The weakest link

For all your firewalls, intrusion detection systems, passwords and password policies, it just takes one uninformed and well-intentioned employee to bring you down.

It’s called social engineering and it is the most effective “hacking” tool available. I had my first experience being on the receiving end of a concerted social engineering hack and emerged victorious.

Yesterday around 3:30 pm I was at my desk when the receptionist put through a call from one of our senior VPs. I was rather distracted with a few things going on so I was caught a little off guard. The VP in question is someone I know fairly well and have a bit of a rapport with. He asked how my holiday weekend was and we exchanged brief pleasantries. Since I was rather busy I politely moved the conversation to the business at hand and asked him what I could do for him.

He told me he needed a copy of the company Global Address List in Excel format.

[pause]

For the record, this would be the contact information for every single employee in our company. About 800+ contacts. No small thing.

[/pause]

One thing that tends to set me apart from your average IT flunky is I am not afraid to ask blunt questions and I had one for Mr. Senior VP.

What on earth for? This was an odd request and it set off alarm bells immediately. I’m not about to hand off this proprietary information without following some type of protocol even if you ARE a senior VP.

He proceeded to explain to me that he was on the road and his daughter had accidentally taken his laptop to school and he needed employee contact info ASAP. It kind of made sense. We are going through a buy-out/merger. It’s not out of the realm of possibility that a senior VP would need this information as part of maybe planning our ultimate re-organization. Still….

He was on a cell phone so it disguised the voice somewhat. It did sound like the VP.

I suggested he access the corporate e-mail system via our web interface. There he would have access to all the contacts in the GAL. He said this was not acceptable and that he needed it in a form that could be printed out.

I continued asking questions like “what is this for?” “Is there another way?” “Can you come into the office and get this?” and one final question “Is this something you would prefer I stop asking questions about?” to which he replied “yes.”

At this point he tried to pull rank. He told me that in his position he should not have to explain himself to me. This is when I was sure there was a problem. Either the person I know is acting EXTREMELY suspicious and out of character or he was not who he claimed to be.

I generated the Excel spreadsheet by exporting the GAL to a file on my desktop. I had to make a decision quick. I asked him how he wanted this delivered to him and he said “e-mail it to my personal e-mail address” and proceeded to give me an address of files@somethingoranother.com…

My thought was that if he could access his personal e-mail then he could access his corporate e-mail and I told him I would send it there. He asked me to CC the funky e-mail address and I said I would not do that. At this point I told him outright that I wasn’t even sure I was dealing with a company employee and I implored him (just in case I was wrong) to please understand that I am only protecting the company. I basically told him I would e-mail the file to his corporate address and he could then forward it as he pleased.

He was not happy but relented and agreed to my solution. At this point I was a little flustered and after I sent the e-mail I went to my boss to explain what had happened in case I managed to piss off a senior VP. Not something you want to do when they are likely evaluating current and future company positions. I have denied the requests of senior management before, citing company policy. When you do that you are putting your job at risk. I knew I was right but I feared there might be repercussions.

5 minutes later I got an e-mail from the senior VP in question asking what the heck this was that I had sent to him. I explained it and told him he could delete the message.

Turns out whoever was on the phone was impersonating the VP and was totally pulling a scam.

Had I not been alert I could have easily handed off confidential employee information to god knows who.

Let’s be careful out there!

Another successful fundraiser

Last night’s show was the last of three fundraising episodes for this fund drive. We were tasked with raising $1920 per show. To make the goal easier to speak to I just announced it as $2000 as a nice, round number.

During week 1 we raised nearly $2700 which was pretty awesome. Our listeners stepped up in a big way. We were joined by Renee Feltz of the KPFT News Department as the fund raising coordinator during the program. Her energy added greatly to the efforts.

During week 2 we fell short of the goal by about $500 so that was a little disappointing. Still, with the overage the first week we had some cushion and in terms of the overall goal we were right where we needed to be. Renee was out of town and Robb was absent as well. Dr. Simotas was our fundraiser coordinator and she did a good job. It was her first time to work with the Technology Bytes crew so it didn’t gel as well as I would have liked.

Last night we were re-joined by Renee Feltz and Robb Zipp in their usual roles and Dr. Simotas joined us in the studio. It was a winning line-up as we blew through the goal with 30 minutes left in the show. I think having a fully qualified ObGyn in the studio and on the air during a computer technology talk show pushed us over the edge. The final tally for last night’s show was just over $2600.

Alexandra Simotas in the control room with phliKtid

Overall, we exceeded our goal and it was a successful fund drive for us.

Glad to be of assistance

As you might imagine, I have answered a LOT of computer questions over the years as a result of my chosen path as demagogy-free radio talk show host and newspaper techno-pundit.

The questions come via e-mail, IM, the phone, in person and via third parties, friends and relatives. Everything from consumer advice to complex network troubleshooting. Sometimes I know the answer and sometimes I am quick with a well executed Google search and on certain occasions I just grunt my displeasure at being used in this manner and go back to what I was doing before I was so rudely interrupted.

Since all my Q&A’s I write for the Chronicle are archived in the Helpline Blog they are turning up in the search engines when people are looking for an answer to a problem. This means that I am answering questions now without actually interacting with the person experiencing the problem.

There’s no way to track this. I simply have no idea how much assistance (or damage) I am perpetrating. I do, however, have an inkling based on the steady stream of replies to one particular posting I made back on Sept. 9, 2005.

My screen is sideways

It was a Q&A I put together based on a real live helpdesk issue that I solved with one of my users in the course of my workday. In terms of publishing it was kind of a “throw down” posting in that I did not see this as something that affected very many people and would possibly be more filler than anything or perhaps just demonstrate a quirky computer factoid.

I was wrong.

This week I have received three comments thanking me for that one single answer and I have received around 28 since it was posted. And since I rarely hear from people I have successfully helped, the true number of people this has helped may never be fully known.

I can only imagine how many people have been suffering with a monitor turned on its side looking for a solution.

I’m glad I could help.

Google Chell Speck!

Are you tired of those who comment in your blog/journal only to point out your glaring spelling errors? You know, those comments that only serve to derail a perfectly good post? What could be more irritating?

Well dear blogger, fret no more!

I just stumbled on the latest Google Toolbar which spell checks Web forms and larger composition windows, such as in Web e-mail and yes, WordPress and Movable Type.

It’s a lifesaver!