Low tech Romney tax return hack could be lesson in physical security

Low tech Romney tax return hack could be lesson in physical security

So, we read that one or more hackers claim to have gained access to Mitt Romney’s tax records, reported first in a Nashville paper, then in the tech/business press. The hack allegedly took place at the Franklin office of PriceWaterhouseCoopers just outside of Nashville, and PWC has alleged that no such thing happened. We have

So, we read that one or more hackers claim to have gained access to Mitt Romney’s tax records, reported first in a Nashville paper, then in the tech/business press. The hack allegedly took place at the Franklin office of PriceWaterhouseCoopers just outside of Nashville, and PWC has alleged that no such thing happened. We have

So, we read that one or more hackers claim to have gained access to Mitt Romney’s tax records, reported first in a Nashville paper, then in the tech/business press. The hack allegedly took place at the Franklin office of PriceWaterhouseCoopers just outside of Nashville, and PWC has alleged that no such thing happened. We have to say authorities are still investigating the veracity of the claims, so this whole post is written under a cautious “if this is true” disclaimer.

Office of claimed Romney tax return hackPolitics aside, what we find particularly interesting is that the scammers lay out exactly how they purportedly gained access, and it’s hardly high tech. In their own words, here’s how the hackers say they got in:

Romney’s 1040 tax returns were taken from the PWC office 8/25/2012 by gaining access to the third floor via a gentleman working on the 3rd floor of the building. Once on the 3rd floor, the team moved down the stairs to the 2nd floor and setup shop in an empty office room.

In other words, they say they gamed/gained physical access to the records system/storage, seemingly without much trouble. This hearkens back to the days where notorious hackers like Kevin Mitnick and his contemporaries had their heyday mostly through social engineered scams–less about the technology and more about gaining people’s confidence–and using that to exploit systems.

Recently, during a cyberwarfare class put on by the Securing Our eCity Foundation, a guest speaker talked about low tech hacks. While the title seems innocuous enough, the instructor, Chey Cobb, who has experience protecting some of our nation’s biggest secrets, pointed out that massive system disruption has been caused, and seemingly invincible security has been toppled, by things like a piece of heavy equipment digging through the fiber trunk outside a target’s building, or posing as an air conditioner contractor and getting into protected places. There are a host of other simple entry points and techniques…no high tech required.

So, the Romney tax document crew continues, During the night, suite 260 was entered, and all available 1040 tax forms for Romney were copied. Sounds simple. And here’s what they wrote to PWC:

“We were able to gain access to your network file servers and copy over the tax documents for one Willard M Romney and Ann D Romney. We are sure that once you figure out where the security breach was, some people will probably get fired but that is not our concern.”

Without specific details it’s hard to say how they got into the network file servers, but a former PWC employee has confirmed that with such access, the records in question could have been viewed from that office. Again, we say “if this is true” but here’s the point we can make anyway: You cannot neglect physical security if your systems offer access to sensitive data. Also, it’s important but basic to restrict access to copying sensitive files to a USB drive. Whether bad guys have physical access to a file server, or just a networked workstation with access to the corporate file share, both should be protected against unauthorized access and data exfiltration via removable media.

These are simple steps, and all but the most basic organizations can put them in place without breaking the budget. We’ll wait to see how the investigation ends, but right away you can start assessing your own security stance. Ask yourself if a bad actor would be discovered in a spare office in your organization, staying after hours? Would you be able to detect bad guys popping a USB key into a machine and trying to copy sensitive files, potentially with personally identifiable information? If they answer is yes, it might be a good time to beef up physical and also basic security at your firm, especially if you happen to be an accounting firm, or one that deals in high confidence data, regardless of your field.

Discussion