Card Locks Thwarted by Shopping Club Card
hal9000(jr) writes "A recent column ('Social Engineering, the Shoppers' Way') on darkreading.com shows how easy it is for a pen test team to walk into a supposedly secure facility using a shoppers' club card because the man-trap feature was enabled. Man-traps allow people to enter an outer door but not an inner door, similar to ATM kiosks. Once inside, of course, they had the run of the place." Lessons: after writing down your password, eat your sticky notes rather than leave them on the monitor.
Works for me (Score:5, Interesting)
insecurity 101 (Score:5, Interesting)
1) Have a photo ID badge that is the only card that can be swiped to get in to the location
2) Install fingerprint readers and cameras for employees to gain entry
3) Lock all doors/locations not in use, & again use ID Badges and fingerprint readers to gain entry
4) Have all passwords on keychains updated every few minutes
5) And finally, have all employees meet regularly so they know each other by name and by face
Just a thought.
Wow I thought everyone knew this... (Score:3, Interesting)
security (Score:3, Interesting)
Extraordinary transformation (Score:5, Interesting)
That this happened in this fashion 6 months after the initial (and hugely embarrassing) successful penetration reflects both the company's response and the quality of the security awareness training delivered to employees.
How many people, hand on heart, once they're out of the office, would turn round and come back for such a scenario?
Bad Advice? (Score:4, Interesting)
Umm
If you've got someone who's in the middle of a criminal act
While it may be that most data poachers serious enough to break into a building aren't violent criminals
Spending the rest of the night duct-taped in a supply closet just doesn't seem like all that much fun to me
- Roach
Other items that work well. (Score:5, Interesting)
Clipboard. If you've got a clipboard, people are AFRAID to question you. A coworker of mine visited a major plant once, and the employees mistook him for a CEO or something like that because he had a clipboard.
Suit and tie. People will assume you're a rep of a visiting company and will give you directions.
The best locks in the world won't do any good if someone trusted opens it for an attacker.
Re:insecurity 101 (Score:5, Interesting)
The most secure place I've been (bank IT center) had a vestibule that weighed you on the way in and out. If you were heavier or lighter, the door didn't open.
Did the word "thought" escape your keyboard? (Score:4, Interesting)
It occurs to me that all this attention to security detail will come to naught in the Star Trek future - they could just use the transporter and beam into any secure area, all they need are the coordinates and blammo, they're in.
I refer you over to Larry Niven's essay, "The Theory and Practice of Teleportation", collected in All The Myriad Ways [amazon.com]; you'll probably need to check used bookstores or libraries for it. However, as my memory serves, he characterized that type of teleportation (both receive-to-device-from-anywhere and send-from-device-to-anywhere) as "you don't get a society, you get a short war".
Re:Don't buy it.... (Score:5, Interesting)
Someone set up a test SQL server in the lab with access to the production network.
Since it's "just a lab box" the SA password was left blank.
At some point a domain admin logged into this box.
The security team accessed the box with the local SA account.
They got the LSASS password cache.
With that they got the Domain Admin account.
They used that to access a DC, got the SAM and used RainbowCrack with a 10 GB precompiled hash DB to get 30 out of 35 domain admin accounts.
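The last step of that chain works because the hashes in the SAM (and the NT hashes cached by LSASS) are MD4 over the UTF-16LE password with no salt, so a table computed once serves against every dump ever taken. The example below is added here to show that property; it is not code from the comment above nor from RainbowCrack. The wordlist, account names and passwords are constructed, and a flat hash-to-password dict stands in for a rainbow table (it lacks the chain/reduction trick, but shares the compute-once, reuse-forever property that matters). The salted scheme at the end is a stand-in for contrast, not anything Windows does.

```python
"""Unsalted NT hashes vs. a precomputed table (added example, constructed data)."""
import hashlib
import os
import struct

MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 in pure Python (hashlib's md4 is missing on many OpenSSL 3 builds)."""
    bit_len = (len(data) * 8) & 0xFFFFFFFFFFFFFFFF
    data += b"\x80"
    data += b"\x00" * ((56 - len(data)) % 64)
    data += struct.pack("<Q", bit_len)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(data), 64):
        X = struct.unpack("<16I", data[off:off + 64])
        a, b, c, d = h
        for i in range(48):
            j = i % 16
            if i < 16:    # round 1: F, message words in order
                f, k, s, kc = (b & c) | (~b & d), j, (3, 7, 11, 19)[j % 4], 0
            elif i < 32:  # round 2: G, message words by column
                f = (b & c) | (b & d) | (c & d)
                k, s, kc = (j % 4) * 4 + j // 4, (3, 5, 9, 13)[j % 4], 0x5A827999
            else:         # round 3: H, message words in bit-reversed order
                f = b ^ c ^ d
                k = (0, 2, 1, 3)[j // 4] + (0, 8, 4, 12)[j % 4]
                s, kc = (3, 9, 11, 15)[j % 4], 0x6ED9EBA1
            # One register is rewritten per step; rotating the tuple reproduces
            # the spec's ABCD / DABC / CDAB / BCDA register ordering.
            a, b, c, d = d, _rotl((a + f + X[k] + kc) & MASK, s), b, c
        h = [(x + y) & MASK for x, y in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    """The NT hash as stored in the SAM and cached by LSASS: MD4(UTF-16LE(pw)), no salt."""
    return md4(password.encode("utf-16-le"))


def build_table(wordlist):
    """Precompute hash -> password once; reusable against every unsalted dump."""
    return {nt_hash(w): w for w in wordlist}


def crack_unsalted(table, dump):
    """dump: {account: nt_hash}. Pure dict lookups, zero hashing at crack time."""
    return {acct: table[h] for acct, h in dump.items() if h in table}


def salted_hash(password: str, salt: bytes) -> bytes:
    """Contrast scheme (constructed, not Windows): a per-account random salt."""
    return hashlib.sha256(salt + password.encode("utf-16-le")).digest()


def crack_salted(wordlist, dump):
    """dump: {account: (salt, hash)}. No table can be shared between accounts,
    so the whole wordlist is re-hashed per salt. Returns (hits, hashes computed)."""
    hits, work = {}, 0
    for acct, (salt, h) in dump.items():
        for w in wordlist:
            work += 1
            if salted_hash(w, salt) == h:
                hits[acct] = w
    return hits, work


# Constructed wordlist and "domain admin" accounts; four of five use weak passwords.
WORDLIST = ["password", "Password1", "letmein", "qwerty", "summer06",
            "welcome", "changeme", "admin123"]
PASSWORDS = {"da.alice": "Password1", "da.bob": "letmein", "da.carol": "summer06",
             "da.dave": "welcome", "da.eve": "k9#Vq!2pL$xT7wZe"}


def demo():
    """Returns (unsalted hits, table build cost, salted hits, salted crack cost)."""
    sam = {acct: nt_hash(pw) for acct, pw in PASSWORDS.items()}
    table = build_table(WORDLIST)              # len(WORDLIST) hashes, paid once, ever
    unsalted = crack_unsalted(table, sam)      # four of five fall with no hashing at all
    salted_store = {}
    for acct, pw in PASSWORDS.items():
        salt = os.urandom(16)
        salted_store[acct] = (salt, salted_hash(pw, salt))
    salted, work = crack_salted(WORDLIST, salted_store)   # len(WORDLIST) * accounts, per dump
    return unsalted, len(WORDLIST), salted, work


if __name__ == "__main__":
    u, uw, s, sw = demo()
    print(f"unsalted: {len(u)}/{len(PASSWORDS)} cracked, {uw} hashes computed once for all dumps")
    print(f"salted:   {len(s)}/{len(PASSWORDS)} cracked, {sw} hashes computed for this dump alone")
```

The weak passwords fall either way; what the salt buys is that the attacker's precomputation cannot be amortized across accounts or across dumps, which is exactly what a 10 GB table exploits against the SAM. The operational fix for the rest of the chain is the familiar one: no blank SA passwords on anything that can reach production, and no domain admin logons to lab machines, since a cached logon turns any local admin into a domain admin.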
Re:Easy full access (Score:1, Interesting)
Where I work (I'm in an IT dept) we actually have to clean our own stuff unless we're there babysitting the janitors. The janitorial staff comes through once a week while we're there (yeah, a pain in the ass) but other than that we're "it". Only people directly in the IT food chain have physical access to the IT section of the facility (basically it's IT peons -> Director of IT -> VP of Operations -> Pres).
When I worked for the federal government I was located in a SCIF on a military base, and we had our own janitors, MPs, bean counters, etc. and they were all cleared for TS material. We even had a technical librarian and a small library in there!
I do understand that not every company can take such precautions, but your point is noted. Own the place physically with the most innocuous folks and you still own the place. Period.
Re:RTFA (Score:5, Interesting)
There is no ATM or even credit card standard; it's just a unique identifier linked to your account in the bank's databases. You can use ANY magstripe card you have as an ATM card. Just go to the bank and ask them.
My bank did this for me when I lost my ATM card and needed cash. I went in, showed my picture ID, and they recorded my Student ID card as my ATM card. I could then stick it in an ATM and withdraw money. The guy explained that it was a lot faster than mailing me a new ATM card and that they could do it with any card that wasn't already linked to a bank account.
Tabloid Alert (Score:3, Interesting)
Could they improve the ATM vestibule access? Sure. But would it do any good? I doubt it. Almost everyone has some sort of card that could reasonably be used in an ATM and a mugger can just get you when you walk out or force you in when you get out your card. Or they could use a stolen card.
Given the default security-settings and install options present on so much software, I suppose I shouldn't be surprised but I am still surprised that a system whose sole purpose is security would make it so easy to allow this sort of misconfiguration. That seems like an option you should be forced to request.
Re:Other items that work well. (Score:4, Interesting)
Well-abused hard hat with a contractor's name on it (Simplex/Grinnell works well, since 99.9% of everyone has a Simplex/Notifier fire alarm system in Houston).
Work worn blue jeans and t-shirt. Cover-alls also work.
Worn work boots.
What really scares me though, is that I had less resistance walking around Halliburton than I had walking around BMC Computers. Apparently, software code is behind better locks than radioactive material. I used to be a fire alarm tech, and went into the wrong building once, had security open the fire command center, and opened the panel before I realised that I was a block away from my intended destination. I put the panel back on, walked out, thanked security, and made haste to my original destination. This was very soon after 9/11, and security was stopping everyone with a suit and tie, but toolbelts got to walk past the metal detectors.
Re:Other items that work well. (Score:3, Interesting)
Where I work (a medium-sized audio/video equipment and "lifestyle" company) everyone is required to wear their access card in a visible place, and guests are issued special guest cards that they have to sign for. Everyone here is strongly reminded that it is their duty to question anyone who does not have a visible access card or guest card as well as anyone who looks out of place.
Also, when visiting any of the research departments and assembly lines, mobile phones and anything else possibly containing a camera are to be stored at the receptionist's desk for the duration of the visit.
In the end, it is very much up to the employees, however. It's a good thing people generally like working here, so they do put in the slight extra effort to maintain some level of security.
Re:Wrong use of the word man-trap (Score:5, Interesting)
Surprised guy who sits by back door: How'd you get in?
Me: Popsicle stick (holding up popsicle stick)
You make a point there at the end... (Score:3, Interesting)
At my company, we've gone through two names since 2000 and went from a people-loving company to a "people at the top"-loving company. I've noticed that even though they've tried to tighten security, fewer people actually care about security, so even though they've tried to close holes, they lost their company-wide security net. There isn't a single employee in my building that gives a rat's arse about physical security outside of their own tools/stuff.
When I was hired, people would ask where I worked, and that sort of thing. Although it might not be intentionally a security question, it would've caught me if I didn't belong. Now, new hires wander around without anyone ever asking them anything.
"Kinda" similar but not really.... (Score:4, Interesting)
I now just carry one shopping card (Harris Teeter I think). It works at almost every store wherever I travel...CVS, Lowes Foods, Bi-Lo, etc. I just scan the card and it says "Welcome member".
And FYI. The ATM vestibules- big deal- they are all set to open on any magnetic reader as most banks and credit card companies use different numbers of tracks, data types, and encryption. They don't want to "lock out" members of other banks and not get to charge them a $3.00 "convenience fee" so they let basically any card in. It's not like it gives you access to the ATM if you use a fake card, you just gain access to a vestibule full of video cameras. It's only made as a "deterrent".
Spelling/Grammar police- I did this from a mobile while in a meeting, I don't feel like jumping through hoops to use a spell check. Just bear with me for now.
Re:insecurity 101 (Score:2, Interesting)
I'm not advocating using fingerprint readers as a single source of security though. The technology isn't really quite there yet, but there's been a lot of progress in recent years. Even with a perfect non-spoofable fingerprint reader, to be really secure there has to be the "what you know" aspect used in conjunction.
Re:RTFA (Score:3, Interesting)
Re:Extraordinary transformation (Score:3, Interesting)
A few years ago I worked at a company that issues SSL certificates. I'd already driven from home to the office for some scheduled after-hours work, and issued a cert as part of that work. I was almost back home again when I realized I'd left my ID token card in the cert-issuing computer.
Now, this machine was in a locked room which required ID card and PIN access, and even with the token card you had to fingerprint and password the computer. Nonetheless, I drove all the way across town again to put the token back in the safe.
Chances are I could've been the first person into the room the next day and no one would've been the wiser, but better safe than sorry--especially when it's policy.
Re:Other items that work well. (Score:5, Interesting)
I think most of the security in corporate buildings is more about insurance liability than security. When I was a security guard while going to college*, we were told not to approach anyone we saw on the premises at night. If they looked suspicious we were to call the police. The company received something like a 30% discount for having a minimum wage person walk through the building every few hours. Our job was to discourage vandalism by our presence, and to observe and report (so that the fire only guts half of the north wing instead of the whole thing).
The card readers are much the same. We just want to keep the random passerby from wandering through on sightseeing expeditions, and have something to cover our butts with at the civil trial when the judge asks why we were letting murderers and rapists wander the halls. Mention of corporate espionage will raise a few snickers among the security managers.
Re:insecurity 101 (Score:2, Interesting)
Re:RTFA (Score:2, Interesting)
Paper towels... (Score:2, Interesting)
Next day, I told my boss. He thanked me, but the facility manager started shooting me nasty looks. End of the month, my boss gave me a bonus for the info...
Re:Bad Advice? (Score:3, Interesting)
No, that is a sign of a company culture with far worse problems. If that is so where you work, put out your resume.
I worked at Intel for over a decade. "Employee only" technical and marketing data is published in serial numbered documents with a distinctive cover color. Every few months, the night shift guards walk the building confiscating secret documents that have not been locked away for the night. Document control matches up the serial numbers to names, a list gets generated, and the manager of those caught out gets an e-mail.
So, one day the V.P. of our division had a document picked up, and his name was put on a list that was sent to Andy Grove. We all got a good laugh out of that, including the V.P., who took the ribbing quite good naturedly. It's possible to take your work seriously without taking yourself overly seriously.
Re:insecurity 101 (Score:1, Interesting)
Any employee with a cold is also expected to carry any tissues onto which he/she has deposited nasal mucus and/or phlegm.
Sincerely,
The Management