Meet the computer criminals: they'll see you in your office

[InfoSec News <isn () c4i org>]

http://news.independent.co.uk/digital/features/story.jsp?story=99302

14 October 2001

It doesn't take technical wizardry or a cunning disguise to gain
access to your confidential data, as Mark Halper discovers

Visit the home of a computer security professional and you'd expect to
see the usual trappings of the trade: a collection of keyboards,
monitors, tangled phone wires and racks of anti-virus software.

But for one IBM security consultant called Paul, there's something a
bit more curious. Hanging in Paul's ward-robe is a collection of
tradesmen's outfits including hard hats, boiler suits, phone equipment
belts and meter-reader shirts.

These are not the threads for some oddball clubbing scene. Rather,
they help Paul do his job, which happens to include breaking into the
office buildings of IBM's customers. There's nothing like a hard hat
to convince the receptionist you're there to build the new cubicles
upstairs.

As one of three "ethical hackers'' in the UK arm of IBM's Global
Services division, Paul says that one of the biggest threats to
computer security is the human trick of talking your way past
barriers, because an intrepid prowler could easily gain access to
computer systems.

"Physically breaking in is just as much a threat as remote cyber
hacking, and companies often overlook it," says Paul, who declines to
provide his surname for fear of blowing his cover on the next job.

In a series of ploys that seem part Mission Impossible and part
slapstick, Prowling Paul routinely disguises himself to gain entry to
his clients' premises. Clients ranging from financial firms to
pharmaceutical companies have challenged Paul to slip past unwitting
receptionists and security guards. His clients often give him the task
of finding and entering the central computer room or gathering papers
off employees' desks, simply to prove it can be done.

If Paul is to be believed, corporate Britain has plenty to worry
about, as he claims to have failed only once in almost 40 attempts to
slip through swipe-card gates or goods entrances. On all but two
occasions, he made it all the way around the game board to the
computer room.

These security breaches took place before 11 September, however, and
Paul believes his job is likely to be more difficult now as business
tightens security.

He practises a finely tuned con game. This isn't sweet-talking the
help desk into providing passwords. It's a little more daring. The
trick to walking through corporate turnstiles, says Paul, is to win
the confidence of the gatekeeper by convincingly playing your part.
With that in mind, he shops for his tradesmen gear at car boot sales.
"You can't have anything new, or it wouldn't look the part,'' he
notes. "I carry a tatty old clipboard around.''

Of course, the ploy goes beyond simply dressing the part. It entails
acting it. Otherwise, Paul might stand out as a phoney. Perhaps taking
inspiration from the National Theatre which neighbours his South Bank
office, Paul has developed a knack for role playing. He usually works
with a partner to lend banter, authenticity or even confusion to his
ruses.

He recalls one elaborate scheme when he arrived dressed as a phone
technician requesting to see a "Mr Jones,'' only to be told by
reception to see a "Mr Smith''. Smith just happened to be his partner,
who had sneaked in earlier in a suit and a fake ID card and who had
called down saying he would take Jones' meeting because Jones was
stuck in traffic. Even though the plot worked and he could have
waltzed straight in, Paul paused to complain to the receptionist about
Jones' unavailability. "It's what they expected. It was like, 'bloody
telecoms engineer, why can't he just get on with the job?' ''

Not all his scams are so convoluted. He often just "tailgates" through
swipe-card gates, trailing immediately behind a lunch trolley or an
employee who has entered legitimately. Paul insists that if you engage
in a mobile phone call while walking behind someone, courtesy dictates
they do not question you. One of his favourite ploys is to enter a
corporate lobby just before 9am on a Monday dressed in a business suit
and encumbered with boxes and shoulder bags; "co-workers'' take pity
and open doors for him.

All of this takes advantage of non-confrontational human nature. As
Paul puts it: "At most companies, if you turn up and say you're from
the electricity board and there's a problem with the mains supply,
they let you in.''

One reason he concocts tradesmen schemes is they open the way to mains
supplies, phone boxes and boiler rooms, which are often located near
the computer server rooms or networking closets that Paul is hunting
for. He has on occasion entered a building in a business suit, and
subsequently peeled it off down to a layer of technician's clothing,
which helps sanction his wanderings into computer central. To his
astonishment, the nonchalance of employees lets him meander the
corridors for hours, as "no one calls security". In the event of
trouble, Paul has a get-out-of-jail-free card provided by the clients'
top brass.

So does he ever bumble? Paul admits to butterflies in the stomach, but
tries to turn that to his advantage. "You always get nervous,
especially in the first few minutes when your mouth is dry. So you say
'I've had a long drive, could I have a cup of tea?'." This serves the
dual purpose of calming him down and establishing a rapport with the
receptionist.

Paul's prowling is low tech. The only gadget he routinely deploys is a
camera, which he uses for mundane reasons. One is to take snapshots of
employees' ID cards, to help him and his cohort make replicas. The
other is to photograph himself in his crowning achievement of entering
the server room. That photo goes in his report to the client as proof:
mission accomplished.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.