Monday, July 17, 2006

The Shocking Ease of Breaching Corporate Security

This is going to blow your mind. It did mine.

Never mind the high-tech, hacker/computer slave, covert espionage like you see Chloe performing on the TV show “24”—it’s just not that clever, but just as effective. She puts way too much work into it, but she does it for speed.

Gone are the days of rummaging through corporate dumpsters all night long, looking for reams of documents that led to computer trash can access, or documents with that fatal UNIX code buried somewhere in the text.

Also gone are the uber-hackers who had many tricks up their sleeves for making a computer bend to their whims…they now work FOR security firms instead, meaning they get paid for defending corporations from the likes of them. Kevin Mitnick must be dying of boredom somewhere!

Enter the low-tech spy, someone who gains access with forged documents instead of shredded ones—he who puts the human touch in security breaches. As I mentioned in another blog article, gaining entry can be as simple as a business card in a “free lunch” bowl down at the local eatery, especially when everyone’s guard is down—especially those who are paid to be on guard, starting with gate security personnel. People are human, in that they’re going to become lazy, forgetful, and/or let their guard down in the face of familiarity, and this is what the information thief is counting on.

Another thing to consider is this: in the not-so-obvious lies the vulnerable. I’ll give you an example: a nuclear power plant staff had developed plans for “the next generation” plants, and made some of this information available to their graphics department for creating shareholder brochures and new investor information packets. On the surface, this seems harmless, because it’s still in-house, right? Wrong.

Enter said spy with the “free lunch” card that has now become a visitor pass—he just so happens to have knowledge of the NG plants through Wall Street chatter, and has assumed an identity specifically for the purpose of acquiring information personally from the plant itself. At the front gate, he flashed the business card and told a story about an appointment. From there, he has turned that same business card into a visitor badge, and plays the part of a vendor representative. Pretending to be some sort of computer system/software repairman, he asks a cubicle dweller to perform some minor tasks like logging in and out, all the while watching over a shoulder for user name and password keystrokes. With his own laptop now plugged into the company’s system, he enters his newly stolen name and password, then goes on the hunt for his real target: those NG plant plans. Finding a LAN password-protected area of the system, he gets up, goes to that department (in this case, the graphics department), and plays his charade all over again. With the new LAN information he got while shoulder-surfing, he again returns to his own laptop to retrieve the wanted files for himself.

All along the way, nobody bothered to make a call to verify this guy’s identification, or to confirm that he had indeed been requested by an ailing department.

At the end of his little activity, he printed out the information and went straight to corporate security, and proceeded to tell them exactly how easily he was able to penetrate many layers of lax defense. This man was actually hired by the corporate HQ, who wanted to know precisely how their corporation and its files were vulnerable and could be penetrated—now they know, and so do you. But this man could’ve been anybody doing God-knows-what with those plans.

Another example: the same man went into a different corporation and managed to get himself hired as a computer security technician. Again, he easily obtained user names and passwords, but from a different source—the employee newsletters. The corporation was still using the old UNIX systems, and employee names (first initial, last name) were the user IDs. He still needed a password, though, and that wasn’t hard to get with his new designation as a security tech. All he had to do was walk into an office, introduce himself, and get the occupant to perform a few distracting computer operations that included logging out and back in. When the occupant logged out, he had to call the receptionist to “find out what the password was,” a strong tip-off that the company used one password for the entire system. Again, watching keystrokes, he obtained the password he needed to gain entry and fish around. While he had this occupant jumping through useless motions, he looked around and noticed a box on a shelf marked “backup disks” ripe for the taking.

Returning to his terminal, he used his new password along with a random name from the newsletter list, and gained access—so much access that he was able to download files on five new high-ticket product prototypes, and download a list of all employees’ payroll records from the HR department. He felt so bad about the ease of accessibility that again, he went to the head of corporate security and came clean about who he really was, and how easy it was for him to penetrate the whole system to obtain those prototypes and records—and again, God knows what a real spy would’ve done with them.

This time, he was NOT hired by anyone at HQ. He got hired on his own merits, and still serves as a security consultant to this day.

Nowhere along the line were any phone calls made, secret hacker tricks employed, dumpster contents scavenged, vents climbed through, or key people paid off—nothing was used but good old-fashioned reliance on the human element.

Trust may as well be made of plastic wrap—a thing easily breached with not-so-obvious methods (say, heat, light, and air). Certain individuals have made it their life’s mission to be as permeable a force as heat, light, or air. All we can hope to do is develop and/or use enough layers of a thicker plastic to slow down and irritate individuals like these, especially through the use of biometrics, encryption, access restriction, and (last but not least) turning off the file-sharing option. Awareness of surroundings will also go a long way toward limiting the possibilities of breach through left-out disks or overheard or overseen information. Everything imaginable may yield clues to access, and must be kept under lock and key.

Make your security mission one that insists the hacker whip out his best and brightest skills, because today’s hackers are mostly one-trick ponies. One trick does not fit all, but one trick is all it takes to access a completely lax system that was asking for trouble in the first place. Your security system should include control of the human element, through training of employees AND a couple of security systems for when they’re bypassed (and they will be bypassed—they’re human).

Are you ready for the day when someone arrives at your company and says, “Hi, I’m Joe (or Jane) Blow, and I’ve come to look under your computer system’s hood”?

If you’d like to read more about how an average Joe with malice on his mind can open just about any corporate door, read the book Spies Among Us by Ira Winkler.
