Don’t Trust the Replacement Delivery Guy

Here at Secure Ideas we have had a ton of fun experiences during our work. When we teach or present, people often ask us to talk about the things we have been able to do, such as pulling credit cards out of a network via a Facebook application or tricking staff at a client into sharing the birthday cake with the consultant. So we have decided that this blog could use some of these stories. While we don’t have a schedule for how often we will be posting these, we will tag them with Professionally Evil® so that they are easier to find. 🙂

So let’s start with a fun little story we call….

Don’t Trust the Replacement Delivery Guy

Physical security is a commonly overlooked aspect of computer and network security, but it can be a serious problem. While many organizations have locking doors and badges to gain access to the internal office space, the delivery person is trusted and expected to come in and pick up any packages that are being sent out. If we can abuse that expectation, we can hopefully gain access to the internal systems.
So let’s go check out eBay. (Go ahead, click it, we will wait.)

As you can see, uniforms are available with just a bit of effort. So we picked up a few and tried them out. As you can see in the photo below, I look like a not-so-in-shape delivery person. 🙂
In this outfit, I approached the door to a secured area of the client and, as someone exited the area, I held the door and then wandered in. Luckily for me this area was not set up with a reception area, so I poked around. As I moved around, I found a number of open workstations, but they were in pretty visible areas so I kept looking.
And then I saw it: a machine set up as a kiosk-type system that was off to one side. I walked over and sat down. From what I could tell, this seemed to be a machine set up for people to register for benefits or deal with employee-related stuff. This is common in environments that have staff who do not use computers regularly. I poked around on the desk and found the sticker that had the credentials to log in.
Woot! Now let’s see what they gave me. I logged into the machine and realized that this account had domain privileges. This means that I was able to access various systems using these shared credentials. (We will talk about this stuff in a later post. I want to focus on the physical access right now.)
So the big thing to me was that while I was sitting there, logged into the organization’s network, a few different people actually walked up and talked to me. Each time it happened, I was waiting for the person to say “What the heck are you doing on our computers?” but it never happened. Each of the people would discuss the weather and the time, such as “so how are things going?” or “Good day?” The basic idea was that my uniform subconsciously made them think that I belonged. (At least that’s my “I read a psychology book this one time at band camp” theory.)
If the staff had been trained and had been paying attention to that training, they would have challenged me. Once challenged, it would have been very simple for them to see that I was not where I was supposed to be (the pickup was normally done in the shipping area) and that there was no reason for me to be using one of their machines. This doesn’t even get into the fact that I didn’t have any packages or other equipment a delivery guy normally has. Another option for the staff, if they were not comfortable confronting me, would have been to go to a manager or security (if the organization has any security staff) and tell them about the “delivery” guy on their network.
So keep in mind that physical security is just as important as the firewalls and network security controls you have in place!
Kevin Johnson is the CEO of Secure Ideas. If you are in need of a penetration test or other security consulting services, you can contact him at kevin@secureideas.com or visit the Secure Ideas – Professionally Evil site for services provided.

1 thought on “Don’t Trust the Replacement Delivery Guy”

  1. That's fantastic, Kevin! (I should get one of those. Then if I don't make it as a "fake delivery guy", I'll have something to fall back on.) I'm looking forward to many more in this series.
