The Spy in Your Server Room

CorinneI writes "Your business's private information may not be as safe as you think — especially when you take into account how many people pass through your office's revolving door on a daily basis. That's why many companies hire TraceSecurity employees to test the security of their systems — operations that usually involve TraceSecurity personnel talking their way into offices in order to gain access to server rooms and sensitive customer information. PC Magazine was invited along to cover a recent TraceSecurity operation."

Eh?

[ScorpFromHell]

Is this an ad or an article?

Re:

[rucs_hack]

Is this an ad or an article?

It reads like an Advert. I wonder....

Re:

[vought]

TraceSecurity...the shining star of Baton Rouge's burgeoning information technology industry.

A city of paranoiacs with a single successful computer-related company...why am I not surprised?

Re:

[tonyreadsnews]

Really, I thought the article read more like an old movie plot.

Increased security in recent years means TraceSecurity personnel are trying to get past "guys with machine guns.

I wonder if they get extra pay for that...

CmdrTaco

[u38cg]

When you say you refuse to allow advertising masquerading as articles, I believe that's your intention, but really - what else is this?

Penetration testing is next to useless

[David_Hart]

For most companies, physical penetration testing is next to useless. Why? Because management expects IT and employees to act as security guards. IT is the gatekeeper of your ditial information, not your physical hardware. If you want a physically secure facility, hire security personnel. Tailgating can be easily solved by having security guards present at each key card entrance, forcing each person to badge in. Otherwise, it is just a show put on by management to get funding for more security toys.

Re:

[mOdQuArK!]

For most companies, physical penetration testing is next to useless. Why? Because management expects IT and employees to act as security guards.

Which is a good reason for physical penetration testing: to throw management's assumptions in their face.

Re:

[Fulcrum of Evil]

Which is a good reason for physical penetration testing: to throw management's assumptions in their face.

Management that demands IT be security jobs will just demand that they be better guards.

Re:

[Anonymous Coward]

My university (in central London) just installed revolving doors at some entrances to reduce tailgating. In peak hours they're like normal revolving doors, but outside those times (i.e. evening, night, weekends) you have to unlock the door with a university ID card. Each wave of the card lets only one person through, you can't tailgate -- the door locks, and you can only go back out. I don't know how successful they'll be at reducing tailgating (there used to be card-activated sliding doors), but I think

Re:

[pthor1231]

That is a very similar concept to other high security places I have been in, except usually its revolving metal bars, so you couldn't even really break them if you wanted to.

Re:

[xaxa]

I'm pleased we just have glass doors -- it would look too much like a prison otherwise!

There were probably fire regulations against something that secure too -- I was in the building late-ish at night a month ago when it caught fire (minor-ish), the four panels that made up each revolving door folded around the next to each other to leave plenty of space to walk out easily.

Re:

[pthor1231]

Hehe, my thought when I first saw the metal bar style turnstile was that it was a prison.

Re:

[GregNorc]

My father worked for a large federal agency with just such a system. All I had to do was say his name and I was his son, and I got in. This was not when I was young either - I was 18 and a senior at the time, and had never visited him at work before. Security guards can get just as lax as employees.

Re:Eh?

[blincoln]

Is this an ad or an article?

According to TraceSecurity, advertisements on Slashdot often masquerade as articles. That's why many Slashdot members hire TraceSecurity to validate their contents before reading them. This message brought to you by TraceSecurity: Tracing your Security so that you can be secure in the knowledge that your Security is Traced.

Re:

[Hoi Polloi]

What was TraceSecurity's website again? And just why are their rates so damn affordable?

Re:

[xorbe]

They called tech workers with lesser social skills "booger-eaters"!

Re:

[Tim C]

Oh come on, the submitter's name is linked to PC Mag's website fer crying out loud. This has advert written all over it - the only question is which company (PC Magazine or the pen testers) paid the most for it.

Slashvertisement!

[b96miata]

This summary could have conveyed all the necessary information quite easily and been just as valid by replacing "TraceSecurity" with the more generic "penetration testing company". Enjoy your plug guys!

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Creepy Crawler]

I've got a penetration testing company, and Im the CEO.

Cause Im da pimp!

Re:Slashvertisement!

[GroeFaZ]

I agree. TFA packaged the company's name 48 times in exactly as many mostly one-sentence paragraphs. Yes, I did count. PCMAG should disclose, did they ask that company for help in that report, or was it the other way around?

Re:

[Anonymous Coward]

Yep. This poseter created a brand new user id (CorinneI) and linked it directly to www.pcmag.com, too. What a crock.

Re:

[Frosty Piss]

As I've pointed out in the past, there are a number of high profile consumer computer mags that get an amazingly (and suspicious) free ride here at Slashdot.

Server room?

[sm62704]

If you have trade secrets on your web server, the spy is the least of your problems.

OK, bad joke, I know we're talking about the file server here, but why would a spy be in the server room? Wouldn't he be a lot less notcable logging in from an empty office? Or better yet, an empty office whose owner has just left his machine for the rest room?

What do you mean, RTFA? This is slashdot, we don't need no FAs!

-mcgrew

Re:

[cpaalman]

Getting some alone time in a server room for a couple of minutes is plenty to drop in a wireless access point that has SSID broadcast turned off, no sense in tipping your hand if someone sees a new SSID appear, and spend the rest of your time in a van within range playing on the local LAN.

Re:

[corsec67]

Or you could be sneakier and use a powerline ethernet extension, since they aren't very common not many people would look for one. I don't know how well that would work, since I don't use them either.

Social Engineering

[duplicitious]

Old con, it shows how trusting people can be, but shouldn't.

Re:

[zildgulf]

The con is very old, but extremely effective. People, unlike computer systems, don't change every five years. People are usually complaint, if not trusting.

Long ago, when I was a pimply-faced youth working at a somewhat sensitive location, we were trained over and over again to escort one guest per employee and no more, and to BE that person's shadow. We were to keep that person on task or escort them out. If they bolted, you grab anyone's phone and call security ASAP (welcome to the 80's). That way

They must be good

[Sockatume]

They managed to walk right into the front page of Slashdot with no resistance whatsoever.

Re:

[Sockatume]

If the company was called "Seatech Astronomy", you'd have a really amazing joke there.

Re:

[andreyvul]

there is no 'v' in Seatech Astronomy, therefore you are incorrect.

Re:

[myowntrueself]

Did no one get this?

Too Many Secrets.

From a famous movie.

Involving 'hackers'.

Re:

[afabbro]

Sorry, it's not...but try again here [wordsmith.org].

Sneakers

[underwhelm]

The article is ok... but the movie adaptation is a thrill ride!

Re:

[martin_b1sh0p]

Great! Thanks a lot! Now everyone knows what my nick means...

Blech

[Lurker2288]

A thrill ride? I thought it had too many secrets.

Waste of kilobytes

[Major Blud]

This article was a complete waste of time. No details were layed out for us; my favorite was when they said they "could have" plugged in a wireless access point to the server rack. Without actually trying it, they didn't prove dick....for all we know their network may not have allowed unknown MAC addresses. It was all a bunch of "we could have" done this, or "could have" done that. Just do it for god's sake! Just walking into the server room and putting stickers on a server doesn't prove that you actua

Re:

[Ragein]

The company might not have allowed them to test this far, remember they are testing clients not actually ripping the place off.

Moderated -1 "Blatant advertising"

[Bagheera]

Penetration testers doing their job: Film at 11.

Seriously, while it's not an entirely bad article on a penetration test, this is nothing but a shameless plug.

Re:Moderated -1 "Blatant advertising"

[spun]

Penetration testers doing their job: Film at 11.

Normally, CineMax doesn't show that type of film until after midnight...

Re:

[Bee1zebub]

More people reading the firehose would stop a lot of this sort of thing getting past that stage. I think the main reason the respected mags get such a free ride here is that too many people don't RTFA, so they never notice that it is a plug piece. They just see that it is in a major magazine and assume it must be good. Of course, once one person has actually read the article and noticed how bad it is, everyone else goes and has a look, and posts the same thing. It would be interesting to see if it is the sa

Re:

[Raenex]

Read the article? I read the summary and knew it was a Slashvertisement. It was so blatant I'm just reading this thread to look for any kind of response from the editors. Not that I really expect to find any but ya never know.

#1 cause is underpaid IT staff.

[Lumpy]

first server room access should be limited to a very short list. and nobody on that list should be so underpaid they would stupidly let someone in there without at least 2 sets of eyes on them.

All they prove is that IT departments are not only underpaid but under staffed.

the second thing they prove is that the security staff is also underpaid and understaffed. Sorry but my first shot is to ask what company they are from, then google it to find the phone number. I never call the number given by the person or on their badge or paperwork.

There are lots of other ways. also you don't need access to the server room to install a rogue AP and gain a wireless cracking point. one hidden nicely under the a desk on the 2nd floor corner office is a better place.

Re:#1 cause is underpaid IT staff.

[Aladrin]

"I never call the number given by the person or on their badge or paperwork."

Would you similarly distrust the number given to you from the email that was sent and appeared to be from management? I know I would assume that if the number differs from the public one on the web, it's because we have a corporate plan and have priority support from them. I -do- distrust anyone who claims to be X and give me the phone number to prove it. WAY too easy to fake.

"There are lots of other ways. also you don't need access to the server room to install a rogue AP and gain a wireless cracking point. one hidden nicely under the a desk on the 2nd floor corner office is a better place."

You do if the network is secured properly. Especially if they bothered to have 2 networks.

Re:

[Anonymous Coward]

You do if the network is secured properly. Especially if they bothered to have 2 networks.

accesspoint running OPEN-WRT clone the executives PC's mac address, now set it up to transparently allow the executive to work just fine open up ports for remote access that the IT guys will probably use. now it looks like the executives PC is online and happy. your computer connected wirelessly looks like it's the executive PC as well. start your escapades... you have remote control over the AP so you can adjust t

Re:

[megaditto]

Wouldn't most places use VPN encryption these days?

Re:

[Rakishi]

VPN is for external connections (and even that may be crackable depending on the implementation), generally local network traffic is not encrypted (as they assume it is physically secure).

Re:

[surprise_audit]

Around here, even people *on* the access list don't get to go into the server room without a phone call to the guard from elsewhere in the building. Heck, you can't even get into the building without an access card, or someone going to the guard shack to check you in.

On the other hand, it wouldn't be too hard for a disgruntled IT worker to set up a WAP for someone to gain access, but I suspect the signal would be a bit hard to pick up through concrete walls and across 500 feet of parking lot...

Re:

[JPriest]

Not everyone is that secure, and just because a company is secure in some areas does not mean there aren't any weak links.

Re:

[dreamer-of-rules]

I suppose the normal router you'd pick up at Best Buy wouldn't reach that far, but specialty devices might be able to breach the walls and reach a publicly available spot. Remember the bluetooth hacking experiments last year? They were able to hack into a bluetooth phone from a range of 1 mile. With custom transmitter on the inside and a custom receiver on the outside, cement walls probably won't be an insurmountable problem.

Re:

[pikine]

the second thing they prove is that the security staff is also underpaid and understaffed. Sorry but my first shot is to ask what company they are from, then google it to find the phone number. I never call the number given by the person or on their badge or paperwork.

It probably wouldn't be very difficult to setup a rogue website. Since TraceSecurity bothered to prepare for the operation a week in advance, even printing a custom designed magnetic plaque to brand their rented car, there is ample time for

Re:

[AndrewM1]

The problem with this is that it's vulnerable to exactly what they did: faking an email. The penetration testers, a few days before their visit, sent an email forged to look like it was from senior management informing people about this. Now, it looks like the senior manager initiated the visit, though he has no clue. It's a bad idea to rely on the idea that "whoever initiated the visit should be responsible for watching them" - what happens if the security guard just sent them on their way, while assuming

Re:

[Bee1zebub]

I did work experience on a government site where highly classified work is done, and everyone who had not been fully checked, signed the local version of the official secrets act and so on had to be escorted at all times by a member of staff, from the moment they passed through the gate. If no-one collects them, the person just has to sit in the guardhouse and wait. This way, even if there was a faked message authorising their visit, they would still be supervised by someone, preventing such an attack.

Re:

[pikine]

You misunderstood my point. They can fake e-mail from anybody, which nobody should care except when they actually come on-site. The first question is "who invited you here?" Then the security guard or receptionist would look up the name from a directory, call the person, confirming that the visitor is here, then hand the responsibility over to the host. The only assumption I make is that the host would be fully accountable for his visitor's action. This includes finding a watch-person if the host is not ava

Re:

[Technician]

There are lots of other ways. also you don't need access to the server room to install a rogue AP and gain a wireless cracking point. one hidden nicely under the a desk on the 2nd floor corner office is a better place.

Where I work, wireless security is taken very seriously. Sweeps for rogue access points is regular. Access points found are published in employee communications. A much better hack would be some kind of inside server, but it would have to make it's own outgoing connection to a controlled we

Locks!

[techpawn]

Come on people, if there is a lock on the door and you know the people with the key to the room the chances for needing a slashvertisment like that decrease and knowing who has physical access to your servers increase...

Re:

[Lumpy]

Actually we use the insecure proximity cards for access. but we also have motion sensors in the server room that set off a blinking light in the IT offices whenever someone is in the room. when we see the blinky most of us usually flip over to look at the plasma on the wall showing the camera or we simply connect to one of the axis cameras in the room and sww what is up.

If it's not one of the 5 people that are allowed in there. Call security and have them meet you at the door.

really simple. but it's money

Re:

[spun]

Huh. Is that what passes for security these days? We keep our servers in a darkened cellar with no stairs, in a locked filing cabinet in a disused lavatory marked 'Beware of the Leopard." So far that's kept out everyone but this one English bloke...

Re:

[garwain]

yep, only essential personnel should have access, and they communicate. If $ServicePerson shows up, to deal with $server, they should have an appointment with $internalPerson. If $internalPerson knows about it, but will not be around to supervise, then a note should be left for $AnotherInternalPerson to know $whatTheHellIsGoingOn, if there is no tracibility and no one is expecting $servicePerson, then send him packing,

Oh Please

[TheBrutalTruth]

While a relevant article (to some, I guess), the summary IS a shameless plug - even if not intended.

Editors: For the sake of credibility, please consider before you post. Unless you would consider my story about a bridge in Brooklyn I have for sale, then I might reconsider my position.

Auto-Hack 2000

[nsanders]

TraceSecurity could have gone one step further and uploaded its software onto the financial institution's system with the discs. A signal would then be sent to TraceSecurity computers, which could access the system remotely.

So by placing the CD-ROM in a computer, it will automatically hack what ever OS the computer is running and auto install your software? Or are you implying that this company left server consoles logged in as an admin user?

I call major bullshit on this article. There's some real iffy stuff here as pointed out by other /.'ers as well. I get that it's all about social engineering, which is a huge problem. But some of their claims are a little too out there. Like saying they "could" have done this, or "could" have done that. Well you don't know that you really could until you try it. Most of our environments here have NO Internet access. It is entirely firewalled going out. Does your magic CD-ROM also auto-hack their firewalls too?

Re:

[wattrlz]

I just thought they assumed the, "financial institution" in question was running windows.

Re:

[Aladrin]

Who said automatically? They said they COULD have gone a step further. They could have placed a trojan on the computer, which would then contact the TS computer and allow remote access. They are saying that they DO that when the customer requests it, but it was not requested in this case.

Re:

[nsanders]

Who said automatically? They said they COULD have gone a step further. They could have placed a trojan on the computer, which would then contact the TS computer and allow remote access. They are saying that they DO that when the customer requests it, but it was not requested in this case.

By hacking the OS from the login prompt? By standing at the terminal for 20 minutes while they reboot and bypass the OS? By installing software on an unlocked terminal? I still find this whole story fluff.

Re:Auto-Hack 2000

[Ritchie70]

It's a reasonable tag if you ask me.

If you can put a CD-ROM in the drive, you have full physical access. At least for a typical PC-type system (which most servers are these days) physical access means you own the box. Reboot, boot from the CD, mount the hard drive, bang.

Re:

[rufty_tufty]

Doubt it:
For a start anyone worth their salt would have set up the bios correctly and you can't do the exploit you've just cited, hell I can't even do that exploit on any of the desktop work PCs I've used(3 separate companies), never mind one of the servers...
Secondly if you're about to say - swap out the hard drive then you're still wrong - it takes a fair amount of time to swap out a hard drive and I bet that would be noticed. Now maybe they are hot plug drives in the server, but good luck getting a prope

Re:

[Ritchie70]

The key thing is "anyone worth their salt."

So far as the server going offline being noticed, I'll bet there are a lot of servers out there that could go down for ten minutes and not exactly have an instant response.

Re:

[toddestan]

For a server though, I wouldn't count on it. Sure, you could do something like that, but you'll likely be bringing a whole lot of attention to yourself the second that server goes offline.

Re:

[Bee1zebub]

Whist as the exploit you described would almost certainly not work, as the siblings pointed out, what might work would be to place an inline sniffer/transmitter onto a network cable. All it would have to contain is a radio transmitter to send the network traffic passing over the cable, which could possibly be done using analogue circuits which would not interfere with the signal, although powering it may be difficult to do unobtrusively. The difficult part of this would be to plug it in without the logging

Re:

[dreamer-of-rules]

By default, Windows will auto-run programs on CDs. This "feature" was exploited by Sony [wikipedia.org] to automatically install rootkits on your system when you inserted one of their pop artist music CDs. Of course, it can be exploited by hackers as well.

There is a registry entry you can change to disable autorun, which I highly recommend. Unfortunately, it breaks auto-detection of inserted CDs, which means that if you enable it for the normal employee systems, you'll have some extra training / help desk calls to expla

Re:

[dremspider]

Well, you are almost correct. What really happens is you put the disk in and it opens up something similiar to pipe dream. What you need to do is shift the "pipes" before the water gets to be too full. Depending on how well the box is locked down the water will flow faster. This is how I was taught in my classes from Bioshock university.

Sorry, I couldn't resist.

Re:

[Technician]

So by placing the CD-ROM in a computer, it will automatically hack what ever OS the computer is running and auto install your software? Or are you implying that this company left server consoles logged in as an admin user?

I call major bullshit on this article. There's some real iffy stuff here as pointed out by other /.'ers as well. I get that it's all about social engineering, which is a huge problem. But some of their claims are a little too out there. Like saying they "could" have done this, or "could" h

Re:What about the low wage rent a cop or jantor wh

[Anonymous Coward]

Also some the janitors are not even us citizens.

Heaven forfend!

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[DrSkwid]

Especially if he was mild mannered and particularly hursuit.

Re:What about the low wage rent a cop or janitor

[rueger]

Leaving aside the rather "only in the U.S." comment about "citizens," the point is valid. Quite often the two groups that have complete access to a building - the security guards and the cleaners - are also the groups most likely to be subcontracted to the lowest and/or shadiest bidder.

I suspect that because these people only arrive after office hours no-one in charge ever thinks of them as existing, much less as a security risk.

How exactly did they send an email to the office?

[appleguru]

From TFA:

TraceSecurity modified the company's domain and sent an office-wide e-mail that looked as though it came from a higher-up in the branch. It warned employees of an upcoming pest control visit, and requested that the pest control workers be escorted through the office to check for infestation.

They "modified the company's domain"? How, exactly, did they go about doing that? If they can get access to internal DNS/email servers/etc from the outside, then your company has bigger security problems than those presented by a social engineering exercise...

Re:How exactly did they send an email to the offic

[uglyduckling]

I think it means that they modified their own companie's domain - in other words they changed the From: field in their email message so it looked internal. Not exactly high-tech but probably enough to fool the majority of users. Their incoming mail servers shouldn't allow those through, but I'm sure most of them do.

Re:How exactly did they send an email to the offic

[michaelwigle]

I suspect what we're getting here is non-tech trying to explain what the tech told him. It's not unusual for companies to have an all.staff@companydomain.com address to send company-wide e-mails. I figured they just forged the from field to show boss@companydomain.com. Only problem with that tactic, of course, is that the person you are impersonating would also get the e-mail. It does make you wonder if they had some inside help on that part. Mind you, I would think you really would only need to send the e-

Re:How exactly did they send an email to the offic

[DerekLyons]

They "modified the company's domain"? How, exactly, did they go about doing that? If they can get access to internal DNS/email servers/etc from the outside, then your company has bigger security problems than those presented by a social engineering exercise...

Not entirely true for an institution where the public facing servers and administrative intranets are seperate from each other and from the production servers and networks.

Re:How exactly did they send an email to the offic

[Andy Dodd]

What they probably meant is that they forged a return address from a modified variant of the company's domain.

e.g. sending an email from FIRSTUNI0N.COM to employees of FIRSTUNION.COM

Flame ON!

[nuzak]

Slashvertisement, in its most distilled form. I guess the "editorship" here wrenched their shoulders after patting themselves on the back during their tenth anniversary. So much for integrity.

Seriously, even though I know all too well how running something like slashdot is a lot harder than it looks, and how not everyone can be satisfied, and how quality sometimes has to come after candor, even after all that, I know deep down I actually could start something better than this dreck. But frankly, "social links" and blog aggregators are already out there, and I won't pour my money down the hole of recreating reddit, digg, or technorati.

This article shows precisely how slashdot is not only not journalism, it's not even a respectable blog. Slashdot occupies the medium precisely inbetween, known colloquially as "The Worst of Both Worlds." You should be ashamed . But I know you aren't.

Re:

[nuzak]

Yunno, I'm not one to complain about moderation, but how the fuck do you justify defending slashdot here?

Thankfully..

[Carbon016]

Server rooms are now being built with really long corridors to prevent the spies from cloaking and getting in, pyros are stationed at various checkpoints, and all workers are usually given baseball bats to hit people trying to enter to see if they bleed.

Re:

[operagost]

I really hate when I forget my keycard and have to run the gauntlet. Thankfully, my company has a good health plan.

got spy room, need server

[wardk]

got it all backwards, hoping someone can help

Spy Cat

[francisstp]

I'm in ur server roomz, spying your shitz.

What I want to know is...

[afabbro]

...if TraceSecurity's Senior Vice President Dariel LeBouef [tracesecurity.com] is a real name or a stage name for porn?

Dariel...THE BEEF!

Re:

[vought]

No, that's a common surname in Baton Rouge, where TS is located.

Re:

[Jeff Carr]

Dariel LeBouef, 15+ years in penetration testing...

...what?

Sleezy

[zippy40]

These guys are like sleezy insurance con artists.

Take the corners

[Bo'Bob'O]

Thats ok, we keep two engineers in the intelligence room to take care of spies. Just watch out for big guys with chain guns that are glowing red or blue.

Funny the reactions

[tuomoks]

Now, places who want a secure environment / systems have been doing this a long time. An insurance company where I did work in 70's and I was part of security, managing mainly systems and operations access security, we had a company once/twice a year making a check. And I can tell you, they found a lot of ways in, loose papers, open terminals, unlocked doors, whatever. Very useful. Haven't done that for a while but you should see the Swiss bank security or the France military security, scary. And these guys