Social Engineering: The Biggest Risk to Internet Security

Covering Up The Break In

Let's take a slightly different angle on this, while staying with the central theme of security flaws.

Again, for the record, this is a figment of my imagination.

I got a call from a friend one evening, announcing with some glee that a client I had consulted for in the past was about to get creamed. I played the game and persuaded my buddy to let me see what he had obtained on this firm. So we went for a beer, and he pulled out his ultra-small laptop (of which I'm envious) and brought up a file on screen that clearly should not have been available to him, or anyone else for that matter.

It is a Microsoft Excel file that has been cracked through a brute-force attack using Elcomsoft's file cracker. This is the type of file that would typically be kept by a database administrator. In that file is the username and password of every Oracle database (DB) user in this organization, the OS system passwords to all machines running the DBs, and usernames and passwords to all ancillary machines used for routing requests to credit card clearance payment gateways.

The Exposure Was Staggering

I had actually created some of these passwords myself during my efforts for the firm. It had connection details for every database account that you can think of, including external links to other sites through VPNs and so on.

And then, with a smile, he said: "there's more." He had the names of many files that appeared to belong to staff, many of whom I knew personally. I asked if he was completely nuts to be in possession of this stuff, as he is a security head with a reputation to protect.

It wasn't a big deal for him though, as quite simply, the files were available online. Someone had posted them to a site! So it wasn't a case that he had some form of unique access: everyone who had access to the web site where they were visible had access, and the ability to download and play with the stuff. What in the name of all that is holy had happened?

I immediately got on the phone to my IT managerial contact in that organization and brought the contents of the file to his attention. He was stunned, and not simply by the fact that the file had been exposed: he didn't realize that such a file existed at all! And worse, he knew well that only a small and very select few within his firm could have access to that level of data, and therefore it had to be one of them who was responsible for its existence in the first place.

That Horrible '0 Sh1t' Moment

Just when it seemed that things couldn't get any worse, my buddy in security called and suggested something that was going to turn this mess into a catastrophe: he had seen some stuff that indicated that these files were in fact from a backup tape. A backup tape? Why of course, now it all made sense. With so much material relating to user files in one place, the idea of a backup tape made perfect sense: a hacker entering the system through electronic means would be unlikely to waste time with low-grade files when there is a possibility of hitting a root. Or in this case, every root!

Having gotten over the implications of the find, the IT manager now had to comprehend the extent of the damage. However, to do that, he had to rely completely on the expertise of the very people who had created the file in the first place. This act was a sackable offense on its own.

Now he was in a big jam; he couldn't proceed without the collaboration of his closest technical associates, yet he knew full well that both the file creator and the source responsible for the backup tape leaving his IT building were working inside his managerial domain.