informa
5 min read
article

People-Hacking

My firm was recently hired to perform a network assessment for a fairly large bank. The emphasis on this engagement was circumventing physical controls and gaining access to the bank's internal network infrastructure. As with most financial institutions, we were asked to compromise remote locations (bank branches) and then make an attempt on the main office.
My firm was recently hired to perform a network assessment for a fairly large bank. The emphasis on this engagement was circumventing physical controls and gaining access to the bank's internal network infrastructure. As with most financial institutions, we were asked to compromise remote locations (bank branches) and then make an attempt on the main office.Our first step was to case out the location from the parking lot, posing as copier repairmen. As usual, we rented a white-panel van for performing reconnaissance, which also served as our copy repair vehicle, donning a giant refrigerator magnet of whatever copier company we wish to pose as.

We noticed that this bank's main office lobby was very different. Rather than the customary reception desk greeter, it was staffed with security guards that scrutinized entry. If a visitor was granted access, a guard would remotely buzz open an adjacent door made of three-inch bulletproof glass. Three guards randomly rotated a shift at the door. We were concerned: Getting one person past any one of these guards was paramount, getting two people inside seemed impossible, and trying to repeat it over a period of days seemed absurd.

During our reconnaissance, we also positioned our van to observe an employee parking lot. I paid close attention to the location of parked cars and who was granted the best spots. As an employee retreated from his or her vehicle, I gauged who carried more company weight based on the guard's interaction. I also paid close attention to male employees, specifically making note of their apparel and behavior. Watching the building also provided us with some intelligence that indicated a management meeting was occurring the next day and parking would be an issue.

While planning the entry with my partner, Robert Clary, we decided that I would go in as a bank vice president, and then get Bob in as a visitor. To get past security, it was imperative we leveraged three vital elements: acceptance, trust, and confidence. Establishing these with the guards would create the appearance of belonging.

I realized my conservative suit, starched white shirt, and grandfather's tie might not match the fashion scene of this bank, so later that evening I purchased some pastel-colored shirts, ties that screamed power, and extremely uncomfortable Italian shoes.

Bob and I had coffee in the lobby of our hotel the next morning and noticed it had a fairly decent color laser printer for patrons. So we went ahead and crafted a cheap employee badge, using the bank's logo we grabbed off its Website, my picture from darkreading.com, and the words "vice president" printed under my face. We cut and pasted the output, slipped it into a plastic sleeve, and hung it from my neck with a lanyard.

Upon entering the bank headquarters, I stormed into the front door and immediately started ranting to the guard about the poor parking situation for the meeting I was attending. I watched his eyes look me over and then focus in on my pathetic badge. I indicated he was not a fault, but put into a bad situation. To reinforce my belonging and to help him relax, I shook his hand and asked his name. After some friendly chit-chat, I mentioned I was from a branch location, working at HQ for a day or two and would have some visitors. With just my looks, no name, and the poor makings of a badge, he buzzed me through the bulletproof door. I was now an "employee." I was accepted.

Once inside, I scouted a location that would give us the privacy to connect into the bank's network. I called Bob and told him to enter the front door of the building in 10 minutes. Prior to Bob's arrival, I made my way to the lobby, explaining to the guard that my visitor was soon to meet me after he parked his car. As Bob entered the lobby, we greeted each other as if we had not seen each other in years. Mentioning the guard's first name whenever possible, I then insisted Bob sign the building log and get a visitor badge. We had gained the guard's trust.

Within minutes, Bob was connected into the bank's network while I scoured the facility for anything that yielded network intelligence. Making my way through the building, I located pieces of helpful information. After two hours of traversing the building, I knew I would have to pass through the lobby to refill the parking meter for our vehicle.

I told the guard I was stepping out to fill the meter and asked if he needed anything; he declined. When I came back, two guards were posted, and I handed my newfound friends a bag of fresh donuts. They asked if I needed anything, so I asked them to refill the parking meter every two hours. They agreed. Confidence was established.

Bob and I spent several days inside the bank's location, walking away with a wealth of data from the internal network. Getting friendly with the guards and even having them perform some personal favors led others to believe we were of no threat. It was a valuable social engineering test for the bank, but it also proved a sad fact: Using people is easily achievable.

Steve Stasiukonis is vice president and founder of Secure Network Technologies.