Follow Slashdot blog updates by subscribing to our blog RSS feed

 


Forgot your password?
Close
typodupeerror
×
Security

Undercover Hacking, For Money 246

Posted by timothy from the nice-work-if-you-can-get-it dept.
Dollyknot writes: "Amusing story of a guy employed by IBM to check companies security out by trying to con his way onto their premises." This sounds like a fun job, to say the least, and supplies at least two good reasons to own a digital camera.
This discussion has been archived. No new comments can be posted.

Undercover Hacking, For Money More

Undercover Hacking, For Money

Comments Filter:
  • Like some geek can compete with Robert Redford, Dan Akroyd, River Pheonix and Sidney Poitier. I mean, they took on Ghandi when he ran the mob!
  • The great movie Sneakers [imdb.com]. [imdb]

  • Kinda like Sneakers.... =-) (Score:3, Informative)

    by grape jelly ( 193168 ) on Saturday October 27, 2001 @10:39PM (#2488753)
    Does anybody here remember the movie Sneakers? It's a bit old (1992), but still very good. A team of guys normally hired to physically break into places to prove it can be done and find weaknesses in security are hired for a slightly more illegal mission than their usual fare -- to steal a mysterious black box from a famous mathematician. While screwing around with it, they find it is a mathematical wonder capable of bypassing any US encryption system. Great geek movie, and definitely underrated in this review [go.com]. =-)
    • Sneakers was a really good movie, especially since it tried hard to be authentic. Not quite perfect perhaps, but a lot better than most technology / computer movies out there.

      Even the math behind the black box was reasonable. Which is to say that it's conceivable that one could find the right group theory construction to rapidly factor numbers of arbitrary size, but no one's figured out how (nor have they shown it can't work). The movie happily tells you that he's done it without saying anything meaningful about how its done.

    • Re:Kinda like Sneakers.... =-) (Score:5, Insightful)

      by phillymjs ( 234426 ) <slashdot.stango@org> on Saturday October 27, 2001 @11:15PM (#2488823) Homepage Journal
      Sneakers was a way cool movie, still very watchable and re-watchable even as it approaches 10 years old. Very entertaining, and has a very low head-shake count (i.e. elements that make you shake your head in disgust because they are ridiculously unfeasible, or where the technology is insultingly dumbed-down so the unwashed masses will 'get' it). An example of a movie with a high head-shake count, BTW, would be Hackers [imdb.com]-- because among many other things, I've never met a geek that looked like Angelina Jolie, and never seen a Macintosh PowerBook Duo with an Intel CPU.

      ~Philly
      • Two things, first one about Sneakers, or a real-life example of something like what they did:

        At HoHoCon in Houston about 10 years ago, Erik Bloodaxe (formerly of LoD/H) talked about a deal ComSec (the company he and a couple of other former LoD guys started) did that involved breaking into a corporate network and printing themselves a check for $0.00 (and mailing it to themselves!), then presenting it to the company with a comment along the lines of "This could have been for 50 grand..."

        I don't recall if they got the job.

        Second, about Hackers:

        I own Hackers on DVD for one reason only: The Hackers drinking game. Whenever you encounter something that trips the head-shake, drink.

        I've never made it all the way through the movie on anything stronger than beer. Usually I'm done within 30-45 minutes. LOTS of "aw geez" in that one.

        -l
      • and never seen a Macintosh PowerBook Duo with an Intel CPU

        It's not just the chip. It has aPCI bus. But then, you already knew that.

        Risc architecture is going to change everything.
  • Dear Santa,
    I would like a digital camera for Christmas. It would really help me make those fake IDs.
  • Is most of the time the Human one. This story just proves it. I have plenty of times used talk my way into places I should not have. Either because I was just a familar face (but not one that should be where I am) or I just seem like I should be there. That would be a fun job to have. Well have fun ppl
  • Expecting ordinary employees, and even receptionists, to function as guards is absurd. There's no way to know who is supposed to belong in a big company, and who the hell has time to play company cop? give me a break. Put guards at the doors you don't want the wrong people going through.

    • The problem is that most guards will let you through if you seem to:
      A) fit in
      B) seem to be legit

      I have two customers that have fairly high security buildings. One, I went to the break room, and had yet to be informed the combo on the door, the gaurd just let me in when I told them that I got locked out.

      At another customers location, I just told the guard that I was delivering some software. The guard gave me a day pass to the entire complex.... The receptionist (who was new, and I did not know) voilated their own security policy by not stopping me when I walked bye. Keep in mind, I did not blend in, Policy there is slacks, and a tie. I was wearing blue jeans and a polar fleece sweater, plus I'm more or less a long haired hippy.

      Keep in mind that these are legit cases, but guard's jobs are very mundane, and locations such as server rooms should be protected by lock and key at the least.

      One customer broke through the back wall of their server room... why I don't know, but they have a combo door lock on the door... the only one in their entire office. but, you can just walk around to the other side of the room and enter from the back, where there is no door.

      *shrug*

      I guess its a property of the large corperate world, stupid decisions = bad security.

      • Tight security (Score:4, Informative)

        by einhverfr ( 238914 ) <chris DOT travers AT gmail DOT com> on Sunday October 28, 2001 @01:01AM (#2488985) Homepage Journal
        There are a few ways to make a complex secure:

        1: Require cardkeys to park a vehicle. This makes it more inconvenient for an attacker. Better yet, require an ID badge to bring a vehicle into all premises except for deliveries (restrict to a small area).

        2: Think choke points and isolation levels. Always assume that at least one level of security will be broken and plan for it.

        3: Keep the teams that have access to high security areas small and ensure that they know eachother. This helps there.

        4: Electronically monitor server rooms. Cardkey and camera should be used for surveillance and there should not be a reason for maintenance workers to have access to the server rooms at all.
        This means no garbage cans permanently stationed there. If janitors have access, then they become the weakest link...

        I am actually surprised how many problems people have protecting their server rooms...
        • I'd like to add:

          5: Make it company policy that *all* people that aren't paid full time be checked in. Have sometihng like a temp badge that signifies that they are. Require that they be escorted anywhere they go. At my company even contractors are escorted. They were slightly disturbed, but got used to it.

          6: Make it policy that any employee should stop and question anyone without an employee or temp badge plainly visible. Usually one guy who does it abit helps.

          This seems to help a bit by adding a little catchall in case people try to coerce their way places.
        • There is a company I am familiar with where letting someone 'tailgate' you through the card reader at the door is an automatic firing offense. You can believe that my escort while I was there made sure I swipped my 1-day visitor card every time.

    • Well, even though we are a small company, to get into the server room you need to go through me, or the other admin. In cases where this has happened we stand in there and watch you. You do something stupid and we have the big assed axehandle hanging from a rack to show you the error of your ways.

      I'm paranoid enough already, and if someone starts tossing the mains breakers, I won't hesitate to stomp said persons ass....

    • I have worked in a couple of secure defense facilities, and it worked there. In one case, I was awaiting a higher level clearance to come through - a clearance required for access to the building without an escort. But (these were the good old days) I frequently needed to go to the computer shop to submit a job or pick up output. ONE TIME I went without an escort, and subsequently found myself in a security office because of an alert employee.


      The key to security in places like this (other than perimeter guard checking) is badges which clearly show one's access privileges. Of course, today it is a bit easier to fake a badge :-(
      So it can work - but only in places where security is high on peoples' minds.

  • god save us all if they send a pretty woman into a programming house full of single geeks.

    Might as well just change all the screen savers to "We 0\/\/ /\/ 3d J00!" for kicks.

    Not that it has ever happened to me, mind you.
    (ok, ok, the escorting a pretty girl part, but not the screensaver part. I did get griped at and rightfully so)

  • Is to look like you belong in the place and your in. And if you are lucky you can get on theyre payroll and get yourself a job ;D

  • Always Get Past Security (Score:4, Funny)

    by feydakin ( 161035 ) on Saturday October 27, 2001 @10:55PM (#2488782) Homepage
    Just wear a pizza delivery shirt and carry a big red bag.. Never fails, everyone trusts the pizza guy..

    • Immitating a pizza delivery person also means that you can ask for someone who may or may not work there, and pretend it was a prank order all along, leaving completely annoyed. When you come later, you can complain you were fired from the pizza place, "no thanks to the pranks from this place", if anyone recognizes you.

      The danger would be if you couldn't get ahold of a real pizza delivery outfit for some reason, and used a do-it-yourself outfit with a made-up company name. Many geeks know every joint in town, and would immediatly start asking questions if they didn't recognize the name.

      :^)

      Ryan Fenton
      • The danger would be if you couldn't get ahold of a real pizza delivery outfit for some reason

        Easy. I worked at Papa Johns for quite a while and they always had old shirts and hats sitting around. You could sneak in and grab some or just get a job for a week and never take yours back. I still have mine, for instance. The hot bags and car tops would be a tougher deal, though you could steal some from a delivery car when the driver's not looking. They really hate that, lemme tell you.
      • One word: Goodwill

        Uniforms from everywhere can be found there. Just wash em to get that "cap'n crunch" smelling laundry detergent out of 'em (no reference to 2600 man, but to the cereal)
        I've seen security uniforms there...
    • Just wear a pizza delivery shirt and carry a big red bag.. Never fails, everyone trusts the pizza guy..

      Nope, this trick won't work everywhere. At a bank where I used to work, standard procedures for such a case would be that the pizza guy left the pizza at the security guy, who then called the guy who ordered it to come down and pick it up.

      Same drill if you had a visitor. You'd have to come down physically to meet him.

      And all this was even before September 11th, but the place was so paranoid that they chose to build their underground parking lot below the garden rather than below the building, for fear of February 26th, 1993 type events... ;-)

  • A cousin of a friend of mine has worked for two different financial houses in a role similar to this. His job was to randomly walk into empty offices, sit down at the employee's computer and try to crack his way into their system/files. He sure seemed to like this job a lot better than his former admin role.

  • See also... (Score:5, Interesting)

    by gmaestro ( 316742 ) <jason.guidry@3.14gmail.com minus pi> on Saturday October 27, 2001 @10:55PM (#2488785)
    The Happy Hacker [happyhacker.org] has a cool account of a social engineering break-in on the website. I believe this is from Meinel's book Uberhacker in the chapter on Social engineering [happyhacker.org], including an actual break in to a fortune 500 company [happyhacker.org].

    as if i'm not paranoid enough!

  • ye olde art of Dumpster diving ;D
    • Everyone owns shreders(not the Ninja Turtle kind) nowadays...Even I don't let potentially important info go into the trash without being shreded. It's *very* difficult to get information off of a sheet of paper that's been through a crosscut shreder.

  • Layered Security (Score:2, Interesting)

    by rediguana ( 104664 )

    He doesn't mention in the article whether any of them use layered security. As you cannot expect humans to be infalliable, shouldn't layers be built up around critical infrastructure, so if they get past reception or the first security door, they still don't have full roam of the business. Extra security should be provided around critcal points such as server rooms, closets etc, and a limited number of people provide access, and know reason of letting the serviceperson have access.

  • the company in question depended on contractors, then there are no regular employees as such...

    Theyre used to seeing new faces often and may think nothing of another new face.

    Just dont pretend to be the CEO or Chief Software Architect or anything ;D

  • Frightening thought.... (Score:3, Funny)

    by ZaneMcAuley ( 266747 ) on Saturday October 27, 2001 @11:03PM (#2488802) Homepage Journal
    What if they suddenly tell you "Oh, there you are. You have a company presentation in 5 mins... come with me..." erm oO(OH SHIT) :)
  • If I was Paul (from the article) and I really wanted to be bad, I'd replicate the 'get out of jail free card' and then look for work in corporate espionage for competitors. I'd go and break in to the same company again, and if I got caught, I'd just use the card to walk away.

  • Some of his tactics aren't hard to employ at all. (Score:5, Interesting)

    by thesolo ( 131008 ) <slap@fighttheriaa.org> on Saturday October 27, 2001 @11:18PM (#2488827) Homepage
    At my last job, my boss was very slow in getting me an ID badge, even a temporary guest pass, so that I could swipe myself in. Employees should have one immediately, but it took him over 3 weeks to get me a temporary badge. So what did I do in the mean time? I snuck my way into the building, every day.

    For the first few days, I had security let me in, but they got real frustrated with checking me in. So every morning, I would park my car, get out, and start towards the side door, which happened to be closest to the IT department. I would then try to find someone who was walking towards that door and high-tail it behind them.
    If no one was going into the building at that time, I'd stop, pretend to take a phone call on my cell, or tie my shoes repeatedly, until someone walked past me, and then I'd just walk quickly behind them so they would hold the door for me.

    Not once during those 3 weeks did I ever get questioned by anybody, which surprised me greatly, especially considering I was about 20 years younger than anyone else at the company, and I have facial piercings.

    The moral of the story is that the overall trusting nature of humans is very easy to exploit, and this guy obviously shows off that point on a daily basis. Maybe we all should be a little more wary...
    • Probably applies to college dorms everywhere, but it was the same at Georgia Tech. Getting into someone else's building was easy as pie. The exception of course is guys getting into the girl's dorm buildings. Other way around, we'd roll out the red carpet for the lovely ladies...
    • I've had fun getting into the main computer lab after hours at UC Berkeley. After it's dark, 7pm or so, everyone going in is supposed to have a key card. The elevators and stair shafts also need them. I don't even attend UCB but was wondering if my friend was in there that night when he wasn't at his apartment. The comp lab is on the second floor which is underground and has no cell phone reception. After I tailed in following a guy with a card. I wend to the elevator and went in. Going in is no problem, but to get it to move to your floor requires a card. I stood around for a minute, and then it moved. Although I hadn't usea a card, because some one else called the elevator, it went to their floor. All I had to do was act as though I was going to a different floor and wait until someone called the elevator to the second floor. With security like this, I don't think anyone malevolent will have the slightest problem getting in there anytime soon.

      • Back in 1968, I used to "borrow" Stanford Universities IBM 1620. At the time, I wasn't a student - in fact I was an active duty Navy flyer at nearby Moffett Field. But I wanted to hack and the base had a book on 1620 machine language.


        My approach was to go late at night, find a janitor, and tell him I lost my key. It worked every time - no ID required. I would then have the computer to myself for hours. One time, about 3 AM, a researcher (I assume :-) came in, saw me, apologized, and said he would come back when the machine was not in use. Being a nice guy, I told him I was done and let him have it.


        During that same year, I also used the Stanford IBM 360/67 (an OS with a VMM while Bill Gates was in grade school) to do a bunch of personal programming. There, an ID from an out-of-town for the year gard student did th job.


        Meanwhile, my friends at the University of Kansas (which had a rare GE-625), wanted source of the OS to improve their attacks on the OS. One of them found out the tape numbers by looking at printouts in a public place. He then ran jobs when times were busy to copy those tapes to his own... every once in a while so as to not draw suspicion. Then, he later printed out the whole thing, again in little bits. Thus when I later went there, we had source of the whole OS. We used that to find a number of holse, although GECOS-III was surprisingly well designed for security. In fact, the CIA used it for that reason, and it was chosen for the World Wide Military Command and Control System (WMMCS). As a result of our hacking, one of us later got a call, out of the blue, from a CIA recruiter who knew of the exploits and was looking to hire him for a white-hat hacking job. This was in 1970.
        Social engineering works!

  • Similar to this....... (Score:3, Informative)

    by whanau ( 315267 ) on Saturday October 27, 2001 @11:20PM (#2488829)
    If you liked this story on physical hacking I suggest a trip to infiltration.com. It contains guides and how-to like articles for sneaking into hotels, exploring hospital, derelict buildings and the like. Excellent reading for the armchair sneaker

  • Practice intrusions... (Score:2, Interesting)

    by Bagheera ( 71311 )
    You'd be surprised how many large corporations employ folks in their security departments who's sole purpose in life is to break into company sites, or data, or their partner's sites. The guys who do Physical Security rely on Social Engineering like this guy is reported to do, or even simpler means like tailgating or even trying to pick the lock.

    It's pretty cool, but there's a lot more time writing up reports about the intrusion than there is actually doing intrusions.

    • but there's a lot more time writing up reports about the intrusion than there is actually doing intrusions

      I assume you mean their own company's sites. I don't imagine there's that much paperwork to do when conducting industrial espionage...
  • How about carrying a small UPS with you and tell the receptionist you're there to replace the UPS on the mainframe? A bit more direct, and that would REALLY show how weak security can be.

    I almost wouldn't doubt it could be done.

  • ..would be if a company were to pay to sabotage a competitor's web site.

    I suppose that whole illegal thing gets in the way. Alternatively, it sure would be nice to be paid to test a company's security.

    • would be if a company were to pay to sabotage a competitor's web site. I suppose that whole illegal thing gets in the way. Alternatively, it sure would be nice to be paid to test a company's security

      I can imagine a scenario where two competitors that are on good terms with one another (or even two totally unrelated companies) might 'ritualize' assaults on one another's security. Set up rules, designate targets, award prizes to the team or individual that carries out the sneak, that sort of thing. It's fun and points out flaws in security. Much better than a lousy 'Employee of the Month' award.
      • ...designate targets...

        I can just see that going too damned far...

        The competing company's CIO settles into the limo for the early-morning ride to the airport to catch his flight to that trade show. Quickly becoming engrossed in some reports on his laptop, he doesn't notice anything amiss until the driver doesn't take the airport exit. As the CIO starts to protest, the door locks slam home and the partition goes up. Then the knockout gas starts coming out of the air vents...

        ~Philly
      • Note a slightly obfuscated point in the article.

        IBM doesn't send him in, the client requests it.

        IBM probably sells the idea, but the guy isn't unauthorized, he's just not known by the security apparatus to be authorized.

        Two companies that interact on terms that would allow them to set up this game would not be called competitors.

        I mean, if you got in, and got out, and showed the other guy his "flag", should you also show him the draft 5-year plan you ran off on his mopier?

        --Blair
  • (From KFI 640 [kfi640.com], I mean)

    Any good hacker knows the way into secure systems is through the weakest link: humans.

    So, of course the US Gov't spent the past 10+ years evisserating the hum-int in favor of carnivore-type el-int. No wonder we didn't have a clue.

  • Double Standards (Score:3, Insightful)

    by purduephotog ( 218304 ) <hirsch@inorb[ ]com ['it.' in gap]> on Sunday October 28, 2001 @12:03AM (#2488909) Homepage Journal
    I work for Corporate America

    In one sentance our values dictate respect for our fellow employees.

    In another, we are to firmly question anyone that 'does not belong' or is unexpected

    Recently our company hired a new diversity 'expert', and she was 'aghast' at the way fellow employees treated each other in the hallways

    Now I ask all of you sentinent people... how should we react when confronted with someone we neither recognize nor know, and how do we fullfill both of the philosophies?

    I used to work in a secure area, where if someone knocked I'd let them in but question and deliver them to the person they wanted... but now it's an open area- thus I don't exactly know the 250 people I now work with. Frankly the stress isn't worth it- any single one of them could be an auditor waiting to 'sneak up' and get you reported to upper management- it isn't fair.

  • My experiences in the Canadian Gov't (Score:5, Interesting)

    by illusion_2K ( 187951 ) <slashdot&dissolve,ca> on Sunday October 28, 2001 @12:04AM (#2488913) Homepage
    Although this article definetly shouldn't come as any surprise to anyone with even a marginal interest in information or any other type of security. Back in the day (early nineties), I was able to read loads of textfiles on all the local hacking BBS's about social engineering.

    Notwithstanding all of that though, it's kind of funny to see exactly how physical security is implemented these days. Back at my old job in the Canadian government (the department shall remain nameless), this stuff was nothing but a joke. Although you could certainly see that attempts were made at making things secure, like with the ID cards with the digital picture and magnetic swipe thing, it didn't really make much of a difference in the end. Firstly the only verification system that was used on these was to flash them at the rent-a-guards who sat all day long at the entrances. By this I mean that they would literally look at it for a split second - hardly enough time to even read the expiry date or even have a good look at the photo on the card. Case in point, after quitting, a friend of mine made a copy of his card on cardboard and was able to use that to get in without any trouble.

    Another strange thing was the departmental library. It was actually located within the building that I worked in on the second floor. Thus anyone (who knew about it) could walk up to the guards in the main lobby asking for access to it. They would then have to lend a piece of ID and write down their name, number, etc... and they'd get a library pass. This would essentially give them acccess to the entire building, as there wasn't any verification that they were sticking to the library. I ended up using this method of entry a few times to visit friends while I was at school in another part of the country.

    Anyway, I could rant on about it all night, but in the end it just came down to the fact that the people implementing the physical security were subcontracting to a bunch of dumbasses. Other things like network/information security were dealt with by intelligent and capable people for the mostpart, but I won't get into the whole weakest link discussion.
    • Interesting. My brother works in a department of the Canadian Gov't, which shall also remain nameless, though it's quite mundane.

      Security is pretty good. There is exactly one access point. (Alarms on the emergency exits, etc.). The guard is quite thorough. By now, he knows me, but he won't let me in. Someone who will vouch for me must physically come out and get me. Even then, I need a badge, and it only permits me access to the sections it's colour-coded to. I am told that people have been escorted out quickly when going into an area that doesn't match their badge. I'm also told that I get in relatively easily, since I'm a close relative.

      Even though the guard knows the employees, he still has to check their badges on the way in, and he's not lax about it. When they had a substitute guard at one point, he *didn't* know me, and he was extremely suspicious, even after I was cleared.

      Delivery people are simply not allowed in. They leave stuff in front of the guard kiosk, and someone comes down to fetch it. I'm sure there are ways to get through, but it's not bad.

      I haven't been there since Sept. 11, so I don't know if they've tightened things at all. I do know that the next security level up requires people to use their access cards just to get to the guard kiosk (i.e. they lock the outside doors).

  • who needs a disguise? (Score:5, Funny)

    by bigmaddog ( 184845 ) on Sunday October 28, 2001 @12:06AM (#2488917)
    I say this man goes to too much trouble to infiltrate these offices. At my former office, a bum walked in off the street, went straight through reception and out the back door with a $3000 laptop full of somewhat confidential information. Just some smelly guy in a dirty trenchcoat. I wonder what the receptionist thought when he passed by; that he was a programmer?

  • Tiger Teams (Score:3, Interesting)

    by Repton ( 60818 ) on Sunday October 28, 2001 @12:29AM (#2488955) Homepage

    If the Jargon File [jargon.org] is anything to go by, this isn't exactly something IBM has only started doing recently.

    The entry on Tiger Teams [tuxedo.org] provides the definition; the entry on patches [tuxedo.org] gives the example story:

    There is a classic story of a tiger team penetrating a secure military computer that illustrates the danger inherent in binary patches (or, indeed, any patches that you can't -- or don't -- inspect and examine before installing). They couldn't find any trap doors or any way to penetrate security of IBM's OS, so they made a site visit to an IBM office (remember, these were official military types who were purportedly on official business), swiped some IBM stationery, and created a fake patch. The patch was actually the trapdoor they needed. The patch was distributed at about the right time for an IBM patch, had official stationery and all accompanying documentation, and was dutifully installed. The installation manager very shortly thereafter learned something about proper procedures.
  • But for all the hopefuls out there, I wouldn't expect a lot of jobs like this popping up in America anytime soon. I think lawsuits would slap a person doing this kind of work down quick. People don't like to be embarassed, and Americans like to sue.

  • Funny that it's IBM (Score:3, Interesting)

    by joenobody ( 72202 ) on Sunday October 28, 2001 @01:01AM (#2488986)
    I worked at IBM in Schaumburg, IL a year or so ago. They've got a huge data center called "IBM Global Services" or "AT&T Global Services" depending who you asked. Anyways, it was nice working there: light work and an internet connection that loaded pages about as fast as I could click links.

    Anyways, this building was almost totally insecure. They've got a bank of elevators with two entrances, north and south. In the day you can walk up to either, say that you're a consultant and forgot your page, sign a fake name and a random floor number and you're in. At night this isn't neccessary- they close one entrance and the sole guard is almost always napping. Reach over the desk to hit the door unlatch and there's a whole building full of computers awaiting you, with a loading dock you don't have to pass security to get to.

    I'm sure they knew this when I worked there: I showed up one day to find my monitor moved from atop my PC and the case ajar. I opened it up, and found that someone had taken all my RAM.

  • check this 'zine out: Infiltration [209.157.133.147] It's about different ways to break into and explore urban areas ... pretty f*g cool
  • This is just too easy to accomplish most places. One place I worked you had to have a keycard to get in, dude stands around the door, as people come back from lunch, he walks in, grabs a laptop out of a conference room (they were gone for lunch) and just walks out.

    Of course we all got the "security simply must be better" but no one really did much about it after a few days it was all as it was before.

    • Same things happened at my former employer. Before I started there, a dude posed as a delivery person, carrying a large box. He got someone to open the door for him who then went back to their business without a thought. This guy picked up a few laptops from empty offices (this was at lunchtime one day) and presumably put them in the box and took it back out with him. He also ransacked one woman's purse. He made off with several PowerBooks, and went on a spree at the shopping center across the highway from the corporate park, using that woman's credit cards. This resulted in the company spending thousands on strong magnetic locks for the doors, controlled by numeric keypads that logged our codes.

      Fat lot of good those did. While I was still working for that company, someone made off with a brand new combination TV/VCR, probably by waiting until the evening cleaning crew left the door unlocked. After that theft, my boss and I put in a passable security camera system consisting of some dinky yet highly visible cameras trained on the office doors, and one watching the door to our equipment storage and server room, from inside the room. We ran the camera inputs into a 4-way combiner, and then into a spare Mac with a video capture card and running webcam software that snapped a picture when movement was detected during non-business hours. Nothing further disappeared, though the system did catch some amusing photos of me staggering around the halls the morning after my 27th birthday party, when I crashed in my office.

      I've been gone from that company for almost a year but I still talk to friends there. I heard that a month or so ago, employees of a different location of the same company (without security cameras) came in one morning to find about 10 Dell laptops were gone, ripped out of their docks by a guy who waited for the cleaning crew to start working and slipped into the offices. The company's solution to that one: All laptops must now be taken home at night.

      ~Philly
  • it's thing like this that make me want to be a repo man [imdb.com].


  • Having worked at IBM SSD here in Tucson, I can tell you for a fact that Big Blue takes their security very, very seriously.

    I worked out on the floor -- Your typical raised-floor temperature controlled room, except on a very large scale. [uatechpark.org] Without going into specifics, getting to work was always fun when it came to security. You have to go through a human checkpoint, then one card-access doorway, then another combination human/card-access doorway with a tailgate alarm.. At each point along the way you're monitored on cameras mounted in the ceiling Occasionally, if your badge doesn't work, a voice comes over the loudspeaker where you are and asks you to hold up your photo badge so they can confirm who you are before continuing. :) Beyond that, there are very, very tight controls on leaving confidential materials out in the lab overnight. We were told that janitors and off-hours maintenance crews have been busted flipping through test plans and selling off information outside the company.

    My favorite story comes from one of my old floor bosses at IBM. He used to work for a defense contractor out east in New Jersey, right off the turnpike. He claims someone got busted sitting on a highway overpass with a camera and telescopic lens attachment, photographing the blackboards inside the plant. "Thats why all the exterior windows have reflective tint nowadays. Its a safety measure."

    Fun stuff.. I miss IBM like you wouldn't believe. Friggin awesome company to work for.

    Cheers,

    • Though it was back in the mid-80's, I can attest to IBM's security policies. Especially when I broke into a secured server room at IBM which had one of the two prototypes for the biggest, newest mainframe they were developing. (It's not quite THAT amazing, as I had the proper clearances for access to it, but the point is that others could have done what I did.)

      Background: This was only a few years after an IBM competitor (Hitachi?) was found to have stolen plans for one of their still under development mainframes (IIRC it was the 3081). So, there was intense security throughout the site.

      There were badge locks everywhere; to get into the parking lot, to get into the building, to get into the server room, and then another to get into the specially-constructed section of the server room where the prototype was located. I was working 3rd shift doing some testing on this new box. (Sweet! It could support hundreds of concurrent users, and I had it all to myself!) Anyway, at one point, I realized I needed some more blank mag tapes and stepped out to the main computer room to get them. Went back to the secured room and realized I had left my badge next to my terminal and I was locked out. What to do? (At that time of night, there was nobody around at all.) Yes, I could have called security at another building and waited about 30 minutes to an hour for them to let me in. But I had way too much to do and couldn't adfford the loss of time on the machine.

      Then it hit me. There was raised floor here, and also in the secured area. Popped up one of the raised floor tiles on this side of the badge lock, crawled underneath, and pushed up a floor tile on the other side. Took about a minute to get in.

      Told my boss about it the next day, and they soon had a construction crew extending the walls through the raised floor down to the concrete floor below it. And, up beyond the ceiling tiles, too. I was thanked for revealing the security hole, but was also strongly advised to follow proper procedures about calling for help from Security in the future.

      So, I'd suggest taking a look at the physical security in YOUR area to see if someone could gain access by climbing over ceiling tiles or under raised floors.

  • I wonder if small companies (30 people) are more secure than large companies. A common theme between the article and posts are that no one knows who works in their own company. But in a small office, everyone knows everyone, and a stranger is obvious. It's also usually known by when someone is expecting a visitor, so an unexpected drop-in would also be obvious.

    Are small companies less resistant to social engineering, because of greater employee "intimacy"? If so, how can this be utilized at larger companies to increase security?


  • From the "Beyond Hope" Hacker Conference:
    (streaming real audio)

    Social Engineering [2600.com]

    It was quite entertaining as well as educational.


    Another Soc Eng panel from the "Hope 2000" Conference:

    Social Engineering Panel [h2k.net]

  • I'm not surprised that it's this easy.

    One cause is companies, despite security policies, routinely violate them themselves. You may say that a receptionist/guard/etc. is to challenge all vistors and ask for ID, but the first time they do that to a senior executive or VIP from out of town and get smacked down for it, they'll never question anyone again.

    OTOH, I worked for an organization that took security seriously. You were to challenge anyone without a badge, and escort them to sercurity if tehy didn't have one. I challenged teh CEO once - he pulled out his badge, showed it to me, and clipped it to his collar, where it should have been. No "don't you know who I am?", no nasty note to my boss; just a simple "thanks" and doing what he expects everyone else to do. Of course, that also takes a leader, not a manager.

  • Legendary story (Score:2, Interesting)

    by atomico ( 162710 )
    I once heard a nice story, I don't know if it's true but I think it is worth telling:


    It happens in Germany, at Siemens, the giant electrical engineering and electronics corporation. The über-boss, a member of the von Siemens familiy, an old man at the time, routinely used to test how easy was to enter his company facilities (most of the employees had seen photographs of him). Once, he tried to enter a factory where he meets this old-guard janitor, a typical case of prussian education. Von Siemens is denied entry, even when, having confirmed that the entrance was guarded well enough, he wanted to finally go into the factory. The old janitor kept on saying Yes, you are telling me you are von Siemens and you really look like him, but if you don't produce a valid ID, you are not entering this building


    Von Siemens had to wait until the following day and the janitor was promoted.

  • ID Story... (Score:2, Interesting)

    by big_groo ( 237634 )
    A couple of years ago, I was working late in the office one night (maybe 5:30 or so) and this woman came up to me asking me where the copy room was. I asked her if I could see her ID, because the company has a policy of visible ID at all times. She kind of chuckled and said it was on her desk. I didn't know what to do next, as I was relatively new with this company, so I asked her if I could see it (Mine was clipped to my belt). She agreed, and walked me around to the other side of the office to her *office*. A big office. She shows me her ID, I apoligize for the inconvienience, but she says "no no...that's ok!"

    Monday, I show up at work and everyone is laughing at me. Turns out, I ID'd the new VP. Later that morning an email went around asking everyone to be more security conscious, and always ask someone you don't know for their ID.

    It was sent out by the VP and corporate security.
    People stopped laughing, and started asking for ID from those they didn't know.

    Moral of the story: it doesn't hurt to ask someone to show their ID, and you never know who you'll be asking. (Plus, the brownie points are fabulous!) ;)

  • ...for getting passwords. I have one that can record about six minutes of video. It's so easy to set it running, then have it surreptitiously pointing at a keyboard when someone logs on. Then you can down load the MPEG, and go through it frame by frame.

    (Not that I'd ever do something like that, but as I do a bit of 'ethical hacking' as part of my job, I have developed a deviously cunning mind ;-) ).

  • I do this for a living too. (Score:5, Funny)

    by kemster ( 532022 ) <kem327@m[ ]com ['sn.' in gap]> on Sunday October 28, 2001 @11:02AM (#2489651) Homepage
    My neighbors pay me to do this as well. I check out their home security on a nightly basis. Usually they don't have the cash laying around to pay me, so I just grab TV's, VCR's, computers, etc, as payment. Of course, the way we play the game, if they catch me breaking in they call the police, but otherwise I get to keep the stuff. It's real fun, you guys should play with your neighbors..
  • You know, we should have a unit basically dedicated to
    thinking up terrorist attacks to the united states, and
    trying to "implement" them. Just more war games. So
    we get a couple of agents trying what the Sep 11 hijackers
    tried on July 13th, and we shore up weaknesses before they're
    really exploited (we would, of course, have our gamers stop
    short of say, actually killing or even threatening anyone. Wouldn't
    do to have people saying "Oh, this isn't a REAL terrorist attack...
    it's just the gamers. Sit back, everything's going to be OK.").

    Actually, I know this is done to some extent. A couple of
    weeks ago, for example, I heard a guy on the radio who
    used to work out at Dugway Proving grounds in the Utah
    west desert. His job for a while was to come up with
    anthrax delivery scenarios.... from city wide to single
    building to single person. I don't know if they actually
    disseminated a "marker" substance to test their theories
    and come up with security techniques, but I'd be happy
    to some portion of my taxes spent on such a thing.

  • Is it really that difficult or costly for companies to implement things like retinal/iris scan, voice printing, etc. for highly secure areas? I've always felt we can have no true security based on things like ID cards (lendable and counterfeitable), passwords (crackable, write-down-able, storable), and human security guards (con-able). It would be rather intrusive and expensive, I'm sure, to implement biometric scanning for every person entering a public building, but if the critical security areas of that building were restricted to root users via biometrically automated door locks, breaches of mundane perimeter security would be less threatening.

    OTOH, I'm sure someone will reply that biometrics has a weakest link as well. E.g., intruder could corrupt a root user and get their retina authorized into the system illegitimately, figure out some kind of black box to hold up to the scanner, crash it to its embedded version of shell prompt, and send it "unlock door" command, etc. But from my perspective, biometrics kicks the ass of any other solution, and I'd feel a lot safer if airports, highrises, and public utilities were using it for critical areas.

    * * *
    • There are three types of authentication mechanisms: somthing you know (password or combination), somthing you have (key or token), or somthing you are (biometrics). Relying on any one single mechanism is failure prone. You get a lot better security if you combine two or more mechanisms.


      For example, an ATM requires you to have a specific object (your card) and special knowledge (your PIN). Either of these elements can be compromised without compromising the entire system.


      Relying exclusivly on biometrics is as big a mistake as relying on any other single authentication mechnaism.

  • I used to work for a defense contractor, and our lab was a restricted area. We were instructed to challenge ANYONE we didn't recognize as being on the access list, even if their badges showed the proper clearance...

    One of my co-workers challenged the company president (he was not on the list, and he was unescorted). She got atta-boyed!

    Wish I'd been there to bust the pres...
  • Quite a few years ago I recall seeing a documentary on security guys. One used to get into the buildings, usually dressed as phone tech or similar, and just leave a biz card on their patch panel "If you find this you need me." or somesuch. Very cool way to advertise (although some ahole would slap a charge eventually).
  • The article mentions tailgating in passing. This strategy is so effective, one wonders why anybody bothers with any other approach. Most receptionists will insist on seeing credentials, no matter how many packages or clipboards you have.

    I once contracted at a large company that was so paranoid, contractors had to be re-badged every six months, the firewall only passed http and email, and there were even rules about leaving your workstation logged in and sending sensitive info via text page! Yet they had a serious tailgating problem. Headhunters would routinely sneak in to make the rounds. Nothing was done until valuable personal items started disappearing from people's desks at several locations, and security decided that the thief was a tailgater. They had the receptionists crack down, and launched an educational campaign. So it became much harder to sneak in -- for a while. Don't work there anymore, but once the thefts stopped, I doubt if people remained careful.

  • Damn reminds me of the good old days! (Score:3, Interesting)

    by Telek ( 410366 ) on Sunday October 28, 2001 @06:07PM (#2490641) Homepage
    I remember once, in high school, I was trying to hack around into our Novell 3.11 network that was connected to a WAN that had 22 high schools and about 180 elementary schools hooked up to it. (It was pretty sweet back then!). I had done all of the hacking from the library in open sight (I mean, a hacker wouldn't possibly do that, right? So mustn't have been one... ;P) and I made friends with the librarians as well. One day (after I learned of the 'server debug mode') I realized that if I could just get physical access to the server (which was in one of the rear librarian's only rooms) I'd be all good. So I just got up courage, and walked straight in! Walked up to the server, did the deed, walked back to my machine, logged in, returned to the server, removed the deed, stopped to say hi to one of the librarians on the way out and back to the computer, now logged in as Supervisor. Of course, because of really really stupid network admins at the board office, it was rediculously easy to get access to the master network at the board office as well. I ended up using a brute force password hacker and got 320 of 540 passwords, including 5 supervisor-equiv accounts. I ended up phoning up the head of the network admin at the board (who was rumoured to be a cool guy), got his voicemail and said "Hey, I think we need to talk. I'm such and such from such and such high school and I wanted to talk to you about network security. Please call me back here, and by the way, I hear that Greece is wonderful this time of year" (His password, of course, was "Greece"). Needless to say I got a phone call back pretty quickly saying "Hi. Let's talk."

    Ahhh, back to the good old days.

  • Very appropriate comic... (Score:3, Funny)

    by Loligo ( 12021 ) on Sunday October 28, 2001 @06:31PM (#2490684) Homepage

    Nodwick [gamespy.com] from a few days ago.

    -l

  • False security... (Score:3, Insightful)

    by Talkischeap ( 306364 ) on Sunday October 28, 2001 @09:18PM (#2491139) Homepage


    Heh... what a great job!

    Back in '77 after the first "break-up" of Pacific Bell, I was a telecommunications tech at a small interconnect in Santa Clara, CA (i.e. Silicon Valley), one of three troubleshooters in the company, so I usually worked alone. We had no company uniforms or other identifying paraphernalia, but my tool belt was my "badge".

    We sold state of the art (for the time. eh?) NEC microprocessor controlled, time division multiplex phone switches, and smaller office sized systems. Our switches kicked Pac Bell's ass, they ruled because the telcos in the USA we still in the dark ages.

    Anyhow, my territorry was from San Francisco (and the rest of the Bay Area) to Montery, we had phone systems in many high tech companies, so I was steeped in the culture.

    It didn't take me long to observe that I could go virtually anywhere in most of these companies, without question. Often even without a visitors security badge, company employees, and even security guards would open doors for me if my hands were full.

    It seemed that my tool belt and butt set (Linemans test set) hanging off of it, was all I needed to have the run of the place. I started to play a "game", to see just how good their "security" was.

    So here I am, this spikey haired punk rocker, in street clothes, but with my tool belt, butt set, and a professional attitude, walking up to a security guard and saying to him, "Hey, I need to look in that locked room over there to see if there is any phone equipment in there.".

    They allways walked over and opened it for me without question, and then walked away reminding me to lock it when I was done. I did this just for grins at many of the companies I visited.

    In those days, computers were still refrigerator sized, and filled large, lead lined, air conditioned rooms with raised floors, with lots of cabling under them, tended to, by clean-cut guys in long white lab coats (no kidding). And every company had a security guard at the door of these special rooms.

    One day I screwed up my courage and decided to see if I could gain access to one, I had zero reasons to go in there, since there was never phone equipment in these rooms. I nervously walked up to the door, looked the security guard in the eye, and he glanced at my tool belt and test set, and opened the door for me without a word between us!

    Next thing you know, I'm wandering around this large computer room, pretending to look like I know what I'm doing. None of the guys in there even pretended to notice me, I could have done what ever I wanterd, and nobody would have questioned what I was doing.

    At work, I started to brag about how people were so easily manipulated by "normal" circumstances. None of my coworkers believed me, they were just like the people in these companies, they were non-observent.

    One day, I needed some help, so I brought my boss along. We finished up our job and as we were walking out, I reminded him of my discovery, he said "bullshit!" . So I said "follow me", and walked toward the big computer room.

    The security guard didn't bat an eye, and unlocked the door for us without a word. I was the only one with a tool belt, my boss was also in street clothes, we could have been anybody, but the magic tool belt, butt set combo got me through again.

    My boss was blown away, and was also very nervous about being in this formerlly taboo computer room, so we exited. On the way out of the building, I couldn't resist, and stopped at random and asked the closest security guard to please open "that closet, over there", he of course, complied.

    My boss was very impressed, but wasn't at all happy that I was doing this for "fun", and the next morning at work, I was admonished to never do "that" again.

    I guess my point is, that people are easily fooled by normal seeming circumstances, and that security is often a Paper Tiger.

  • A while back Microsoft was in town running a conference. One of the gigs they had was a little party out at a local theme park. I copied my mate's ID card, and we waltzed up to the gate. We were let through without even being asked for ID, and we were free to enjoy the food and rides all night. :-)

    Complete story [kimihia.org.nz].

Slashdot Top Deals

% APL is a natural extension of assembler language programming; ...and is best for educational purposes. -- A. Perlis

Close