Issue link:

Contents of this Issue


Page 2 of 3

SUMMER 2017 SECURITY SMART 3 Companies hire Anton Abaya, a consul- tant at Accudata Systems, to come into their workplaces unannounced to employees, to see where the holes are in the network and in physical security. Here he shares some of his experiences. This is not a stickup I went into a bank wearing a fake badge with the client's logo and "IT Contrac- tor" that I made from basic materials at Staples. Before I said anything, the receptionist asked if I was there to fix the fax machine, and I said "Yes." At that point, I also "fixed" other computers, in- cluding teller systems. The bank staff let me roam around accessing pretty much anything under the context of "doing some routine maintenance and tighten- ing up of security." For my sweetie Around Valentine's Day, I dropped off a box of chocolates at a client's reception area and a USB drive that said "To my love," but with no recipient details. The USB drive, when opened, would play a cute "I love you forever" video, but behind the scenes would run a benign program that reached back to our servers to show that it ran. The receptionist gave the items to an- other employee, who opened the file on the drive. They did not involve IT. Ticketed I once sent phishing emails that in- formed recipients that the company's parking services had fined them $100 for parking next to a fire hydrant. The email gave them the option to dispute the ticket (or be forgiven) if they logged into a specially created website using their company credentials. We scammed more than 50 employees, including a medical records clerk, payroll clerk, and IT admin/programmer. Duped My colleagues and I followed employ- ees into an office, pretending to be from IT, and asked various employees to use their computer for a "just a minute" because "there's a virus going around." Most just gave us immedi- ate access. Just in case, we had fake badges and various stories (e.g., "I'm new here, which is why you haven't seen me before"). When No One Asks, "Hey, Are You Legit?" A security consultant infiltrates his clients' buildings and networks—with lots of help from their employees Prevent Searches of Your Data at the U.S. Border Ultimately, if you're a legal U.S. res- ident, CBP shouldn't prevent you from entering the country, even if you re- fuse to allow a device to be searched, Bhandari said. Still, expect to have your device seized if you refuse to unlock it. Travelers will often have to choose, she said: "Would they rather turn over their password and have a quick search versus refusing and hav- ing their device seized?" Over the past two years, U.S. Customs and Border Patrol (CBP) has targeted ever-larger numbers of travelers' smart- phones and laptops for searches as they cross the border into the country. Keep in mind that the odds of CBP searching any single traveler's device are quite small. CBP only checks the devices of a fraction of 1 percent of all people crossing the U.S. border. Still, travelers concerned about their privacy can take steps to protect their data. First, consider removing sensitive data from your devices before you travel by storing it in the cloud or on another device that stays home. "People should never lie to a CBP agent," said Esha Bhandari, a staff at- torney with the American Civil Liberties Union's Speech, Privacy, and Technology Project "If they're asked a question, they should answer truthfully. But there's no requirement you carry your data with you when you cross the border." If you don't want CBP searching your work email, you can temporarily remove your email app from your smartphone. Also, you can keep your devices turned off as you go through customs. If your smartphone is powered up, log out of apps that contain personal data. If a CBP agent asks you to unlock your smartphone or laptop, you can refuse, but there are consequences. If you're not a U.S. resident, CBP could prevent you from entering the country. If you're a U.S. resident, CBP could hold you for several hours, and they could seize your device. In April, legislation was introduced that would require warrants to search devices owned by U.S. citizens and oth- er legal residents, but for now, the law allows for warrantless device searches. CBP can detain you for refusing to allow a search but "we're talking a matter of hours, certainly not an overnight deten- tion," Bhandari said. DID YOU KNOW? Forty-five percent of employees in a recent global survey admitted to engaging in behaviors during the workday that could compromise security. These included connecting to public Wi-Fi to access confidential information (46%), using personal email accounts for work (49%), and losing a company- issued device (17 %). SOURCE: DELL END-USER SECURITY SURVEY 2017 For more information on staying safe online here at BSU or at home, contact

Articles in this issue

Links on this page

Archives of this issue

view archives of BSU - Security_Smart_Summer2017_Bridgewater