ICCS 2010 – Fordham Now
https://now.fordham.edu
The official news site for Fordham University.

Consultant: Stupidity Threatens Cyber Security
https://now.fordham.edu/science/consultant-stupidity-threatens-cyber-security/
Tue, 10 Aug 2010 20:09:54 +0000

A cyber-security consultant speaking on Aug. 5 at Fordham pointed out how easy it is to gain access to sensitive business and government information.

John Verry, principal enterprise consultant of Pivot Point Security, and his “Tiger Team” attempted to access data possessed by the government and several Fortune 500 companies. Their methods included entering physical structures as well as using the Internet.

This research allowed Verry to suggest precautions to reduce information security risks. He found it possible to enter secure facilities without authorization in the following ways:

“Smokers are the friendliest people,” Verry said. By smoking (or pretending to smoke) outside the door of a building and striking up a conversation with other smokers, it is easy to gain access. “[The smokers] will hold the door open for you.”

Another easy way to enter secured buildings is through loading docks.

Government officials want their water, so just carry a large amount of Deer Park water bottles, he said. Or better yet, hang around the loading dock while the actual Deer Park delivery person delivers the water.

Verry pointed out that the person delivering the water probably just wants to get his or her job done. As such, he or she will not be paying attention to anyone lurking in the loading dock.

Getting data online is also quite simple.

First, gather information on someone using a site such as Pipl.com, he said. Then, call the person and pretend to be from the payroll department at his or her workplace. Next, accuse the person of logging onto the payroll department’s online information site without proper authorization.

When the person says he or she did not, ask them to verify their e-mail address (which can easily be found online).

“After the individual confirms, say, ‘And your password is 123, right?’ The individual will say, ‘No, it’s XYZ,’” Verry explained.

He told the audience that many security lapses are due to people not realizing the gravity of the situation in which they find themselves.

“People act stupidly,” he said. “They give out passwords when accused or reset passwords without verifying who is trying to gain access. They let smokers and delivery people in without checking identification.”

Eliminating stupid mistakes would reduce cyber information risks. But as Verry pointed out, “You can’t fix stupid. You can only try to make people more aware.”

Verry spoke as part of the second International Conference on Cyber Security, which was co-sponsored by Fordham and the FBI.

—Jenny Hirsch

Parasites In Your PC
https://now.fordham.edu/university-news/parasites-in-your-pc/
Mon, 09 Aug 2010 20:12:24 +0000

According to Eric Davis, all complex systems have parasites, and a computer system is no different.

Davis, the director of anti-malvertising at Google, is responsible for finding ways to manage the malware parasites that can be buried in online advertisers’ SWF (Shockwave Flash) files. Most of the time, even the advertisers selling bundles of ads don’t know when a malicious ad is there, and they sell it to some of the most recognized and respected (and unsuspecting) companies.

Davis spoke on the last day of Fordham University’s second International Conference on Cyber Security (ICCS), held Aug. 2 through 5 at the Lincoln Center campus and co-sponsored by the FBI. He said that malvertisements can mimic real brand names—WeightWatchers or Suzuki, for example—or appear as other ads (e.g., “Live and Work in Canada”). Once a user clicks on the malicious advertisement, it either installs malware or jumps to a site that installs it. Then, it can corrupt information or crash a user’s machine, trick a user into accepting an unwanted software download, steal a user’s credit card information, or cue for a future attack on the system. The number of such ad hits is estimated at more than a million a day.

Most of the time, site owners have no idea they’ve been infected, he said.

In a “perfect world,” said Davis, computers would have been designed from the outset with tighter main frames. In lieu of that, there are lots of anti-malvertising sites to visit, and Google has a site where you can check URLs against the company’s blacklist of suspected phishing and malware sites.

—Janet Sassi
