Where an organisation's cybersecurity proves impenetrable, the physical security of its systems may be a great deal easier to breach, as the following case will show.
I was part of a team contracted by an organisation to identify the weak links in its security, using any method we wished to gain access to its systems. Our first hacker attack on its Internet-connected machines was totally unsuccessful: the servers were well maintained and properly configured.
So we decided to do some 'social engineering,' visiting the company in person and trying to find some passwords or other useful facts by walking around the offices. In the past we've found passwords under keyboards, on whiteboards and even stuck to monitors on Post-It notes.
Getting through the front gate wasn't going to be easy, as the reception was occupied by a receptionist. To get past him, we needed to flourish an invitation to visit from a member of staff. Only thing was, we didn't know the name of any employee.
We surfed the company Website searching for any clues or hints. We were lucky: there was a discussion area where the Internet community could exchange opinions on the company's products.
In one of the newsgroups there was an interesting message from someone, let's call him John, who was sorry to respond so late but he'd been very busy with organising first-aid training in the company.
By pretending to be a friend of John's who was very interested in adopting the first-aid training, we thought one of us might be able to get past the receptionist. Usually, I'm not the one who plays the social engineer: I'm too nervous to act naturally.
This time, however, we needed someone who had a reasonable knowledge of first-aid, which meant me.
I put on my suit and got to the main entrance looking as relaxed as possible. I was prepared for my first-aid discussion and was convinced that John would subsequently let me find my own way out, which would be a perfect opportunity for sneaking around before leaving.
I was in luck. The receptionist wasn't at his post! I walked quickly past the desk and decided to spend a few minutes in the toilet to calm down as I was just too excited. Opening the door, I virtually fell over the receptionist, which explained his absence from his desk.
A few minutes later I was walking alone through the building. I found an empty room. As it was holiday time, many employees weren't at work. I attached my laptop to the company network and fired up a sniffer - a handy tool which shows all network traffic. While the sniffer was busy, I checked the walls of the room and all the usual places where passwords can be found, but without success.
After half an hour, though, the sniffer had collected several passwords from the network, allowing me to install a Trojan that would make contact with my computer every hour. This got around the company firewall, which was screening incoming network traffic, but not the outgoing connections. I logged off and left the company smiling politely at everybody I met. Back home I switched on my computer and waited. Once the hacked computer established the connection, I could do anything from my home that a bona fide company employee could do from inside the building. Proof, should any more be needed, that security is only as strong as the weakest link in the chain.
Sten 's10' Kalenda is security manager at security specialist PinkRoccade.
This was first published in January 2001
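The hourly outbound callback described in the account above is the kind of traffic egress monitoring can catch. The following is an added example, not part of the original article: it flags internal hosts that contact the same external address at near-constant intervals. The log format, addresses, thresholds and the name `find_beacons` are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample of egress log lines (format is an assumption):
# <ISO timestamp> <internal source> <external destination:port>
SAMPLE_LOG = """\
2001-01-15T09:00:04 10.0.4.23 203.0.113.50:80
2001-01-15T09:03:41 10.0.4.57 198.51.100.7:80
2001-01-15T09:47:10 10.0.4.57 198.51.100.7:80
2001-01-15T10:00:09 10.0.4.23 203.0.113.50:80
2001-01-15T10:02:30 10.0.4.57 198.51.100.7:80
2001-01-15T11:00:02 10.0.4.23 203.0.113.50:80
2001-01-15T12:00:11 10.0.4.23 203.0.113.50:80
2001-01-15T13:31:55 10.0.4.57 198.51.100.7:80
2001-01-15T13:00:08 10.0.4.23 203.0.113.50:80
"""

def find_beacons(log_text, min_events=4, max_jitter=0.05):
    """Return {(src, dst): mean_gap_seconds} for flows whose gaps between
    connections are nearly constant (a timer, not a person)."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        try:
            stamp = datetime.fromisoformat(parts[0])
        except ValueError:
            continue  # skip lines with an unparseable timestamp
        seen[(parts[1], parts[2])].append(stamp)

    beacons = {}
    for flow, stamps in seen.items():
        if len(stamps) < min_events:
            continue  # too few connections to judge regularity
        stamps.sort()  # log lines may arrive out of order
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # Coefficient of variation: spread of the gaps relative to their mean.
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[flow] = round(avg)
    return beacons

if __name__ == "__main__":
    for (src, dst), gap in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: every ~{gap}s")
```

A check like this only has data to work with if outgoing connections are logged at the firewall in the first place.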