[ISN] Meet the computer criminals: they'll see you in your office

From: InfoSec News (isnat_private)
Date: Mon Oct 29 2001 - 00:49:46 PST


    14 October 2001
    It doesn't take technical wizardry or a cunning disguise to gain
    access to your confidential data, as Mark Halper discovers
    Visit the home of a computer security professional and you'd expect to
    see the usual trappings of the trade: a collection of keyboards,
    monitors, tangled phone wires and racks of anti-virus software.
    But for one IBM security consultant called Paul, there's something a
    bit more curious. Hanging in Paul's wardrobe is a collection of
    tradesmen's outfits including hard hats, boiler suits, phone equipment
    belts and meter-reader shirts.
    These are not the threads for some oddball clubbing scene. Rather,
    they help Paul do his job, which happens to include breaking into the
    office buildings of IBM's customers. There's nothing like a hard hat
    to convince the receptionist you're there to build the new cubicles.
    As one of three "ethical hackers" in the UK arm of IBM's Global
    Services division, Paul says that one of the biggest threats to
    computer security is the human trick of talking your way past
    barriers, because an intrepid prowler could easily gain access to
    computer systems.
    "Physically breaking in is just as much a threat as remote cyber
    hacking, and companies often overlook it," says Paul, who declines to
    provide his surname for fear of blowing his cover on the next job.
    In a series of ploys that seem part Mission Impossible and part
    slapstick, Prowling Paul routinely disguises himself to gain entry to
    his clients' premises. Clients ranging from financial firms to
    pharmaceutical companies have challenged Paul to slip past unwitting
    receptionists and security guards. His clients often give him the task
    of finding and entering the central computer room or gathering papers
    off employees' desks, simply to prove it can be done.
    If Paul is to be believed, corporate Britain has plenty to worry
    about, as he claims to have failed only once in almost 40 attempts to
    slip through swipe-card gates or goods entrances. On all but two
    occasions, he made it all the way around the game board to the
    computer room.
    These security breaches took place before 11 September, however, and
    Paul believes his job is likely to be more difficult now as business
    tightens security.
    He practises a finely tuned con game. This isn't sweet-talking the
    help desk into providing passwords. It's a little more daring. The
    trick to walking through corporate turnstiles, says Paul, is to win
    the confidence of the gatekeeper by convincingly playing your part.
    With that in mind, he shops for his tradesmen gear at car boot sales.
    "You can't have anything new, or it wouldn't look the part," he
    notes. "I carry a tatty old clipboard around."
    Of course, the ploy goes beyond simply dressing the part. It entails
    acting it. Otherwise, Paul might stand out as a phoney. Perhaps taking
    inspiration from the National Theatre which neighbours his South Bank
    office, Paul has developed a knack for role playing. He usually works
    with a partner to lend banter, authenticity or even confusion to his
    He recalls one elaborate scheme when he arrived dressed as a phone
    technician requesting to see a "Mr Jones," only to be told by
    reception to see a "Mr Smith". Smith just happened to be his partner,
    who had sneaked in earlier in a suit and a fake ID card and who had
    called down saying he would take Jones' meeting because Jones was
    stuck in traffic. Even though the plot worked and he could have
    waltzed straight in, Paul paused to complain to the receptionist about
    Jones' unavailability. "It's what they expected. It was like, 'bloody
    telecoms engineer, why can't he just get on with the job?'"
    Not all his scams are so convoluted. He often just "tailgates" through
    swipe-card gates, trailing immediately behind a lunch trolley or an
    employee who has entered legitimately. Paul insists that if you engage
    in a mobile phone call while walking behind someone, courtesy dictates
    they do not question you. One of his favourite ploys is to enter a
    corporate lobby just before 9am on a Monday dressed in a business suit
    and encumbered with boxes and shoulder bags; "co-workers" take pity
    and open doors for him.
    All of this takes advantage of non-confrontational human nature. As
    Paul puts it: "At most companies, if you turn up and say you're from
    the electricity board and there's a problem with the mains supply,
    they let you in."
    One reason he concocts tradesmen schemes is they open the way to mains
    supplies, phone boxes and boiler rooms, which are often located near
    the computer server rooms or networking closets that Paul is hunting
    for. He has on occasion entered a building in a business suit, and
    subsequently peeled it off down to a layer of technician's clothing,
    which helps sanction his wanderings into computer central. To his
    astonishment, the nonchalance of employees lets him meander the
    corridors for hours, as "no one calls security". In the event of
    trouble, Paul has a get-out-of-jail-free card provided by the clients'
    top brass.
    So does he ever bumble? Paul admits to butterflies in the stomach, but
    tries to turn that to his advantage. "You always get nervous,
    especially in the first few minutes when your mouth is dry. So you say
    'I've had a long drive, could I have a cup of tea?'." This serves the
    dual purpose of calming him down and establishing a rapport with the
    Paul's prowling is low tech. The only gadget he routinely deploys is a
    camera, which he uses for mundane reasons. One is to take snapshots of
    employees' ID cards, to help him and his cohort make replicas. The
    other is to photograph himself in his crowning achievement of entering
    the server room. That photo goes in his report to the client as proof:
    mission accomplished.
    ISN is currently hosted by Attrition.org
