26 December, 2012

Don’t Trust the Replacement Delivery Guy

Don’t Trust the Replacement Delivery Guy
Kevin Johnson
Author: Kevin Johnson
Here at Secure Ideas we have had a ton of fun experiences during our work. When we teach or present, people often ask us to talk about the things we have been able to do, such as pulling credit cards out of a network via a Facebook application or tricking staff at a client into sharing the birthday cake with the consultant.  So we have decided that this blog could use some of these stories.  While we don’t have a schedule for how often we will be posting these, we will tag them with Professionally Evil® so that they are easier to find. 🙂
So let’s start with a fun little story we call….

Don’t Trust the Replacement Delivery Guy

Physical security is a commonly overlooked aspect to computer and network security, but it can be a serious problem.  While many organizations have locking doors and badges to gain access to the internal office space, the delivery person is trusted and expected to come in and pick up any packages that are being sent out.  If we can abuse that expectation, we can gain access to the internal systems hopefully.
So let’s go check out eBay. (Go ahead, click it, we will wait.)
As you can see, uniforms are available with just a bit of effort.  So we picked up a few and tried them out.  As you can see in the photo below, I look like a not so in shape delivery person. 🙂
In this outfit, I approached the door to a secured area of the client and as someone exited the area, I held the door and then wandered in.  Luckily for me this area was not set up with a reception area, so I poked around.  As I moved around, I found a number of open workstations but they were in pretty visible areas so I kept looking.
And then I saw it, a machine set up as a kiosk type system that was off to one side.  I walked over and sat down.  From what I could tell, this seemed to be a machine set up for people to register for benefits or deal with employee related stuff.  This is common in environments that have staff that do not use computers regularly.  I poked around on the desk and found the sticker that had the credentials to log in.
Woot! Now let’s see what they gave me.  I logged into the machine and realized that this account had domain privileges.  This means that I was able to access various systems using these shared credentials.  (We will talk about this stuff in a later post. I want to focus on the physical access right now.)
So the big thing to me was that while I was sitting there, logged into the organization’s network, a few different people actually walked up and talked to me.  Each time it happened, I was waiting for the person to say “What the heck are you doing on our computers?” but it never happened.  Each of the people would discuss the weather and the time, such as “so how are things going?” or “Good day?”  The basic idea was that my uniform subconsciously made them think that I belonged. (At least that’s my “I read a psychology book this one time at band camp” theory.) 
If the staff had been trained and paying attention to that training, they would have challenged me.  Once challenged, it would have been very simple for them to see that I was not where I was supposed to be (the pickup was normally done in the shipping area) and there was no reason for me to be using one of their machines. This doesn’t even get into the fact that I didn’t have any packages or other equipment a delivery guy normally has.  Another option for the staff, if they were not comfortable confronting me, is to go to a manager or security (if the organization has any security staff) and tell them about the “delivery” guy on their network.
So keep in mind that physical security is just as important as the firewalls and network security controls you have in place!
Kevin Johnson is the CEO of Secure Ideas. If you are in need of a penetration test or other security consulting services you can contact him at kevin@secureideas.com or visit the Secure Ideas – Professionally Evil site for services provided.

Join the professionally evil newsletter

Related Resources