In Part 1 of this series, we identified the conference bridge as a potential vector for data leakage and compromise of confidential information. We discussed the four elements of a bridge - the time of call(s), conference phone number, the PIN or participant code, and human factors. We outlined how each can be compromised with a bit of social engineering and ingenuity. Let's now examine two scenarios to show how confidential company secrets can be siphoned off of a bridge. Note: these actions are illegal, and ARSC discusses them for informational purposes only and does not suggest or condone these actions.
Scenario 1:Bob is a former IT employee at www.xyz.com, now unemployed and cash-poor. He gets a call from a friend – “hey, your old job’s Web site is down!” He pulls up the old IT Operations bridge on his phone. It still works! He dials in. There are so many people working the problem that the manager does not hear the ‘join’ tone. Bob listens while IT Ops decides to relax two-factor authentication and open a back door so developers can work the problem. Voila! Bob is now in the system! The files, critical data and opportunity for profit are his for the taking!
Scenario 2: Chuck works for a competitor of StartUp 2.0. He really wishes that he could be a ‘fly on the wall’ for the Product strategy discussions. Chuck belongs to a committee on a local industry professional group – chaired by a StartUp 2.0 employee, Carol. Carol uses her company's bridge for the committee's meetings. She sends the invite out using her company bridge for this association's meetings: Dial-in 1-888-CON-CALL, pin 2067690428. Chuck now knows StartUp’s bridge number and sees that the PIN is Carol’s desk number. He finds out the name of the VP of Product, Alice (Thanks, LinkedIn!). He calls StartUp’s main number after hours and uses the dial-by-name function. He listens to the messages and now knows Alice’s extension and therefore her phone number… and therefore her PIN. Chuck tries the bridge on Monday morning. Nothing! Tries Tuesday morning. Nothing! Tries Wednesday morning. Paydirt! There are already three people on the call. “Who joined?” Chuck stays on Mute. Alice joins. “Who do we have?” “Dan here!” “Erin here!” Frank here, and there’s someone else on I think.” Alice: “Anyone else on? Ha-ha, while they’re hunting for the Unmute button let’s get started. What’s the word on our latest product launch?”
There are other scenarios but they follow a similar pattern: social engineering, a bit of guesswork and under-the-radar listening.
Now that you see how easy it is, we will examine several common-sense basic practices organizations can take to make their conference bridges more secure (not secure, but more secure)... in Part 3!
Scenario 1:Bob is a former IT employee at www.xyz.com, now unemployed and cash-poor. He gets a call from a friend – “hey, your old job’s Web site is down!” He pulls up the old IT Operations bridge on his phone. It still works! He dials in. There are so many people working the problem that the manager does not hear the ‘join’ tone. Bob listens while IT Ops decides to relax two-factor authentication and open a back door so developers can work the problem. Voila! Bob is now in the system! The files, critical data and opportunity for profit are his for the taking!
Scenario 2: Chuck works for a competitor of StartUp 2.0. He really wishes that he could be a ‘fly on the wall’ for the Product strategy discussions. Chuck belongs to a committee on a local industry professional group – chaired by a StartUp 2.0 employee, Carol. Carol uses her company's bridge for the committee's meetings. She sends the invite out using her company bridge for this association's meetings: Dial-in 1-888-CON-CALL, pin 2067690428. Chuck now knows StartUp’s bridge number and sees that the PIN is Carol’s desk number. He finds out the name of the VP of Product, Alice (Thanks, LinkedIn!). He calls StartUp’s main number after hours and uses the dial-by-name function. He listens to the messages and now knows Alice’s extension and therefore her phone number… and therefore her PIN. Chuck tries the bridge on Monday morning. Nothing! Tries Tuesday morning. Nothing! Tries Wednesday morning. Paydirt! There are already three people on the call. “Who joined?” Chuck stays on Mute. Alice joins. “Who do we have?” “Dan here!” “Erin here!” Frank here, and there’s someone else on I think.” Alice: “Anyone else on? Ha-ha, while they’re hunting for the Unmute button let’s get started. What’s the word on our latest product launch?”
There are other scenarios but they follow a similar pattern: social engineering, a bit of guesswork and under-the-radar listening.
Now that you see how easy it is, we will examine several common-sense basic practices organizations can take to make their conference bridges more secure (not secure, but more secure)... in Part 3!