A week in the life of a Hacker: Day 2
By Steve Cox, Chief Operating Officer at TSG
My first day as a double agent hacker was about spotting the opportunity when carelessness becomes apparent. A lot of hackers are successful this way. However, some hacks are entirely planned - here's an example:
Day 2 - The Case of Mistaken Identity
I have to admit I stole this idea from James Lyne, Sophos' Chief Technology Strategist. Then again, I'm a hacker this week, so it's my duty to steal things.
At 9am I popped into Starbucks. I pulled out my pre-prepared piece of paper and proceeded to spill coffee all over it.
9:30am - entered the office building next door. Putting on my best Essex charm I exclaimed to the receptionist, "Please, please can you help me? I have an interview in 5 minutes and I've just spilt coffee all over my CV. If I give you this memory stick is there any chance you can print off another copy for me?"
The Essex charm worked a dream - "Of course, no problem at all". USB stick went in. Malware everywhere.
Seriously - even I was surprised at how quickly the whole system became infected.
I played the charm card, but the receptionist, doing their good deed for the day, still let a completely unknown device access the company's IT system.
To this day they might not know that they were the person who caused a major breach of the entire network.
A similar scenario happened (on a larger scale) to Santander Bank when a hacker, pretending to be an engineer sent to fix an apparent problem, was allowed to set up a device within the building. This would have given his co-conspirators access to the bank's entire IT infrastructure from a remote location.
It didn't quite get that far, but you can take a look at the full story here.
If this type of situation were to happen to a Cloud provider, though highly unlikely, hackers would gain access not only to one company's data, but potentially to that of many businesses - and to their hosted applications.
The Cloud is still relatively new to a lot of people, and a lot of mistakes are yet to be made - mainly because we haven't encountered all the scenarios that need covering, or the human errors that may cause them.
However, a fundamental part of being a Cloud provider is having processes in place that cover these types of scenarios and prevent a breach of security point number one - allowing an unknown device access. After all, their entire business is based on providing the most secure basis possible.
Day 3 involves me becoming a master of disguise to gain access to a company's entire network using just a wifi key.