Ross Shaw asks you to trust him. He asks you to believe him when he sends you an email, calls you on the phone, or stops by the front desk. If you’d be so kind as to click on that link, download that program, spell out your computer password and allow him access to your server room, he can get out of your hair.
The problem is that he’s lying. He’s not a thief trying to steal data — it’s trickier than that. He’s hired by banks, credit unions and hospitals to test their security by attempting to scam his way into their system.
Most of the time, he succeeds.
In the basement of a Spokane Valley home, where talk radio buzzes in the background and Star Wars figurines sit on the shelves, business co-owner Mike Leach says he started E3 Technology, Inc., back in 2002, after the Financial Services Modernization Act of 1999 began to require banks to undergo information security audits. Businesses bring in E3 to analyze their network, spot the flaws and then help fix them.
“The unfortunate truth is that hackers are always a step ahead,” Leach says.
When it comes to ones and zeroes, massive strides have been made. Today, firewalls are tougher and anti-virus scanners are smarter. But there’s almost always a weak link: people.
“Just asking someone their password turned out to be a lot more effective,” Shaw says.
That’s where Shaw comes in. Shaw sits down with management first and gets permission to test the employees using a number of different scenarios, based on real hacking attacks.
In April, the Associated Press Twitter account spat out a shocking tweet: “Breaking: Two Explosions in the White House and Barack Obama is injured.” The stock market dove. The tweet was false. The AP had been hacked by the Syrian Electronic Army. When the same group seized control of the satirical newspaper The Onion, the paper revealed it had received an email with the phrase “Please read the following article for its importance” and an apparent Washington Post link. All it took was one staff member clicking the link, and logging into their Google Apps account when requested, to give the Syrian Electronic Army control.
Shaw says that tactic, called “phishing,” has been one of their most successful. E3 customizes its emails to specifically target the company being tested. They may design an email bearing the company’s logo, signed by the company’s president, asking for a password.
“We’ll imply that their job is on the line, and they really screwed up, and the only way to make right is to respond to us,” Shaw says.
PRANK PHONE CALL
It’s always been easy to find the names of those in an IT department. Search-by-occupation features on social media sites like LinkedIn and Facebook make it even easier. Shaw calls employees, pretending to be part of their IT group, asking them to reveal important, confidential information.
Only occasionally do they question the sound of his voice. But he’s prepared for that, too. “Oh, I’m on a cellphone, or I have a bad connection, or I have a cold,” he’ll tell them. “I’ll hold the fan up to the phone or pretend I’m in a data center.”
He’ll use the same sort of cold-reading technique as a carnival psychic. “If it’s a guy your own age, you may want to talk about their favorite football team, cars or jet skis,” Shaw says. “An older individual, you may want to talk about their grandkids. … Once you trust me, you are more inclined to believe what I’m telling you.”
On rare occasions, he’ll even show up in person, trying to gain access, unescorted, to sensitive areas. “We come up with a story,” Shaw says. “I’m there to work on printers. I work with the building manager. I have an alarm going off.”
Occasionally, the team will mock up a fake badge or business card. But most of the time they don’t need to. “Because I was in IT, I tend to look like an IT person,” Shaw says. “Slacks and a collar, that’s usually just enough.”
If he can get them to make that first leap — and believe he is who he says he is — convincing them to hand over sensitive information gets a lot easier.
“One of the first engagements I was on … I spent 45 minutes,” Shaw says. “In that time, I [was given] my own office, the domain administrator password and access to the vault.”
The good news, Shaw says, is employees have grown more skeptical over time. Sometimes he gets the chance to meet with the people he fooled, explaining to them where they went wrong. Most of the time, they knew something was up.
Once he has walked them through it, they are much harder to fool the next time. Ultimately, he says, stopping him or an actual hacker boils down to a few simple principles: Trust your doubts. Verify the facts. Ask for ID. Don’t give anyone your password.
“The problem with information security is that I only have to succeed once,” Shaw says. “They have to succeed 100 percent of the time.”