Killing bugs, a Social Engineering Odyssey

I sat in the parking lot, trying to maintain my composure. “What the hell do I know about pest inspection?” My palms were sweating. My gear bag was sitting on the seat next to me. My outfit was complete with knee pads, safety goggles, work boots, coveralls. My nervousness certainly helped the disheveled look. I had forgotten to shave or clean my nails. I certainly looked the part, but “what the hell do I know about pest inspection?” The question repeated over and over in my head. It wasn’t like it was the first time I walked into a job I didn’t know much about. Just needed to walk in, look around, ask a few questions, maybe lay a few traps or something, then done. “Well, the client needs me to go take a look inside and see what I can find, maybe I can do this. Besides, what does any bank teller know about pest control?”

I walked in the front door and up to the first desk I saw. “Welcome to First National FCU, can I help you?”

“Yes ma’am, I’m here to do a walk through inspection. Is Ms. Doe available?” No way she is, why would she be?

“No sir, she’s out for lunch, but I can help you.” Oh perfect, the manager isn’t here, how did I know that was going to happen? Fortunately this lady, a loan officer perhaps, is going to help me. She proceeded to tell me she was in charge while the manager was out and told me of numerous locations reported to have ants. In my career, I have found that ants are a very big problem in filing rooms for some reason. Anyway, sure, let’s take a tour and look at those ants.

After taking me on an extensive tour of the facility showing me locations of reported problems, she excused herself and let me get after measuring rooms to get the cubic footage because my employer charges by that and all.

Rounding a corner, I walked into the filing room; again, the person at the computer in this room reported bad ant problems. “Do you need me to step out so you can work?” he asked. “If you don’t mind, I can go ahead and take care of this ant problem for ya right now,” I replied. He quickly excused himself and shut the door on the way out.

Did I mention, I’m not a pest inspector? “What do I know about pest control?”

“What do ya know, he left the computer unlocked. Looky here, account data.” A local printer and Ctrl-P, thanks for the help. Now let’s dig through these filing cabinets and look for some hot files to photograph. “Why it’s Ms. Doe’s account.” Click. “Here’s a few large business accounts, I’m sure these are worth some money.” Click click click. Oh, almost forgot, just for a nice touch, I brought canned air. Better make sure I spray it from time to time to sound like I’m spraying for bugs to avoid suspicion. I later learned the showboating wasn’t so important, but this was my first assignment as a pest inspector, and what do I know about pest control?

For grins, I opened all the filing cabinet drawers, stood on the desk, and took a few pictures of the room. Now let’s move on.

After packing back up, I slipped quickly out the door. My helpful evacuee was not to be seen, but the ladies outside looked up at me. I had forgotten the goggles and dust mask I had donned in case someone busted in while I had those drawers open. “Oh, better tell him not to go back in there for at least 30 minutes, but that ant problem you have is solved.” Yeah, that’s right, that would give the evilest of criminals a good thirty minutes to get away before the explosives go off. Scary, ain’t it?

That was one of several frighteningly similar engagements I have been on across the country over the past few years. I have been in several organizations such as this, too many to count. As I mentioned, I learned the extra touches were not needed. No one cares. If they do, they don’t question it anyway. I have never failed. Not once. I’m not bragging on my skills, it’s just that bad.

Even on an engagement where they set me up to fail, I won. Well, won is not appropriate. Let’s just say, they failed. The client had said a pest inspector wouldn’t work because they were in a shared space and that was controlled by the property management. That makes no sense, I had done plenty like that. In fact they are easier because the employees don’t care who the property management sends to do these jobs. The customer is always right, of course, so we decided on a phone guy. What do I know about phones? Perhaps, surprisingly little. I should know more, but I don’t. I could certainly mess up your lines with the equipment I bought at Home Depot though! I asked if they had their own phone guy, and was told no. They also wanted to test piggybacking, and when asked if they had any sort of uniform or anything I was told no, they dress business casual. I show up and I’m escorted by, you guessed it, their internal phone guy. He wasn’t letting me do anything because they had so many problems with their phones. OK, FAIL. Now back to the hotel, a quick shave and fixing of my hair, the donning of a suit to dress over them, and I returned. I was stopped by someone who I could have sworn was reading off a teleprompter with her speech about not letting me in. They did all wear the same company-logo-emblazoned golf shirts, by the way. That was nice. So there was FAIL two. My first defeat. So I thought. I returned to the vehicle, got my computer gear bag and returned to do some pen testing. The receptionist had her head below the counter, so I quickly turned into a different room. The mail room FTW. Oh look, a box full of accounts with socials and such was in there. Click click click. The client called foul, that the box wouldn’t be there normally. When I say given a long enough timeline you can get in anywhere, sometimes that timeline is much shorter than you would imagine.

I think it goes without saying that’s not the name of the bank and Ms. Doe did not manage it. Although, I’m sure I’ve been in a bank with a similar name. I don’t believe I’ve ever met a Doe though.

What can we learn from this? I’m not sure really. Invest in coffee cans? Certainly burying your money in the back yard would make it much harder for me to get a hold of your data. That’s not practical. What needs to be done is, of course, training. People are the weakest link in security. They always will be. You can’t firewall stupid. In my time in this field, I have found that it simply doesn’t matter what you as a security engineer do. Why come through the network and sensors lighting me up when your employees give me the keys to your data center? No seriously, that DID happen. Come back for a future post with some tips on what to do. Or google it, I’m sure the Internet is ripe with tips on stopping this, and you believe everything you see on the internets, right? This article isn’t another attempt, is it?

Sleep well kiddies.

-Twisted