Card Locks Thwarted by Shopping Club Card

hal9000(jr) writes "A recent column ('Social Engineering, the Shoppers' Way') on darkreading.com shows how easy it is for a pen test team to walk into a supposedly secure facility using a shoppers club card because the man trap feature was enabled. Man-traps allow people to enter an outer door but not an inner door, similar to ATM kiosks. Once inside, of course, they had the run of the place." Lessons: after writing down your password, eat your sticky notes rather than leave them on the monitor.
  • Man..... (Score:3, Insightful)

    by Mayhem178 ( 920970 ) on Thursday July 20, 2006 @11:10AM (#15749998)
    In college we had palm scanners just to get into the student recreation center. There was a rumor flying about that they could be beaten by scanning the back of your hand instead of the palm. Turned out to not be true.

    If you're telling me that my college gymnasium had better security than these places, then I am appalled.
  • Easy full access (Score:5, Insightful)

    by nizo ( 81281 ) * on Thursday July 20, 2006 @11:21AM (#15750067) Homepage Journal
    I wonder how many companies screen the janitorial staff? Not only do they typically have full access to the building, but they are there after hours and can easily rummage around looking for usernames, passwords, and machines that are still logged in with administrator privileges. Heck, they could bring a laptop in and connect directly to the internal network for that matter.
  • Re:RTFA (Score:5, Insightful)

    by profet ( 263203 ) on Thursday July 20, 2006 @11:25AM (#15750101)
    They also don't want homeless people sleeping in the warm atm room.
  • Re:Bad Advice? (Score:3, Insightful)

    by pe1rxq ( 141710 ) on Thursday July 20, 2006 @11:38AM (#15750211) Homepage Journal
    Sure, you could have a security hit squad jump them.....
    But most of the time someone looking out of place has a good reason to be there, maybe a new guy or someone from another department or just some guy with a bad sense of direction. In those cases just talking to them will be enough.
    Also most of the times this will be during regular office times when you outnumber them 10:1.

    Late at night you are right of course, just call security.
  • Password Safe (Score:1, Insightful)

    by Anonymous Coward on Thursday July 20, 2006 @11:42AM (#15750250)
    Lessons: after writing down your password, eat your sticky notes rather than leave them on the monitor.

    I disagree. Use a randomly generated password. Don't write down the password, and don't eat the sticky note (for health reasons etc bla bla). Use similarly random information for all of the "backdoor" passwords. Did you know that my mother's maiden name is, on occasion, Kwier5*Y? Then, copy all of that information into Password Safe (or any of its Mac or Linux clones).

    Oh, and make backup copies of your database, to prevent the embarrassment of having to spell out your mother's maiden name to some call center bum in Bangalore.
  • by Anon-Admin ( 443764 ) on Thursday July 20, 2006 @11:48AM (#15750303) Journal
    Most security people are minimum wage. I see people talking about flashing cards and cans of food, etc. This is not a surprise.

    I once entered the R&D area of a fortune 500 company using an ID that was printed on an ink jet printer and had my picture and the CIA logo on it. I was questioned and just flashed the card. That ended all questions.

    When I was managing a computer company, I came back from lunch to find the lead chatting with a guy. The guy introduced himself as the fire marshal and the lead informed me that there was a Fire Inspection going on. The "Fire Marshal" told me I could not go into the back while the inspection was going on. I proceeded to enter the back to find the "Inspector" inspecting the computer equipment. Right out the back door!

    The truth is that most people will not question you, provided you look like you belong and have some form of ID to back it up.

    Now it is time to go to the uniform store and get a security guard uniform. I think I'll stand next to the night deposit box at the bank. Just to see how many people will give me their deposits when I tell them that the deposit box is broken and I am there to collect and secure their deposit.
  • Re:insecurity 101 (Score:1, Insightful)

    by Anonymous Coward on Thursday July 20, 2006 @11:55AM (#15750374)
    The most secure place I've been (bank IT center) had a vestibule that weighed you on the way in and out. If you were heavier or lighter, the door didn't open.
    What if you used the bathroom while inside?
  • by umghhh ( 965931 ) on Thursday July 20, 2006 @11:56AM (#15750384)
    It is indeed a major mistake. Firing the responsible technician on the spot as you suggest will not do anything to increase security, however. After all, the persons responsible were able to act on the information provided - next time this method would not work. We do not have such certainty about their replacement.

    Not giving a chance for improvement is bad policy - the only thing it really does is alienate security people. It may be that next time they spot a similar mistake they will not fix it in any official way, fearing consequences, and this can create a bigger security problem than the one 'fixed' by firing squad.
    Alienated guards are bad guards.

  • security audit (Score:2, Insightful)

    by headonfire ( 160408 ) on Thursday July 20, 2006 @12:04PM (#15750468)
    After the (what seems to be) unannounced first break-in attempt and briefing of the employees, any and all results should be considered fairly invalid for at least several months afterwards. Being caught on their second attempt is a no-brainer - hopefully by that point all of the employees have been informed of a security audit, so everyone is going to pay attention, at least for a while.

    I worked in a "secure" government contracting facility for five years. As time passed, we had more and more security audits by both internal and external teams. The external security teams (and other inspectors, in fact) were required to be announced, and somebody always caught them - because management would address the entire staff and say 'Security audit, everyone; be alert for x, y and z happening'!

    Sort of smacks of cheating. Why? Because when the internal teams worked, unannounced, almost every time someone would slip by, usually by riding through a secure door without a badge on someone's coat-tails. Then we'd get chewed out by management, and within a couple of days someone would be caught, thus "bringing us back into compliance". This cycle continued every 6 months or so.

    It's a sham, pure and simple. Unless security issues are constantly, CONSTANTLY addressed, and security staff is on the ball and doing their job 24/7, most employees won't give more than a passing thought to it - because it's a pain in the ass to deal with every day, and it feels like the company is just being cheap by using the main workforce as a security guard in addition to their normal duties.

    bah.
  • Re:Bad Advice? (Score:5, Insightful)

    by Overzeetop ( 214511 ) on Thursday July 20, 2006 @12:06PM (#15750480) Journal
    maybe it was an upper manager who was in a hurry and didn't want to get out his ID card

    Yes, it's not the situation in the article, but you bring up a very valid point:

    Security Is For Everyone

    You absolutely should call security on upper management, though you might want to do it from someone else's phone. Management, no matter what level, must respect the security measures, no matter how high they are. The CEO should have his ID card at the ready if he's in a secure facility. *hrupph*
  • Re:insecurity 101 (Score:3, Insightful)

    by Hoi Polloi ( 522990 ) on Thursday July 20, 2006 @12:20PM (#15750599) Journal
    I was fingerprinted as part of my DOD security clearance at a DOD lab. At the time I had psoriasis on my fingers, so my fingerprints were practically smooth from thickened skin. After it cleared up I doubt any prints they took would've been too useful.
  • Re:Bad Advice? (Score:3, Insightful)

    by Valdrax ( 32670 ) on Thursday July 20, 2006 @12:36PM (#15750724)
    Security Is For Everyone

    Actually, that very egalitarian notion is likely to result in the dismantling of security procedures, depending on the workplace. I have a friend who worked for an AOL call center that had a man-trap up until the day that a senior VP got stuck in it due to a glitch that revoked his ID, causing him to be locked in and secured when he lacked credentials for entry.

    Getting laughed at by underlings will cause nearly any office procedure to get revoked if the executive is high enough.
  • Re:whatever (Score:3, Insightful)

    by windowpain ( 211052 ) on Thursday July 20, 2006 @12:48PM (#15750822) Journal
    That wasn't a troll. The guy who submitted can't write for shit. There is absolutely nothing inherently insecure about a mantrap. I was puzzled until I rtfa. It's the fact that doors to ATM mantraps are configured to operate with any magnetic stripe card that is the problem. The submitter should have made that clear.
  • Re:Password Safe (Score:3, Insightful)

    by Overzeetop ( 214511 ) on Thursday July 20, 2006 @01:38PM (#15751186) Journal
    Why bother with all that memorization? Heck, I can never remember stuff I don't use on a regular basis and it takes me a good 10-12 logins to really burn in a password. That's why I ditched truly random in favor of a long password string, from which I choose my passwords. See, I just wrote a short routine to generate 250 characters, alphanumeric only, including upper and lowercase. I pick a starting point and use (say) a 9 character password. When it's time for a new password, I choose a new spot in the string to start from. If I'm feeling odd, I'll go backwards in the string. But how do I remember all 250 characters? I don't. I print it out on a card and put it in my wallet, unlabelled, along with all the phone numbers I might need in an emergency. Heck, I might even leave a copy on my desk if I'm burning a new password into my skull. Easy for me to remember where I started, a good bit harder for anyone else. And, since most systems that matter have a lockout function, it would take someone quite a good bit of time to try all combinations at random (there are still about 2000 reasonable combinations of length, starting character, and direction). We're not talking about nuclear start codes, here.
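    The "substring of a printed card" scheme above is easy to quantify: once the card is known, the candidate set is every window of each plausible length, read in either direction. The following added example (not the poster's routine; the 250-character card is a constructed, fixed-seed sample and the length range 8-12 is an assumption) enumerates that set and compares its size with a genuinely random alphanumeric password of the same length, which is the risk a defender should weigh against the lockout the poster relies on.

```python
"""Effective keyspace of a password chosen as a window of a printed card."""
import math
import random
import string

ALPHANUMERIC = string.ascii_letters + string.digits  # 62 symbols, as in the post


def make_card(length: int = 250, seed: int = 2006) -> str:
    """Constructed sample card: a fixed-seed random alphanumeric string standing
    in for the printed card in the post (not the poster's actual card)."""
    rng = random.Random(seed)
    return "".join(rng.choice(ALPHANUMERIC) for _ in range(length))


def candidate_passwords(card: str, lengths: range) -> set[str]:
    """Every password the scheme can yield: each contiguous window of each
    allowed length, read forwards or backwards (deduplicated)."""
    candidates: set[str] = set()
    for n in lengths:
        for start in range(len(card) - n + 1):
            window = card[start:start + n]
            candidates.add(window)
            candidates.add(window[::-1])
    return candidates


def scheme_bits(card: str, lengths: range) -> float:
    """Work factor in bits once the card is known: log2 of the candidate count."""
    return math.log2(len(candidate_passwords(card, lengths)))


def random_bits(n: int, alphabet_size: int = len(ALPHANUMERIC)) -> float:
    """Bits of a uniformly random password of n symbols over the alphabet."""
    return n * math.log2(alphabet_size)


def lockout_windows(candidates: int, attempts_per_window: int) -> int:
    """Lockout periods an online guesser must sit through to exhaust the set."""
    return math.ceil(candidates / attempts_per_window)


if __name__ == "__main__":
    card = make_card()
    lengths = range(8, 13)  # assumed plausible password lengths
    n = len(candidate_passwords(card, lengths))
    print(f"{n} candidates from the card = {scheme_bits(card, lengths):.1f} bits")
    print(f"random 9-char alphanumeric     = {random_bits(9):.1f} bits")
    print(f"lockout periods at 5 tries each: {lockout_windows(n, 5)}")
```

    The point is that the scheme's strength rests entirely on the card staying secret: with the card in hand the search space is a few thousand candidates (about 11 bits) rather than the roughly 54 bits of a random 9-character password, and a lockout only slows an online guesser, not someone with an offline hash.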
  • by cexshun ( 770970 ) on Thursday July 20, 2006 @02:59PM (#15751752) Homepage

    I use this ruse also. Although my identification of choice is a handheld ham radio. If you have a walkie-talkie style radio, people will let you anywhere.

    A little trick I learned when geocaching. People are always suspicious if they see people snooping around. I found that a reflective vest (like that worn by motorcyclists), a clipboard and ham radio would get me into ANYWHERE! Do Not Enter? HA! Authorized Personnel Only? JOKE!
