http://news.independent.co.uk/digital/features/story.jsp?story=99302

14 October 2001

It doesn't take technical wizardry or a cunning disguise to gain access to your confidential data, as Mark Halper discovers.

Visit the home of a computer security professional and you'd expect to see the usual trappings of the trade: a collection of keyboards, monitors, tangled phone wires and racks of anti-virus software. But for one IBM security consultant called Paul, there's something a bit more curious. Hanging in Paul's wardrobe is a collection of tradesmen's outfits including hard hats, boiler suits, phone equipment belts and meter-reader shirts. These are not the threads for some oddball clubbing scene. Rather, they help Paul do his job, which happens to include breaking into the office buildings of IBM's customers. There's nothing like a hard hat to convince the receptionist you're there to build the new cubicles upstairs.

As one of three "ethical hackers" in the UK arm of IBM's Global Services division, Paul says that one of the biggest threats to computer security is the human trick of talking your way past barriers, because an intrepid prowler could easily gain access to computer systems. "Physically breaking in is just as much a threat as remote cyber hacking, and companies often overlook it," says Paul, who declines to provide his surname for fear of blowing his cover on the next job.

In a series of ploys that seem part Mission Impossible and part slapstick, Prowling Paul routinely disguises himself to gain entry to his clients' premises. Clients ranging from financial firms to pharmaceutical companies have challenged Paul to slip past unwitting receptionists and security guards. His clients often give him the task of finding and entering the central computer room or gathering papers off employees' desks, simply to prove it can be done.
If Paul is to be believed, corporate Britain has plenty to worry about, as he claims to have failed only once in almost 40 attempts to slip through swipe-card gates or goods entrances. On all but two occasions, he made it all the way around the game board to the computer room. These security breaches took place before 11 September, however, and Paul believes his job is likely to be more difficult now as business tightens security.

He practises a finely tuned con game. This isn't sweet-talking the help desk into providing passwords. It's a little more daring. The trick to walking through corporate turnstiles, says Paul, is to win the confidence of the gatekeeper by convincingly playing your part. With that in mind, he shops for his tradesmen gear at car boot sales. "You can't have anything new, or it wouldn't look the part," he notes. "I carry a tatty old clipboard around."

Of course, the ploy goes beyond simply dressing the part. It entails acting it. Otherwise, Paul might stand out as a phoney. Perhaps taking inspiration from the National Theatre which neighbours his South Bank office, Paul has developed a knack for role playing. He usually works with a partner to lend banter, authenticity or even confusion to his ruses. He recalls one elaborate scheme when he arrived dressed as a phone technician requesting to see a "Mr Jones", only to be told by reception to see a "Mr Smith". Smith just happened to be his partner, who had sneaked in earlier in a suit and a fake ID card and who had called down saying he would take Jones' meeting because Jones was stuck in traffic. Even though the plot worked and he could have waltzed straight in, Paul paused to complain to the receptionist about Jones' unavailability. "It's what they expected. It was like, 'bloody telecoms engineer, why can't he just get on with the job?'"

Not all his scams are so convoluted.
He often just "tailgates" through swipe-card gates, trailing immediately behind a lunch trolley or an employee who has entered legitimately. Paul insists that if you engage in a mobile phone call while walking behind someone, courtesy dictates they do not question you. One of his favourite ploys is to enter a corporate lobby just before 9am on a Monday dressed in a business suit and encumbered with boxes and shoulder bags; "co-workers" take pity and open doors for him.

All of this takes advantage of non-confrontational human nature. As Paul puts it: "At most companies, if you turn up and say you're from the electricity board and there's a problem with the mains supply, they let you in." One reason he concocts tradesmen schemes is they open the way to mains supplies, phone boxes and boiler rooms, which are often located near the computer server rooms or networking closets that Paul is hunting for. He has on occasion entered a building in a business suit, and subsequently peeled it off down to a layer of technician's clothing, which helps sanction his wanderings into computer central. To his astonishment, the nonchalance of employees lets him meander the corridors for hours, as "no one calls security". In the event of trouble, Paul has a get-out-of-jail-free card provided by the clients' top brass.

So does he ever bumble? Paul admits to butterflies in the stomach, but tries to turn that to his advantage. "You always get nervous, especially in the first few minutes when your mouth is dry. So you say 'I've had a long drive, could I have a cup of tea?'." This serves the dual purpose of calming him down and establishing a rapport with the receptionist.

Paul's prowling is low tech. The only gadget he routinely deploys is a camera, which he uses for mundane reasons. One is to take snapshots of employees' ID cards, to help him and his cohort make replicas. The other is to photograph himself in his crowning achievement of entering the server room.
That photo goes in his report to the client as proof: mission accomplished.