Physical Security and Social Engineering With A Bonus PurpleSlog Story

Dark Reading has a great article on physical security and social engineering which it refers to as “Analog Hacking”.

One part made me chuckle:

Unlike house burglars, who prefer to work when no one is home, physical hackers usually operate in the middle of the day, taking advantage of slipshod door locks and gullible employees. “We had one job recently where we posed as IT consultants, and one of the staffers actually gave us her username and password, then helped us navigate the system so we could find what we were looking for,” Stasiukonis says.

An incident from my past flashed into my head.

About eight years ago my large employer (I was the Information Security lead in the 150 person IT organization at the time) was suffering many cases of theft. Many things were being stolen off people’s desks, such as: laptops, early flat screens, tennis rackets (we had a large tennis club), and personal electronics. It was a large fortress like complex with thousands of employees working during the day and smaller numbers off hours.

I was aware of these things going on. I was assumed that it was an inside job with possibly many different people involved – and I assumed the building security people thought so also.

One night the assholes stole my personal CD player. They unplugged it from the cables I had attached to it. They had to have touched the cables and the things I had around it. I called the head of security (Building Security, not an IT guy) to report it. I wanted him to call the police and have my area dusted for prints. He said something to the effect that it was just a $50 CD player and it wasn’t worth the effort. I tried to get it through his thick non-thinking brain that whoever stole my CD player most likely had been part of all of the other thefts going on. The guy seemed puzzled…like he assumed each theft was separate and unique and not connected in anyway. I was unable to convince him.

Well, that really pissed me off. In fact, nothing pisses me off at work more then people in authority positions that are apparently either incompetent or lazy. I’ll leave the full rant for Future PurpleSlog.

I was not a physical security guy but I was familiar with the field. I knew how social engineers worked. I was contemplating over a period of a few weeks how to set up a physical honey pot to catch the asshole thief(s) red-handed. It would have been legendary involving motion detectors, hidden cameras, other gadget stuff, and sacrificial items for the thief to go for. Let’s just say I was pretty worked up and in full alert mode looking for clues as to who were the assholes. I was a man with a mission (and I was a bit intense before being worked up).

One day I was with a network analyst and one of the network supervisors going over something. I don’t remember what. I noticed one of the building guards. It was about 3pm in the afternoon.

My brain clicked – new mode.

It was unusual to see guards patrolling our area that early in the day. He had a clipboard out and seemed to be taking notes and was looking around from side to side. That was not normal. I did not recognize him. I often worked after-hours and weekends and knew most of the guards (30 or so) by sight and many by name. This guy was not one of them. I noticed his uniform was wrong. Our guards were mostly Pinkerton types but they wore our insignias and had a different color uniform then the standard Pinkerton uniform. I mentioned to the other guys I was with that didn’t that guy look out of place? They hadn’t noticed. I decided it looked to me like this guy was doing recon on part of the 8th floor that was filled with more gadgets then normal work areas and that he had disguised himself with a Pinkerton uniform not realizing the Pinkertons did not were that uniform at our site. He saw me looking at him and pointing and started to move away.

I told the other two what I thought was happening and I went after him. He started to walk away but I boomed at him to stop (I am sure I used profanity like haltmotherfuckerdonotmove – as one word). I had bulk and righteous fury on my side.

He halted.

I demanded to know who he was and for ID. He said he was a new guard. I said wrong uniform. He said he didn’t have the new one yet. I said what’s up with the clipboard; he said he was taking notes before his first patrol later that evening. I told him I was not sure if I believed him and that he need to come to my cube for confirmation – I was going to call security. He hesitated and…well I think I threatened immediate bodily harm to force him to submission position. He came along. I called security from my cube. They did have a new guy with his name. The physical description did match. I left him go.

I had not caught a crook. My co-workers were very amused.

They never did break up the theft ring. Eventually the plant security manager was fired. Physical security was turned over to the ex-FBI guy who was the Corporate Security Director. He brought in plainclothes Pinkertons after-hours. I heard of some off-hours chases. The bad guys were never caught, but at least they were driven away.

I bought another $50 CD player.

Here is another Dark Reading article on Analog Hacking / Physical Security / Social Engineering.

Advertisements

5 Responses

  1. […] Links: Superdome, Micromanage, Outsourced, Gas Prices, Finance, Exit Interview, Fries with That, HP, SOX, Monopoly, Work Choices, Purple Slog, Work, Minimum Wage, Your Loan, Terrible Employees, Moocher, ul#related_posts { list-style: none; margin: -5px 0 0 0; padding: 0; } #related_posts li { margin: 0 0 4px 0; } […]

  2. Bush is forever saying that democracies do not invade other countries and start wars. Well, he did just that. He invaded Iraq, started a war, and killed people. What do you think? Why has bush turned our country from a country of hope and prosperity to a country of belligerence and fear.
    Our country is in debt until forever, we don’t have jobs, and we live in fear. We have invaded a country and been responsible for thousands of deaths.
    We have lost friends and influenced no one. No wonder most of the world thinks we suck. Thanks to what george bush has done to our country during the past three years, we do!

  3. Hi Antibush…I’m not really interested in debating lefty trolls.

  4. […] presents Physical Security and Social Engineering With A Bonus PurpleSlog Story, saying, “My Failed Attempt To Fight Workplace Theft and My Interaction With Security […]

  5. […] presents Physical Security and Social Engineering With A Bonus PurpleSlog Story, saying, “My Failed Attempt To Fight Workplace Theft and My Interaction With Security […]

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: