What's my line? John Bingham
ONE GUY YOU DON'T WANT TO HOLD THE DOOR OPEN FOR
Despite all your technical security measures, people can frequently be the weakest link. We figure out the way to attack that weakness, and play on people's normal intention to be helpful. By making the phone calls, we try to get people to disclose their user IDs and passwords.
What tricks do you use?
We do our share of research to make sure we use the same buzzwords used within a company. If we're pretending to be calling from the "help desk," and the company refers to it as "technology support," we make sure that we get that right.
You don't just test companies on the phone.
We look at physical access to facilities. A lot of times we'll be walking toward the front door, holding a box, looking encumbered. Nice Midwestern people hold doors open for people. We just walk down the hallway and turn the corner. We have a laptop in the box and can connect into their network and start probing to see what we can find.
How often are your team members stopped?
We still get in 20 to 25 percent of the time. Before Sept. 11, it would have been 80 percent.
You've got some new tricks in your bag.
We'll take half a dozen USB drives and spread them out in an employee parking lot. People walking in from the parking lot will see them and pick them up. Seventy-five percent of the people who pick them up plug them in.
We put the equivalent of a beacon in there that reaches back out to us and tells us, "Here's the computer that loaded this." We could have done something malicious.
We've also had a lot of success playing off e-mail phishing, which leverages the trust that you naturally have for things like large financial institutions. So we'll send a nice formatted e-mail to the customer service and the technology department to see if we can get them to disclose a password, which would give us direct access to a database.
It's usually something innocuous: "We've upgraded our security over the weekend and in order to make sure that our password file gets synchronized properly, please click on this link and enter your password." And (the bad guys) are off to the races with your password.
What's the message here?
The underlying behavior we're trying to enforce is: if you're the person who knows a piece of (sensitive) information, you're the one who should be initiating the contact. You should take some steps to figure out if this is authentic. So, if you got a call from the "help desk," why don't you just call the help desk back to be sure?
Every Thursday, the Sun-Times Business Section features a mystery occupation. See if you can guess the job before the end of the interview.
John Bingham is a director in the technology risk practice at Protiviti in Chicago, where he works to protect clients from the security risks presented by technology.