keystroke loggers – I'm getting pretty good at it – in and out of their cubical really fast. They aren't
ever in the cubicles – they have celebrations to go to! Then I wander around to all the buildings and
eat all day on the trays of food people have out. Most people leave early on Halloween – got to take
their kids Trick-or-Treating or be at home to hand out candy. That's when I go back and collect
those keystroke loggers and head home. Well, not home really – I just need to find that insecure
wireless network in a suburb and use it to access the Company Y's VPN – their VPN endpoints are
in DNS which makes it easy. They use SSL, but only do server authentication. Their firewall has a
cut-through-proxy feature that allows them to enter their username and password, and I have plenty
Confessions of an Unethical Hacker – Part 3
X was the head of the finance department and lived in the hills, at least according to the white pages.
The bad news for him was that he lived in an area with no broadband connectivity. I expected to see
him a lot at the company's main site, about an hour from his house. But, after a few days of
watching, I only spotted him once. Looking at the yellow pages, I saw that Company Y had a
remote office about 20 minutes from his house. I decided to investigate. Sure enough, it looked like
X was stopping in there and doing his work and only coming into the main site once a week or so. I
could see his office from a local café which had free Internet access. Looking at the wireless access
point in the cafe, I could see that the café was on a cable broadband modem. Teasing a tech-savvy
clerk a bit about cable modems and load sharing, she responded that DSL wasn't out there yet and
cable was their only option.
I looked a bit silly in overalls, with my name tag "Jon", and my toolbox, but I figured it would be
effective. At lunchtime on a day that X was at the main site, I stopped by after disconnecting the
outside cable line. "Networking problems – dispatch told me to check it out – luckily I was right
next door". Cool! "Can it get to your networking equipment?" – Yep – right over here. In a small
wiring closet, I connected my access point to a mirrored port on the switch I configured. I verified I
could connect (securely – I don't want anyone else to do that!) and went back outside and connected
the cable. Everything was fine and I was a genius, at least according to an employee that was
working over lunch on a critical issue. I had fixed it so fast they didn't even have to report the
problem to their IT department! Yea! Back at the café, I connected my laptop wirelessly to the
access point I placed on their network and verified I could capture packets. I'll be doing the same
thing tomorrow when X shows up.
People and Technology: An Analysis for Part 1
Did our imaginary unethical hacker seem to posses a lot of technical knowledge? Not really. He
was an exploiter of people and used that to gain unauthorized access. Once access was gained,
there was simply no security to block him.
We started our discussion of Security as a Holistic Enterprise by knowingly making a category
mistake. We said Security is about people. In fact, to repeat from the introduction:
People are the problem
People are the solution
Security technology can help people make good decisions about security
Security technology can help when people do not make good decisions about security
Decisions made by people can render security technology ineffective
Let's look at our imaginary unethical hacker's first confession. This confession had an unauthorized
person digitally sending documents to a competitor. Someone technology focused may say: "We
require domain credentials to be entered in order for digital sending to take place. Problem solved!"
What would someone people focused say? Let's start with some observations about people printing
in the workplace:
People print documents and then get distracted – a phone call, a meeting, and so on and
forget to pick up those documents.