Slashdot Mirror


Undercover Hacking, For Money

Dollyknot writes: "Amusing story of a guy employed by IBM to check companies' security out by trying to con his way onto their premises." This sounds like a fun job, to say the least, and supplies at least two good reasons to own a digital camera.

8 of 246 comments

  1. Always Get Past Security by feydakin · Score: 4, Funny

    Just wear a pizza delivery shirt and carry a big red bag.. Never fails, everyone trusts the pizza guy..

    --
    Death and poverty like me so much, they've brought friends!
  2. See also... by gmaestro · Score: 5, Interesting

    The Happy Hacker has a cool account of a social engineering break-in on the website. I believe this is from Meinel's book Uberhacker in the chapter on social engineering, including an actual break-in to a Fortune 500 company.

    as if i'm not paranoid enough!

  3. Re:Kinda like Sneakers.... =-) by phillymjs · Score: 5, Insightful

    Sneakers was a way cool movie, still very watchable and re-watchable even as it approaches 10 years old. Very entertaining, and has a very low head-shake count (i.e. elements that make you shake your head in disgust because they are ridiculously unfeasible, or where the technology is insultingly dumbed-down so the unwashed masses will 'get' it). An example of a movie with a high head-shake count, BTW, would be Hackers-- because among many other things, I've never met a geek that looked like Angelina Jolie, and never seen a Macintosh PowerBook Duo with an Intel CPU.

    ~Philly

  4. Some of his tactics aren't hard to employ at all. by thesolo · Score: 5, Interesting

    At my last job, my boss was very slow in getting me an ID badge, even a temporary guest pass, so that I could swipe myself in. Employees should have one immediately, but it took him over 3 weeks to get me a temporary badge. So what did I do in the meantime? I snuck my way into the building, every day.

    For the first few days, I had security let me in, but they got real frustrated with checking me in. So every morning, I would park my car, get out, and start towards the side door, which happened to be closest to the IT department. I would then try to find someone who was walking towards that door and high-tail it behind them.
    If no one was going into the building at that time, I'd stop, pretend to take a phone call on my cell, or tie my shoes repeatedly, until someone walked past me, and then I'd just walk quickly behind them so they would hold the door for me.

    Not once during those 3 weeks did I ever get questioned by anybody, which surprised me greatly, especially considering I was about 20 years younger than anyone else at the company, and I have facial piercings.

    The moral of the story is that the overall trusting nature of humans is very easy to exploit, and this guy obviously shows off that point on a daily basis. Maybe we all should be a little more wary...

  5. My experiences in the Canadian Gov't by illusion_2K · Score: 5, Interesting

    Although this article definitely shouldn't come as any surprise to anyone with even a marginal interest in information or any other type of security. Back in the day (early nineties), I was able to read loads of textfiles on all the local hacking BBS's about social engineering.

    Notwithstanding all of that though, it's kind of funny to see exactly how physical security is implemented these days. Back at my old job in the Canadian government (the department shall remain nameless), this stuff was nothing but a joke. Although you could certainly see that attempts were made at making things secure, like with the ID cards with the digital picture and magnetic swipe thing, it didn't really make much of a difference in the end. Firstly the only verification system that was used on these was to flash them at the rent-a-guards who sat all day long at the entrances. By this I mean that they would literally look at it for a split second - hardly enough time to even read the expiry date or even have a good look at the photo on the card. Case in point, after quitting, a friend of mine made a copy of his card on cardboard and was able to use that to get in without any trouble.

    Another strange thing was the departmental library. It was actually located within the building that I worked in on the second floor. Thus anyone (who knew about it) could walk up to the guards in the main lobby asking for access to it. They would then have to lend a piece of ID and write down their name, number, etc... and they'd get a library pass. This would essentially give them access to the entire building, as there wasn't any verification that they were sticking to the library. I ended up using this method of entry a few times to visit friends while I was at school in another part of the country.

    Anyway, I could rant on about it all night, but in the end it just came down to the fact that the people implementing the physical security were subcontracting to a bunch of dumbasses. Other things like network/information security were dealt with by intelligent and capable people for the most part, but I won't get into the whole weakest link discussion.

  6. who needs a disguise? by bigmaddog · Score: 5, Funny

    I say this man goes to too much trouble to infiltrate these offices. At my former office, a bum walked in off the street, went straight through reception and out the back door with a $3000 laptop full of somewhat confidential information. Just some smelly guy in a dirty trenchcoat. I wonder what the receptionist thought when he passed by; that he was a programmer?

    --

    Even as you read this, your pants are strangling your loins! Aaa!

  7. Tight security by einhverfr · Score: 4, Informative

    There are a few ways to make a complex secure:

    1: Require cardkeys to park a vehicle. This makes it more inconvenient for an attacker. Better yet, require an ID badge to bring a vehicle into all premises except for deliveries (restrict to a small area).

    2: Think choke points and isolation levels. Always assume that at least one level of security will be broken and plan for it.

    3: Keep the teams that have access to high security areas small and ensure that they know each other. This helps there.

    4: Electronically monitor server rooms. Cardkey and camera should be used for surveillance and there should not be a reason for maintenance workers to have access to the server rooms at all.
    This means no garbage cans permanently stationed there. If janitors have access, then they become the weakest link...

    I am actually surprised how many problems people have protecting their server rooms...

    --

    LedgerSMB: Open source Accounting/ERP
  8. I do this for a living too. by kemster · Score: 5, Funny

    My neighbors pay me to do this as well. I check out their home security on a nightly basis. Usually they don't have the cash laying around to pay me, so I just grab TV's, VCR's, computers, etc, as payment. Of course, the way we play the game, if they catch me breaking in they call the police, but otherwise I get to keep the stuff. It's real fun, you guys should play with your neighbors..