Wednesday, December 3, 2008

The Story of an Insider - Part 1. Shoulder Surfin Goodness

For a bit of background on this story you can read the intro here. This post details a low tech hack, primarily because it's from the perspective of a bog standard user. (If you're reading this you're probably not a bog standard user.)

The Insider's story.

I've worked for this company for 2 years and all I get is crap from the boss. Those glory boys in design get all the praise for the GNUphone but if it weren't for people like me handling the suppliers and getting them down to rock bottom prices we couldn't even compete with the big boys in the market. It's launch day soon and all I see is the design lads getting party after party, rolling in late, taking long lunches and doing sod all. And to top it off I come in late once and I'm on a warning.

Well it just so happens that if I can just get the finished designs for the GNUphone to a guy I know over at MicroFone Magazine before the launch I'll be wiping the smile off those smug gits' faces and I'll make a few quid too. I mean, it's not like I'm really hurting anyone, it just means people get to see the phone a little early, that's all.

I'll just have a poke around on the server and see what I can find...

Bugger! I can't get into the folder. I guess only the superstars in design are allowed access. Well I know the top guy down there is a football nut so it wouldn't take the brains of an astronaut to figure out his password.

Well none of that worked. But Mark did get really pissed at Carl the IT guy because his account was locked out. Then the boss had a go too, ranting that the security was overkill and was preventing people from working. Yeah right! More like preventing people from getting to Facebook.

Well I better think about this because I have got to get the designs, I've told my mate I can get them and I don't want to look stupid. I need some of those hacking tools but our Internet access and email is monitored and we're not allowed to bring software in. We're not even allowed USB devices for crying out loud! The Sys Admin is so paranoid he's got bloody policy after policy preventing anything and everything. He needs to get a life!

Well I know the boss has had it in the neck from everyone about the password policies so maybe I can push things over the edge. I have the usernames for everyone, I'll just lock out the accounts by accessing the webmail with my iPhone using the other employees' usernames and the wrong passwords; either the policies will go or the crazy paranoid Admin will. At the very least I'll have great fun watching everyone get pissed off. Am I a genius or what!

Well that didn't take too long, a day of selectively locking out all the bosses' accounts and the account lockout policy has been lifted, now I can just guess away to my heart's content.

1 day later...

Well this guessing game isn't as easy as it would seem, I've tried all the names of the players in his beloved football team and I'm still not in. Hang on, here comes Mark now, typically back late from his extended lunch break. I think I'll have a chat with him as he walks back to his desk.

I can't believe it, after a day's worth of guessing passwords he goes and types it in right in front of me as I'm chatting to him. All I had to do was ask him if he'd checked out the news about "his team" and he went straight to the Sky Sports website. What a sucker! And after all that the password was the star striker's name and number. I should have guessed that!

Right, so now I have the login name and password of the guy who designed the GNUphone, all I have to do is find a way of getting the designs out of the office once I have them. I can't email them out, that's too risky. Thumb drives are still strictly banned, but I do have my other phone at home and it has a 2GB memory card. There's nothing in the policy that mentions phones! It's risky but as long as I'm discreet I should be able to hook up the cable and download the files to my phone. Brilliant!

Well the next day I get in nice and early and I have plenty of time to copy the files. I'll just hook up my phone behind the PC, log in as Mark and have a search round for the designs. All being well I'll have the designs on my memory card before long and I can get them over to my mate at MicroFone Mag tonight.

Crap, the boss is on walkabout. I better get rid of this cable and phone before he comes over here.
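Editor's note: the lockout trick in the story (one client working through everyone's username with the wrong password against webmail until the boss caves and the lockout policy goes) is a gift to anyone who actually reads the webmail authentication log. A legitimate user fat-fingers their own password from their own desk; the insider's phone fails against many different accounts from one source address in a few minutes. The script below is an added example, not code from the original post: the log format, field names, usernames and IP addresses are all assumptions constructed for the illustration, and real products log these events differently.

```python
"""Flag a single source locking out many webmail accounts.

Added example for the story above. The log format and every sample
line are constructed for this illustration (assumed format:
"<ISO timestamp> <source_ip> <username> <LOGIN_OK|LOGIN_FAIL|LOCKED_OUT>").
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a normal morning, then one external address
# (192.0.2.44, documentation range) burning through three accounts.
SAMPLE_LOG = """\
2008-12-01T08:55:02 10.0.0.17 mark LOGIN_OK
2008-12-01T09:01:10 10.0.0.22 carl LOGIN_FAIL
2008-12-01T09:01:25 10.0.0.22 carl LOGIN_OK
2008-12-01T12:10:01 192.0.2.44 mark LOGIN_FAIL
2008-12-01T12:10:09 192.0.2.44 mark LOGIN_FAIL
2008-12-01T12:10:17 192.0.2.44 mark LOGIN_FAIL
2008-12-01T12:10:18 192.0.2.44 mark LOCKED_OUT
2008-12-01T12:11:02 192.0.2.44 boss LOGIN_FAIL
2008-12-01T12:11:10 192.0.2.44 boss LOGIN_FAIL
2008-12-01T12:11:18 192.0.2.44 boss LOGIN_FAIL
2008-12-01T12:11:19 192.0.2.44 boss LOCKED_OUT
2008-12-01T12:12:03 192.0.2.44 carl LOGIN_FAIL
2008-12-01T12:12:11 192.0.2.44 carl LOGIN_FAIL
2008-12-01T12:12:19 192.0.2.44 carl LOGIN_FAIL
2008-12-01T12:12:20 192.0.2.44 carl LOCKED_OUT
2008-12-01T13:40:00 10.0.0.17 mark LOGIN_FAIL
2008-12-01T13:40:30 10.0.0.17 mark LOGIN_OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (LOGIN_OK|LOGIN_FAIL|LOCKED_OUT)$")


def parse(log_text):
    """Turn log lines into (timestamp, source_ip, username, outcome) tuples.
    Lines that do not match the assumed format are skipped, not fatal."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, ip, user, outcome = m.groups()
            events.append((datetime.fromisoformat(ts), ip, user, outcome))
    return events


def suspicious_sources(events, window=timedelta(minutes=30), min_users=3):
    """Return {source_ip: sorted usernames} for every source that failed
    against at least `min_users` distinct accounts inside any `window`.
    One user mistyping their own password never trips this, however many
    times they do it; spraying across accounts does."""
    by_ip = defaultdict(list)
    for ts, ip, user, outcome in events:
        if outcome in ("LOGIN_FAIL", "LOCKED_OUT"):
            by_ip[ip].append((ts, user))

    flagged = {}
    for ip, fails in by_ip.items():
        fails.sort()  # sliding window over failures in time order
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            users = {u for _, u in fails[start:end + 1]}
            if len(users) >= min_users:
                flagged[ip] = sorted(users)
                break
    return flagged


def lockouts_by_source(events):
    """Count LOCKED_OUT events per source IP; the address that 'caused'
    most of the helpdesk tickets is the one to show the boss."""
    counts = defaultdict(int)
    for _, ip, _, outcome in events:
        if outcome == "LOCKED_OUT":
            counts[ip] += 1
    return dict(counts)


if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    for ip, users in suspicious_sources(evts).items():
        print(f"{ip} failed against {len(users)} accounts: {', '.join(users)}")
    print("lockouts per source:", lockouts_by_source(evts))
```

Two design points: the detector keys on distinct usernames per source rather than raw failure counts, so the 13:40 entry (Mark mistyping his own password from his desk) is ignored while the 12:10 burst is flagged; and it counts lockouts per source so that the sysadmin has one number, tied to one address, to put in front of the boss instead of an argument about whether the policy is "overkill". A phone on a carrier network would also show up as an address outside the office range, which is a cheap extra filter on top of this.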

Coming up..........The Sys Admin's story.


Mike said...

Great start to the story. Sounds like a very compelling reason to implement password complexity requirements. That, and check the logs of your web mail interface. :)

Anonymous said...

I hope the sysadmin checked the logs. Wouldn't waving that particular log around help convince the bosses?

SynJunkie said...

I'm sure our super keen sys admin will know exactly what to do ;-)

g3k said...

Loving these posts! Keep it up

SynJunkie said...

Thanks g3k, I hope to have the next post up pretty soon.