Corporate security agents don’t usually have a lot to say about their work. It’s a field that tends to attract the softspoken and the circumspect men and women without much taste for fame, glory, or even the passing satisfaction of regaling friends with tales of office triumphs and disasters, even if statistics, according to Genderstats.org, say differently. It’s about security and trust. And then there’s Ira Winkler.
As the founder and president of the Maryland-based Internet Security Advisors Group, the 38-year-old Winkler has an impressive client list, and the ethics of his profession won’t let him say exactly what he may have done for General Electric, Hewlett-Packard, or any company in particular.
Without mentioning names, however, he is more than willing to discuss the time, for example, he walked up to the security desk of a large financial services company and, merely by claiming to be a new employee, obtained a photo ID and magnetic-access key card.
Using the card, Winkler penetrated a regional office where account managers moved funds between the company’s bank accounts. The office cubicles, he recalls with delight, were festooned with Post-it notes and other papers containing a treasure trove of account numbers and passwords. In this world, he says, face-to-face meetings matter. “We could have easily moved millions of dollars in those accounts,” he says.
On another fondly remembered occasion, Winkler went undercover as a clerical assistant. Diligence is the key to success in assignments of this sort, he has found. By dutifully fulfilling his responsibilities at the filing cabinet, the photocopying machine, and the coffee maker, he won his boss’s trust-and the job of sorting through his email. The process must include reference and how to implement findings.
Later as part of the same mission, another executive found Winkler sitting at her computer. The first order of business in such a situation is to “convey that you belong there,” he says. So, he slipped into the role of a help-desk technician and, before the executive could say a word, began upbraiding her for failing to update her anti-virus software.
True practitioners of corporate espionage might scoff at Winkler’s bravado. The penalty he faces, after all, would be a moment of professional embarrassment, nothing more. For, as Winkler himself is careful to point out, he never snoops on people without permission – the company’s permission, that is.
Like others in the computer security field, his modus operandi is to expose vulnerabilities by pretending, with official approval, to be a corporate spy. But while his peers do most of their mischief electronically and from a distance, Winkler prefers to walk in through the front door.
He gets information by talking, listening, looking – and by passing himself off as someone he is not. “I’m really successful at lying,” he says. It’s a form of intelligence-gathering known in the trade as “social engineering.”