Techs or Crooks: Can Your Clients Tell the Difference?
Steve Stasiukonis has what must be one of the coolest jobs on the planet. He gets paid to steal corporate secrets. No, he's not an accomplished white collar criminal. Quite the opposite. Banks, hospitals, even hush-hush government agencies pay him to conduct "penetration tests" against their firms, hacking in under controlled circumstances to identify vulnerabilities in their security defenses. And, boy, are there vulnerabilities—starting with the ubiquitous "copy repair guy."
You may think that network-related security breaches are largely perpetrated by malicious nerds hacking in via a remote computer. That's a real problem we'll be looking at in depth in the July issue of The Imaging Channel magazine. But there's another, very real threat that probably never crossed your mind: the analog hacker. Also known as "physical hackers" or "social engineers," they're among the industry's most subtly dangerous threats. They don't hack in from afar. They march brazenly in the front door.
"If I was going to make a living as a white-collar criminal, I wouldn't do it electronically," says Stasiukonis, who's managing partner of Syracuse, N.Y.-based penetration testing firm Secure Network Technologies. "I'd walk in the building. It's easier, the money's better, and there's no firewall log to trace you back to."
But isn't it hard to sneak in the front door? Nope—because Stasiukonis doesn't sneak. He's invited in the door, welcomed by his hapless victims, often given tours of the facility. Because very often, Stasiukonis is masquerading as "the copier repair guy."
"Over the years, I've found that the two most common and effective choices for getting into a building are to pose as the copy repair person or the heating/ventilation guy," Stasiukonis explains. "I learn who the printer or copier company is, and have shirts made up with a logo pulled from their website. I show up at the company with a fake ID and my tool kit, and in almost every instance, I get in without anybody giving me a second glance."
In fact, people are often delighted to see him. "Like heating and cooling, printers and copiers are a continual source of dissatisfaction," he says. "A printer could be printing works of art, functioning flawlessly, but there's always somebody who's complaining that the color's wrong, or it won't collate, or it won't staple. So when I show up to 'fix' it, I generally get a pretty warm welcome."
Or people yell at him—but not because he's there to steal corporate secrets. "Once I had an assignment to breach a very sensitive government database. My partner and I walked in as copier repair guys. We made it to the machine we wanted to access and a guy in a thousand dollar suit yells at us. We thought we were busted, but nope. He comes over and starts spouting about this 'piece of garbage' and how much he hates the machine because it won't staple. He tells us if we can't fix it, he wants a new machine in there the next morning," Stasiukonis recalls. "Of course, I tell him whatever he wants to hear, and he leaves us to do what he thinks is our job."
While his partner accessed the government database via the printer, Stasiukonis—who once worked for a leading printer OEM—downloaded the printer's repair manual and repaired the faulty stapling mechanism!
"We got the data we wanted, so I reassembled the printer and packed up to leave. All of a sudden, the same high-powered guy hollers, 'Hey, you guys get over here.' We thought we were dead. But instead of busting us, he apologized for yelling at us earlier, thanked us for fixing the stapler, and handed us a cake in appreciation for all we did. Priceless."
But did Stasiukonis and his partner get all the data they'd set out to steal? "Yup, we robbed 'em blind," he says with great satisfaction. "But the next fake copier repair guy won't!"
Funny, yes—but a wake-up call for our industry, too. What have you done to make sure that your clients aren't compromised by a crook masquerading as one of your repair techs?
As Editorial Director of the Imaging Channel, Greer has more years' experience than she'd care to admit in journalism, marketing, and the print and imaging industry. Prior to joining The Imaging Channel, she operated a marketing and branding firm serving national and regional clients in technology, healthcare and consumer goods.
Posted on 04/27/2011