For all you fellow consultants out there...

Received a call from a client of mine who has been very diligent about tightening their security. He wanted me to come out, unannounced, and see if I could gain access to his network through any means necessary. (I love it when somebody dares me to get in...)

Anywho, arrive on site. Meet w/client and his CIO, "Bill" (not his real name). They inform me that nobody on duty knows who I am and they have no idea that I am coming or what I will be up to.

I check server room - locked. Blinds on windows are closed. Brand new lock installed on door which requires use of smart card and pass code. Nice touch considering that 6 months ago the servers were sitting on a table in the corner of the room with no door, etc... Serious nightmare.

Start finding empty offices. Look under keyboards, in desk drawers, etc, no passwords found. Start a few workstations (NT & 2000), no display of last logged on user name. Gonna be harder than usual... no workstations powered on in unoccupied offices.

Watch for employees to go to leave their desks. They are all locking their workstations... somebody has been paying close attention to policy and training.

Go through the entire morning without being able to snag account info. A major accomplishment for this group of folks who had no idea about information security just a few months ago. Talk to several employees and try to weasel some info out of them. Each one notifies security, who are nice enough to detain me in a rather clinical-looking room until "Bill" comes and informs them that I'm a "good guy". Not sure I liked how he said that, and really not liking the fact that their security guards are armed and had no forewarning that I was there...

As I leave the security room, I notice that "Bill" has gone down the hallway away from his office.... Hmmm haven't been in here yet. Workstation is locked, no passwords written in usual places... Oh yeah - ROLODEX! Find phone number for their web host (who also happens to be the email admin as the mail comes through their website), bingo!

Call hosting service and talk to "Gary" (again, not his real name) at about 12:25pm. Tell "Gary" I am an IT consultant from "My Company" working at "Company XYZ" and that we're having problems with 4-5 email accounts not receiving mail. Also tell him one of the email links on the website is incorrect as it links to a person different than it indicates (which was an actual problem).

Seems "Gary" is late for a lunch appointment and needs to get going, but he is kind enough to give me the admin logon info for the web site AND the mail server. And for good measure tells me if "Bill" isn't around his logon info is "username" and "password"! Too easy.

Log on to Bill's machine. Go to the web site, alter it slightly (added some text to the bottom of the home page). Send an email to "Bill" from his own account, then shut down all email delivery, sending all mail to queues. Surf the network and find that the PDC is an NT machine. Copy SAM through admin share and put it on a floppy ("Bill" has Domain Admin privileges!). Log off of "Bill's" system and go down the hall to one of the unoccupied offices. Fire up the ol' notebook and L0phtCrack - copy SAM from floppy to HDD and start ruining what is left of "Bill's" day.

Let LC do its thing for about 30-45 minutes while I'm out wandering around giving "Bill" the impression that all is okay in the world. Complaints start to roll in about no email. Tell "Bill" I will look into it before I leave. Go back to the office where the notebook is, stop LC and IR print to the HP in the office. 14 passwords snagged, including "Bill's" and several other folks who have higher than normal privileges...

Type up a quick letter to the client documenting everything I have done, including the usernames and passwords that have been compromised. Deliver the bad news to the client, "fix" the things I altered, tell the client to call me when they want me to come back with more training or solutions, and leave - thanking the IT gods that I'm not in "Bill's" shoes...

It all goes to show, you can lock it down and take all the precautions you can think of, but sometimes all it takes is an innocent-looking phone number and a call to somebody who couldn't care less about your systems -- and you're cooked.