I recently had the privilege of being a special contributor, along with a few other brilliant security folks, to Johnny Long’s latest book: No Tech Hacking. All of us in the security profession are familiar with the concepts, and have used them from time to time without realizing it. So what exactly is no tech hacking? It is a combination of circumventing security controls without using technology and using the powers of observation to find ways around security controls.
Examples of no tech hacking involve the stuff we know about: dumpster diving, tailgating, shoulder surfing, social engineering and a few others. Some aspects that you may not be aware of are the ways this applies to physical security, people watching, surveillance and many more. How? Next time you’re at work, watch your employees at their smoke breaks. Do you see a threat to your organization? Look closer. Maybe hang out closer so that you can listen. Are they talking about work-related items? Naming other company employees? Okay, so you don’t want to get that close to them, but they’re still divulging potential information about your company: their ID badges and procedures for building re-entry.
So, how about those pesky security doors, how would you circumvent them? Do you just walk up to yours and it unlocks for your exit? Yup, you’ve found it. All you need to pull off is the MacGyver hack to get around this one! Three items or fewer are all you need, and it’s all no tech related. No, I won’t say here what they are; I want you to think about them. And hotels? Oh yes, there’s a very serious security threat in almost every hotel room, and it isn’t the cleaning staff. Here’s a hint: the TV set. Figured it out yet? It’s in the integration of the TV set with the hotel’s billing system. Got it? Using another cable box, you can view other hotel tenants’ personal information quickly and easily.
By now you may be wondering how to protect your organization against no tech hacking, or you have probably dismissed the threat altogether. The answer to both of these thoughts is the same: observe your company, its employees and how other people interact with it. You may be shocked by what you see and hear. You need to start thinking like the people who are interested in your organization, or who may become interested due to inadvertent exposure. Do a lot of your employees travel? Find out if employees are putting their names, company logo, and other identifying information on their luggage tags or laptops, in plain view at the airport (pun not intended). Even from a glance at the user’s laptop display, an attacker can learn a lot about your infrastructure. The taskbar icons can identify the VPN, instant messaging, and network authentication solutions that your organization uses.
Some companies are fighting back against these kinds of attacks. I’ve learned that one very large financial institution is reissuing thousands of employee ID badges that will only have the name of the employee and their picture: no company logo and no “if found please mail to” messages. Others have instituted and are enforcing policies about having your ID badge visible in a public location. Educating employees about “loose lips sink ships” helps, but showing them may have more impact.
No Tech Hacking presentation: http://video.google.com/videoplay?docid=-2160824376898701015
The No Tech Hacking website: http://www.notechhacking.com/
Purchase the book: No Tech Hacking
Johnny’s website: http://johnny.ihackstuff.com/
Hackers for Charity: http://www.hackersforcharity.org/