Hacker Series - In Real Life
OR...5 Ways To Thwart Physical Hacks
Shawn Stewart
Mr. Stewart has 28 years of experience with hundreds of international, commercial, military, and government IT projects. He holds certifications with ISC2, Cisco, Microsoft, CompTIA, ITIL, Novell, and others. He has a Masters in Cybersecurity, a Bachelors in IT, a Minor in Professional Writing, and is a published author.
I am a hacker. Sure, I prefer to sit in my sweatpants at my computer and steal your data, but sometimes I have to get my hands dirty. Sometimes I have to find a way into your system that doesn’t just involve the Internet. Maybe, and this is usually a stretch, your IT staff or outsourced IT professional followed all the previous recommendations and has your public-facing Internet connections locked up tighter than the “no cameras” policy at the annual sales meeting in Vegas. I have to find another way in, and, oh boy, are there plenty of options! If you missed the first three (3) articles in this series, click here – Part 1 (Link), Part 2 (Link), and Part 3 (Link).
Hackers Love Your Oversharing
Most companies beg their employees to go out and tell the world who they work for on LinkedIn or other sites. You think it is free advertising, or that showing how big your company is will lead to more sales and more money. You are wrong. LinkedIn is the hacker’s favorite website for profiling companies that overshare. Would you post pictures of the whole family in Cancun while your house sits empty? LinkedIn, Facebook, Twitter, Instagram, all of them are windows into your company.
This is called Open Source Intelligence (OSINT). Read more about OSINT here (Link). From your employees’ profiles I can build an organization chart of targets: names, titles, and who reports to whom. I can find out when your C-Levels are traveling to events for training and speaking engagements. You tell me all about your latest clients and industry wins. Sometimes I don’t even have to guess your email addresses because you post them with pictures on your website, and once I know one address I know your naming convention for everyone else. I love you trusting idjits! When the spear-phishing campaign kicks off, it will be believable because I’ll use real names, reference real projects, and copy your email signatures.
Hackers Love Loose Lips
But why bother trying to get you to click on something when all I have to do is call in and ask for a password? This works way too often. I call someone, anyone in your company and say, “Hi, Janice, this is Larry with IT. My boss, Curly, and your boss, Moe, were talking about the new password update and he asked me to call and update it for you as a courtesy.” Yeah, Janice knows Curly and Moe, so why wouldn’t she trust me, I mean, Larry? I now know her password and we can both log in.
What if I just want access and I have a wad of cash to hand out to get it? Meet Tyler. Tyler is a recent grad and new employee in the mail room at your company. Tyler knows he has to work his way up the corporate ladder from the bottom, but, man, are his student loans expensive! Tyler also likes to complain about his job on social media to anyone who will listen. I become Tyler’s friend online, pretending to be some obscure acquaintance he met at a party freshman year at State. Of course I know all about him. He posted his life history on the Internet.
Inside Job
I can be sneaky or I can be direct, but either way, Tyler gets cash and I either get information, access, or he plugs in a device for me. I can say I created this really cool tool to speed up his Internet. All he has to do is download the software or plug in my Raspberry Pi. I can feed him information as I find it on the network, like what everyone else in the company makes or that video from the office Christmas party. Sure, Tyler is an easy target, but it’s soooo much better when I can turn an IT guy.
I have to pay the IT guys more, but sometimes they can give me everything I want or need without my typing a single line of code. How much would I pay for an old backup tape from, say, last month? How much can I sell it to your competitor for? It’s still a hefty bonus for the IT guy. And it’s one of the easiest ways to get data because a full backup typically includes local copies of Cloud data, password stores, logins, network maps, and more. If that tape isn’t encrypted, it’s the gift that keeps on giving. Don’t think this happens? Read what the FBI says about corporate espionage here (Link).
Getting My Hands Dirty
What if I can’t convince anyone to take my money? You know, upright citizens? Then I have to show myself. Well, not exactly myself. I dress in a hat, fake glasses, fake beard, fake tattoos, baggy clothes, and, thank you terrified paranoia, a mask. I might throw on a hard hat, reflective vest, and carry a clipboard. I walk into your office with my fake ID and just say, “Hey, I’m Mike with AT&T, is your Internet slow?”
Almost everyone will believe their Internet is slower when asked. I don’t know why, but I love it! If I can get access to your server room, I can plug in my Raspberry Pi, which, by the way, has a sticker that says, “AT&T Internet Monitoring – Do Not Disconnect”. I also have my direct phone number on the box so when someone calls, I can quell their fears personally.
This one is a fun bit of role play, or cosplay, if that’s how you roll. If I get spooked or someone won’t let me in, I can get rid of the fake stuff, park myself at a Starbucks, and wait for the heat to dissipate. Building security and cops aren’t looking for me. In fact, it will be pretty dang difficult to describe me. You probably couldn’t see my eye or hair color. The beard will definitely not be the same color. Once I ditch the get-up, I won’t look anything like the person the receptionist saw.
I even have a Raspberry Pi conveniently built into a wall jack cover. That means all I have to do is plug it in over an existing wall jack and it looks like nothing is there! Do you know how many companies leave every switch port enabled, with no port authentication, whether or not anything is supposed to be patched to it? And nearly every switch has Power over Ethernet (PoE) these days, so my implant doesn’t even need a power outlet.
Maybe I find a job posting online for your company, walk in dressed like a politician, and ask about the position. While the receptionist and the cameras aren’t paying attention, I plug it in, right in the lobby! If your company has a courtesy lobby phone, odds are high the jack next to it, or the phone’s own PC passthrough port, is live, and my little invention will work without issue. I’ll bet no one ever finds it until you remodel. The little box gives me a direct line into your company, and unless your network team compares the switch’s MAC address table against an asset inventory, not even your best network guys will find it.
Whaling In America
Or maybe I’ll just come to you. Your CEO is giving a speech at that big industry conference in Miami. It’s worth a plane ticket and hotel to follow him around and snag his phone or laptop. I might even be able to clone his hotel key card and copy all his stuff while he’s out singing Journey karaoke. If I really want to escalate, I might hire someone attractive to keep his attention while I pilfer his data. If a nation-state is paying the tab to get into the company, you might be surprised at the lengths they’ll go to. Even competitors are willing to drop cash as long as they can’t be implicated.
Hacking The Bottom Line
When are you clowns going to learn that data is the real currency in the world today? Sure, I’ll gladly wipe out your bank accounts but that leaves a trail. If I can get your data undetected, then I get paid and you’ll never know I did it. Will I turn on ransomware and ask for money? Why? I got what I came for. And you never had a clue I was there!
Five (5) ways to keep hackers’ hands off your network:
1) OSINT Cleansing – For the love of all things Holy, STOP POSTING YOUR COMPANY INFORMATION ON LINKEDIN! Corporate policy should dictate that employees CANNOT post their current title, team, or responsibilities in the company. Salespeople can. They come and go so often that they typically have little access to anything anyway, and they’re the only ones customers need to know actually work at your company.
2) Insider threats – Besides training, all employees must sign legally binding documents that hold them accountable for their actions with data. Managers should NEVER dissuade employees from taking security seriously. In fact, managers should lead the charge by reprimanding employees when necessary. Job rotation and separation of duties also ensure a single person never has sole and full control, especially in IT. Call monitoring and email monitoring may sound extreme, but whose company is it?
3) TRAINING, TRAINING, TRAINING – I’m not talking about a module everyone puts the same answers into every year for HR requirements and a gold star. People at every level need to be trained to recognize and stop data theft. It starts at the TOP! C-Levels must take more intense training than everyone else, since they are the biggest and most sought-after targets. Gatekeepers such as receptionists and physical security guards need additional and more detailed training, too.
4) Certificate-Based Authentication – Every device that connects to your network should have to prove it is authorized. The best way to verify is certificate-based authentication: 802.1X with EAP-TLS, where a RADIUS server checks a certificate issued by your own PKI (stored in the device’s TPM where possible) before the switch port or wireless controller passes any traffic. If the device cannot present a trusted certificate, it doesn’t get access, or at most lands in a quarantine VLAN. Older devices incapable of this level of security, such as printers and badge readers, must be segmented and kept away from the primary data network via a firewall; don’t let them onto the primary network with MAC Authentication Bypass, because a MAC address is trivial to spoof.
5) Sensors and Physical Security – Video record every server room and network closet in your organization. You can start recording when an employee badges into the room or upon movement. All activity inside a room with direct data access should be monitored. Physical guard presence may be necessary. Further, locking cabinets and server racks ensures only necessary access is allowed. Place network connected sensors on all access doors, server rooms, server racks, and network racks. If someone can bypass access card security, you will still be alerted when the door opens.
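The wall-plate Pi described earlier succeeds because nobody looks at what is actually attached to each switch port, and item 4 only helps if somebody checks that every port really is enforcing it. Here is a small audit script, added as an example for this article and not the author’s own tooling, that sweeps a switch’s 802.1X session export for exactly those signs: a session on a port that should be shut down, a device that got in by MAC bypass on a port that requires a certificate, a second host hiding behind the lobby phone’s passthrough port, a MAC that isn’t in the asset inventory, and a Raspberry Pi OUI. The export format, port policy, inventory, and session lines are all constructed for the example; a real switch or NAC exports differently, so adapt parse_sessions to it.

```python
"""Rogue-device sweep over an 802.1X switch session export.

Added example for this article, not the author's code. It assumes a
hypothetical export with one line per session:
    <port>,<mac>,<method>,<status>
where method is dot1x, mab or none and status is authz-success or
unauthorized (Cisco-style names; adapt parse_sessions to your switch or
NAC). Inventory, port policy and session lines are all constructed.
"""
from __future__ import annotations
from dataclasses import dataclass

# Raspberry Pi OUIs (first three octets). An attacker can spoof a MAC,
# so this only catches the lazy implant, but most are lazy.
PI_OUIS = {"b8:27:eb", "dc:a6:32", "e4:5f:01"}

# Constructed asset inventory: MACs the company actually issued.
INVENTORY = {
    "00:11:22:33:44:55": "WS-ACCT-07 (laptop)",
    "00:11:22:33:44:66": "PRN-FLOOR2 (printer)",
    "64:16:7f:aa:bb:cc": "LOBBY-PHONE (VoIP)",
}

# Constructed port policy: "dot1x" ports must authenticate with a
# certificate; "mab" ports are legacy gear on a segmented VLAN that may
# only use MAC bypass. Ports absent from the policy are supposed to be
# shut down, so any session on them is a finding.
PORT_POLICY = {"Gi1/0/1": "dot1x", "Gi1/0/2": "dot1x", "Gi1/0/7": "mab",
               "Gi1/0/9": "dot1x", "Gi1/0/12": "dot1x"}
# The lobby phone jack: the phone authenticates, nothing may hang off
# its PC passthrough port.
SINGLE_HOST_PORTS = {"Gi1/0/9"}

# Constructed session export; comments mark what each line represents.
SESSION_EXPORT = """\
Gi1/0/1,00:11:22:33:44:55,dot1x,authz-success   # clean laptop
Gi1/0/2,00:11:22:33:44:77,mab,authz-success     # unknown box, got in by MAB
Gi1/0/7,00:11:22:33:44:66,mab,authz-success     # printer, allowed MAB
Gi1/0/9,64:16:7f:aa:bb:cc,dot1x,authz-success   # lobby phone
Gi1/0/9,b8:27:eb:12:34:56,mab,authz-success     # Pi behind the lobby phone
Gi1/0/12,aa:bb:cc:dd:ee:ff,none,unauthorized    # plugged in, rejected by 802.1X
Gi1/0/24,dc:a6:32:00:00:01,mab,authz-success    # Pi on a jack nobody shut down
"""


@dataclass(frozen=True)
class Session:
    port: str
    mac: str
    method: str
    status: str


def parse_sessions(text: str) -> list[Session]:
    """Parse the constructed export; MACs and keywords are lower-cased."""
    sessions = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        port, mac, method, status = (f.strip() for f in line.split(","))
        sessions.append(Session(port, mac.lower(), method.lower(), status.lower()))
    return sessions


def audit(sessions: list[Session], inventory=INVENTORY, policy=PORT_POLICY,
          single_host=SINGLE_HOST_PORTS, oui_watch=PI_OUIS) -> list[tuple[str, str, str]]:
    """Return (port, mac, reason) findings; a clean export returns []."""
    findings = []
    per_port: dict[str, list[Session]] = {}
    for s in sessions:
        per_port.setdefault(s.port, []).append(s)
        if s.status != "authz-success":
            # 802.1X did its job, but something is physically on that jack.
            findings.append((s.port, s.mac, "rejected by 802.1X: go see what is plugged in"))
            continue
        want = policy.get(s.port)
        if want is None:
            findings.append((s.port, s.mac, "session on a port that should be shut down"))
        elif want == "dot1x" and s.method != "dot1x":
            # MAB and open ports accept any MAC; a spoofed address walks in.
            findings.append((s.port, s.mac, f"port requires EAP-TLS but session used {s.method}"))
        if s.mac not in inventory:
            findings.append((s.port, s.mac, "MAC not in asset inventory"))
        if s.mac[:8] in oui_watch:
            findings.append((s.port, s.mac, "Raspberry Pi OUI"))
    for port, group in per_port.items():
        if port in single_host and len(group) > 1:
            macs = ",".join(s.mac for s in group)
            findings.append((port, macs, "multiple hosts on single-host port"))
    return findings


if __name__ == "__main__":
    for port, mac, reason in audit(parse_sessions(SESSION_EXPORT)):
        print(f"{port:9} {mac:40} {reason}")
```

Run it on a schedule against a fresh export and diff the findings against the previous run; a new MAC on the lobby jack at 2 p.m. on a Tuesday is exactly the event the video in item 5 should be pulled for. The inventory check is the one that matters most: the OUI list catches the lazy attacker, but the attacker who bothers to spoof a MAC still has to spoof one that belongs on that specific port.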
Need Help?
Reach out to us! We’re all in this together. Visit our contact page to submit an inquiry. Also, please follow us on social media for the latest updates.