Card Locks Thwarted by Shopping Club Card
hal9000(jr) writes "A recent column ('Social Engineering, the Shoppers' Way') on darkreading.com shows how easy it is for a pen test team to walk into a supposedly secure facility using a shoppers' club card because the man-trap feature was enabled. Man-traps allow people to enter an outer door but not an inner door, similar to ATM kiosks. Once inside, of course, they had the run of the place." Lessons: after writing down your password, eat your sticky notes rather than leave them on the monitor.
Man..... (Score:3, Insightful)
If you're telling me that my college gymnasium had better security than these places, then I am appalled.
Easy full access (Score:5, Insightful)
Re:RTFA (Score:5, Insightful)
Re:Bad Advice? (Score:3, Insightful)
But most of the time someone looking out of place has a good reason to be there, maybe a new guy or someone from another department or just some guy with a bad sense of direction. In those cases just talking to them will be enough.
Also, most of the time this will be during regular office hours, when you outnumber them 10:1.
Late at night you are right, of course; just call security.
Password Safe (Score:1, Insightful)
I disagree. Use a randomly generated password. Don't write down the password, and don't eat the sticky note (for health reasons etc bla bla). Use similarly random information for all of the "backdoor" passwords. Did you know that my mother's maiden name is, on occasion, Kwier5*Y? Then, copy all of that information into Password Safe (or any of its Mac or Linux clones).
Oh, and make backup copies of your database, to prevent the embarrassment of having to spell out your mother's maiden name to some call center bum in Bangalore.
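The approach in the comment above, worked through as an added example (this is not Password Safe's own code or file format): random secrets are generated from a CSPRNG for both the password and the "backdoor" recovery answers, and the lot is stored in a passphrase-protected vault. The vault here is a toy stand-in: PBKDF2 derives separate encryption and MAC keys from the master passphrase, HMAC-SHA256 in counter mode stands in for the block cipher a real vault uses, and an encrypt-then-MAC tag makes tampering or a wrong passphrase fail closed. The alphabet and entry names are constructed for the example.

```python
import hashlib
import hmac
import json
import math
import os
import secrets

# Alphabet for generated secrets (constructed for this example).
ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!*@#%^&+=?"


def generate_secret(length: int = 16, alphabet: str = ALPHABET) -> str:
    """Uniformly random string from a CSPRNG; use it for passwords and
    for the answers to 'mother's maiden name' style recovery questions."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet: str = ALPHABET) -> float:
    """Entropy of a uniformly random string of this length over this alphabet."""
    return length * math.log2(len(alphabet))


def _derive_keys(master: str, salt: bytes) -> tuple[bytes, bytes]:
    """Slow KDF so a stolen vault file resists passphrase guessing;
    returns (encryption key, MAC key)."""
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, 200_000, dklen=64)
    return key[:32], key[32:]


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF keystream (toy stand-in for a real cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:n])


def seal_vault(entries: dict, master: str) -> bytes:
    """Encrypt-then-MAC the JSON-encoded entries under the master passphrase."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _derive_keys(master, salt)
    plaintext = json.dumps(entries).encode()
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def open_vault(blob: bytes, master: str) -> dict:
    """Verify the tag before touching the ciphertext; wrong passphrase and
    tampering both surface as the same error."""
    salt, nonce, ciphertext, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = _derive_keys(master, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("vault tampered with or wrong master passphrase")
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext.decode())


if __name__ == "__main__":
    vault = {
        "bank/password": generate_secret(20),
        "bank/mothers_maiden_name": generate_secret(12),   # random, like Kwier5*Y
        "bank/first_pet": generate_secret(12),
    }
    blob = seal_vault(vault, master="correct horse battery staple")
    print(f"{entropy_bits(20):.1f} bits per 20-char secret; vault is {len(blob)} bytes")
    assert open_vault(blob, "correct horse battery staple") == vault
```

Keep two copies of the sealed blob, as the comment says; the salt and nonce travel inside it, so a backup opens with the same master passphrase.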
Security, you get what you pay for. (Score:5, Insightful)
I once entered the R&D area of a Fortune 500 company using an ID that was printed on an ink jet printer and had my picture and the CIA logo on it. I was questioned and just flashed the card. That ended all questions.
When I was managing a computer company, I came back from lunch to find the lead chatting with a guy. The guy introduced himself as the fire marshal and the lead informed me that there was a Fire Inspection going on. The "Fire Marshal" told me I could not go into the back while the inspection was going on. I proceeded to enter the back to find the "Inspector" inspecting the computer equipment. Right out the back door!
The truth is that most people will not question you, provided you look like you belong and have some form of ID to back it up.
Now it is time to go to the uniform store and get a security guard uniform. I think I'll stand next to the night deposit box at the bank. Just to see how many people will give me their deposits when I tell them that the deposit box is broken and I am there to collect and secure their deposit.
Re:insecurity 101 (Score:1, Insightful)
What if you used the bathroom while inside?
Re:Wrong use of the word man-trap (Score:5, Insightful)
Not giving a chance for improvement is bad policy - the only thing it really does is alienate security people. It may be that next time they spot a similar mistake they will not fix it in any official way, fearing consequences, and this can create a bigger security problem than the one 'fixed' by firing squad.
Alienated guards are bad guards.
security audit (Score:2, Insightful)
I worked in a "secure" government contracting facility for five years. As time passed, we had more and more security audits by both internal and external teams. The external security teams (and other inspectors, in fact) were required to be announced, and somebody always caught them - because management would address the entire staff and say 'Security audit, everyone; be alert for x, y and z happening'!
Sort of smacks of cheating. Why? Because when the internal teams worked, unannounced, almost every time someone would slip by, usually by riding through a secure door without a badge on someone's coat-tails. Then we'd get chewed out by management, and within a couple of days someone would be caught, thus "bringing us back into compliance". This cycle continued every 6 months or so.
It's a sham, pure and simple. Unless security issues are constantly, CONSTANTLY addressed, and security staff is on the ball and doing their job 24/7, most employees won't give more than a passing thought to it - because it's a pain in the ass to deal with every day, and it feels like the company is just being cheap by using the main workforce as a security guard in addition to their normal duties.
bah.
Re:Bad Advice? (Score:5, Insightful)
Yes, it's not the situation in the article, but you bring up a very valid point:
Security Is For Everyone
You absolutely should call security on upper management, though you might want to do it from someone else's phone. Management, no matter what level, must respect the security measures, no matter how high they are. The CEO should have his ID card at the ready if he's in a secure facility. *hrupph*
Re:insecurity 101 (Score:3, Insightful)
Re:Bad Advice? (Score:3, Insightful)
Actually, that very egalitarian notion is likely to result in the dismantling of security procedures, depending on the workplace. I have a friend who worked for an AOL call center that had a man-trap up until the day that a senior VP got stuck in it due to a glitch that revoked his ID, causing him to be locked in and secured when he lacked credentials for entry.
Getting laughed at by underlings will cause nearly any office procedure to get revoked if the executive is high enough.
Re:whatever (Score:3, Insightful)
Re:Password Safe (Score:3, Insightful)
Re:Other items that work well. (Score:3, Insightful)
I use this ruse also. Although my identification of choice is a handheld ham radio. If you have a walkie-talkie style radio, people will let you anywhere.
A little trick I learned when geocaching. People are always suspicious if they see people snooping around. I found that a reflective vest (like that worn by motorcyclists), a clipboard and ham radio would get me into ANYWHERE! Do Not Enter? HA! Authorized Personnel Only? JOKE!