Social engineering, practical hacks, and the great unpatched security vulnerability that is real life.
I should give you some background on myself. Before starting Teletechnical, I worked for ten years in enterprise IT and wore a lot of hats. I started off administering Windows servers, specialized for a while on Microsoft Exchange mail systems, discovered Linux and worked for a bit on that, and a few years ago discovered the world of security, hacking, and security research. But before I ever had a paycheck with my name on it, I was tearing stuff apart to figure out how it worked. Not many household objects escaped the small stockpile of screwdrivers and electrical tools I had at my disposal, and I learned a lot. I also gained an appreciation for hardware, mechanisms, and practical devices this way.
Fairly recently I probed into the world of bug bounties, security testing, and the general field of “think like a criminal for money”. For those unfamiliar, the role of a security researcher, or “ethical hacker” like myself, may seem mysterious, daunting, or even terrifying, but it is pretty simple really. I am hired to test systems for critical security flaws that could cause systems to go down or data to be stolen, write up a clear report with suggestions on how to fix them, and walk the client through what it all means to them. It is a fascinating field, and I get to go home every day knowing that maybe something I built will stop a bad guy.
There are many other professionals in this field, many of them with unique and interesting talents for software, Web work, and Internet security. As a community, we do a pretty good job. Most of the time, everything is okay, nothing gets stolen, and no-one is harmed. But the role of a hacker is to push boundaries, to think of the thing no-one else thought of. We have to be brutally honest with ourselves.
Are we doing enough?
As far as the software side goes, the answer would seem to be, unequivocally, “yes”. We already have a massive community of programmers and researchers across hundreds of bug bounty programs looking for mistakes. Those who find unusual, interesting, or crafty software bugs are showered with praise, and often money, as they should be. Finding and patching those bugs is essential.
It can be discouraging, however, for a hardware hacker like myself to find there is no such program for the realm of the physical. Nearly every bug bounty posting makes a special point of including boundaries, “thou shalt not”. Social engineering of any kind is forbidden, as is physically showing up at the data centers, offices, or other company properties. Please do not talk to our employees. Do not interact. Do not test those facets of our security, for fear someone may take it too far.
I would posit that with programs established the way they are, with hardware security, physical security measures, employee training, and site evaluations pushed to the side as “too troublesome to test”, we have opened the door to the world's largest unpatched security vulnerability. “The realm of the physical” has been overlooked, by both the public at large and within our own community. We asked once or twice if we could evaluate it, the bean counters said “no”, and we dropped the issue from there.
We have to be insistent on this point. It needs to be tested! If yours is a company that processes credit cards, physical security measures are specified in the PCI DSS (Requirement 9, restricting physical access to cardholder data). The buildings and structures, employee procedures, cameras, alarms, and hardware policy all need to be checked. Yes, it will cost money. But these measures are far from a flight of fancy.
“The realm of the physical” is one in which the range of talent needed runs much, much wider than it does for software. To execute even a mediocre software or web attack, a criminal must be at least somewhat fluent with those concepts. Logs are left in place, evidence can be left behind, and the difficulty climbs steeply from there. But when probing a business' physical security, someone with zero talent has a shot at getting something. It requires no esoteric knowledge, experience, or training to walk out the door with the CEO's laptop, steal papers off desks, or dump the contents of the paper shredder into a bag to be sifted through later.
Given my experience over many years with hardware, I approach many things from that angle. Getting into the circuits at a fundamental level has its advantages in troubleshooting, and it changes what I notice. I tend to approach problems from a simpler, more practical direction. Many articles that end up posted as “exploits” are largely theoretical. Things such as data filtering out through sound cards, throttling power supplies up and down, or finding a way to blink the hard drive LED are incredibly hard to pull off. They are not, inherently, practical.
What is practical? Well, for starters, I shouldn't have to keep telling people that “password” is a bad password. I see this one far, far too commonly, and it should make everyone in the tech community uncomfortable. Please, stop using dictionary words in your passwords, and stop assuming that a capital letter, a “1!” on the end, or swapping an “a” for “@” turns one into something else; those are the first variations any attacker tries. Yes, if you are a sysadmin with a busy schedule and you don't want to plead with another user about why they shouldn't, it can be easy to bend to pressure. You still shouldn't.
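To show why a dictionary word does not become a good password when it is capitalized, "leeted", or given a number on the end, here is an added example (not code from the original post or from Teletechnical) that stores a password the way a well-run system would, salted PBKDF2-HMAC-SHA256, and then runs the offline attack a criminal would run against that stored record. The nine-word list, the suffix list and the iteration count are all constructed for the demo and stand in for the millions of words and rules a real cracking run uses; the `is_dictionary_based` policy check at the end reuses the same mutation loop so that anything the attacker would generate is rejected at account creation.

```python
import hashlib
import os

# Constructed stand-in for a real word list (e.g. /usr/share/dict/words or a
# leaked-password list). Real attacks use millions of words; the mutation loop
# below is what makes even a short list dangerous.
WORDLIST = ["password", "welcome", "summer", "letmein", "company",
            "admin", "qwerty", "monkey", "dragon"]

# Suffixes users bolt on to satisfy "add a number or symbol" rules.
# Crackers try exactly these first.
SUFFIXES = ["", "1", "12", "123", "!", "1!", "123!", "01", "2024"]

# Letter-for-symbol substitutions ("leetspeak") users believe add entropy.
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})

# Deliberately low so the demo runs in well under a second (an assumption of this
# example; production should use far more). A larger count only scales the
# attacker's cost linearly; it does not shrink the tiny candidate set.
ITERATIONS = 1000


def mutations(word):
    """Yield the variants of one dictionary word that a cracking rule set generates."""
    seen = set()
    bases = (word, word.capitalize(), word.upper(),
             word.translate(LEET), word.capitalize().translate(LEET))
    for base in bases:
        for suffix in SUFFIXES:
            candidate = base + suffix
            if candidate not in seen:
                seen.add(candidate)
                yield candidate


def hash_password(password, salt):
    """Salted PBKDF2-HMAC-SHA256: the salt stops precomputed tables, nothing more."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def store(password):
    """Simulate account creation: return the (salt, digest) a database would hold."""
    salt = os.urandom(16)
    return salt, hash_password(password, salt)


def crack(salt, digest, wordlist=WORDLIST):
    """Offline attack on one stolen record. Returns (password_or_None, guesses_made)."""
    guesses = 0
    for word in wordlist:
        for candidate in mutations(word):
            guesses += 1
            if hash_password(candidate, salt) == digest:
                return candidate, guesses
    return None, guesses


def is_dictionary_based(password, wordlist=WORDLIST):
    """Policy check for account creation: reject anything crack() would generate."""
    return any(password == candidate
               for word in wordlist for candidate in mutations(word))


if __name__ == "__main__":
    for pw in ["Password1!", "P@$$w0rd123", "plover-ostrich-dimly-7"]:
        salt, digest = store(pw)
        found, guesses = crack(salt, digest)
        verdict = (f"recovered after {guesses} guesses" if found
                   else f"not found in {guesses} guesses")
        print(f"{pw!r}: {verdict}; policy rejects: {is_dictionary_based(pw)}")
```

The two "compliant-looking" passwords fall inside a few hundred guesses no matter what salt the system chose, while the unrelated passphrase survives the whole list; the lesson is that the salt and the slow hash protect only passwords that are not on the attacker's list to begin with, so the policy check has to keep dictionary-derived passwords out of the database in the first place.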
Hardware, and access to hardware, should be strictly controlled. Nobody should be able to walk out with a piece of it without a solid plan for what to do if it goes missing. Portable devices, nay, all devices, should have their disks encrypted. Mobile devices like phones and tablets should have their remote wipe features activated. Almost all vendors have this feature, for free. Use it! You also need a good plan for what to do with your hardware when you are done with it. Just tossing it in the dumpster out back is not only bad for the environment, it's also a huge risk to your security. A lot more people go through your garbage than you know about.
Old backup drives, machine drives, physical media of any kind, should be irreparably destroyed. My preferred method is several holes through the platter with a drill, and a powerful electromagnet. Keep in mind that solid-state drives and USB sticks have no platters and a magnet does nothing to flash memory, so those must be physically shredded. I have performed this service for many years, for all of my clients. It is something I insist upon.
Employees need to be trained, and have at least a cursory familiarity with all of these security subjects. Social engineering is a massive, massive risk to your company's security, and it is a method which requires almost zero investment to pull off cleanly. You would be amazed what people will tell you if you either ask nicely or act like an authority figure. For that matter, just showing up and looking like you belong is a tried and true technique. Uniform shirts are not terribly expensive, and no one looks twice at the air conditioning repair guy.
You would not believe, over the years, how many employees of companies who were my clients could not name their IT provider. They did not have any idea who fixed their computer, just so long as it was done. If I had not worked for who I said I had worked for, these people would have taken my word at face value. “I am here to fix your computer” is the only phrase you need to get into ANYTHING.
I could expand on the myriad ways hardware and procedure could be exploited, but that is not my intent at this time. For now, I must leave security professionals with the message that our demeanor must be one of insistence. We must check the security, and the security is important. For the business owners: invest. Invest in your technology, and invest in its security. There are a number of business people out there who do not spend any of their budget on security measures, despite the risks.
This is a problem we can work on together, but first we must be willing.