Slashdot Mirror


Undercover Hacking, For Money

Dollyknot writes: "Amusing story of a guy employed by IBM to check companies' security out by trying to con his way onto their premises." This sounds like a fun job, to say the least, and supplies at least two good reasons to own a digital camera.

22 of 246 comments

  1. Kinda like Sneakers.... =-) by grape+jelly · · Score: 3, Informative

    Does anybody here remember the movie Sneakers? It's a bit old (1992), but still very good. A team of guys normally hired to physically break into places to prove it can be done and find weaknesses in security are hired for a slightly more illegal mission than their usual fare -- to steal a mysterious black box from a famous mathematician. While screwing around with it, they find it is a mathematical wonder capable of bypassing any US encryption system. Great geek movie, and definitely underrated in this review. =-)

    1. Re:Kinda like Sneakers.... =-) by phillymjs · · Score: 5, Insightful

      Sneakers was a way cool movie, still very watchable and re-watchable even as it approaches 10 years old. Very entertaining, and has a very low head-shake count (i.e. elements that make you shake your head in disgust because they are ridiculously unfeasible, or where the technology is insultingly dumbed-down so the unwashed masses will 'get' it). An example of a movie with a high head-shake count, BTW, would be Hackers-- because among many other things, I've never met a geek that looked like Angelina Jolie, and never seen a Macintosh PowerBook Duo with an Intel CPU.

      ~Philly

  2. Always Get Past Security by feydakin · · Score: 4, Funny

    Just wear a pizza delivery shirt and carry a big red bag.. Never fails, everyone trusts the pizza guy..

    --
    Death and poverty like me so much, they've brought friends!
  3. See also... by gmaestro · · Score: 5, Interesting
    The Happy Hacker has a cool account of a social engineering break-in on the website. I believe this is from Meinel's book Uberhacker in the chapter on social engineering, including an actual break-in to a Fortune 500 company.

    as if i'm not paranoid enough!

  4. Frightening thought.... by ZaneMcAuley · · Score: 3, Funny

    What if they suddenly tell you "Oh, there you are. You have a company presentation in 5 mins... come with me..." erm oO(OH SHIT) :)

    --
    ----- Whats wrong with this picture? http://www.revoh.org:1234/whatswrong
  5. Some of his tactics aren't hard to employ at all. by thesolo · · Score: 5, Interesting

    At my last job, my boss was very slow in getting me an ID badge, even a temporary guest pass, so that I could swipe myself in. Employees should have one immediately, but it took him over 3 weeks to get me a temporary badge. So what did I do in the meantime? I snuck my way into the building, every day.

    For the first few days, I had security let me in, but they got real frustrated with checking me in. So every morning, I would park my car, get out, and start towards the side door, which happened to be closest to the IT department. I would then try to find someone who was walking towards that door and high-tail it behind them.
    If no one was going into the building at that time, I'd stop, pretend to take a phone call on my cell, or tie my shoes repeatedly, until someone walked past me, and then I'd just walk quickly behind them so they would hold the door for me.

    Not once during those 3 weeks did I ever get questioned by anybody, which surprised me greatly, especially considering I was about 20 years younger than anyone else at the company, and I have facial piercings.

    The moral of the story is that the overall trusting nature of humans is very easy to exploit, and this guy obviously shows off that point on a daily basis. Maybe we all should be a little more wary...

  6. Similar to this....... by whanau · · Score: 3, Informative

    If you liked this story on physical hacking I suggest a trip to infiltration.com. It contains guides and how-to-like articles for sneaking into hotels, exploring hospitals, derelict buildings and the like. Excellent reading for the armchair sneaker.

  7. Re:The ultimate dream job.. by Dyolf+Knip · · Score: 3, Interesting

    would be if a company were to pay to sabotage a competitor's web site. I suppose that whole illegal thing gets in the way. Alternatively, it sure would be nice to be paid to test a company's security

    I can imagine a scenario where two competitors that are on good terms with one another (or even two totally unrelated companies) might 'ritualize' assaults on one another's security. Set up rules, designate targets, award prizes to the team or individual that carries out the sneak, that sort of thing. It's fun and points out flaws in security. Much better than a lousy 'Employee of the Month' award.

    --
    Dyolf Knip
  8. Double Standards by purduephotog · · Score: 3, Insightful

    I work for Corporate America

    In one sentence our values dictate respect for our fellow employees.

    In another, we are to firmly question anyone that 'does not belong' or is unexpected.

    Recently our company hired a new diversity 'expert', and she was 'aghast' at the way fellow employees treated each other in the hallways.

    Now I ask all of you sentient people... how should we react when confronted with someone we neither recognize nor know, and how do we fulfill both of the philosophies?

    I used to work in a secure area, where if someone knocked I'd let them in but question and deliver them to the person they wanted... but now it's an open area- thus I don't exactly know the 250 people I now work with. Frankly the stress isn't worth it- any single one of them could be an auditor waiting to 'sneak up' and get you reported to upper management- it isn't fair.

  9. My experiences in the Canadian Gov't by illusion_2K · · Score: 5, Interesting

    Although this article definitely shouldn't come as any surprise to anyone with even a marginal interest in information or any other type of security. Back in the day (early nineties), I was able to read loads of textfiles on all the local hacking BBS's about social engineering.

    Notwithstanding all of that though, it's kind of funny to see exactly how physical security is implemented these days. Back at my old job in the Canadian government (the department shall remain nameless), this stuff was nothing but a joke. Although you could certainly see that attempts were made at making things secure, like with the ID cards with the digital picture and magnetic swipe thing, it didn't really make much of a difference in the end. Firstly the only verification system that was used on these was to flash them at the rent-a-guards who sat all day long at the entrances. By this I mean that they would literally look at it for a split second - hardly enough time to even read the expiry date or even have a good look at the photo on the card. Case in point, after quitting, a friend of mine made a copy of his card on cardboard and was able to use that to get in without any trouble.

    Another strange thing was the departmental library. It was actually located within the building that I worked in on the second floor. Thus anyone (who knew about it) could walk up to the guards in the main lobby asking for access to it. They would then have to lend a piece of ID and write down their name, number, etc... and they'd get a library pass. This would essentially give them access to the entire building, as there wasn't any verification that they were sticking to the library. I ended up using this method of entry a few times to visit friends while I was at school in another part of the country.

    Anyway, I could rant on about it all night, but in the end it just came down to the fact that the people implementing the physical security were subcontracting to a bunch of dumbasses. Other things like network/information security were dealt with by intelligent and capable people for the most part, but I won't get into the whole weakest link discussion.

  10. who needs a disguise? by bigmaddog · · Score: 5, Funny

    I say this man goes to too much trouble to infiltrate these offices. At my former office, a bum walked in off the street, went straight through reception and out the back door with a $3000 laptop full of somewhat confidential information. Just some smelly guy in a dirty trenchcoat. I wonder what the receptionist thought when he passed by; that he was a programmer?

    --

    Even as you read this, your pants are strangling your loins! Aaa!

  11. www.infiltration.org by jimarndt · · Score: 3, Interesting

    The website is www.infiltration.org. They haven't put out new issues for well over a year now though. Shame... great site.

  12. Tiger Teams by Repton · · Score: 3, Interesting

    If the Jargon File is anything to go by, this isn't exactly something IBM has only started doing recently.

    The entry on Tiger Teams provides the definition; the entry on patches gives the example story:

    There is a classic story of a tiger team penetrating a secure military computer that illustrates the danger inherent in binary patches (or, indeed, any patches that you can't -- or don't -- inspect and examine before installing). They couldn't find any trap doors or any way to penetrate security of IBM's OS, so they made a site visit to an IBM office (remember, these were official military types who were purportedly on official business), swiped some IBM stationery, and created a fake patch. The patch was actually the trapdoor they needed. The patch was distributed at about the right time for an IBM patch, had official stationery and all accompanying documentation, and was dutifully installed. The installation manager very shortly thereafter learned something about proper procedures.
    --
    Repton.
    They say that only an experienced wizard can do the tengu shuffle.
  13. Tight security by einhverfr · · Score: 4, Informative

    There are a few ways to make a complex secure:

    1: Require cardkeys to park a vehicle. This makes it more inconvenient for an attacker. Better yet, require an ID badge to bring a vehicle into all premises except for deliveries (restrict to a small area).

    2: Think choke points and isolation levels. Always assume that at least one level of security will be broken and plan for it.

    3: Keep the teams that have access to high security areas small and ensure that they know each other. This helps there.

    4: Electronically monitor server rooms. Cardkey and camera should be used for surveillance and there should not be a reason for maintenance workers to have access to the server rooms at all.
    This means no garbage cans permanently stationed there. If janitors have access, then they become the weakest link...

    I am actually surprised how many problems people have protecting their server rooms...

    --

    LedgerSMB: Open source Accounting/ERP
  14. Funny that it's IBM by joenobody · · Score: 3, Interesting
    I worked at IBM in Schaumburg, IL a year or so ago. They've got a huge data center called "IBM Global Services" or "AT&T Global Services" depending who you asked. Anyways, it was nice working there: light work and an internet connection that loaded pages about as fast as I could click links.

    Anyways, this building was almost totally insecure. They've got a bank of elevators with two entrances, north and south. In the day you can walk up to either, say that you're a consultant and forgot your page, sign a fake name and a random floor number and you're in. At night this isn't necessary- they close one entrance and the sole guard is almost always napping. Reach over the desk to hit the door unlatch and there's a whole building full of computers awaiting you, with a loading dock you don't have to pass security to get to.

    I'm sure they knew this when I worked there: I showed up one day to find my monitor moved from atop my PC and the case ajar. I opened it up, and found that someone had taken all my RAM.

    --

  15. Re:The ultimate dream job.. by phillymjs · · Score: 3, Funny

    ...designate targets...

    I can just see that going too damned far...

    The competing company's CIO settles into the limo for the early-morning ride to the airport to catch his flight to that trade show. Quickly becoming engrossed in some reports on his laptop, he doesn't notice anything amiss until the driver doesn't take the airport exit. As the CIO starts to protest, the door locks slam home and the partition goes up. Then the knockout gas starts coming out of the air vents...

    ~Philly

  16. Re:Some of his tactics aren't hard to employ at al by NeMon'ess · · Score: 3, Interesting
    I've had fun getting into the main computer lab after hours at UC Berkeley. After it's dark, 7pm or so, everyone going in is supposed to have a key card. The elevators and stair shafts also need them. I don't even attend UCB but was wondering if my friend was in there that night when he wasn't at his apartment. The comp lab is on the second floor which is underground and has no cell phone reception. After I tailed in following a guy with a card, I went to the elevator and went in. Going in is no problem, but to get it to move to your floor requires a card. I stood around for a minute, and then it moved. Although I hadn't used a card, because someone else called the elevator, it went to their floor. All I had to do was act as though I was going to a different floor and wait until someone called the elevator to the second floor. With security like this, I don't think anyone malevolent will have the slightest problem getting in there anytime soon.

  17. I do this for a living too. by kemster · · Score: 5, Funny

    My neighbors pay me to do this as well. I check out their home security on a nightly basis. Usually they don't have the cash laying around to pay me, so I just grab TV's, VCR's, computers, etc, as payment. Of course, the way we play the game, if they catch me breaking in they call the police, but otherwise I get to keep the stuff. It's real fun, you guys should play with your neighbors..

  18. Historical hacking at Stanford, KU by mesocyclone · · Score: 3, Interesting
    Back in 1968, I used to "borrow" Stanford University's IBM 1620. At the time, I wasn't a student - in fact I was an active duty Navy flyer at nearby Moffett Field. But I wanted to hack and the base had a book on 1620 machine language.


    My approach was to go late at night, find a janitor, and tell him I lost my key. It worked every time - no ID required. I would then have the computer to myself for hours. One time, about 3 AM, a researcher (I assume :-) came in, saw me, apologized, and said he would come back when the machine was not in use. Being a nice guy, I told him I was done and let him have it.


    During that same year, I also used the Stanford IBM 360/67 (an OS with a VMM while Bill Gates was in grade school) to do a bunch of personal programming. There, an ID from an out-of-town for the year grad student did the job.


    Meanwhile, my friends at the University of Kansas (which had a rare GE-625), wanted source of the OS to improve their attacks on the OS. One of them found out the tape numbers by looking at printouts in a public place. He then ran jobs when times were busy to copy those tapes to his own... every once in a while so as to not draw suspicion. Then, he later printed out the whole thing, again in little bits. Thus when I later went there, we had source of the whole OS. We used that to find a number of holes, although GECOS-III was surprisingly well designed for security. In fact, the CIA used it for that reason, and it was chosen for the World Wide Military Command and Control System (WWMCCS). As a result of our hacking, one of us later got a call, out of the blue, from a CIA recruiter who knew of the exploits and was looking to hire him for a white-hat hacking job. This was in 1970.
    Social engineering works!

    --

    The only good weather is bad weather.

  19. Damn reminds me of the good old days! by Telek · · Score: 3, Interesting

    I remember once, in high school, I was trying to hack around into our Novell 3.11 network that was connected to a WAN that had 22 high schools and about 180 elementary schools hooked up to it. (It was pretty sweet back then!). I had done all of the hacking from the library in open sight (I mean, a hacker wouldn't possibly do that, right? So mustn't have been one... ;P) and I made friends with the librarians as well. One day (after I learned of the 'server debug mode') I realized that if I could just get physical access to the server (which was in one of the rear librarian's only rooms) I'd be all good. So I just got up courage, and walked straight in! Walked up to the server, did the deed, walked back to my machine, logged in, returned to the server, removed the deed, stopped to say hi to one of the librarians on the way out and back to the computer, now logged in as Supervisor. Of course, because of really really stupid network admins at the board office, it was ridiculously easy to get access to the master network at the board office as well. I ended up using a brute force password hacker and got 320 of 540 passwords, including 5 supervisor-equiv accounts. I ended up phoning up the head of the network admin at the board (who was rumoured to be a cool guy), got his voicemail and said "Hey, I think we need to talk. I'm such and such from such and such high school and I wanted to talk to you about network security. Please call me back here, and by the way, I hear that Greece is wonderful this time of year" (His password, of course, was "Greece"). Needless to say I got a phone call back pretty quickly saying "Hi. Let's talk."

    Ahhh, back to the good old days.

    --

    If God gave us curiosity
  20. Very appropriate comic... by Loligo · · Score: 3, Funny

    Nodwick from a few days ago.

    -l

  21. False security... by Talkischeap · · Score: 3, Insightful



    Heh... what a great job!

    Back in '77 after the first "break-up" of Pacific Bell, I was a telecommunications tech at a small interconnect in Santa Clara, CA (i.e. Silicon Valley), one of three troubleshooters in the company, so I usually worked alone. We had no company uniforms or other identifying paraphernalia, but my tool belt was my "badge".

    We sold state of the art (for the time. eh?) NEC microprocessor controlled, time division multiplex phone switches, and smaller office sized systems. Our switches kicked Pac Bell's ass, they ruled because the telcos in the USA were still in the dark ages.

    Anyhow, my territory was from San Francisco (and the rest of the Bay Area) to Monterey, we had phone systems in many high tech companies, so I was steeped in the culture.

    It didn't take me long to observe that I could go virtually anywhere in most of these companies, without question. Often even without a visitors security badge, company employees, and even security guards would open doors for me if my hands were full.

    It seemed that my tool belt and butt set (Lineman's test set) hanging off of it, was all I needed to have the run of the place. I started to play a "game", to see just how good their "security" was.

    So here I am, this spikey haired punk rocker, in street clothes, but with my tool belt, butt set, and a professional attitude, walking up to a security guard and saying to him, "Hey, I need to look in that locked room over there to see if there is any phone equipment in there.".

    They always walked over and opened it for me without question, and then walked away reminding me to lock it when I was done. I did this just for grins at many of the companies I visited.

    In those days, computers were still refrigerator sized, and filled large, lead lined, air conditioned rooms with raised floors, with lots of cabling under them, tended to, by clean-cut guys in long white lab coats (no kidding). And every company had a security guard at the door of these special rooms.

    One day I screwed up my courage and decided to see if I could gain access to one, I had zero reasons to go in there, since there was never phone equipment in these rooms. I nervously walked up to the door, looked the security guard in the eye, and he glanced at my tool belt and test set, and opened the door for me without a word between us!

    Next thing you know, I'm wandering around this large computer room, pretending to look like I know what I'm doing. None of the guys in there even pretended to notice me, I could have done whatever I wanted, and nobody would have questioned what I was doing.

    At work, I started to brag about how people were so easily manipulated by "normal" circumstances. None of my coworkers believed me, they were just like the people in these companies, they were non-observant.

    One day, I needed some help, so I brought my boss along. We finished up our job and as we were walking out, I reminded him of my discovery, he said "bullshit!" . So I said "follow me", and walked toward the big computer room.

    The security guard didn't bat an eye, and unlocked the door for us without a word. I was the only one with a tool belt, my boss was also in street clothes, we could have been anybody, but the magic tool belt, butt set combo got me through again.

    My boss was blown away, and was also very nervous about being in this formerly taboo computer room, so we exited. On the way out of the building, I couldn't resist, and stopped at random and asked the closest security guard to please open "that closet, over there", he of course, complied.

    My boss was very impressed, but wasn't at all happy that I was doing this for "fun", and the next morning at work, I was admonished to never do "that" again.

    I guess my point is, that people are easily fooled by normal seeming circumstances, and that security is often a Paper Tiger.

    --
    If it don't GO... chrome it. ~ Frank Banks