He’s the night watchman, with a courteous, intelligent, and charming demeanor whenever he speaks. His smile is disarming, and when the previous guard leaves at the end of their shift, they don't give it a second thought, leaving him to guard the building all night long.
His job includes handling access control systems, creating various levels of access for contractors, and taking backup tapes from the server room to deliver to an overnight systems admin for safekeeping.
But what you don't realize is that he holds full root privileges on every system on the network, and beyond that, administrative rights that can override any privilege, including root access to your precious servers.
The insider threat actor in question was yours truly.
Just another day in my life during a two-year-long illegal hackathon spanning 2007 to 2009. Gaining access was my addiction. I thrived on trying to see how many systems I could break into.
My lifestyle became a lesson to the companies I infiltrated as a security guard: keep a constant watch for potential insider threats. I wasn’t motivated by money or fame. I just wanted access, and I thrived on the challenge to see if I could do it and get away with it.
But accessing computer networks from the inside wasn’t the icing on the cake in my resume of illicit access.
What is an insider threat?
An insider threat is a threat to an organization that originates from someone who already holds authorized access: current or former employees, contractors, business associates, and so on. Insider incidents are not always malicious; many happen by accident. However, insiders can pose more danger to a company than external threat actors, because they already have legitimate access to the confidential and sensitive information at the heart of the business.
Sure, statistically, malicious insiders like me may be less of a threat than negligent employees, who account for 62% of all incidents. But those numbers only cover the known threats.
But what about the unknowns? Let's shine a light on one such case – a real story about a fugitive hacker who managed to evade United States Customs while attempting to escape the country via a cargo ship.
When physical security and access controls fail
After an extensive investigation into ways to leave the country discreetly, I stumbled upon a well-established method of exfiltration – departing via cargo ship. In this case, the CMA CGM Coral, which would let me disappear without a trace.
I was serving a three-and-a-half-year term of probation after I had already served over seven years in federal prison for hacking. So, why run if I was already freed? Because in my mind, freedom is just a subjective term.
If you do not have autonomy over your own body, how are you free? After the lengthy time I had already served in prison and all I had to face as an incarcerated computer hacker among violent criminals, I knew I wouldn’t give the government so much as an inch. I had to be subjected to surveillance, my computer monitored which I had to pay for, and further intrusions into my personal life and place of employment.
Yes, I’d had enough. I fled the state in the middle of the night and hopped on a plane to Miami. I used a GPS spoofer to place my location at an airport in Alaska to give myself a little time to throw off my tracks.
I discovered a significant secret held by the cargo ship's captain – while in international waters, they would disable the ship's Automatic Identification System (AIS) tracking beacon, effectively transforming it into an untraceable vessel. This act was brazenly illegal, as disabling the AIS raises suspicions of involvement in illicit activities.
Despite CMA CGM's reputation for combating illegal trafficking, I found a captain who was willing to help my traveling companion and me reach Port Harcourt, Nigeria, under the guise of Israeli ivory dealers. Armed with my knowledge of his AIS manipulation, I subtly blackmailed him, knowing I had undeniable evidence.
The captain's astonishment was evident when he realized I was privy to the details of the AIS beacon. I intended to leverage this surprise to our advantage in escaping the country.
To locate this specific ship, I cannot disclose my precise method, but I utilized marine tracking software alongside a list of boats set to dock at Dade Island in Miami. This allowed me to narrow down the ship we needed.
Reaching the vessel was a nerve-wracking challenge. I didn’t have a passport, or a ticket for that matter. Without these, we couldn’t use a shuttle service. Regardless of what we lacked, my friend and I masqueraded as tourists, blending in with the crowd being processed by US Customs agents. We moved inconspicuously around them, despite standing out due to our backpacking gear. We didn’t look like the other tourists but still, the Customs agents didn’t seem to notice us.
We attempted to obtain directions to the ship at an information center, which proved fruitless. We needed a shuttle, but we couldn’t use the shuttle without being exposed. Fortunately, a shuttle driver pointed us toward a nearby dock, claiming it was where the CMA CGM docked.
This dock presented a significant obstacle. It was guarded by a manned police cruiser and a gauntlet of Customs agents with drug-sniffing dogs. Furthermore, it was primarily designated for freight and not passengers, making our presence highly suspicious.
Remarkably, we managed to sneak past the police cruiser and the guarded checkpoint without drawing any attention. How we managed this was relatively easy. No one was anticipating possible insider threat activity, which is why they weren’t paying attention.
Unfortunately, after we reached the end of the dock, we realized the directions we had received were inaccurate. Much to my anxiety, we had to retrace our steps and walk past the Customs agents and their drug-sniffing dogs once more, remaining unnoticed as unauthorized individuals in a restricted zone.
When employees assist unaware insider threats
We had to navigate through the same crowd of tourists, shuttles, and Customs agents. Progressing carefully, we passed through a parking garage, emerging on the other side. Upon gaining access to yet another secure area of the island, which had been left wide open and unlocked, we found ourselves walking alongside train tracks in a fenced area that led to the center of the island, where our ship was docked.
Unbeknownst to us, Customs had received reports of two individuals venturing beyond permitted boundaries on the island, but they were unable to pinpoint our exact location. To avoid detection, we deliberately stayed out of the surveillance cameras' view, walking alongside a decommissioned train sitting near the fence line, strategically keeping within their blind spots as we moved as best we could.
Suddenly, a Customs agent in a patrol car pulled over on the opposite side of the fence and ordered us to halt. Ignoring his command, we continued on our path. Out of nowhere, a shipyard worker driving a truck arrived at the scene seconds later and proceeded to intervene with the agent before crossing to our side and blocking our way. Somehow, the agent relented.
From the driver's side window, he exclaimed, "Are you guys insane? Don't you know that agent was going to arrest you? What are you doing over here?" He motioned for us to put our gear in the back of the truck and hop in.
Speaking in my perfected Israeli English accent, I explained that we didn’t know how anything worked, and that we were simply trying to reach the CMA CGM Coral. Understanding our predicament, the kind-hearted employee drove us directly to the ship, no questions asked. This serves as a striking example of how employees can unwittingly become pawns in the game played by an insider threat.
As foreigners from Israel, we stood out and sounded unfamiliar with the island's workings. Unaware of the proper procedures, the employee tried to help us quickly, aware that we were supposed to be on a shuttle and not in his truck. This highlights how acting as a Good Samaritan can potentially expose a company to external threats.
The Coral, an English ship destined for Spain, agreed to deviate to Nigeria due to my knowledge of their AIS beacon. I promised to reward the captain with ivory for the favor. To avoid complications with Customs, he offered to include us on the passenger manifest, but in return, each of us had to pay him $1,500 to compensate for the alteration in travel plans.
My traveling companion and I discussed the terms in Hebrew – by reciting prayers we knew in Hebrew, since we did not actually speak the common vernacular but an antiquated one. This gave the illusion that we were having a discussion, though we both knew there was nothing more to discuss. I couldn’t believe we had even gotten this far without being arrested, and it would go down as one of the most daring things I’ve ever done.
Key lessons
Well, the story ended there. We did not have that kind of money, and being a novice negotiator and not adept at blackmailing people, I didn’t press the issue to escalate the blackmail. If this tale had involved two radical extremists motivated to hurt people, it might have unraveled very differently. I walked away from this experience utterly flabbergasted at how poor the port security was at Dade Island.
But we were simply two guys trying to flee the country. We knew how to avoid specific physical access controls when we could, play the roles of hapless foreigners, gain the sympathy of a Good Samaritan, and gain access to a ship without a ticket, with secret information to persuade the captain to do what we wanted. Ideally, of course.
If there's one takeaway here, it's this: never deviate from your security plan. But most importantly, maintain a constant vigil over your various access control systems. Security is only achievable if your access control points are managed by competent individuals who consider security their priority.
This includes those assigned to enforce local security policies. If their attention to detail is insufficient, it could spell disaster when someone like me appears. For threat actors, security is a lifestyle. It should be yours, too.