In-Depth

Dumb and Dumber

This veteran penetration tester has seen some stupid security lapses in his time. Here are six of the worst.

• By Ira Winkler
• 03/01/2005

I've been doing espionage simulations, also known as penetration testing, for more than 10 years. I go beyond the typical penetration tests of remotely hacking a computer or using social engineering techniques like calling people up to ask for passwords. I use actual espionage techniques to get people to divulge information and generally compromise secrets by any means necessary. This can include creating fake identities, getting a job with the target of my testing, and more. I've been known to sneak in and tell people inside the company I'm the new security manager, wanting to review their information.

The espionage simulations I manage are performed by trained and cleared former intelligence operatives. My clients consider this the only real way to safely examine their vulnerabilities and the potential loss associated with those vulnerabilities.

People think I do things like a movie spy—scale walls, put on disguises, pick locks and so on. Although I occasionally do those things, I typically don't need to go to such lengths. The methods I often use are so elementary that my clients are shocked by the ease with which I penetrate their companies. Quite honestly, my success is largely due to the failings of my victims, rather than my technical expertise.

In my work, I've encountered numerous examples of people who performed above and beyond when it comes to stupidity. Here are some of the most egregious examples of lax security I've encountered. While they may amaze you, they should also scare you. See if your own organization could be subject to these same failings.

1. Keys to the Kingdom
I was once asked to infiltrate a Fortune 500 company's marketing department and see what I could compromise within three days. I assumed the identity of a graduate student looking for temporary work during the day. I went through the company's usual temp agency, but was not subject to any detailed background check. As luck would have it, the secretary for the vice president of marketing had scheduled a vacation. I was made a clerical assistant, temporarily taking over her responsibilities.

The secretary told me she'd leave a note describing my duties. When I arrived on site, I went through the normal temp employee indoctrination and got directions to my office. I found the secretary's cubicle and a note sitting on the keyboard.

After reading the note, I called the security manager and told him, "I'm done." He asked me how I could have finished the three-day job in two hours. I told him I spent an hour and a half being processed and another 25 minutes getting to the desk. Then I read him the note:

I'm sorry I couldn't meet you in advance. There is a pile of documents on the floor. Please make 30 copies of each of them as time permits. If you need access to a computer, my user ID is XXXX and my password is XXXXX.

As a general background, you report to XXXX, who is the Vice President of Marketing. If she gives you any assignments, they have priority. She likes her e-mail printed up and placed in a folder on her desk every morning. Her user ID is XXXX and her password is XXXXX. So please go into her account first thing in the morning, and print up any new messages and place in one of the folders that I left for you on the left side of my desk. Then place the folder in her inbox on her desk.

"Just find something else to do for the next two-and-a-half days," was the security manager's dejected response.

2. To Boldly Go Where No One Should Have Gone Before
On another occasion, I was performing a physical walkthrough at a company. During a walkthrough, my team goes through a company's offices and looks for information either lying around in plain sight, or hidden but still available to a malicious party. The company in this case was a commodities trader. We did our walkthrough late at night so as to not disturb the traders. We found the office of the person we suspected was the manager, given the size and decor of the office.

I saw a sticky note on the wall behind the manager's computer terminal upon which he had written the innocuous phrase "wolf359." I turned to the other people on the team and said, "This must be his password."

One of my colleagues added that he must be a Star Trek fan. When I asked him what he was talking about, he said, "I thought you were a Star Trek fan?" When I told him I was, he said with a smirk on his face, "Don't you know that Wolf 359 are the coordinates where the Federation confronted the Borg in the episode where …"

We confirmed that it was indeed his password. What baffles me most about that case is how that manager could remember such an obscure fact from a television show, but had to write it down so he could remember that it was his password.

3. Loose Lips Sink Ships
During one of my espionage simulations, I pretended to be working on a special project for the CEO. I was told the corporate legal department had valuable information and I should see how securely it was held. I arranged a meeting with the group's system administrator, under the guise of wanting to help save the company money.

During the brief meeting, I asked the administrator if he had any recommendations. His response was, "We really need to do something about passwords. Everybody's password is generally their user ID. Sometimes it could be ‘winter,' ‘spring,' ‘summer' or ‘fall,' or sometimes the word ‘galaxy,' depending upon who created the account and when it was created." With these few words, the otherwise well-meaning admin gave me the ability to compromise just about every account in the company.

4. The Nuisance of Security
Once I took on the persona of a company's security manager in an attempt to steal as much information as possible. I simply introduced myself as the new head of information security and asked people questions. One of the people I met with was a business manager responsible for summarizing all new developments for the executive management team. The first thing he expressed was his belief that "Security stands in the way of innovation." He said that seven times during the course of our meeting. He didn't want to talk about security.

He also mentioned that he creates sensitive reports that he wouldn't show me. I looked up on a shelf above his desk and saw a box of floppy disks marked "Project Management Reports"—the same reports I was told summarized all critical information for senior executives. I also saw he had no lock on his door. Given those factors, it was easy to decide where I'd be going later that evening.

5. The Richest Person in the Company
After a commodities-trading company had an extremely large trade go bad, I was called in to investigate. Management thought that the trade couldn't have gone that bad without some industrial espionage involved.

Our team was performing a late-night walkthrough. The only other person around was an elderly cleaning woman. We walked into an executive meeting room and saw some papers sitting in front of every seat. I looked at the papers and saw that they listed the trades that were going to be performed the next day, down to the last detail. Armed with this information, anyone could make a fortune.

We found out the next day that standard practices dictated that daily trades are planned the previous evening. The information is printed out and left in the meeting room that night. The traders met every morning prior to the market openings to discuss the trades. We never did determine if the trade went bad because of insider trading, but if that little old cleaning woman had a clue as to what was in those documents, she could have been the richest person in the company.

6. You Guys Aren't Spies, Are You?
The most bizarre thing I've ever experienced happened after completing a formal espionage simulation. I basically raped and pillaged a Fortune 50 company, obtaining executive compensation figures, details of intended mergers and acquisitions, engineering diagrams of a new multi-billion dollar technology just a few years from release and more.

As we wrapped up our simulation, the security manager suggested we try to get some pictures he could put in his final presentation as proof of needed changes. Among the pictures I wanted to take was that of a fake bug I placed under the CEO's desk. A week earlier, I had broken into his office late at night and put a dummy bug under the desk. It was late in the day when we returned with a camera to take the picture. The secretary was talking on the phone at her desk outside the CEO's office. I told her that the "auditor" with me and I had performed a security assessment the week before and needed to check on something we saw. She waved us in.

I laid down on the floor under the desk to line up the picture. As I was doing this, the "auditor" was standing over the desk. In the middle of all this, I heard (but couldn't see, because I was under the desk) a woman's voice say, "Oh, for a minute I thought you two might have been spies." She laughed and walked out of the room to leave us alone. The secretary had become concerned and came in to check on us, but for some reason, she didn't think it looked suspicious that there were two guys fiddling around in the CEO's office—one of them under the CEO's desk.

Make It Hard for the Bad Guys
These are just a few of the things I've experienced in my years of performing penetration tests. I intentionally didn't mention any specific technical vulnerabilities that I found. Unfortunately, bad passwords and poor configurations are much too common to be noteworthy. I've seen primary domain controllers where the Administrator account password was simply "administrator." This highlights that although it's easy to laugh at naïve users, administrators can be just as bad.

You can prevent your company from falling prey to these vulnerabilities by imparting some common sense on your users. Remember though, that there is no common sense without common knowledge. A basic precaution against social engineering techniques would be to simply confirm the identity of any unknown employee, consultant or contractor. In the cases described above, no one asked to speak to my supervisor to confirm whether or not I needed to see what was obviously sensitive company information.

Here are some other preventive tips:

• Train workers about what information should never be divulged. For example, even though everyone might have the same password, that information should never be passed on.
• Visitors should be escorted through any building.
• Do your own security walkthroughs. The security staff should regularly search for passwords taped to monitors and other sensitive information scattered about.

The bad guys aren't geniuses, but they don't have to be: Most companies make it far too easy for the bad guys to get at their goods. Bad guys can often rely on very simple attacks. Learn from these stories, so your company doesn't appear in any future articles like this.