By Andy Greenberg
Hackers have a lot of fancy names for the technical exploits they use to
gain access to a company's networks: cross-site scripting, buffer
overflows or the particularly evil-sounding SQL injection, to name a
few. But Johnny Long prefers a simpler entry point for data theft: the
emergency exit door.
"By law, employees have to be able to leave a building without showing
credentials," Long says. "So the way out is often the easiest way in."
Case in point: Tasked with stealing data from an ultra-secure building
outfitted with proximity card readers, Long opted for an old-fashioned
approach. Instead of looking for vulnerabilities in the company's
networks or trying to hack the card readers at the building's entrances,
he and another hacker shimmied a wet washcloth on a hanger through a
thin gap in one of its exits. Flopping the washcloth around, they
triggered a touch-sensitive metal plate that opened the door and gave
them free roam of the building. "We defeated millions of dollars of
security with a piece of wire and a washcloth," Long recalls, gleefully.
In other instances, Long has joined employees on a smoke break, chatted
with them casually, and then followed them into the building. Sometimes
stealing data is as simple as wearing a convincing hard hat or walking
onto a loading dock, before accessing an unsecured computer or
photocopying a few sensitive documents and strolling out the front door.
Fortunately for his victims, the companies that Long invades are also
his customers. As a penetration tester for Computer Sciences Corporation's
security team, Long is paid to probe weak points in a company's
information security. His job as a "white-hat" hacker is to think like
the bad guys--the more evil genius he can summon up, the better.
And if tactics like tailgating an employee through a backdoor or picking
a lock with a washcloth don't seem like real hacking, Long would suggest
fine-tuning the word's definition. To bring that other side of hacking
to the public's attention, he wrote a manual cum manifesto titled No
Tech Hacking, which was published this week. The book's goal, aside
from pumping Long's already significant notoriety in the world of
cyberpunks and script kiddies, is to show that hacking isn't always the
realm of high technology.
Instead, he argues, it's still rooted in old-fashioned observation and
resourcefulness. To obtain a corporate password, for instance, a hacker
can pose as an employee and call a company's help desk or simply look
over an employee's shoulder while he's on his laptop at a local cafe. To
access a network, Long will photograph an employee, fake his badge or
even his uniform, and slip past the front door security to find an
That kind of no-tech hacking isn't a new idea, but it's one worth
remembering, says Jeff Moss, the organizer of cyber-security conferences
Black Hat and Defcon. "There's a tendency in our industry to focus on
the latest and most interesting attack," he says. "But Johnny is trying
to show that the simple security problems that were spotted a long time
ago haven't gone away, and the bad guys will use whatever's available."
That's a lesson that the security industry should heed: The average cost
of a data breach rose to more than $6.3 million last year, up from $4.8
million in 2006, according to research by the Ponemon Institute. And
physical security played a growing role: Lost or stolen equipment
accounted for about half of those breaches last year.
With those kinds of costs at stake, hiring hackers like Long isn't
cheap: For basic vulnerability assessment, CSC, which is based in El
Segundo, Calif., charges a minimum of $35,000. For complete penetration
testing, which often involves obtaining specific files to demonstrate a
firm's security flaws, the team can charge as much as $90,000.
But for the most in-depth hacking missions against well-protected
companies, Long and the rest of CSC's security team are also rewarded
with the illicit thrill of intrusion. "When you get that James Bond
feeling of espionage, it's a huge adrenaline rush," he says. Long admits
that the night before a major case, his team often watches the geek
thriller Sneakers. "Penetration tests that involve a human element are
so much more exciting than sitting in front of a computer screen, poking
through a company's firewall."
As a kid in suburban Maryland during the 1980s, Long's hacking career
began under less sensational circumstances. Surfing the pre-Web
Internet, he browsed bulletin boards looking for pirated copies of video
games. To pay for the growing long distance bills from his modem, he
started charging his Web surfing to calling card numbers that he found
on semi-legal sites. And when those phone-card sites started forcing
users to pay for access, he found ways to circumvent the sites' security
Soon, the challenge of bypassing firewalls and accessing distant
networks was more interesting than any video game. "I would be on my
Commodore 64, talking to a Unix system somewhere far away," Long says.
"It was like traveling--the fascination of being in a place with a
different culture and speaking a different language."
When he graduated from high school, Long skipped college and got a job
at a local university as a systems administrator. Before he was 20, he
moved on to a major health insurance provider that was in the midst of
bringing its systems onto the Internet. Long wrote up a report detailing
all the company's security vulnerabilities. It was ignored by his
superiors. Feeling demoralized, he eventually left the company and
landed at CSC's offices in Falls Church, Va.
At CSC, Long found his niche. In 1998, for instance, he suggested a
simple social engineering method to gain access to a company's server
that wasn't attached to the Internet. Long tracked down the name of the
company's technical contact person on the Web, and made a phone call to
its help desk pretending to be that person. The help desk's staff
switched on the server's modem, and CSC's team was inside. "Once I
connected with the security team, I brought some of the perspective that
the security community was just starting to get then, a street-level
hacker mentality," Long says.
From there, CSC began to experiment with the physical security hacks it
uses today, and Long began developing a set of techniques he calls
"Google Hacking": using simple search engine queries to find hackable
vulnerabilities in Web sites. (See: "Google: A Hacker's Best Friend")
Today CSC has one of the security industry's better-known
penetration testing teams, and Long is a celebrity in hacker circles.
Since he first became a professional penetration tester, cyber-security
has evolved dramatically, Long says. No Tech Hacking is partly about the
latest social engineering methods used by a new generation of
cyber-criminals. Instead of searching for holes in companies'
increasingly tight security perimeters, their attacks are about drawing
the target out, bringing employees to a compromised Web site that
infects their network, or convincing an administrator to give up his or
her password in an e-mail.
But the other lesson of the book, Long says, is that some things haven't
changed. "No matter how savvy we think we are, the oldest attacks are
still possible, and they're still prevalent," he says. "The smartest
systems are still falling for simple tricks, and that's what keeps us in