Real Life and the Application of Social Engineering Part III

And you’re back for more. Welcome.

This is where the story starts down the really interesting path. Enjoy the 3rd part in this series.

I was also in contact with the rehabilitation facility and managed to arrange to turn myself in to them instead of the jail, as my P.O. wanted. (To be honest, this probably had something to do with the warrant as well.) I tried to avoid the unpleasantness of the county jail, yet again, and succeeded. Looking back on it now, this must have pissed my P.O. off to no end. This was also finals week; I was “wired like a circuit” and not in a rational state of mind. In this screwed up state, I made a life-changing decision by deciding, “I had enough! I’m going to leave this country!” (Not my most rational moment, but I had fallen in love with life overseas during my 2 trips to Russia. This, of course, was factoring into my decision.)
I sold my motorcycle and truck. I stayed at a close friend’s house for a few weeks (more like a month or two) until I could catch a flight out of the country. This was about a year after 9/11; I wasn’t sure how good the databases were for flights and if they were looking for fugitives on them yet. Since I was nervous about the heightened security after 9/11, I went to a travel agent and asked him about background checks on people flying overseas (playing on the “I’m afraid of terrorists” angle). The agent looked at me like a fool and told me not to worry. After messing with him a little, I got him to admit that they weren’t doing background checks yet; they just didn’t have the infrastructure in place at the time. With that information in hand, on September 22, 2002, I fled the country as a felony fugitive from Texas. I went to Germany where I stayed with a childhood friend that was a Military Police (M.P.) officer in the U.S. Army.

Out of anyone in this story, I owe the most to this man and can never fully repay him for how I used him and what he has done for me.  He, and his family, helped me get off of Coke.  He introduced me to the local military community.  He helped me with a visitor’s pass to the base so that I could apply for a job.  The only thing I told my friend was that I was getting away from a bad drug scene back home and needed a fresh start.  He was one of my oldest friends and didn’t ask too many questions so I didn’t have to lie to him too much, for that I am grateful.  Once he knew it was related to drugs and that I was trying to get away from it, he never asked another question.

I spent most of my first weeks in Germany with my friend at the Auto Craft shop on base. The Auto Craft shop is a mechanical shop where soldiers (and civilians with base access) can work on their own vehicles and just rent bay space. I was helping my friend restore a classic car that he got from someone leaving. I was also helping other soldiers and some wives (whose husbands were deployed) work on their vehicles as well. This is a classic way to gain acceptance through a community-size social network: be the friendly guy that helps out and doesn’t ask for anything in return.

I hadn’t heard anything back from the jobs I had applied to and just when I thought all hope was lost and I was thinking of taking off to Australia, my friend went with me to the employment office one last time… The lady at the employment office said that the reason I wasn’t getting any calls was that my M.P. Report (i.e. background check) had a problem. Quick as a whip I said, “That can’t be because I was living with an M.P. and his family”.  My friend stuck his head in the office (while in uniform) and confirmed to the lady that I was living with him.  Three days later, I had a job with M.W.R. (Morale Welfare and Recreation) Division of the U.S. Army in the 221st B.S.B. (Base Support Battalion). [As a side note, this was later changed over to U.S.A.G. Wiesbaden (United States Army Garrison).]

EXPLOIT USED: The employment office employee’s trust in my friend’s position as an M.P. Lying by omission to my friend who helped me escape my situation back home and gain employment without any knowledge of what he was doing.

VULNERABILITY EXPOSED:  Background checks can be voided/overridden apparently by a single employee.

PATCH: Make approval for all flagged profiles a two-party process at the very least. Since this happened, the Army was supposed to be merging its database with the National Crime Information Center (N.C.I.C.) to have access to Continental U.S. criminal record searches. The glitch that flagged my profile had nothing to do with my fugitive status as the N.C.I.C. wasn’t linked to Military Police records at that time and I had no criminal records in the Army’s system. (According to the people I talked to, at least.)

This was probably one of the dirtiest things I ever did. I used a good friend without his knowledge and placed him, his career, and family at risk for my own selfish reasons. I was the typical junkie running from Rehab. State mandated Rehab, but still just Rehab. Up until that point I had never endangered anyone else except myself. When all this cleared up, I vowed never to do that again. As penance for doing this I regularly take IT calls from his mother/wife when they have computer problems, i.e. “how do I burn a DVD?” etc. Tune in next week to see how I managed to be put in charge of a lot of money, gain access to a top secret aircraft, and befriend N.S.A. operatives. Yes, you read the last one right.

Fast forward about a year, I had transferred to a job at a little bar on base. Little did I know, this job would change me forever! My boss, bless her sweet heart, was a 60-something retired Army nurse; short little battle axe of a woman, who took no crap from anyone! She would regularly cuss out Alex Trebek while Jeopardy! was on TV saying, “Screw you, Alex! You smug, Canadian prick; it’s easy when you have the answers!” My kind of place! I was working as an Operations Assistant/Bartender in the bar, which means I got to count all the money from the slot machines and sort it, wrap it, and make the deposits… Then, serve you a beer and talk with you about your bad luck. Slot machines are legal on military bases overseas and fund many programs like after school care for the soldiers’ children, the gyms, and libraries. It started out as $30k in the safe to cover jackpots, but we changed over to the card/bill system instead of coins. At that point, the amount went up to $80k. AND… I had the keys to the door and the combo to the safe.

The procedures to access the safe were ridiculously out of touch with any kind of secure protocol: a timesheet that you had to sign when you got in/out of the safe and the use of a combination to open the safe.  In most cases, we just waited until the end of the shift and filled in all of the day’s times at once on the safe time sheet.  For “other days”, we wrote in several days’ worth of times because we had forgotten previous ones. The slot machine money drop (i.e. cash counting) procedures were actually pretty solid from a security standpoint. One representative from the slot techs (from the Army Recreation Machine Program, or A.R.M.P.) and one representative from the bar (95% of the time it was me) were assigned to count the money.  Both representatives would sign a form with the amount less any jackpot winnings paid out.  The money was then turned over to the bar representative to make it ready for deposit and restocking of the safe.

EXPLOIT USED: Lack of background checks, once you are in the system; unless you apply for a job with a Security Clearance, or child care.

VULNERABILITY EXPOSED:  Very weak security controls in place when dealing with large sums of cash.

PATCH: Expedited background checks for employees who are dealing with large sums of money. Safe log In/Out process should be automated to include the employee’s Smart I.D. that is also used to get on the base itself. This might be a little expensive to implement, but would drastically limit temptations and keep records off-site for auditing purposes. With the consolidation of bases under the B.R.A.C., costs will be kept lower as there are fewer facilities that will require such equipment. Install a video system for security purposes with off-site monitoring and file storage. The point is moot in this case as the new manager managed to run this half-million-dollar-a-year, 2,000 sq. ft. little bar into the ground. It has since been closed and turned into a thrift store that the officers’ wives run.
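A sketch of the automated safe log described in this patch, added here as an illustration and not part of the original post: each entry carries the badge ID and the reader's own timestamp, and is chained to the previous entry with an HMAC so that times filled in or edited after the fact are detectable by the off-site auditor. The HMAC chaining, the badge IDs, the key and all function names are assumptions made for the example.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # chain anchor for the first entry

def entry_mac(key: bytes, body: dict) -> str:
    """HMAC over the canonical JSON form of an entry (without its own mac)."""
    msg = json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class SafeAccessLog:
    """Append-only log; the key is held by the off-site audit service (assumption)."""
    def __init__(self, key: bytes):
        self._key = key
        self.entries = []

    def record(self, badge_id: str, action: str, reader_time: int) -> dict:
        # reader_time comes from the badge reader at swipe time, never typed in by staff.
        if action not in ("open", "close"):
            raise ValueError("unknown action")
        if self.entries and reader_time < self.entries[-1]["time"]:
            raise ValueError("backdated entry rejected")
        prev = self.entries[-1]["mac"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "badge": badge_id,
                "action": action, "time": reader_time, "prev": prev}
        entry = dict(body, mac=entry_mac(self._key, body))
        self.entries.append(entry)
        return entry

def first_bad_entry(entries: list, key: bytes) -> int:
    """Return the index of the first edited, missing or reordered entry, or -1."""
    prev = GENESIS
    for i, entry in enumerate(entries):
        body = {k: v for k, v in entry.items() if k != "mac"}
        ok = (body.get("seq") == i and body.get("prev") == prev and
              hmac.compare_digest(entry.get("mac", ""), entry_mac(key, body)))
        if not ok:
            return i
        prev = entry["mac"]
    return -1

def demo():
    key = b"constructed-demo-key"               # constructed sample key
    log = SafeAccessLog(key)
    log.record("BADGE-0001", "open", 1000)      # constructed sample swipes
    log.record("BADGE-0001", "close", 1060)
    log.record("BADGE-0002", "open", 5000)
    edited = [dict(e) for e in log.entries]
    edited[1]["time"] = 1900                    # a time "fixed up" at end of shift
    return first_bad_entry(log.entries, key), first_bad_entry(edited, key)

if __name__ == "__main__":
    print(demo())
```
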

As time rolled on, we started to have more and more business coming into the bar including Air Force personnel and some civilians that worked with them on base. Some contract airplane mechanics from the surrounding bases (bases in Germany are small and spread out with cold war tactics for defense in mind) also came to the bar. I got along great with Air Force guys being an “Air Force brat” myself. They were a very intellectual bunch who used to come in to watch Jeopardy! and have a beer, or two, while traffic died down at the end of the work day. It took about a year, but I finally found out that the civilians that were coming in with the Air Force guys were in fact, N.S.A… yes, that N.S.A. They ended up becoming my best customers. They had celebrations in the bar when they had good days. I could only imagine that the bad guys had a “very bad day” by the way they got quiet during certain C.N.N. broadcasts. They would erupt in cheers after the story was over.

I was invited to their houses, but I never went because I didn’t want to put them in that position, even if they didn’t know it.  I still partied with them in bars, other than the one I worked at, and still keep in contact with some of them.  Most of them don’t even know the truth about me because I didn’t want them to get into trouble.  (I also couldn’t bring myself to tell them.)  I must admit, these are the people responsible for me wanting to change the way I work through life and they got me into computers. (I love to build gaming rigs in my spare time.)

During this time, I became close with the Airplane mechanics by filling up their external hard drives with about a terabyte of movies and TV shows that I had gotten off the web.  They would take this with them when they deployed.  I even bought a waterbed from one of them who didn’t need it anymore since he was going “Down Range” (to Afghanistan).  When I went to his job site to pick up the bed, he invited me in to take a look at the engines he was working on.

I had no idea that he worked on a Top Secret aircraft and in no way was I trying to breach security of the building; it was only after I was inside that I realized what had happened. He knew that I worked on cars in my spare time and was pretty handy with a wrench, so he was trying to pitch a career (tech school) to me by showing me how simple turboprop engines are to work on. He, of course, had no idea of who he was showing the engine of a highly classified aircraft to, OR that he was releasing classified information to me by explaining the problems associated with the aircraft. That is why he was pitching this career to me, after all, because they wanted good mechanics.   (On a side note, I never looked inside the aircraft, just the engine compartment).

I could not get out of that hangar fast enough to suit my troubled mind, yet I was then pulled into the office to be shown how their site office works… i.e. parts ordering systems; system programs that log the hours parts have been used, so that the mechanics know when to replace them (of which, he wrote the program himself and would sit in the bar and tell me all about it); and other vital computer systems involved with the plane’s maintenance. On the one hand, I was kind of honored to have been shown that and pitched for a job (after going to a tech school), but on the other hand, I couldn’t believe that it was that easy for me to gain access to the hangar with those airplanes and the office with those systems.

EXPLOIT USED:  Trust in the person that he thought he knew by granting access to restricted areas and critical systems.

VULNERABILITY EXPOSED: Way too easy to gain access to hangars with classified aircraft; there wasn’t a single checkpoint to gain access to the building, just the side door that wasn’t even locked during business hours. There may have been a main entrance checkpoint, but again, I never saw it. Telling me what computer systems are in control of the parts maintenance/replacement programs and only utilizing a simple door lock to protect these critical systems severely puts those systems at risk if I was someone with malicious intent. I also found out a little later on that the plane’s specifications in this story are actually listed on Google. I believe this is because of some obscure law that has to do with the contractor bidding process. I cannot even begin to emphasize how critically bad this is for national security, much less for the guy flying it. This begs the question, if this classified plane’s specs are on the open Internet, are others as well?

PATCH:  Total revamp of physical security protocols in place to include key card access.  Better training for contractor personnel regarding computer systems security with emphasis on Social Engineering and for everyone’s sake, take the specs off the open web.

Robert Gude

Editing: Jay Trinckes