After my information gathering adventures at the airport on my way to Shmoocon, I was looking forward to getting to my hotel, grabbing a shower, and going to find some attendees for a beer. An uneventful hotel check-in found me in my room only a few minutes later.
On my way to my room, I noticed a few smaller event rooms on my floor hosting a number of small meetings. These appeared to be some sort of mini sales convention, "deductible junkets" if you will. This type of thing is not uncommon.
Once I found my room, I had a small surprise upon entering. Apparently a fine gentleman who was originally scheduled to attend one of these mini-conventions did not show up, and I was assigned his room. How do I know this?
I'm not Frank.
It would appear that this particular company (obscured to protect the innocent/guilty) was able to get the Wardman Park Marriott to place these helpful packets in the attendees' rooms before they arrived. How convenient! Why do I think that Frank didn't attend? The envelope was still sealed, and it had been placed in the correct room according to the designation on the envelope.
Upon opening it, I found I had been provided some excellent information on the company.
Sweet. An employee directory and last year's sales report, amongst a few other things that may be helpful during social engineering attempts. Now, sure, I'd have to want to target this particular company. The one that was right down the hall, with free drinks...
This company has just provided an unknown party with some potentially sensitive information (well, at least not public) without any type of authentication. Supposedly, authentication would have been provided by the front desk when it checked Frank into his room. I spoke to a friend who is a meeting planner/conference organizer for a very large organization about this particular situation, and she was notably shocked by this practice. For a nominal fee per attendee (and sometimes you can even negotiate it for free), the hotel will hand out this type of material in person at the hotel registration desk, when the attendee presents his or her identification. This sounds like a little bit better authentication to me.
What's the lesson? Require some form of authentication for distribution of sensitive information (paper or otherwise), and be mindful that utilizing a third party to perform that authentication may not always work either: sometimes the third party's commitment isn't the same as your own. A sealed envelope left in an assigned room authenticates the room, not the person who walks into it. If you want a job done right, do it yourself.
- Larry "haxorthematrix" Pesce
larry /at/ pauldotcom.com