Stealing Data? A Sniffer Shows it's Easy
museumpeace writes "Though it's not exactly a How-To of cracking into financial institutions, a few intriguing details are mentioned in a New York Times article, "The Sniffer vs. the Cybercrooks" (it's worth the cookie). From the article: "'Tell me the things you most want to keep secret,' Mr. Seiden challenged a top executive at the bank a few years back. ... A week later, Mr. Seiden again sat in this man's office in Manhattan, in possession of both supposedly guarded secrets.""
I think it's good that we see companies more involved and interested in tightening up their security. Most companies just buy expensive firewalls and other systems to protect their data, but ignore other obvious threats like someone just walking into their offices, sitting down at an unused workstation and browsing around the company's network. Security is multi-layered and a continuous process. That means even if they went through a security audit and everything was OK, they shouldn't stop improving their security; there's always a fast-paced race between those who protect and those who will try to get past that protection. I hope this story gives other companies that don't care about security a real reason to have an audit in the very near future.
During my career, I have worked as a break/fix tech. I have worked for a university, the federal government, and the private sector.
;-) "Oh, ok. You look honest." He actually told me I looked honest, so it was ok! From there I found the office I wanted, no one was there. I was to swap out a couple of hard disks, so I did. Many people poked their head in, joking along the way, "Hey! You don't look like XXXXXXXX! Unless he's shrunk! hahaha!" One even to see "what does a hard disk look like?" No one questioned me from there.
Due to the nature of the job it is difficult to get passes or keys to move around immediately, especially into secure areas. So you put on your charm and off you go.
It is very easy to take things. Just look like you know what you are doing and where you are going.
Be presentable and nice, be friendly with the receptionists/secretaries/admin, and you can go anywhere.
I have been let into computer rooms that are supposedly secure, I have been assisted by security guards in loading computer gear into my car, I have had secretaries hold doors on elevators so I could get stuff in. I'm talking thousands upon thousands of $$$ worth of stuff. All of them took my word for it, never questioning or phoning to find out. I have never had to show ID.
I have actually had one employee of a major oil corporation watch me follow him in through the doors, ask me, "Where are you going? Who are you?"
This was going into their engineering areas, from which I'm sure numerous other oil companies would love to see the data.
I replied that I am a computer tech and visiting XXXXXXX. "Who? Are they on this floor?" "Yeah, they are, around the corner." (I really only had an office number
Many, too many to count, I have just knocked on the door and asked for Mr. S.A.S. "Oh, I'm here to take a look at his computer, he said it wasn't working. Can I see it?" Then they lead me to the office, in which Mr. S.A.S. isn't there. "Well, I'll just start and he'll come back and I'll let him know. Thanks." Then they leave.
It doesn't matter how secure it is, like the article points out, being sociable gets you lots of open doors.
Crazy part is that I pride myself on this "talent." It's much simpler to talk your way through than to have to run all over getting ok's and escorts into areas.
...act as if you know what you're doing and you can walk out with the computers, too.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Just walk around the company with a clipboard. If anyone confronts you, ask for their name, look pissed off and scribble on the clipboard ;)
"I disapprove of what you say, but I will defend to the death your right to say it." - Voltaire
One time I was working as a temporary IT monkey at the company which had decided to change something to do with its email (I forget what exactly). It involved basically going around every computer on the site (which was big) and manually changing the settings on Outlook for each one. I was a temp and hadn't been there long so I didn't have an ID card or a door swipe card. Also, it was dress-down Friday so I wasn't wearing a smart shirt or tie - just jeans and a t-shirt. Eventually we got to the marketing department - which I'd never been to, nobody there would have a clue who I was - and the guy who was my partner on this particular excursion from the IT department said "You do that end of the corridor, I'll go down here and do these ones".
So there's me - I could basically have been any random guy off the street - asking these marketing ladies who didn't have the faintest clue who I was if I could temporarily use their computer to change their email settings. And they all happily obliged.
I'm told security's been tightened since.
qntm.org
In practice, almost no organization is going to install all of the above. Even the US Government, which is not short of ready cash, is getting far poorer grades on their network security audits than they should.
However, if you define the "target" or "ideal" security schema, then you have something you can compare against. IMHO, the above description is the "ideal", in that it is unlikely that anyone would be able to break in using technological methods.
The remaining problem - social engineering - is not something you can program against. The description I outlined, if implemented in full, would provide enough checks and counter-checks to require someone using social engineering to get past several people, which raises the bar a little but does not make it hard enough.
("Hard Enough" is defined here as making it an impractical method for typical IT situations.)
One of the main reasons that approaches like social engineering work is because of the overwhelming emphasis a lot of companies put on "customer service".
I worked for several years in corporate security (good money/awful job), and it was the cardinal sin to piss someone off. On one occasion, a white guy showed up on a weekend with a pass card with a Vietnamese woman's name on it that wasn't cleared for access to the floor he wanted to get onto, which was the executive floor of a bank, no less.
The ten minutes it took to verify this guy's identity were the cause of a major spat between him (he turned out to be a VP of some sort) and my employer (the building management) that took days to blow over.
Some of my colleagues would simply give in if someone was pushy enough. No one wants to be the person who said "No" to the wrong person, no matter what the circumstances.
That's right: I'm gumby dammit.
I hope that last line was a joke.
Using anti-personnel mines in the crawlspaces would make working down there rather risky, would probably be illegal in most civilised countries, and would do a lot of damage to your network infrastructure if an intruder or employee set them off.
Note: I'm known as plugwash most places, but I screwed up registering that here somehow in the past and now can't register.
That reminds me of the graphing calculator story:
http://www.pacifict.com/Story/
that says a lot about corporate security.
At any rate, the main point of the article is that there is a cost/benefit to security (security is expensive and can hamper productivity), but that most of the time people/corporations don't even bother looking for simple effective measures that would reduce the risk for little or no extra cost.
Here's a few stories from my consulting days.
Walked into this medium-size firm at 7:00 AM.
ME: Hi, I'm here from XYZ consulting. I'm working on the network for [insert name of director of IT].
RECPT: The director is not here.
ME: Well, can you let me into the room so I can do my tasks?
RECPT: Sure, I'll have someone let you in.
ME: Left alone for 2 hours in their main server room until everyone else came on shift.
------------
Story 2:
Large datacenter company.
1: Drive up to the shipping dock of a large datacenter wearing the t-shirt of a company hosted at the facility.
ME: I'm here to deliver this to my cage (point at t-shirt).
Shipping clerk: "OK."
ME: Has unlimited access to the datacenter. Never badged or signed in.
Now this will get you through some of the security at some datacenters, as you still need a final key or badge to get to the final layer (or you can try the old "pop the floor tile" trick).
Another option could be:
"This hardware on the shipping dock was misshipped and I'm here to move it back to (other datacenter | corporate office)."
Depending upon affability you can get away with various expensive boxes that the company has sitting in the shipping area (Cisco/Sun/Dell etc.), still never having badged in/out.