Beware of the Unknown IT Grunt
I decided to continue on with the same theme as Kevin’s post about the delivery guy. Secure Ideas was recently asked to do a couple of physical penetration tests and I was assigned to both. I must confess that physical penetration tests cause the adrenaline to kick in and my nerves were wound pretty tight. So to keep things simple, I decided to play a role that I know very well and unofficially represent the clients’ IT departments.
Getting Started with Facebook
One of the keys to these engagements was determining how I needed to appear to everyone. I had never been to any of the clients’ locations before, so I really had nothing to go on. But social media came to my rescue in a big way. It seems like every company out there needs to have a Facebook page and it turns out that our clients all had company pages set up. Now having these pages is not a bad thing at all. Secure Ideas has a Facebook page as well and you can check it out here if you like. Our clients’ Facebook pages did not have anything particularly damaging in them. No leaks of sensitive information or anything like that. But they all had some photo albums included in them. 🙂
Since I was primarily interested in what things looked like on site, these albums were really useful to me. It didn’t take me long to figure out what the normal dress code was like. This was good, but I kept looking around to see if I could find something more. What I really wanted were shots of employee badges. Thanks to office parties I was able to find a number of pictures with employees wearing their badges. Some were very blurry and only marginally useful, while others were very clear. Using these pictures Tony DeLaGrange and I faked up something similar-looking, glued them to some proximity cards that we had lying around and attached them to a lanyard. The cards wouldn’t open doors as we had them set up, but they looked OK at a casual glance.
Going On Site – Client #1
When it came time to actually walk into the office, my adrenaline was pumping at full blast. Our job was to walk in and “steal” computers, papers, or anything interesting in the middle of the day. A lot of questions ran through my mind as I made my first attempt. Would someone realize I didn’t belong here? What did the inside of this office look like and where would I go? The elevator doors opened and I stepped out onto my stage for the next 30 minutes.
When I got into the reception area I did a quick glance around and headed towards the receptionist’s desk like I was coming back from lunch. The person at the desk gave me a quick glance in the face, then looked down at my fake badge. I relaxed a bit as he went back to whatever he was doing on his computer and ignored me. Now I was in the employee area, but I had no idea where I was going. I was looking for likely areas to strike as I wandered around the office. It got so uncomfortable that I actually sat down on some couches and pretended to check something on my phone while I plotted my next attack. Finally, I got up and walked over to a set of cubicles that had a number of laptops, but no employees at them.
Rather than waiting for the nearby employees to ask me what I was doing, I walked up to the target laptop and asked a nearby employee if “John” would be back soon. I was from IT and “Jack” (a name I pulled from LinkedIn) had asked me to pull this laptop because he wanted to check something out on it. The guy looked at me for a moment and asked, “Are you serious?”
Oh, crud. Here it comes. He is going to challenge me and I’m going to get caught. He went on to say that they were pulling a prank on the team whose laptops were unattended and they had switched them all around. The laptop I wanted was actually at a different desk and he pointed it out to me. I was hugely relieved and thanked him for the help. I grabbed the laptop and started walking towards where I had seen IT hanging out. Once out of sight, I took a different turn and walked to the elevator and out of the office. Mission accomplished.
Going On Site – Client #2
I was a lot more relaxed at this client, since I didn’t have to actually snag a laptop or take something out of the office. I decided to play the IT card here as well and tailgated into the employee areas. Once in, I wandered around looking for things to take pictures of (in a visibly posted no-camera area), looked for unattended workstations, and checked whether any employees were doing anything they shouldn’t be. I actually got challenged a couple of times as I wandered in and out of cubicle aisles, but I said I was from IT and was just seeing how things were going. Information about outages or performance issues was given to me and we used that as we contacted other people.
I struck a bit of gold when I found an unattended workstation that was logged into and had an employee badge sitting on the desk next to it. I walked up, pulled out my phone and took a picture of it. FLASH! Oops, I forgot I had my phone set to use the flash. However, no one said a thing as they looked up at me and went back to what they were doing. I took a couple more pictures and then started messing around with the system.
Before I got too far into it, the employee whose computer I was playing with came over and asked what I was doing. I explained about the outages and said that I wanted to see if her computer was doing ok. We chatted a bit as I explored a bit and then I thanked her and walked off.
Later, we found a locked office with something interesting visible from the windows. I wanted to see if I could get into this office in spite of the locked door. It was coming up on the Christmas season and the office was decorating for the holidays. A ladder was leaning nearby, so I grabbed it and set it up in front of the office door. I climbed up and removed the ceiling tile to see if I could get to the ceiling tiles inside the locked office. It was at this point, with my shoulders and head inside the ceiling, that Kevin walked into the hallway and saw me on the ladder. He later told me that he was a bit surprised at seeing me up there and watching people’s reactions. Employees were walking by, but no one said a word to me. It turns out I could have gotten into the office, but the chance of damaging the ceiling in the office was pretty high. So we checked with the client and he said that was good enough. It turns out Kevin had taken a picture of me while I was half in the ceiling and somehow that made it into the report. Not my best picture ever and it certainly wasn’t a subtle intrusion.
There were a lot of things that we suggested to our clients. The major recommendation was to use what we did in employee training and teach them to just ask questions when something looks odd. A person wandering around an office like he or she doesn’t have a particular place to be is unusual. Someone you don’t know asking to take a computer is also probably out of the norm. And it certainly is bizarre when someone in slacks and a dress shirt climbs up into the ceiling. So teach folks to stop and ask some questions. If the person stammers a bit much, gives lame reasons for their presence or gets a bit red-faced, it’s time to call someone to check it out. They don’t have to really challenge the intruder. Just ask a few friendly questions and be curious. If the person is supposed to be there, then there is no harm done. If they aren’t, then they may not walk out with your data for “troubleshooting purposes.”
Jason Wood is a Senior Security Consultant with Secure Ideas. If you are in need of a penetration test or other security consulting services you can contact him at firstname.lastname@example.org or visit the Secure Ideas – Professionally Evil site for services provided.