Card Locks Thwarted by Shopping Club Card
hal9000(jr) writes "A recent column ('Social Engineering, the Shoppers' Way') on darkreading.com shows how easy it is for a pen test team to walk into a supposedly secure facility using a shoppers club card because the man trap feature was enabled. Man-traps allow people to enter an outer door but not an inner door similar to ATM kiosks. Once inside, of course, they had the run of the place." Lessons: after writing down your password, eat your sticky notes rather than leave them on the monitor.
Wrong kind of trap (Score:4, Funny)
Re:Wrong kind of trap (Score:2)
And two... it's caltrOps! And what would a bunch of tacks do to improve security anyway? I mean, sure, in a dungeon it'd work, but still...
Re:Wrong kind of trap (Score:2)
>
> One, this is completely inane.
>
> And two... it's caltrOps! And what would a bunch of tacks do to improve security anyway? I mean, sure, in a dungeon it'd work, but still...
And three, typos make the trapmaster cry. [elitemrp.net]
Re:Wrong kind of trap (Score:3, Funny)
You could nail the door shut.
Works for me (Score:5, Interesting)
Floor seats at the concert (Score:5, Informative)
Buy your tickets online, using TicketMaster's instant delivery mechanism. They email you a PDF that serves as the ticket.
Scan it in, bring it into photoshop, and edit the seat location. For that matter, use scissors and tape and a copier to modify your seat location. Make sure you make it a front row seat!
Then when you go to the concert, use the original to get in the door. Use your edited version to wander the floor. Obviously you probably won't have a seat, but you'll be able to get pretty darn close. All because they only scan the ticket at the door. They visually inspect the ticket to see if you are special enough to get up close.
* Seriously, I would never suggest that you break the law. This idea is purely for entertainment and discussion purposes. Kids, don't try this at home!
Just great. (Score:5, Funny)
insecurity 101 (Score:5, Interesting)
1) Have a photo ID badge that is the only card that can be swiped to get into the location
2) Install fingerprint readers and cameras for employees to gain entry
3) Lock all doors/locations not in use, & again use ID Badges and fingerprint readers to gain entry
4) Have all passwords on keychains updated every few minutes
5) And finally, have all employees meet regularly so they know each other by name and by face
Just a thought.
Re:insecurity 101 (Score:2)
Using fingerprints or other such biometric data to gain access to valuable resources is a very BAD idea. Until there's a sensor that can identify me, that I'm alive and well and not in any way stressed (no gun pressed into the small of my back etc. etc.) then the whole idea is a no no.
Re:insecurity 101 (Score:3, Insightful)
Re:insecurity 101 (Score:5, Interesting)
The most secure place I've been (bank IT center) had a vestibule that weighed you on the way in and out. If you were heavier or lighter, the door didn't open.
Re:insecurity 101 (Score:5, Funny)
Re:insecurity 101 (Score:3, Informative)
Re:insecurity 101 (Score:3, Funny)
Re:insecurity 101 (Score:2, Redundant)
Wrong use of the word man-trap (Score:5, Informative)
Setting anything in this method is absurd, and the physical security people should be fired on the spot for this kind of kindergarten mistake. While what likely happened is that it was turned this way when installed so that you could teach people to use it without having to deal with the slowdown of people actually being blocked, it's a bad way to behave, and shouldn't have been even turned on the first time this way. It may also be that, in fact, it was turned this way because of a problem with reliability of magstripe cards (they fail pretty regularly), and instead the system should have been converted to another form of identification -- Wiegand, RF proxy, etc.
Re:Wrong use of the word man-trap (Score:2)
Re:Wrong use of the word man-trap (Score:5, Insightful)
Not giving a chance for improvement is bad policy - the only thing it really does is alienate security people. It may be that next time they spot a similar mistake they will not fix it in any official way, fearing consequences, and this can create a bigger security problem than the one 'fixed' by firing squad.
Alienated guards are bad guards.
Re:Wrong use of the word man-trap (Score:2)
Some of the "bum repelling devices" are a little more advanced and will read the first few digits to verify that you are a customer of the particular bank, etc. (a bit of a nuisance if you are drunk and looking to buy more
Re:Wrong use of the word man-trap (Score:2)
Re:Wrong use of the word man-trap (Score:5, Interesting)
Surprised guy who sits by back door: How'd you get in?
Me: Popsicle stick (holding up popsicle stick)
Re:Wrong use of the word man-trap (Score:4, Informative)
I suggest you go read the definition of B&E/Burglary. Basically, it is this:
"entering a building or remaining unlawfully with intent to commit any crime"
1) every time I'm there I am there at their request and am permitted to be in the area by the back door
2) what crime? I'm there to make keys to file cabinets or reset the combination on their safe, again, at their request
Where did you acquire your legal education? Television? An accessory must generally have knowledge that a crime is being, or will be, committed. At most this could be considered negligence, but as such would only be grounds for dismissal or civil suit. But given that the partners know all about it and tacitly approve, that's not even a sure thing.
Re:Wrong use of the word man-trap (Score:4, Funny)
It would trap a particular kind of sea bird [artistwd.com], or a not very smart person [princeton.edu]. Or maybe it's something else entirely [castlerealm.com].
Single Entry door or Man Traps (Score:5, Informative)
They are likely referring to a single person entry door.
The problem I see is this may not suffice for disabled access.
At first I thought a man-trap would be one that locks you in if anything goes wrong; the problem there would be a potentially devastating liability if there is any injury.
Think about the lawsuit if someone got injured or killed (or mildly annoyed) if they were physically detained by an automated system.
The wikipedia article indicates this issue.
http://en.wikipedia.org/wiki/Man-trap [wikipedia.org]
Re:Single Entry door or Man Traps (Score:2)
Re:Single Entry door or Man Traps (Score:2)
Re:Single Entry door or Man Traps (Score:5, Informative)
Just have someone carry a baby in carrier (Score:5, Informative)
Re:Just have someone carry a baby in carrier (Score:2)
Of course, if your office isn't a particularly high security environment, it may just not matter that much if someone unauthorized makes it in. In that case (as with most ordinary office buildings), the security is th
Other items that work well. (Score:5, Interesting)
Clipboard. If you got a clip board, people are AFRAID to question you. A coworker of mine visited a major plant once, and the employees mistook him for a CEO or something like that because he had a clipboard.
Suit and tie. People will assume you're a rep of a visiting company and will give you directions.
The best locks in the world won't do any good if someone trusted opens it for an attacker.
Re:Other items that work well. (Score:4, Interesting)
Well abused hard hat with a contractor's name on it (Simplex/Grinell works well, since 99.9% of everyone has a Simplex/Notifier fire alarm system in Houston).
Work worn blue jeans and t-shirt. Cover-alls also work.
Worn work boots.
What really scares me though, is that I had less resistance walking around Halliburton than I had walking around BMC Computers. Apparently, software code is behind better locks than radioactive material. I used to be a fire alarm tech, and went into the wrong building once, had security open the fire command center, and opened the panel before I realised that I was a block away from my intended destination. I put the panel back on, walked out, thanked security, and made haste to my original destination. This was very soon after 9/11, and security was stopping everyone with a suit and tie, but toolbelts got to walk past the metal detectors.
Re:Other items that work well. (Score:3, Interesting)
Where I work (a medium-sized audio/video equipment and "lifestyle" company) everyone is required to wear their access card in a visible place, and guests are issued special guest cards that they have to sign for. Everyone here is strongly reminded that it is their duty to question anyone who does not have a visible access card or guest card, as well as anyone who looks out of place.
Also, when visiting any of the research departments and assembly lines, mobile phones and an
You make a point there at the end... (Score:3, Interesting)
At my company, we've gone through two names since 2000 and went from a people-loving company to a "people at the top"-loving company. I've noticed that even though they've tried to tighten security, fewer people actually care about security, so even though they've tried to close holes, they lost their company-wide security net. There isn't a single employee in my building that gives a rat's arse about physical security outside of their own tools/stuff.
When
Re:Other items that work well. (Score:5, Interesting)
I think most of the security in corporate buildings is more about insurance liability than security. When I was a security guard while going to college*, we were told not to approach anyone we saw on the premises at night. If they looked suspicious we were to call the police. The company received something like a 30% discount for having a minimum wage person walk through the building every few hours. Our job was to discourage vandalism by our presence, and to observe and report (so that the fire only guts half of the north wing instead of the whole thing).
The card readers are much the same. We just want to keep the random passerby from wandering through on sightseeing expeditions, and have something to cover our butts with at the civil trial when the judge asks why we were letting murderers and rapists wander the halls. Mention of corporate espionage will raise a few snickers among the security managers.
Re:Other items that work well. (Score:3, Insightful)
I use this ruse also. Although my identification of choice is a handheld ham radio. If you have a walkie-talkie style radio, people will let you anywhere.
A little trick I learned when geocaching. People are always suspicious if they see people snooping around. I found that a reflective vest (like that worn by motorcyclists), a clipboard and a ham radio would get me into ANYWHERE! Do Not Enter? HA! Authorized Personnel Only? JOKE!
Re:Just have someone carry a baby in carrier (Score:3, Informative)
The thieves drove up in a moving truck, wearing appropriate clothes, and explained that the chairs were being transferred to a different office. They presented "requisitions" to sign, got signatures, filled the truck, and drove away.
In broad daylight (Score:3, Informative)
They went in, presented fake credentials, worked in the room a couple of hours, took two machines and nobody suspected a thing until someone noticed the servers were down.
Anyone can top that?
Re:Just have someone carry a baby in carrier (Score:2)
Re:Just have someone carry a baby in carrier (Score:4, Funny)
Draw your own ID card (Score:4, Funny)
Re:Draw your own ID card (Score:2)
Wow I thought everyone knew this... (Score:3, Interesting)
Re:Wow I thought everyone knew this... (Score:3, Informative)
That is most likely because your "competing" stores are different arms of the same conglomerate. Supervalu [wikipedia.org] and Ahold [wikipedia.org] are two of the largest, encompassing Albertson's, Stop & Shop, Giant, and several others. On top of this, the loyalty card databases may be maintained by an outside firm, who may combine the data across different chains into a superdatabase of every person who buys Watermelon
Man..... (Score:3, Insightful)
If you're telling me that my college gymnasium had better security than these places, then I am appalled.
Re:Man..... (Score:2)
It's one of my top movies to watch no matter how many times Comedy Central runs it. That last line is my favorite.
The other scene I like is when Jake goes to get his girl and he asks his friend where she and her date went.
"All I know is he got a room at the Sunrise Motel."
"Room number 6."
"It's the one right after the ice machine. If you hit the Pepsi machine, you've gone too far."
"Oh, and the door will definitely not be locked."
"That's all I know."
security (Score:3, Interesting)
Just a thought (Score:2)
The Man Trap (Score:5, Funny)
But, you forgot, after you beam down there could be an extremely attractive woman just waiting to suck all the salt out of you!
Re:Just a thought (Score:2)
Sadly, this post might get modded insightful...
Did the word "thought" escape your keyboard? (Score:4, Interesting)
It occurs to me that all this attention to security detail will come to naught in the Star Trek future - they could just use the transporter and beam into any secure area, all they need are the coordinates and blammo, they're in.
I refer you over to Larry Niven's essay, "The Theory and Practice of Teleportation", collected in All The Myriad Ways [amazon.com]; you'll probably need to check used bookstores or libraries for it. However, as my memory serves, he characterized that type of teleportation (both receive-to-device-from-anywhere and send-from-device-to-anywhere) as "you don't get a society, you get a short war".
Re:Did the word "thought" escape your keyboard? (Score:2)
And it could even be used as a weapon of war. Teleport someone's heart (and just their heart) 10 feet away from them, and see how long they live...
-b.
Easy full access (Score:5, Insightful)
Re:Easy full access (Score:2)
Re:Easy full access (Score:2)
The secondary fact that they could bring in a laptop and plug in anywhere demonstrates a TOTAL lack of insight into security. Most people assume that if you're inside you belong. Not just physically but by having live ethernet jacks everywhere that
Re:Easy full access (Score:2)
Re:Easy full access (Score:4, Funny)
Extraordinary transformation (Score:5, Interesting)
That this happened in this fashion 6 months after the initial (and hugely embarrassing) successful penetration reflects both the company's response and the quality of the security awareness training delivered to employees.
How many people, hand on heart, once they're out of the office, would turn round and come back for such a scenario?
Re:Extraordinary transformation (Score:3, Interesting)
A few years ago I worked at a company that issues SSL certificates. I'd already driven from home to the office for some scheduled after-hours work, and issued a cert as part of that work. I was almost back home again when I realized I'd left my ID token card in the cert-issuing computer.
Now, this machine was in a locked room which required ID card and PIN access, and even with the token card you had to fingerprint and password the computer. Nonetheless, I drove all the way across town
Bad Advice? (Score:4, Interesting)
Umm
If you've got someone who's in the middle of a criminal act
While it may be that most data poachers serious enough to break into a building aren't violent criminals
Spending the rest of the night duct-taped in a supply closet just doesn't seem like all that much fun to me
- Roach
Re:Bad Advice? (Score:3, Insightful)
But most of the time someone looking out of place has a good reason to be there, maybe a new guy or someone from another department or just some guy with a bad sense of direction. In those cases just talking to them will be enough.
Also most of the times this will be during regular office times when you outnumber them 10:1.
Late at night you are right of course, just call security.
Re:Bad Advice? (Score:2)
2 guys at 10pm when the building was pretty much cleared out? Oh, and I just happen to notice they slipped the door when someone was leaving (as in TFA)? Nope. Sorry, not my job. I'm going to smile and nod as I walk by then go pick up a phone
- Roach
Re:Bad Advice? (Score:2)
Re:Bad Advice? (Score:2)
It's late at night, and you see two guys slip a door when someone else exits.
They're
A) Co-Workers you don't know who both happened to forget their badges and need to be in the building after-hours.
B) 2 Upper Managers you don't know who both happened to forget their badges and need to be in the building after-hours.
C) Two guys who shouldn't be there.
Final Answer?
- Roach
Re:Bad Advice? (Score:5, Insightful)
Yes, it's not the situation in the article, but you bring up a very valid point:
Security Is For Everyone
You absolutely should call security on upper management, though you might want to do it from someone else's phone. Management, no matter what level, must respect the security measures, no matter how high they are. The CEO should have his ID card at the ready if he's in a secure facility. *hrupph*
Re:Bad Advice? (Score:3, Insightful)
Actually, that very egalitarian notion is likely to result in the dismantling of security procedures, depending on the workplace. I have a friend who worked for an AOL call center that had a man-trap up until the day that a senior VP got stuck in it due to a glitch that revoked his ID, causing him to be locked in and secured when he lacked credentials for entry.
Getting laughed at by underlings will cause nearly any office procedure to get revoked if the executive is high enough.
Re:Bad Advice? (Score:3, Interesting)
No, that is a sign of a company culture with far worse problems. If that is so where you work, put out your resume.
I worked at Intel for over a decade. "Employee only" technical and marketing data is published in serial numbered documents with a distinctive cover color. Every few months, the night shift guards walk the building confiscating secret documents that have not been locked aw
I swiped too (Score:2)
I'm not surprised as I've also tried this maybe 10 years ago into the bank ATM machine access - with a frequent flyer card. I was thinking, how in the world would the thing verify as other banks customers can use the mach
Reverse Scenario (Score:2, Funny)
Hard Core Intrusions (Score:2)
Security, you get what you pay for. (Score:5, Insightful)
I once entered the R&D area of a fortune 500 company using an ID that was printed on an ink jet printer and had my picture and the CIA logo on it. I was questioned and just flashed the card. That ended all questions.
When I was managing a computer company, I came back from lunch to find the lead chatting with a guy. The guy introduced himself as the fire marshal and the lead informed me that there was a Fire Inspection going on. The "Fire Marshal" told me I could not go into the back while the inspection was going on. I proceeded to enter the back to find the "Inspector" inspecting the computer equipment. Right out the back door!
The truth is that most people will not question you, provided you look like you belong and have some form of ID to back it up.
Now it is time to go to the uniform store and get a security guard uniform. I think I'll stand next to the night deposit box at the bank. Just to see how many people will give me their deposits when I tell them that the deposit box is broken and I am there to collect and secure their deposit.
Tabloid Alert (Score:3, Interesting)
Could they improve the ATM vestibule access? Sure. But would it do any good? I doubt it. Almost everyone has some sort of card that could reasonably be used in an ATM and a mugger can just get you when you walk out or force you in when you get out your card. Or they could use a stolen card.
Given the default security-settings and install options present on so much software, I suppose I shouldn't be surprised but I am still surprised that a system whose sole purpose is security would make it so easy to allow this sort of misconfiguration. That seems like an option you should be forced to request.
whatever (Score:2, Informative)
Re:whatever (Score:3, Insightful)
Not just electronics... (Score:2)
Doors with deadlock latch bolts can, with a good swift kick, be pushed far enough into the door jamb for the anti-jimmy mechanism to fall into the strike plate hole. From there, a credit card or thin k
security audit (Score:2, Insightful)
I worked in a "secure" government contracting facility for five years. As time passed, we had more and more security aud
"Kinda" similar but not really.... (Score:4, Interesting)
I now just carry one shopping card (Harris Teeter I think). It works at almost every store wherever I travel...CVS, Lowes Foods, Bi-Lo, etc. I just scan the card and it says "Welcome member".
And FYI. The ATM vestibules- big deal- they are all set to open on any magnetic reader, as most banks and credit card companies use different numbers of tracks, data types, and encryption. They don't want to "lock out" members of other banks and not get to charge them a $3.00 "convenience fee", so they let basically any card in. It's not like it gives you access to the ATM if you use a fake card, you just gain access to a vestibule full of video cameras. It's only made as a "deterrent".
Spelling/Grammer police- I did this from a mobile while in a meeting, I don't feel like jumping through hoops to use a spell check. Just bear with me for now.
RTFA (Score:5, Informative)
Maybe next time, instead of trying to get a first post by asking a question based solely on skimming the summary, you'll RTFA?
Re:RTFA (Score:2)
Re:RTFA (Score:2)
Re:RTFA (Score:3, Interesting)
Re:RTFA (Score:2)
Re:RTFA (Score:5, Insightful)
Re:RTFA (Score:3, Funny)
Yeah, that would suck. I guess you wouldn't be able to use the excuse "Sorry, I don't have any money on me at the moment."
Re:RTFA (Score:2)
Umm, maybe the same way the ATM checks for valid cards? (Though not being in the banking industry, I don't know if there's any way to verify an account number without having the PIN)
Re:RTFA (Score:2)
Wouldn't that be cool?
Re:RTFA (Score:5, Interesting)
There is no ATM or even credit card standard; it's just a unique identifier linked to your account in the bank's databases. You can use ANY magstripe card you have as an ATM card. Just go to the bank and ask them.
My bank did this for me when I lost my ATM card and needed cash. I went in, showed my picture ID, and they recorded my Student ID card as my ATM card. I could then stick it in an ATM and withdraw money. The guy explained that it was a lot faster than mailing me a new ATM card and that they could do it with any card that wasn't already linked to a bank account.
Re:RTFA (Score:2)
No library for YOU!!
Re:RTFA (Score:4, Funny)
Re:RTFA (Score:4, Informative)
There is no ATM or even credit card standard;
Yes there is, and has been for years. Banks derive a lot of income from the charges on other banks' customers using their machines, and their customers using other banks' machines, so it is in their interest to follow the standard. There is also a standard for magstripe cards, which is why you can encode your bank details on almost any magstripe card, often without interfering with what was there before (as long as it wasn't another bank card, or a non-standard card with non-bank information on track 2).
Re:RTFA (Score:5, Informative)
These standards aren't exactly handed out at the local book store, but they do exist. If the ATM inside the man-trap serves Star, CoOp, Plus, and so on type cards, the little reader outside could make sure that the card swiped was valid. If you stick your super market card into an ATM it doesn't try every bank it knows until it finds a match, it recognizes that the card is invalid. The little card reader could do that as well.
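The post above and the earlier one about the magstripe standard both make the same point: the reader on the vestibule door could validate the card the way the ATM inside does, instead of opening for anything with a stripe. As an added example (not code from the Dark Reading column, from any reader vendor, or from either poster), here is that check in Python over ISO/IEC 7813 track 2 data, beside the "any swipe opens the door" behaviour the thread describes. The accepted issuer prefixes, the "today" date and every sample swipe are constructed for the example; the PANs are test numbers, not real accounts.

```python
import re

# Track 2 per ISO/IEC 7813: ';' start sentinel, PAN of up to 19 digits,
# '=' field separator, YYMM expiry, 3-digit service code, discretionary
# data, '?' end sentinel. A loyalty card that merely has a stripe will
# usually not match this layout at all.
TRACK2_RE = re.compile(
    r"^;?(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\??$"
)

# Constructed allowlist: leading digits of the networks whose cards the ATM
# inside actually serves. A real reader would carry the full IIN table.
ACCEPTED_PREFIXES = ("4", "51", "52", "53", "54", "55")


def luhn_ok(digits: str) -> bool:
    """ISO/IEC 7812 Luhn check digit over the PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_track2(raw: str):
    """Return the track 2 fields, or None if the data is not a financial card."""
    m = TRACK2_RE.match(raw.strip())
    return m.groupdict() if m else None


def any_swipe_opens(raw: str) -> bool:
    """The misconfiguration the thread describes: any readable stripe opens the door."""
    return bool(raw.strip())


def vestibule_decision(raw: str, prefixes=ACCEPTED_PREFIXES, now_yymm="0703"):
    """Decision a validating reader would make: (open, reason)."""
    t = parse_track2(raw)
    if t is None:
        return False, "not a track 2 financial card"
    pan, exp, svc = t["pan"], t["exp"], t["svc"]
    if not luhn_ok(pan):
        return False, "PAN fails Luhn check"
    if not pan.startswith(prefixes):
        return False, "issuer prefix not accepted by this ATM"
    # Service code first digit: 7 = private-label/closed-loop only, 9 = test card.
    if svc[0] in "79":
        return False, "service code %s: no interchange" % svc
    if exp < now_yymm:          # YYMM compares correctly as a string
        return False, "card expired %s" % exp
    return True, "accepted"


# Constructed swipes (test PANs, not real accounts).
SAMPLE_SWIPES = {
    "bank card": ";4111111111111111=09121010000000000?",
    "loyalty card, bad check digit": ";1234567890123=9912101?",
    "luhn-valid but non-bank prefix": ";7000000000000005=0912101?",
    "closed-loop store card": ";4111111111111111=0912701?",
    "expired bank card": ";4111111111111111=0601101?",
    "not a financial card at all": ";987654?",
}


def run_samples(now_yymm="0703"):
    """Run every sample swipe through the validating reader."""
    return {name: vestibule_decision(raw, now_yymm=now_yymm)
            for name, raw in SAMPLE_SWIPES.items()}


if __name__ == "__main__":
    for name, raw in SAMPLE_SWIPES.items():
        print("%-32s any-swipe=%-5s validated=%s"
              % (name, any_swipe_opens(raw), vestibule_decision(raw)))
```

Every sample opens the door under `any_swipe_opens`; only the first passes `vestibule_decision`. The Luhn check alone is not enough (many loyalty schemes use it too), which is why the issuer prefix and service code checks carry the weight.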
Re: (Score:3, Informative)
Re:RTFA (Score:2)
Yet his basic point is valid - if any freaking card will open the door, and everyone has some kind of card, why have a door? Appearances? Why not have a door with a fake card reader? It would be cheaper and do the same thing.
Re:RTFA (Score:2)
And the sad part is, that is pretty poor security, since I've never seen a system whereby when there is a single ATM, the system keeps others from swiping their cards and entering while you're at the ATM. Anybody else ca
Re:RTFA (Score:2)
Re:RTFA (Score:3, Funny)
Free advertising for potential customers, too.
Re:Wtf (Score:2)
So yes, misconfigured. But such a configuration has its uses in some situations like, as in the example, ATM vestibules.
Re:Don't buy it.... (Score:5, Interesting)
Someone set up a test SQL server in the lab with access to the production network.
Since it's "just a lab box" the SA password was left blank.
at some point a domain admin logged into this box.
The security team accessed the box with the local SA account.
They got the LSASS password cache.
With that they got the Domain Admin account.
They used that to access a DC, got the SAM and used Rainbow crack with a 10gig pre-compiled hash DB to get 30 out of 35 domain admin accounts.
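The last step of that chain works because NT hashes are unsalted: one precomputed table, built once, answers every dump. As an added example (not the poster's tooling, and not RainbowCrack itself), the Python below builds a toy precomputed table from a constructed wordlist, runs it against a constructed dump of six domain-admin hashes, and then shows the same table against per-account salted hashes, where every salt forces the attacker back to hashing the wordlist afresh. SHA-256 stands in for MD4 (which many hashlib builds no longer ship); the account names, passwords and salts are made up for the example.

```python
import hashlib

# Constructed wordlist and mangling rules, a toy stand-in for a multi-gigabyte
# precomputed table.
BASE_WORDS = ["password", "welcome", "admin", "letmein",
              "summer", "company", "secret", "domain"]
SUFFIXES = ("", "!", "1", "123", "2007")


def candidates():
    """Yield every word in both capitalisations with every suffix (80 guesses)."""
    for w in BASE_WORDS:
        for form in (w, w.capitalize()):
            for s in SUFFIXES:
                yield form + s


def unsalted_hash(password: str) -> str:
    """Stand-in for the NT hash (MD4 over UTF-16LE, no salt). SHA-256 is used
    because MD4 is missing from many hashlib builds; the property the attack
    relies on, same password -> same hash on every machine, is unchanged."""
    return hashlib.sha256(password.encode("utf-16-le")).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    """The same scheme with a per-account salt prepended."""
    return hashlib.sha256(salt + password.encode("utf-16-le")).hexdigest()


def build_table():
    """Precompute once, reuse against every dump: the rainbow-table trade."""
    return {unsalted_hash(c): c for c in candidates()}


def crack_with_table(table, dump):
    """dump: account -> hash. Pure dictionary lookups, no hashing at crack time."""
    return {acct: table[h] for acct, h in dump.items() if h in table}


def crack_salted(dump_with_salts):
    """dump: account -> (salt, hash). The table is useless; each salt needs a
    fresh pass over the wordlist. Returns (cracked, hashes_computed)."""
    cracked, work = {}, 0
    for acct, (salt, h) in dump_with_salts.items():
        for c in candidates():
            work += 1
            if salted_hash(c, salt) == h:
                cracked[acct] = c
                break
    return cracked, work


# Constructed domain-admin accounts; plaintexts exist here only to build the dump.
ACCOUNTS = {
    "da-backup": "Welcome1",
    "da-sql": "password123",
    "da-helpdesk": "Summer2007",
    "da-lab": "admin!",
    "da-ops": "Letmein1",
    "da-ciso": "x7#Qp9!vZ2rL",
}


def demo():
    table = build_table()
    sam_dump = {a: unsalted_hash(p) for a, p in ACCOUNTS.items()}
    # Deterministic salts so the example is reproducible; real salts are random.
    salts = {a: hashlib.sha256(a.encode()).digest()[:8] for a in ACCOUNTS}
    salted_dump = {a: (salts[a], salted_hash(p, salts[a])) for a, p in ACCOUNTS.items()}

    from_table = crack_with_table(table, sam_dump)
    table_hits_on_salted = crack_with_table(
        table, {a: h for a, (_, h) in salted_dump.items()})
    salted_cracked, salted_work = crack_salted(salted_dump)
    return {
        "table_size": len(table),
        "unsalted_cracked": from_table,
        "table_hits_on_salted": table_hits_on_salted,
        "salted_cracked": salted_cracked,
        "salted_work": salted_work,
    }


if __name__ == "__main__":
    r = demo()
    print("table of %d hashes cracked %d/%d unsalted accounts: %s"
          % (r["table_size"], len(r["unsalted_cracked"]), len(ACCOUNTS),
             sorted(r["unsalted_cracked"])))
    print("same table against salted hashes: %d hits" % len(r["table_hits_on_salted"]))
    print("salted: %d cracked after %d fresh hash computations"
          % (len(r["salted_cracked"]), r["salted_work"]))
```

The weak passwords still fall under the salted scheme; what changes is that the attacker pays the hashing cost per account rather than once for all time, which is what a 10 GB table buys against an unsalted store. Since NT hashes cannot be salted, the defences that actually apply in the posted scenario are long passwords for privileged accounts, and not letting domain admins log on to lab boxes that cache their credentials.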
Re:Don't give British education a bad name, sonny. (Score:2, Funny)
Re:That's why... (Score:4, Funny)
Do they taste 50% better than M&M's?
Re:Password Safe (Score:3, Insightful)