Saturday, November 3, 2007

The Spy in Your Server Room

How many times have you passed an unknown person in the hallway at work, held open a keycard-protected door for a stranger or let an office guest wander unaccompanied to the rest room?

It may seem harmless enough, but the staff of TraceSecurity is banking on this type of human error to help them gain access to your personal information.

TraceSecurity won't be opening up credit card accounts in your name, accessing your bank accounts or installing spyware on your computer any time soon, however. Companies hire TraceSecurity employees to test the security of their systems – operations that usually involve TraceSecurity personnel talking their way into offices in order to gain access to server rooms and sensitive customer information. PC Magazine was invited along to cover a recent TraceSecurity operation.

TraceSecurity made its debut in 2003 with the merger of two other firms, Blaze Technologies and security tools vendor PatchPortal. While the company's management team has a background in technology, acting skills play into the success of a TraceSecurity outing just as much as technical expertise. TraceSecurity will typically impersonate pest control workers or fire inspectors to gain entry to a building, talk their way into being left alone and gain access to the building's server room, surveillance system and client information.

Companies can hire TraceSecurity to simply enter their business and place stickers on equipment they could have controlled, remove the actual equipment from the building, or implant Trojan horses and other malware to control their systems and access data remotely.

If TraceSecurity is hired to physically remove material from a building, employees will meet company executives in the parking lot immediately after the operation and turn over whatever was recovered, according to Jim Stickley, the company's chief technical officer and vice president of engineering. If they remotely access files, TraceSecurity will take screen shots so none of the company data is ever actually stored on TraceSecurity systems, he said.

Casing the joint

PC Magazine was permitted to accompany Stickley and his co-worker Matthew Britton during a recent test of a client, an East Coast financial institution. The company hired TraceSecurity to place stickers on and take photographs of systems that could have been compromised.

Stickley and Britton suited up as pest control officials and successfully hit three of the company's six area branches over several hours.

TraceSecurity laid the groundwork for the operation days before the actual experiment, Stickley said. TraceSecurity modified the company's domain and sent an office-wide e-mail that looked as though it came from a higher-up in the branch. It warned employees of an upcoming pest control visit, and requested that the pest control workers be escorted through the office to check for infestation.

"People have become so reliant on e-mail" that it is easy to trick them electronically, Stickley said. Company policies for many regulated industries warn against scheduling certain things solely over e-mail, but people do it anyway, he said.

Stickley advised companies to have an internal code word for e-mail transactions or scheduling purposes so employees know they are dealing with a legitimate person.

If TraceSecurity does not receive any suspicious e-mail from employees in response to the message sent from the modified domain, they assume the coast is clear and plan for an in-person visit. The executive who hired the TraceSecurity team, meanwhile, is kept abreast of all activity throughout the operation via cell phone calls from the TraceSecurity team.
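The pretext above relies on an e-mail that merely looks internal. As an added illustration (not from the article or from TraceSecurity), the following Python checks an incoming message for the signs a mail gateway or help desk could flag: a sender domain a few characters away from the real corporate domain, a Reply-To pointing elsewhere, and a site-visit request that did not originate inside the company. The corporate domain, lure phrases and the sample message are all constructed placeholders.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed placeholders: a real deployment would load the corporate
# domain and the list of lure phrases from its own configuration.
CORPORATE_DOMAIN = "examplebank.test"
VISIT_LURES = ("pest control", "inspector", "inspection", "escort")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def analyze_message(raw: str) -> list:
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    # A sender domain only a couple of edits away from the real one is the classic look-alike.
    if from_domain != CORPORATE_DOMAIN and edit_distance(from_domain, CORPORATE_DOMAIN) <= 2:
        findings.append(f"look-alike sender domain: {from_domain}")
    # Replies silently routed to a domain other than the visible sender's.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append(f"Reply-To domain differs from From: {domain_of(reply_addr)}")
    # A visit scheduled by someone outside the company is exactly what should be
    # confirmed out of band (a phone call, or the agreed code word the article suggests).
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().lower() if body_part else ""
    if from_domain != CORPORATE_DOMAIN and any(lure in body for lure in VISIT_LURES):
        findings.append("site-visit scheduling request from outside the corporate domain")
    return findings


# Constructed sample: the kind of pretext e-mail the article describes.
SAMPLE_PRETEXT = """From: Branch Manager <manager@examp1ebank.test>
To: staff@examplebank.test
Subject: Pest control visit Thursday

Pest control will be in Thursday morning. Please escort them through the office.
"""
```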

The hit

On the day of the operation, Stickley and Britton cased the offices to be tested to get a sense of their size. They then had a TraceSecurity employee call the first branch and remind a contact person that "pest control officials" would be coming in.

After pulling over and quickly affixing magnetic pest control signage to their rental car, Stickley and Britton entered the first location around 10 a.m. As PC Magazine had not been properly schooled on the art of pest control scamming – nor permitted to accompany TraceSecurity on its mission – this reporter remained in the car and awaited a report.

Britton was eventually escorted to an outside door leading to the room that housed the branch's computer systems. The escort lingered momentarily but soon returned inside the building, leaving Britton with access to the branch's entire network. He tagged the equipment with TraceSecurity stickers and photographed all of it.

"We could have easily put a wireless controller on the network rack" and accessed the entire system remotely, Stickley said later.

Meanwhile, Stickley had been left inside alone in a side room that housed the branch's surveillance and security systems. "I made an excuse about possible infestation to stay in that room while Matthew went outside. It would have been easy to disable the alarm system," Stickley said.

The branch housed about half a dozen employees, but they were occupied with customers during the TraceSecurity visit. "The escort also kept getting phone calls so that made it easier to sneak away," Stickley said.

Overall, the operation took about 20 minutes. Stickley and Britton returned to the car, notified the company executive of their findings and typed up a brief report of the operation. ("Otherwise things blur together," Stickley said.)

TraceSecurity hit two more of the company's branches that day, with similar results. Employees at the second, larger branch asked for ID from Stickley and Britton – both use their real names during operations to avoid the hassle of creating fake IDs, Stickley said – and trailed them more persistently, but Stickley said he eventually managed to wander away and gain "full control of the server room."

Cell phone pictures of the operation showed a server room littered with white stickers.

TraceSecurity also left blank CD-ROMs in system computers as "we were here" markers. Had it been requested, TraceSecurity could have gone one step further and uploaded its software onto the financial institution's system with the discs. A signal would then be sent to TraceSecurity computers, which could access the system remotely.

Stickley also encountered papers with client account information. "There was actually a stack of papers with account numbers on the floor, so I picked them up and handed them to an employee and asked, 'Are these important?'" he said.

Employees at the final branch proved to be the hardest to crack, Stickley said. The executive who hired TraceSecurity actually worked in that office, so Britton called him and requested that he take lunch or sequester himself in a conference room so as not to disturb the operation.

At issue was an employee who was reluctant to let Stickley or Britton out of her sight. Eventually, however, Britton grabbed an existing mouse trap from the server room floor and pretended it contained the remains of a mouse. Britton correctly assumed the woman would be caught off guard by the rodent. She softened, and basically let both men have the lay of the land provided she didn't have to personally deal with any mice herself.

Lessons learned

TraceSecurity will typically return to the offices the following day – minus the pest control gear – to brief employees on how to avoid being duped in the future.

Executives can occasionally be miffed that TraceSecurity successfully infiltrated their business, but the IT guy is usually "pretty pumped because he's been complaining for the past year" that security is lacking. "Now he has someone to validate his concerns," Stickley said.

Bosses can tell their employees 100 times to escort guests at all times, but most do not actually do it. "Sometimes you have to get burned to make you really understand," Stickley said.

TraceSecurity has approximately thirty engineers on the road nationwide at any given time, Stickley said. Smaller operations might require only one TraceSecurity employee, but fifty percent of the experiments are done in two-man teams. For larger, government jobs, TraceSecurity could dispatch teams of up to five people, he said.

Stickley has "never been popped" during a job, though some of his colleagues have run into trouble. Usually when TraceSecurity officials are caught, however, it is due to inside information.

A TraceSecurity employee once tried to impersonate an Occupational Safety and Health Administration (OSHA) official, but the husband of a woman working at the office happened to be an OSHA inspector so she called the police, Stickley said.

Impersonating a fire inspector is the easiest way to access the far corners of any business because, by law, you can't deny them entry, according to Stickley.

"They're running to get you coffee" when you're in the fire inspector uniform, Stickley joked. "They want to date you."

While the fire inspector getup may command more respect – and access – using this tactic can be time consuming, Stickley said. It is against the law to impersonate a federal official, so TraceSecurity has to notify local police and fire officials before executing their operation.

Government jobs are similarly stressful, he said. Increased security in recent years means TraceSecurity personnel are trying to get past "guys with machine guns."

The only place TraceSecurity employees do not have free rein is in bank safes, Stickley said. "They rarely leave us alone in there," he said.

This is not a major issue, however, because "the real money is in Trojaning computers," he said. "Even with a million dollars in the safe, money is nothing. But 20,000 Social Security numbers [collected from company computers]? You can keep ripping them off for years."

Operating in such tense situations means TraceSecurity needs employees who can think on their feet. When hiring engineers, TraceSecurity never specifically advertises for people to conduct these site visits. Instead, they hire from the technology side and try to gauge during interviews whether or not a person is affable and engaging enough to talk their way into a client's office.

If a candidate is a real "booger eater", you know they're not going to be able to handle the job, Stickley said.

TraceSecurity shies away from hiring hackers. "They're very bad news," Stickley said. "What have they been hacking?"

Approximately 85 percent of TraceSecurity's clients are financial institutions. They used to be exclusively in the financial industry, but increased security and regulatory requirements have prompted companies in the healthcare, insurance and government sectors to also seek out TraceSecurity's expertise, Stickley said.

"ID theft has been around forever" but people are more aware of it now, Stickley said. "It's a good time to be in security."
