20180102

No-Tech Hacking by Johnny Long
  • Every day, corporations spend thousands of dollars on high-tech security defenses, but fail to give attention to the simple bypasses that no-tech hackers can leverage to their benefit.
  • In their haste to complete tasks and move along to the next topic, many security managers are overlooking simple flaws that render their high-dollar technologies useless.
  • An intruder will always pursue the path of least resistance in an attack, while many businesses plan for the Mission Impossible scenario.
  • The most overlooked factor in securing a business is the people factor.
  • Social engineering is perhaps the hacker's favorite weapon of choice.
  • Just look like you belong. Say hello to the employees. Be friendly. Comment on the weather.
  • You need to notice everything.
  • The simplest solutions are often the most practical.
  • The key to no-tech hacking is to think simply, be aware, and to travel eyes open, head up.
  • When faced with tough security challenges, I don't charge. I hang back and I watch. A good dose of heightened perception levels the playing field every time.
  • A general-purpose strip-cut shredder will shred documents into vertical strips which can be easily reassembled. A cross-cut shredder will cut the vertical strips horizontally. The smaller the resultant shred, the harder it is to reassemble the document.
  • If you're in charge of security for your company, consider at least a weekly visit to your dumpster. Get a feel for what's being tossed and what condition it's in when it lands in the big green box.
  • Tailgating simply means following an authorized person into a building--basically riding on their coattails.
  • Tailgating is still one of the best no-tech methods for gaining access to a secured building.
  • All I need to do is be in the right place at the right time, present a convincing demeanor, and dress the part. Finding the right place at the right time takes patience. Schmoozing takes practice. Dressing the part takes a bit more work, but even this is relatively simple.
  • What it boils down to is that most folks take the world at face value. If an employee sees a familiar logo on a badge or a polo shirt, he or she will naturally assume I am who I appear to be.
  • When it comes time to bust your first potential hacker as a security-conscious citizen, you'll most likely have serious misgivings about the situation.
  • Correctly assessing the situation can be dizzying, but fortunately you don't need to play vigilante. If you think something's up, tell someone who gets paid to care.
  • Keep your eyes open as you walk through your everyday life, think like a hacker, and you'll begin to see things as well.
  • What's the point of requiring a pass code if you enter it in plain sight of everyone? When entering sensitive data, create some sort of barrier between the keys and wandering eyes.
  • While laptop stickers can be used to profile a victim, they can also serve to mark a laptop as valuable, making the owner a target for theft or physical violence.
  • Don't work on your personal stuff in public spaces, and don't make yourself a target.
  • The best defense is to remain aware when traveling.
  • One thing I've come to learn in this business is that even the best security systems share a common flaw: lazy human beings.
  • Shimming is the use of a thin tool to bypass or disable the latch mechanism within a lock.
  • A lock that can be shut without any key or combination is almost always spring-loaded internally and therefore susceptible to shimming.
  • A lock in which an operating key is permanently fixed during use will often not be susceptible to shimming.
  • Brute forcing describes a technique in which every possible solution for a problem is checked to see if it is the solution.
  • Most mechanical combination locks can be brute forced if an adversary has enough patience to complete the task.
  • Do your research, and don't purchase basic security products for high security tasks.
  • Whenever you rely on a single layer of security, odds are you'll be compromised.
  • Many combination locks are vulnerable to an attack known as "probing the gates". In this technique a small shim is used to probe the combination wheels of the lock in an attempt to locate "gates", or openings, which will reveal the combination and ultimately open the lock.
  • It always pays to do research on any security device before using it.
  • Consider the contents of your check-in luggage to be public property to anyone sufficiently motivated, airport employee or not.
  • As I mentioned in the introduction, [...] it's often easier to get out of a building than it is to get in.
  • Test your exit procedures. Your way out may be an adversary's best way in.
  • Surveillance cameras are one of the most common physical security devices I've run into. But many camera installations are so poorly configured that an amateur can bypass them without much effort.
  • Flaring is blinding or overloading a camera so that it can't record anything meaningful.
  • Social engineering is the most essential weapon in a no-tech hacker's arsenal, but as a society we have a love/hate relationship with those that excel at the art.
  • A hacker experiments with a piece of technology to see if he can get useful results from it that its creator never intended. A social engineer does the same thing with human relationships.
  • Our minds work in very trusting and predictable ways, and that means that exaggerated deviations from the norm might strike us as so improbable, we haven't thought out an appropriate response.
  • One of the best defenses against social engineering is awareness.
  • People watching is a real skill.
  • Employees should understand that security is not someone else's problem.
  • Don't work on private stuff in public spaces, and don't make yourself a target.
  • The golden rule is to shred everything.
  • Keep in mind that no matter how secure your locking systems may be, you should always keep your keys out of sight of the bad guys.
  • If you can bypass your own security cameras and motion sensors, a bad guy can too (and probably already has).
  • Don't settle for taking the world at face value.
  • If your spidey-sense tells you something's wrong, it probably is.
  • No-tech hackers can tell an awful lot by checking out your car's stickers. If you don't absolutely need them, take them off.