The Cellular
The way of con artists

I just saw the movie: The Cellular. This is an entertaining film for sure. Don’t be worry, I’m not a film critic. Why am I writing on the film then’ Because there is some interesting things to say about it!

I’ll not resume the film here, it’s why I talk to people that saw it. For person that doesn’t know what I’m talking about, you can always refer here for more information.

One thing stroked me particularly: the bad guys was working in the LA police, they shot at people a couple of times during the film and the only thing that they needed to say was: ‘I’m from the police [leave me alone then]’. Are people naïve’ Some yes, others no’ In the film, they were police officers, but what if they were not and wore false badges’ How people can know, in few seconds, if it’s a false or not’ There is no way. The only way is to call at the police station and ask them. The second problem, whom will do this’ Probable no many people, me included. It’s exactly why con artists use this old trick, because people have respect in anybody that wear uniform and badges. Just to tell few, it was the strength of legend con artists like Kevin Mitnick or Frank W. Abagnale. Think about it, if you were at them place and had some doubt, would you ask for his badge number and call at the police station’ The only thing that I can say is: be alert.

Just another interesting thing that I saw is the way Jessica killed the first man; she cut his brachial. If I refer to Get Tough! this is a medium size artery at ½ inch of the surface, he will have a loss of consciousness in 14 seconds and death in 1 minute 30 seconds. Personally, I think that this is a realistic way (possibly lucky) to get rid of this man.

Finally, I wish you enjoyed the movie 🙂

Change mentalities
Beware old school administrators.

I was talking with the network technician of a Canado-American enterprise that works in the field of technical didactic materiel like didactic aeration systems, radar system, etc. This is a small size enterprise of approximately 215 employees and exists for more than 45 years.

I was stupefied when I learned that every employees of the enterprise shared the same email password. There was only one password know by some key peoples like administrators and network technicians. The password is saved by the email client software for future email retrieval. If you have some problems with your email client and need the password to get your emails, you only need to ask a technician to come at your workstation and let him enter the global email password.

After this astonishing exposé, I was asking to myself, ?Why?? Why are they using a single password to retrieve emails of every employee, from the secretary to the chef of software development? I was not able to answer to this question; it?s why I asked it to the tech. His answer was unbelievable: ?I know Fred, its crazy, but the answer is simple: it?s because the administrators says that it always worked in this way and it will always work like this the time they will be here?.

This situation can lead to two important threats: privacy of employees and crucial information gathering by insiders. First you need to have in mind that in both cases, an insider can easily get the password by crashing is email client software, installing a key logger on the computer and calling the tech to let him enter the password. You can also simply look the tech entering the password by watching the keyboard while he is typing it.

When the insider has the password, he can now retrieve the emails of any employees of the enterprise. There is the threat to the privacy. He can easily retrieve the emails of the beautiful blond secretary and learn more on her to know how to woo her.

He can also send emails with the email address of any employee, boss included. There is the threat on the critical information gathering. Think about it, the insider is working as an industrial spy for a concurrent enterprise. He needs to have the latest and most crucial fiscal information of the enterprise. He just has to log on the mail server as the president of the enterprise (who have same password as him) and send an email to the chief of fiscal division and ask him this information. After, he just has to wait and check emails on this account (of the president) every minute to retrieve the requested information.

The source of risks is clearly the administration?s old habit and refusal to change. Nevertheless, how can we change the mentalities of administrators? You need to have in mind that they are not IT security gurus and can have lack of security concern by interest or simply by the lack of knowledge in the domain. The best way is probably by educate them to the problem, show them to which threats the situation can lead.