[iwar] [fc:Meet.the.computer.criminals:.they'll.see.you.in.your.office]

From: Fred Cohen (fc@all.net)
Date: 2001-10-30 06:10:04



Meet the computer criminals: they'll see you in your office 
Independent (UK), 10/29/2001
http://news.independent.co.uk/digital/features/story.jsp?story=99302

It doesn't take technical wizardry or a cunning disguise to gain access
to your confidential data, as Mark Halper discovers

Visit the home of a computer security professional and you'd expect to
see the usual trappings of the trade: a collection of keyboards,
monitors, tangled phone wires and racks of anti-virus software.

But for one IBM security consultant called Paul, there's something a bit
more curious. Hanging in Paul's wardrobe is a collection of tradesmen's
outfits including hard hats, boiler suits, phone equipment belts and
meter-reader shirts.

These are not the threads for some oddball clubbing scene. Rather, they
help Paul do his job, which happens to include breaking into the office
buildings of IBM's customers. There's nothing like a hard hat to
convince the receptionist you're there to build the new cubicles
upstairs.

As one of three "ethical hackers" in the UK arm of IBM's Global
Services division, Paul says that one of the biggest threats to computer
security is the human trick of talking your way past barriers, because
an intrepid prowler could easily gain access to computer systems.

"Physically breaking in is just as much a threat as remote cyber
hacking, and companies often overlook it," says Paul, who declines to
provide his surname for fear of blowing his cover on the next job.

In a series of ploys that seem part Mission Impossible and part
slapstick, Prowling Paul routinely disguises himself to gain entry to
his clients' premises. Clients ranging from financial firms to
pharmaceutical companies have challenged Paul to slip past unwitting
receptionists and security guards. His clients often give him the task
of finding and entering the central computer room or gathering papers
off employees' desks, simply to prove it can be done.

If Paul is to be believed, corporate Britain has plenty to worry about,
as he claims to have failed only once in almost 40 attempts to slip
through swipe-card gates or goods entrances. On all but two occasions,
he made it all the way around the game board to the computer room.

These security breaches took place before 11 September, however, and
Paul believes his job is likely to be more difficult now as business
tightens security.

He practises a finely tuned con game. This isn't sweet-talking the help
desk into providing passwords. It's a little more daring. The trick to
walking through corporate turnstiles, says Paul, is to win the
confidence of the gatekeeper by convincingly playing your part. With
that in mind, he shops for his tradesmen gear at car boot sales. "You
can't have anything new, or it wouldn't look the part," he notes. "I
carry a tatty old clipboard around."

Of course, the ploy goes beyond simply dressing the part. It entails
acting it. Otherwise, Paul might stand out as a phoney. Perhaps taking
inspiration from the National Theatre which neighbours his South Bank
office, Paul has developed a knack for role playing. He usually works
with a partner to lend banter, authenticity or even confusion to his
ruses.

He recalls one elaborate scheme when he arrived dressed as a phone
technician requesting to see a "Mr Jones," only to be told by reception
to see a "Mr Smith". Smith just happened to be his partner, who had
sneaked in earlier in a suit and a fake ID card and who had called down
saying he would take Jones' meeting because Jones was stuck in traffic.
Even though the plot worked and he could have waltzed straight in, Paul
paused to complain to the receptionist about Jones' unavailability.
"It's what they expected. It was like, 'bloody telecoms engineer, why
can't he just get on with the job?'"

Not all his scams are so convoluted. He often just "tailgates" through
swipe-card gates, trailing immediately behind a lunch trolley or an
employee who has entered legitimately. Paul insists that if you engage
in a mobile phone call while walking behind someone, courtesy dictates
they do not question you. One of his favourite ploys is to enter a
corporate lobby just before 9am on a Monday dressed in a business suit
and encumbered with boxes and shoulder bags; "co-workers" take pity and
open doors for him.

All of this takes advantage of non-confrontational human nature. As Paul
puts it: "At most companies, if you turn up and say you're from the
electricity board and there's a problem with the mains supply, they let
you in."

One reason he concocts tradesmen schemes is they open the way to mains
supplies, phone boxes and boiler rooms, which are often located near the
computer server rooms or networking closets that Paul is hunting for. He
has on occasion entered a building in a business suit, and subsequently
peeled it off down to a layer of technician's clothing, which helps
sanction his wanderings into computer central. To his astonishment, the
nonchalance of employees lets him meander the corridors for hours, as
"no one calls security". In the event of trouble, Paul has a
get-out-of-jail-free card provided by the clients' top brass.

So does he ever bumble? Paul admits to butterflies in the stomach, but
tries to turn that to his advantage. "You always get nervous, especially
in the first few minutes when your mouth is dry. So you say 'I've had a
long drive, could I have a cup of tea?'." This serves the dual purpose
of calming him down and establishing a rapport with the receptionist.

Paul's prowling is low tech. The only gadget he routinely deploys is a
camera, which he uses for mundane reasons. One is to take snapshots of
employees' ID cards, to help him and his cohort make replicas. The other
is to photograph himself in his crowning achievement of entering the
server room. That photo goes in his report to the client as proof:
mission accomplished.
