alternatively, it sure would be nice to be paid to test a company's security
I can imagine a scenario where two competitors that are on good terms with one another (or even two totally unrelated companies) might 'ritualize' assaults on one another's security. Set up rules, designate targets, award prizes to the team or individual that carries out the sneak, that sort of thing. It's fun and points out flaws in security. Much better than a lousy 'Employee of the Month' award.
Dyolf Knip
Two things, first one about Sneakers, or a real-life example of something like what they did:
At HoHoCon in Houston about 10 years ago, Erik Bloodaxe (formerly of LoD/H) talked about a deal ComSec (the company he and a couple of other former LoD guys started) did that involved breaking into a corporate network and printing themselves a check for $0.00 (and mailing it to themselves!), then presenting it to the company with a comment along the lines of "This could have been for 50 grand..."
I don't recall if they got the job.
Second, about Hackers:
I own Hackers on DVD for one reason only: The Hackers drinking game. Whenever you encounter something that trips the head-shake, drink.
I've never made it all the way through the movie on anything stronger than beer. Usually I'm done within 30-45 minutes. LOTS of "aw geez" in that one.
-l
Although this article definitely shouldn't come as any surprise to anyone with even a marginal interest in information or any other type of security. Back in the day (early nineties), I was able to read loads of textfiles on all the local hacking BBS's about social engineering.
Notwithstanding all of that though, it's kind of funny to see exactly how physical security is implemented these days. Back at my old job in the Canadian government (the department shall remain nameless), this stuff was nothing but a joke. Although you could certainly see that attempts were made at making things secure, like with the ID cards with the digital picture and magnetic swipe thing, it didn't really make much of a difference in the end. Firstly the only verification system that was used on these was to flash them at the rent-a-guards who sat all day long at the entrances. By this I mean that they would literally look at it for a split second - hardly enough time to even read the expiry date or even have a good look at the photo on the card. Case in point, after quitting, a friend of mine made a copy of his card on cardboard and was able to use that to get in without any trouble.
Another strange thing was the departmental library. It was actually located within the building that I worked in on the second floor. Thus anyone (who knew about it) could walk up to the guards in the main lobby asking for access to it. They would then have to lend a piece of ID and write down their name, number, etc... and they'd get a library pass. This would essentially give them access to the entire building, as there wasn't any verification that they were sticking to the library. I ended up using this method of entry a few times to visit friends while I was at school in another part of the country.
Anyway, I could rant on about it all night, but in the end it just came down to the fact that the people implementing the physical security were subcontracting to a bunch of dumbasses. Other things like network/information security were dealt with by intelligent and capable people for the most part, but I won't get into the whole weakest link discussion.
The website is www.infiltration.org; they haven't put out new issues for well over a year now, though. Shame... great site.
If the Jargon File is anything to go by, this isn't exactly something IBM has only started doing recently.
The entry on Tiger Teams provides the definition; the entry on patches gives the example story:
Repton.
They say that only an experienced wizard can do the tengu shuffle.
Anyways, this building was almost totally insecure. They've got a bank of elevators with two entrances, north and south. In the day you can walk up to either, say that you're a consultant and forgot your page, sign a fake name and a random floor number and you're in. At night this isn't necessary - they close one entrance and the sole guard is almost always napping. Reach over the desk to hit the door unlatch and there's a whole building full of computers awaiting you, with a loading dock you don't have to pass security to get to.
I'm sure they knew this when I worked there: I showed up one day to find my monitor moved from atop my PC and the case ajar. I opened it up, and found that someone had taken all my RAM.
It happens in Germany, at Siemens, the giant electrical engineering and electronics corporation. The über-boss, a member of the von Siemens family, an old man at the time, routinely used to test how easy it was to enter his company facilities (most of the employees had seen photographs of him). Once, he tried to enter a factory where he meets this old-guard janitor, a typical case of Prussian education. Von Siemens is denied entry, even when, having confirmed that the entrance was guarded well enough, he wanted to finally go into the factory. The old janitor kept on saying, "Yes, you are telling me you are von Siemens and you really look like him, but if you don't produce a valid ID, you are not entering this building."
Von Siemens had to wait until the following day and the janitor was promoted.
A couple of years ago, I was working late in the office one night (maybe 5:30 or so) and this woman came up to me asking me where the copy room was. I asked her if I could see her ID, because the company has a policy of visible ID at all times. She kind of chuckled and said it was on her desk. I didn't know what to do next, as I was relatively new with this company, so I asked her if I could see it (Mine was clipped to my belt). She agreed, and walked me around to the other side of the office to her *office*. A big office. She shows me her ID, I apologize for the inconvenience, but she says "no no...that's ok!"
;)
Monday, I show up at work and everyone is laughing at me. Turns out, I ID'd the new VP. Later that morning an email went around asking everyone to be more security conscious, and always ask someone you don't know for their ID.
It was sent out by the VP and corporate security.
People stopped laughing, and started asking for ID from those they didn't know.
Moral of the story: it doesn't hurt to ask someone to show their ID, and you never know who you'll be asking. (Plus, the brownie points are fabulous!)
My approach was to go late at night, find a janitor, and tell him I lost my key. It worked every time - no ID required. I would then have the computer to myself for hours. One time, about 3 AM, a researcher (I assume
During that same year, I also used the Stanford IBM 360/67 (an OS with a VMM while Bill Gates was in grade school) to do a bunch of personal programming. There, an ID from an out-of-town for the year grad student did the job.
Meanwhile, my friends at the University of Kansas (which had a rare GE-625), wanted source of the OS to improve their attacks on the OS. One of them found out the tape numbers by looking at printouts in a public place. He then ran jobs when times were busy to copy those tapes to his own... every once in a while so as to not draw suspicion. Then, he later printed out the whole thing, again in little bits. Thus when I later went there, we had source of the whole OS. We used that to find a number of holes, although GECOS-III was surprisingly well designed for security. In fact, the CIA used it for that reason, and it was chosen for the World Wide Military Command and Control System (WWMCCS). As a result of our hacking, one of us later got a call, out of the blue, from a CIA recruiter who knew of the exploits and was looking to hire him for a white-hat hacking job. This was in 1970.
Social engineering works!
The only good weather is bad weather.
I remember once, in high school, I was trying to hack around into our Novell 3.11 network that was connected to a WAN that had 22 high schools and about 180 elementary schools hooked up to it. (It was pretty sweet back then!). I had done all of the hacking from the library in open sight (I mean, a hacker wouldn't possibly do that, right? So mustn't have been one... ;P) and I made friends with the librarians as well. One day (after I learned of the 'server debug mode') I realized that if I could just get physical access to the server (which was in one of the rear librarian's only rooms) I'd be all good. So I just got up courage, and walked straight in! Walked up to the server, did the deed, walked back to my machine, logged in, returned to the server, removed the deed, stopped to say hi to one of the librarians on the way out and back to the computer, now logged in as Supervisor. Of course, because of really really stupid network admins at the board office, it was ridiculously easy to get access to the master network at the board office as well. I ended up using a brute force password hacker and got 320 of 540 passwords, including 5 supervisor-equiv accounts. I ended up phoning up the head of the network admin at the board (who was rumoured to be a cool guy), got his voicemail and said "Hey, I think we need to talk. I'm such and such from such and such high school and I wanted to talk to you about network security. Please call me back here, and by the way, I hear that Greece is wonderful this time of year" (His password, of course, was "Greece"). Needless to say I got a phone call back pretty quickly saying "Hi. Let's talk."
Ahhh, back to the good old days.
If God gave us curiosity