
Card Locks Thwarted by Shopping Club Card

timothy posted more than 8 years ago | from the hmmm-not-so-good dept.

361

hal9000(jr) writes "A recent column ('Social Engineering, the Shoppers' Way') on darkreading.com shows how easy it is for a pen test team to walk into a supposedly secure facility using a shoppers club card because the man trap feature was enabled. Man-traps allow people to enter an outer door but not an inner door similar to ATM kiosks. Once inside, of course, they had the run of the place." Lessons: after writing down your password, eat your sticky notes rather than leave them on the monitor.


Wrong kind of trap (4, Funny)

HugePedlar (900427) | more than 8 years ago | (#15749889)

Should have used caltraps instead of mantraps.

Re:Wrong kind of trap (1)

Rachel Lucid (964267) | more than 8 years ago | (#15749916)

One, this is completely inane.

And two... it's caltrOps! And what would a bunch of tacks do to improve security anyway? I mean, sure, in a dungeon it'd work, but still...

Re:Wrong kind of trap (1)

Tackhead (54550) | more than 8 years ago | (#15750043)

> > Should have used caltraps instead of mantraps.
>
> One, this is completely inane.
>
> And two... it's caltrOps! And what would a bunch of tacks do to improve security anyway? I mean, sure, in a dungeon it'd work, but still...

And three, typos make the trapmaster cry. [elitemrp.net]

Re:Wrong kind of trap (3, Funny)

ozmanjusri (601766) | more than 8 years ago | (#15750068)

And what would a bunch of tacks do to improve security anyway?

You could nail the door shut.

Wtf (0)

Poromenos1 (830658) | more than 8 years ago | (#15749894)

Don't they actually CHECK the card? What, the system just read the card, saw it wasn't empty and let them in? That's like typing some stuff in the console and the OS logging you on. How did that happen?

RTFA (4, Informative)

MustardMan (52102) | more than 8 years ago | (#15749924)

TFA answers your question - most card reading entry systems have a feature which will allow any ATM card to open the door, because these systems are often used to secure ATM machines, and banks want people from other banks to be able to use their machine and pay the 2.00 service charge.

Maybe next time, instead of trying to get a first post by asking a question based solely on skimming the summary, you'll RTFA?

Re:RTFA (1)

Poromenos1 (830658) | more than 8 years ago | (#15749936)

Uhh, I did RTFA. Having a man-trap feature doesn't mean allowing everyone. It should still check for valid cards. Otherwise, they should have just left the door open.

Re:RTFA (1, Informative)

MustardMan (52102) | more than 8 years ago | (#15749985)

And how exactly should it check for valid cards? Should it have a record of every single ATM card on the planet? Should it know some sort of ID code for every single bank? Or, should it search for some string that's common in all ATM cards, and very well might exist in other cards, too, like, say, a grocery store discount card that carries personal information about its user?

Either way - you've made a gross assumption that is in no way backed up by any factual information, and phrased in such a way that, no matter what you insist, I doubt you did RTFA.

Re:RTFA (1)

Poromenos1 (830658) | more than 8 years ago | (#15749994)

Then, like I said: Leave the door open.

Re:RTFA (4, Insightful)

profet (263203) | more than 8 years ago | (#15750101)

They also don't want homeless people sleeping in the warm atm room.

Re:RTFA (1)

KDR_11k (778916) | more than 8 years ago | (#15750141)

The only purpose is to keep the bums from setting up home in there.

Re:RTFA (1)

Cheile (724052) | more than 8 years ago | (#15750354)

The other reason is that it would be highly uncomfortable and potentially very dangerous to have someone asking for money from someone getting money out of an ATM.

Re:RTFA (1)

ipfwadm (12995) | more than 8 years ago | (#15750050)

And how exactly should it check for valid cards?

Umm, maybe the same way the ATM checks for valid cards? (Though not being in the banking industry, I don't know if there's any way to verify an account number without having the PIN)

Re:RTFA (1)

Ryan Amos (16972) | more than 8 years ago | (#15750330)

The account number is not stored on the card, and there is no way to validate without a PIN. The number recorded on the card is meaningless without a database to link it to your real bank account.

Re:RTFA (1)

TheGreek (2403) | more than 8 years ago | (#15750162)

And how exactly should it check for valid cards?
Just imagine if only the data on the magnetic stripe of ATM, debit, and credit cards had a well-defined structure that allowed them to be read by different types of machines built by different manufacturers and used by different banks and processing companies.

Wouldn't that be cool?

Re:RTFA (0)

Anonymous Coward | more than 8 years ago | (#15750163)

Either way - you've made a gross assumption that is in no way backed up by any factual information, and phrased in such a way that, no matter what you insist, I doubt you did RTFA.

The article (and summary) describe it badly. The problem is that the card reader is in ATM mode.

A man-trap means that you can only open the inner door when the outer door is closed. You can still check for authorized cards at the inner & outer doors.
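The two behaviours separated in the comment above, modelled as an added example (not part of any comment in this thread and not any vendor's code): a two-door interlock whose reader either accepts any readable stripe or requires an enrolled badge, plus an audit that finds grants to cards nobody enrolled. The mode names, class names and card strings are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum


class ReaderMode(Enum):
    # Hypothetical names; real controllers label these settings differently.
    ANY_CARD = "any_card"        # vestibule style: any readable stripe unlocks
    ENROLLED_ONLY = "enrolled"   # stripe data must match an enrolled badge


@dataclass
class Door:
    name: str
    is_open: bool = False


@dataclass
class Mantrap:
    mode: ReaderMode
    enrolled: frozenset
    outer: Door = field(default_factory=lambda: Door("outer"))
    inner: Door = field(default_factory=lambda: Door("inner"))
    log: list = field(default_factory=list)   # (door, track data, decision)

    def _authorized(self, track: str) -> bool:
        if not track:                          # unreadable or blank stripe
            return False
        if self.mode is ReaderMode.ANY_CARD:   # the misconfiguration
            return True
        return track in self.enrolled

    def swipe(self, door_name: str, track: str) -> bool:
        if door_name == "outer":
            door, other = self.outer, self.inner
        else:
            door, other = self.inner, self.outer
        if other.is_open:
            # Interlock: never release one door while the other is open.
            decision = "deny_interlock"
        elif self._authorized(track):
            decision = "grant"
            door.is_open = True
        else:
            decision = "deny_card"
        self.log.append((door_name, track, decision))
        return decision == "grant"

    def close(self, door_name: str) -> None:
        (self.outer if door_name == "outer" else self.inner).is_open = False


def walk_through(trap: Mantrap, track: str) -> bool:
    """Present one card at both doors in order; True if it reaches the inside."""
    if not trap.swipe("outer", track):
        return False
    trap.close("outer")
    if not trap.swipe("inner", track):
        return False
    trap.close("inner")
    return True


def unenrolled_grants(log, enrolled):
    """Audit check: grant events for stripe data that was never enrolled."""
    return [e for e in log if e[2] == "grant" and e[1] not in enrolled]


if __name__ == "__main__":
    ENROLLED = frozenset({"BADGE-0001"})       # constructed sample data
    LOYALTY = "LOYALTY-9999"                   # constructed non-badge card

    weak = Mantrap(ReaderMode.ANY_CARD, ENROLLED)
    print("any-card mode, loyalty card enters:", walk_through(weak, LOYALTY))
    print("audit findings:", unenrolled_grants(weak.log, ENROLLED))

    strict = Mantrap(ReaderMode.ENROLLED_ONLY, ENROLLED)
    print("enrolled-only, loyalty card enters:", walk_through(strict, LOYALTY))
    print("enrolled-only, badge enters:", walk_through(strict, "BADGE-0001"))
```

The interlock and the card check are independent: the interlock still behaves correctly in any-card mode, which is why the audit over granted events is what exposes the weak setting.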

Re:RTFA (4, Interesting)

Ryan Amos (16972) | more than 8 years ago | (#15750296)

Actually, checking for a valid ATM card is impossible.

There is no ATM or even credit card standard; it's just a unique identifier linked to your account in the bank's databases. You can use ANY magstripe card you have as an ATM card. Just go to the bank and ask them.

My bank did this for me when I lost my ATM card and needed cash. I went in, showed my picture ID, and they recorded my Student ID card as my ATM card. I could then stick it in an ATM and withdraw money. The guy explained that it was a lot faster than mailing me a new ATM card and that they could do it with any card that wasn't already linked to a bank account.

Re:RTFA (1)

Billosaur (927319) | more than 8 years ago | (#15749951)

TFA answers your question - most card reading entry systems have a feature which will allow any ATM card to open the door, because these systems are often used to secure ATM machines, and banks want people from other banks to be able to use their machine and pay the 2.00 service charge.

And the sad part is, that is pretty poor security, since I've never seen a system whereby when there is a single ATM, the system keeps others from swiping their cards and entering while you're at the ATM. Anybody else can amble right in, peek over your shoulder, etc. Sure, there's a video camera, but it's usually set at an angle that allows it to only view the person standing at the machine, making it easy to stay out of range. The better ones have cameras mounted up high to capture all that's going on inside the booth.

Re:RTFA (1)

B11 (894359) | more than 8 years ago | (#15750181)

Wait, actually RTFA before posting, unpossible!

Re:RTFA (0)

Anonymous Coward | more than 8 years ago | (#15750266)

TFA answers your question - most card reading entry systems have a feature which will allow any ATM card to open the door, because these systems are often used to secure ATM machines, and banks want people from other banks to be able to use their machine and pay the 2.00 service charge.
How about you read the article again, then. He did not use an ATM card. He used a shopping card from a grocery store.

Re:Wtf (1)

HugePedlar (900427) | more than 8 years ago | (#15749927)

FTA: "We later learned that the door access system had been mistakenly set to use a feature called "man-trap," which enables banks to secure their ATM machines while allowing access to customers of other banks. Most magnetic stripe systems have this capability."

So yes, misconfigured. But such a configuration has its uses in some situations like, as in the example, ATM vestibules.

Re:Wtf (0)

Anonymous Coward | more than 8 years ago | (#15749941)

Like any ATM. It just checks that the card has a mag stripe on it. You can get into an ATM with a calling card, shoppers card, credit card, etc... anything with a magnetic stripe on it.

Attention! (-1, Offtopic)

Anonymous Coward | more than 8 years ago | (#15749908)

Attack robots, attack, kill them all.

Works for me (5, Interesting)

Knytefall (7348) | more than 8 years ago | (#15749923)

Where I work, one of my friends was able to use his shopper's club card to get access to doors he didn't have access to, but I did. I thought the odds of that happening must be astronomical, but apparently it's more common than I thought.

Just great. (5, Funny)

Rob T Firefly (844560) | more than 8 years ago | (#15749929)

And what's more, the security system added frequent shopper rewards to their card! Those lucky bastards are going to save so much money on their next purchases of orange juice and cat food.

Re:Just great. (1)

KDR_11k (778916) | more than 8 years ago | (#15750268)

They could use the huge savings to build a button that makes it snow on the beach!

insecurity 101 (5, Interesting)

digitaldc (879047) | more than 8 years ago | (#15749935)

Maybe...

1) Have a photo ID badge that is the only card that can be swiped to get in to the location
2) Install fingerprint readers and cameras for employees to gain entry
3) Lock all doors/locations not in use, & again use ID Badges and fingerprint readers to gain entry
4) Have all passwords on keychains updated every few minutes
5) And finally, have all employees meet regularly so they know each other by name and by face

Just a thought.

Re:insecurity 101 (1)

TractorBarry (788340) | more than 8 years ago | (#15750104)

I bet you've either never seen, or have forgotten, this story [theregister.co.uk] already.

Using fingerprints or other such biometric data to gain access to valuable resources is a very BAD idea. Until there's a sensor that can identify me, that I'm alive and well and not in any way stressed (no gun pressed into the small of my back etc. etc.) then the whole idea is a no no.

Re:insecurity 101 (4, Interesting)

Intron (870560) | more than 8 years ago | (#15750221)

One lab I consulted for had RFID badges so you just had to walk up to the door to unlock it. Saved the hassle of getting a card out every time. Employees were trained not to let two people through on one activation (except legitimate visitors) and had a bulletin board with a picture and name of every employee.

The most secure place I've been (bank IT center) had a vestibule that weighed you on the way in and out. If you were heavier or lighter, the door didn't open.

Re:insecurity 101 (1, Insightful)

Anonymous Coward | more than 8 years ago | (#15750374)

The most secure place I've been (bank IT center) had a vestibule that weighed you on the way in and out. If you were heavier or lighter, the door didn't open.
What if you used the bathroom while inside?

Re:insecurity 101 (4, Funny)

MountainLogic (92466) | more than 8 years ago | (#15750451)

Better get a receipt every time you go to the bathroom

Wrong use of the word man-trap (5, Informative)

petrilli (568256) | more than 8 years ago | (#15749939)

A man-trap, in the physical security world, is a "room" (loosely defined here) which has control points on both sides. Often you have to use two different forms of authorization, one for entry (i.e. a badge) and another for exit (biometrics, let's say). This allows it to *trap* anyone who tries to sneak through the system. What the article is really talking about is not a man-trap, but the anti-"bum" measures that banks use in many cities around ATMs inside a building. You have to put your ATM card into a slot, but it really doesn't read the card, it just verifies that you stuck a magstripe card into the slot. You then use your ATM card to access the ATM where it is presumably verified.

Setting anything in this method is absurd, and the physical security people should be fired on the spot for this kind of kindergarten mistake. While what likely happened is that it was turned this way when installed so that you could teach people to use it without having to deal with the slowdown of people actually being blocked, it's a bad way to behave, and shouldn't have been even turned on the first time this way. It may also be that, in fact, it was turned this way because of a problem with reliability of magstripe cards (they fail pretty regularly), and instead the system should have been converted to another form of identification -- Wiegand, RF proxy, etc.

Re:Wrong use of the word man-trap (1)

amliebsch (724858) | more than 8 years ago | (#15750006)

Interesting - I always heard of such a set-up being called a "sallyport."

Re:Wrong use of the word man-trap (1)

Daniel_Staal (609844) | more than 8 years ago | (#15750060)

The difference is whether you intend to go out or in via that door.

Re:Wrong use of the word man-trap (1, Funny)

Anonymous Coward | more than 8 years ago | (#15750087)

Ah...so a "man trap" traps a man (or woman I guess), which makes sense. What, then, does a booby trap do?

Re:Wrong use of the word man-trap (3, Funny)

MrNougat (927651) | more than 8 years ago | (#15750416)

What, then, does a booby trap do?


It would trap a particular kind of sea bird [artistwd.com], or a not very smart person [princeton.edu]. Or maybe it's something else entirely [castlerealm.com].

Re:Wrong use of the word man-trap (5, Insightful)

umghhh (965931) | more than 8 years ago | (#15750384)

It is indeed a major mistake. Firing the responsible technician on the spot as you suggest will not do anything to increase security however. After all persons responsible were able to act on information provided - next time this method did not work. We do not have such certainty about their replacement.

Not giving a chance for improvement is bad policy - the only thing it really does is alienate security people. It may be that next time they spot a similar mistake they will not fix it in any official way fearing consequences and this can create a bigger security problem than the one 'fixed' by firing squad.
Alienated guards are bad guards.

This is NOT a man trap (0, Redundant)

rbanzai (596355) | more than 8 years ago | (#15749958)

A man trap lets you into a vestibule but does NOT let you into the main area without authentication of some kind.

Don't buy it.... (1)

SlashDev (627697) | more than 8 years ago | (#15749959)

I may be naive but I personally don't buy this story, how did they get Admin privileges? What, the Admin had his password on a post-it note too?

Re:Don't buy it.... (1)

mainframemouse (740958) | more than 8 years ago | (#15750047)

Some admins are stupid enough to use their company name as the admin log in.

Or maybe used a password list

Other way could be social engineering to get a basic User's login and escalate your privalidges from there.

Vunriblities in software/services installed.

and 101 ways I wouldn't even think off.

Don't give British education a bad name, sonny. (1)

DrSkwid (118965) | more than 8 years ago | (#15750247)

Privileges
Vulnerabilities

Stick to low syllable count words if you can't hack it with the big boys !

Re:Don't give British education a bad name, sonny. (2, Funny)

mainframemouse (740958) | more than 8 years ago | (#15750290)

It's the side effect of living in the spell check generation. Besides, English is my second language. Gibberish is my first.

Re:Don't buy it.... (4, Interesting)

Pontiac (135778) | more than 8 years ago | (#15750245)

OK, here's an example from a recent pen test.

Someone set up a test SQL server in the lab with access to the production network.

Since it's "just a lab box" the SA password was left blank.

At some point a domain admin logged into this box.

The security team accessed the box with the local SA account.
They got the LSASS password cache.

With that they got the Domain Admin account.

They used that to access a DC, got the SAM and used Rainbow crack with a 10gig pre compiled hash DB to get 30 out of 35 domain admin accounts.

Re:Don't buy it.... (2)

Roody Blashes (975889) | more than 8 years ago | (#15750421)

You're not so much naive as you are lacking in creative thinking. Squishy internal security is not uncommon, especially if a company has devoted a large amount of time to securing things on the outside. A very hard external shell often creates a false sense of security whereby people fail to secure against directly connected internal attacks, or attacks (and mistakes) from regular users.

Bear in mind that they did not have to deal with trying to find vulnerabilities in external gateways and then try to wind their way into the center of the network, they STARTED in the center of the network.

The fact that they were even able to get a network connection on a foreign laptop immediately suggests to me that the system is configured in a dangerous way, probably to allow management types to bring in either personal or company laptops that they take home and on business with a low level of security but a high level of convenience.

Single Entry door or Man Traps (4, Informative)

nuggz (69912) | more than 8 years ago | (#15749962)

Man trap is a bit confusing.

They are likely referring to a single person entry door.
The problem I see is this may not suffice for disabled access.

At first I thought man-trap would be they lock you in if anything goes wrong, the problem here would be a potentially devastating liability if there is any injury.
Think about the lawsuit if someone got injured or killed (or mildly annoyed) if they were physically detained by an automated system.
The wikipedia article indicates this issue.
http://en.wikipedia.org/wiki/Man-trap [wikipedia.org]

Re:Single Entry door or Man Traps (0)

Anonymous Coward | more than 8 years ago | (#15750004)

To get out of the ATM mantrap, just remember the password - BOSCO

Re:Single Entry door or Man Traps (0)

Anonymous Coward | more than 8 years ago | (#15750297)

Think about the lawsuit if someone got injured or killed (or mildly annoyed) if they were physically detained by an automated system.

Very true. But you have to look at the corporation's (read: soulless, bottom-line driven entity) point of view.

Think about the stakes in terms of potential damage due to identity theft, data theft, loss of physical property and the ensuing class-action suits that follow. I'm willing to bet that a hefty settlement for a single injury/DnD lawsuit would be far more economical than letting that guy run amok inside your data warehouse (or whatever).

Re:Single Entry door or Man Traps (1)

Secrity (742221) | more than 8 years ago | (#15750365)

The man trap in TFA is not the same as the man trap as described in the Wikipedia and I find it a bit odd that the Wikipedia doesn't include an entry about the sort of man trap described in TFA. There are websites that sell man traps such as are described in TFA at http://www.secureaccessportals.com/ [secureaccessportals.com] and http://www.koubasystems.com/mantrapsys.html [koubasystems.com]

Once more, in English: (0)

Anonymous Coward | more than 8 years ago | (#15749963)

"A recent column (Social Engineering, the Shoppers' Way [darkreading.com] ) on darkreading.com [darkreading.com] shows how easy it is for a penetration team [wikipedia.org] to walk into a supposedly secure facility using a shoppers club card because the man trap was misconfigured. Man-traps allow people to enter an outer door but not an inner door similar to ATM kiosks. Once inside, they had the run of the place."

Re:Once more, in English: (0)

Anonymous Coward | more than 8 years ago | (#15750338)

Today is one of those days where I really wish I had mod points, so I could mod this up.

Just have someone carry a baby in carrier (5, Informative)

slam smith (61863) | more than 8 years ago | (#15749993)

My wife used to regularly get into my work buildings to meet me for lunch. You just need to carry a baby in a baby carrier and everyone will let you in.

Re:Just have someone carry a baby in carrier (1)

no_pets (881013) | more than 8 years ago | (#15750130)

Dressed as a pizza delivery man and carrying hot, aromatic pizza works, too.

Re:Just have someone carry a baby in carrier (1)

eln (21727) | more than 8 years ago | (#15750150)

Maybe it was because she was carrying a baby, or maybe it was because everyone recognized her as your wife because she was a regular visitor there. She should show up some time without the baby and see what happens. My suspicion is they'll let her in anyway because they recognize her by now.

Of course, if your office isn't a particularly high security environment, it may just not matter that much if someone unauthorized makes it in. In that case (as with most ordinary office buildings), the security is there mainly for show and/or to intervene when incidents occur, not necessarily to block access to ordinary people.

Other items that work well. (5, Interesting)

Demon-Xanth (100910) | more than 8 years ago | (#15750155)

Pretty much any type of tools. ESPECIALLY telephone buttsets. My dad worked for a phone company for a long time, and if he had a telephone buttset, nobody ever questioned his credentials, or took a second thought about letting him into anywhere in a building. Locked door? Just ask someone to open it for you!

Clipboard. If you got a clip board, people are AFRAID to question you. A coworker of mine visited a major plant once, and the employees mistook him for a CEO or something like that because he had a clipboard.

Suit and tie. People will assume you're a rep of a visiting company and will give you directions.

The best locks in the world won't do any good if someone trusted opens it for an attacker.

Re:Other items that work well. (4, Interesting)

tradiuz (926664) | more than 8 years ago | (#15750444)

Well abused tool belt with used tools (the one day my tools and tool belt were new and shiny, I had security ask for credentials 4 times, and have never been asked since).
Well abused hard hat with a contractor's name on it (Simplex/Grinnell works well, since 99.9% of everyone have a Simplex/Notifier fire alarm system in Houston).
Work worn blue jeans and t-shirt. Cover-alls also work.
Worn work boots.

What really scares me though, is that I had less resistance walking around Halliburton than I had walking around BMC Computers. Apparently, software code is behind better locks than radioactive material. I used to be a fire alarm tech, and went into the wrong building once, had security open the fire command center, and opened the panel before I realised that I was a block away from my intended destination. I put the panel back on, walked out, thanked security, and made haste to my original destination. This was very soon after 9/11, and security was stopping everyone with a suit and tie, but toolbelts got to walk past the metal detectors.

Re:Just have someone carry a baby in carrier (2, Informative)

YU Nicks NE Way (129084) | more than 8 years ago | (#15750188)

There was a famous theft in which a large number of antique chairs were stolen from an office in broad daylight during working hours, with the staff present.

The thieves drove up in a moving truck, wearing appropriate clothes, and explained that the chairs were being transferred to a different office. They presented "requisitions" to sign, got signatures, filled the truck, and drove away.

Re:Just have someone carry a baby in carrier (1)

SCHecklerX (229973) | more than 8 years ago | (#15750327)

Where I work, you just need to be on a bicycle. I even got waved through the guard shack on a day that our governor was on site and security was being more strict. I know it's not because they know me, because I normally drive.

Draw your own ID card (4, Funny)

Brix Braxton (676594) | more than 8 years ago | (#15749995)

I work in a secured building - it's a federally protected building right above a train hub and across from the Sears Tower. Anyway - security is similar to what was described - barely flashing anything that resembles a photo ID card with a splash of red on it is sufficient to get in. I keep fighting the urge to do it, but what I really want to do is just draw a half assed I.D. card with crayon and construction paper and see if it gets me through.

Re:Draw your own ID card (1)

Zemran (3101) | more than 8 years ago | (#15750315)

I used to enter a military base by just flicking my wallet open, sometimes it would be a photo of my wife that I was flashing at them but I was driving a car that they knew and they were not looking that closely. I did mean to show my ID but I often made a mistake that I did not realise until later. I have several cards and photos in the windowed section of my wallet and sometimes got it wrong but I was never stopped for that. Sometimes they would do the routine mirrors under the car bit and look under the bonnet etc. but the two never happened together.

Wow I thought everyone knew this... (4, Interesting)

Chineseyes (691744) | more than 8 years ago | (#15749996)

During the summers as a college job I used to work at an insurance company mailroom which housed a lot of paperwork with very personal information: SSNs, medical info, you name it, it was there. My fellow mailroom employees and I used to use CVS shopper cards to gain access to every room in the building when we had forgotten our ID cards at home. Also if you happen to have a shopper card for one grocery store it almost always works at a competing grocery store.

Man..... (2, Insightful)

Mayhem178 (920970) | more than 8 years ago | (#15749998)

In college we had palm scanners just to get into the student recreation center. There was a rumor flying about that they could be beaten by scanning the back of your hand instead of the palm. Turned out to not be true.

If you're telling me that my college gymnasium had better security than these places, then I am apalled.

Re:Man..... (0, Offtopic)

smooth wombat (796938) | more than 8 years ago | (#15750074)

then I am apalled.


No, this is appalling:

Her: "For once I wish a guy would take a dump on my chest."
Him: "That, is disgusting. I'm appalled. I can't believe no one has taken a dump on your chest."
Her: Looking soulfully into his eyes, "Would you be that man?"
Him: "It would be an honor and a privilege."

Yeah, yeah, mod me down as offtopic. Can I help it if I think of that scene when someone says they're appalled?

Besides, you know, it's funny. You would never suspect that everyone at this school is a professional dancer.

Re:Man..... (1)

Ryan Amos (16972) | more than 8 years ago | (#15750213)

What movie is that from? I recall seeing that scene in some bad teen sex comedy when I was in high school, I just don't remember which one.

Re:Man..... (1)

smooth wombat (796938) | more than 8 years ago | (#15750269)

Not Another Teen Movie

It's one of my top movies to watch no matter how many times Comedy Central runs it. That last line is my favorite.

The other scene I like is when Jake goes to get his girl and he asks his friend where she and her date went.

"All I know is he got a room at the Sunrise Motel."
"Room number 6."
"It's the one right after the ice machine. If you hit the Pepsi machine, you've gone too far."
"Oh, and the door will definitely not be locked."
"That's all I know."

Re:Man..... (0)

Anonymous Coward | more than 8 years ago | (#15750414)

I think you can officially call yourself the biggest fan of that movie. Personally, I thought it was an average effort with a few laughs. You are the first person I've seen actively quoting that film. Congrats, you're the president of the fan club.

Re:Man..... (0)

Anonymous Coward | more than 8 years ago | (#15750099)

You went to Rose? Or is this more common than I thought...

That's why... (0)

Anonymous Coward | more than 8 years ago | (#15750008)

"Lessons: after writing down your password, eat your sticky notes rather than leave them on the monitor."

I only buy 3M *flavoured* Post-It (TM) products.

Securi-licious!

skip the adverts/spamsite (1, Informative)

Anonymous Coward | more than 8 years ago | (#15750013)

Social Engineering, the Shoppers' Way

JULY 19, 2006 | 9:32 AM -- For years, the "card key" has been considered a reliable means of securing the enterprise from unauthorized visitors. In some cases, these cards also serve as identification, and when combined with smartcard technology, a form of network authentication. But if these cards are misconfigured or managed, they can be rendered useless -- as my penetration testing company recently proved.

About six months ago, a medical facility hired us to assess its information security as part of a HIPAA compliance effort. During a pre-assessment briefing, the customer indicated a concern about physical access to the building, which could lead to a compromise of the network.

The company asked us to attempt to circumvent the physical security system, gain access to the building, and retrieve as much information as we could. We agreed, pending the appropriate "get out of jail" arrangements in case we were caught and detained by the authorities.

This facility was a little different than our other HIPAA customers, which are usually insurance companies or hospitals. The target this time was a giant laboratory that performs tests on samples sent by physicians from all over the region. With the volume of healthcare data stored in the facility, we knew that getting inside and connecting to the network could yield a good deal of sensitive and valuable information.

Before we tried to get in, I scoped out the entry points, observed when people came and went, and looked for potential weaknesses in security. Although I couldn't spot any video surveillance, the building security seemed pretty solid; the primary entrance was guarded by a receptionist behind glass. Other doorway access points were secured by a magnetic card swipe system.

On the day we planned to get into the building, I decided to try the magnetic swipe system. In a worst-case scenario, I figured I could fumble my way in, acting as if my card had malfunctioned and asking an employee to open the door from the inside.

Without having an "official" magnetic access card to duplicate, I pulled every card with a magnetic stripe from my wallet, including my bank ATM card, a credit card, and a shopping card from a major grocery store. To my surprise, the first swipe from the shopping card opened the door.

Once inside, we knew that blending into the environment was going to be a necessity. I needed to get my colleague to a conference room to jack into the network and start port scanning, while I started looking for logins and passwords by flipping keyboards and pulling yellow sticky notes from monitors. We located a men's room that also served as a changing facility for employees. Conveniently, it also contained clean smocks and scrubs for us to use.

Now dressed in the appropriate attire, we started walking the facility. We located an empty conference room and commandeered it as our place to work. As my colleague jacked into the network and started scanning each address, I started moving through the facility looking for anything that could provide privileged network access.

Within minutes, I located workstations littered with sticky notes containing logins and passwords. Some even provided detailed information on which systems could be accessed. After collecting several logins and passwords, I made my way back to our conference room to use what I had found.

As soon as I walked into the room, my colleague indicated he was now a domain administrator with access to numerous systems as well. Our efforts led us to a significant find of HIPAA-rich information. After several hours, we had collected enough information for our report, and we casually exited the building through the same doorway we entered.

Back at our office, we immediately notified the customer of the security flaw in the magnetic card swipe system. We later learned that the door access system had been mistakenly set to use a feature called "man-trap," which enables banks to secure their ATM machines while allowing access to customers of other banks. Most magnetic stripe systems have this capability.

After we gave our report, the customer asked whether anyone challenged us, but in fact, no one had given us a second thought. In fact, several individuals gave us directions or answered questions. After hearing this, the customer made an unusual request: Would we show the employees what happened?

We usually document quite a bit of our security assessment work with video and digital images, so our entire break-in was easy to recreate in a presentation. We kept our tone upbeat -- we weren't out to make anybody look bad. Most of the employees reacted with surprise and said, "I remember seeing you, but since you looked like you worked here, I didn't bother questioning you." We advised them to look for a badge and question individuals who appear to be out of place.

We performed a follow-up assessment six months later, attempting access through the same doorway we had used previously. None of our cards worked this time, so we waited for an employee to leave, then used the open door to gain building access. We were inside again.

As we started through the hallways, however, we were confronted by the woman who had previously exited, allowing us entry. We immediately surrendered and asked her to call our contact inside the company. While we waited, she told us that she had gotten in her car and driven away, then realized what she had done. Immediately, she had gone back to the office to get security and find us.

Clearly, our presentation about network security and awareness had paid off for the customer. And we learned something as well: Building access security can be easily circumvented if improperly installed or configured. Now every security assessment we perform includes a social engineering component in which we test building access security. So far, we have not been able to recreate what happened at this customer's location, but over time we're pretty sure we'll see something like this again.

-- Steve Stasiukonis is VP and founder of Secure Network Technologies Inc. Special to Dark Reading
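The article above traces the break-in to a door reader left in a mode that accepts any card with a readable stripe. As an added example (not from the article or from any vendor's product), this Python code contrasts that mode with an enrolled-list check and audits a constructed controller log for grants to cards that were never enrolled; the log columns, mode names and badge numbers are assumptions.

```python
import csv
import io
import re
from collections import defaultdict

# ISO/IEC 7813 track 2 layout: ';' card number (up to 19 digits) '=' extra data '?'
TRACK2 = re.compile(r"^;(\d{1,19})=(\d*)\?$")

# Constructed sample data: enrolled badge numbers and a controller log export.
ENROLLED = {"100234", "100871", "101556"}
SAMPLE_LOG = """\
time,door,track2,result
2006-07-10T07:58:03,MAIN-LOBBY,;100234=0000?,GRANT
2006-07-10T08:01:47,LAB-EAST,;100871=0000?,GRANT
2006-07-10T09:14:22,LAB-EAST,;9999000011112222=0912101?,GRANT
2006-07-10T09:15:02,MAIN-LOBBY,;9999000011112222=0912101?,DENY
2006-07-10T09:40:10,LAB-EAST,;%%garbled,DENY
2006-07-10T17:30:55,LAB-EAST,;101556=0000?,GRANT
"""


def parse_track2(raw):
    """Return the card number from a raw track 2 string, or None if unreadable."""
    m = TRACK2.match(raw.strip())
    return m.group(1) if m else None


def decide(mode, raw, enrolled):
    """Model of a reader's decision in the two modes the article contrasts."""
    card = parse_track2(raw)
    if card is None:
        return False                  # nothing readable on the stripe
    if mode == "any_card":            # vestibule-style: any valid stripe opens
        return True
    return card in enrolled           # allowlist: only enrolled badges open


def audit(log_text, enrolled):
    """Map door -> list of (time, card) for grants to cards not enrolled."""
    findings = defaultdict(list)
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["result"] != "GRANT":
            continue
        card = parse_track2(row["track2"])
        if card not in enrolled:      # also catches grants on unreadable swipes
            findings[row["door"]].append((row["time"], card))
    return dict(findings)


if __name__ == "__main__":
    for door, hits in audit(SAMPLE_LOG, ENROLLED).items():
        for when, card in hits:
            print(f"{door}: un-enrolled card {card} granted at {when}")
```

A door that shows up in the audit output is granting on stripe presence rather than identity, which is the condition the customer in the article only learned about from the test team.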

security (4, Interesting)

hostylocal (827126) | more than 8 years ago | (#15750024)

physical security on most sites is a joke. at my last job i used to work for the u.k government and we had a running competition to see who could get past the security guard station with the most rediculous item. i think that the winner used a tin of sardines that looked nothing like the site pass, but was approximately the same shape. i used to use a cigarette packet most of the time. the mag swipes to enter various blocks did actually look for your pass number on a list of approved numbers however - but a large portion of these were left unlocked or propped open during warm periods. lh

Ridiculous (1)

DrSkwid (118965) | more than 8 years ago | (#15750274)

You're giving the Brits a bad name.

Re:Ridiculous (1)

mainframemouse (740958) | more than 8 years ago | (#15750457)

2 slashdotters are doing damage to the good name of Britain. What about all those MI5 operatives that leave their laptops in clubs and taxis, the police and health services that dump hard drives full of sensitive data and the general incompetence of the government?

Just a thought (1)

ch-chuck (9622) | more than 8 years ago | (#15750038)

It occurs to me that all this attention to security detail will come to naught in the Star Trek future - they could just use the transporter and beam into any secure area, all they need are the coordinates and blammo, they're in.

The Man Trap (4, Funny)

digitaldc (879047) | more than 8 years ago | (#15750073)

they could just use the transporter and beam into any secure area, all they need are the coordinates and blammo, they're in.

But, you forgot, after you beam down there could be an extremely attractive woman just waiting to suck all the salt out of you!

Re:Just a thought (1)

paladinwannabe2 (889776) | more than 8 years ago | (#15750082)

Ah, but they could shield secure areas, making transporter beam-ins impossible.

Sadly, this post might get modded insightful...

Re:Just a thought (1)

everett (154868) | more than 8 years ago | (#15750289)

I wonder if something akin to a Faraday cage could block the transporter beam.

Did the word "thought" escape your keyboard? (3, Interesting)

abb3w (696381) | more than 8 years ago | (#15750225)

It occurs to me that all this attention to security detail will come to naught in the Star Trek future - they could just use the transporter and beam into any secure area, all they need are the coordinates and blammo, they're in.

I refer you over to Larry Niven's essay, "The Theory and Practice of Teleportation", collected in All The Myriad Ways [amazon.com]; you'll probably need to check used bookstores or libraries for it. However, as my memory serves, he characterized that type of teleportation (both receive-to-device-from-anywhere and send-from-device-to-anywhere) as "you don't get a society, you get a short war".

At least it checked for a magnetic strip... (1)

ACorrosionOfDeviants (877893) | more than 8 years ago | (#15750048)

Some of the ATM doors in my city are even less secure than that, checking only that *something* has been inserted into the card slot. No magnetic strip required -- a piece of paper or thin cardboard will do.

Easy full access (4, Insightful)

nizo (81281) | more than 8 years ago | (#15750067)

I wonder how many companies screen the janitorial staff? Not only do they typically have full access to the building, but they are there after hours and can easily rummage around looking for usernames, passwords, and machines that are still logged in with administrator privileges. Heck they could bring a laptop in and connect directly to the internal network for that matter.

Re:Easy full access (1)

Rob T Firefly (844560) | more than 8 years ago | (#15750097)

Every office I've ever worked in which had card-level access also gave cards to the janitorial staff, and their usage of the cards was logged and tracked just like everyone else.

Re:Easy full access (0)

Anonymous Coward | more than 8 years ago | (#15750149)

So what? You missed the point entirely. Janitors are going to be going into pretty much every square inch of the building (even your server room is going to have to be swept occasionally) to do their job.

A rogue janitor can easily come in and take printed copies of internal technical specifications, scribbled passwords written on post-its, jack into the network, and etc.

I really chuckled at your post because it's so naive to miss such obvious possibilities.

Re:Easy full access (1, Interesting)

Anonymous Coward | more than 8 years ago | (#15750254)

So what? You missed the point entirely. Janitors are going to be going into pretty much every square inch of the building (even your server room is going to have to be swept occasionally) to do their job.


Where I work (I'm in an IT dept) we actually have to clean our own stuff unless we're there babysitting the janitors. The janitorial staff comes through once a week while we're there (yeah, a pain in the ass) but other than that we're "it". Only people directly in the IT food chain have physical access to the IT section of the facility (basically it's IT peons -> Director of IT -> VP of Operations -> Pres).

When I worked for the federal government I was located in a SCIF on a military base, and we had our own janitors, MPs, bean counters, etc. and they were all cleared for TS material. We even had a technical librarian and a small library in there!

I do understand that not every company can take such precautions, but your point is noted. Own the place physically with the most innocuous folks and you still own the place. Period.

Re:Easy full access (1)

tweek (18111) | more than 8 years ago | (#15750328)

That doesn't address what they do when they get inside. In fact most janitorial staff have more access than some employees. I can't get into a boss' office but the jan. staff have a key to empty his trash can because he can't be assed to leave it outside the door.

The secondary fact that they could bring in a laptop and plug in anywhere demonstrates a TOTAL lack of insight into security. Most people assume that if you're inside you belong. Not just physically but by having live ethernet jacks everywhere that don't have MAC restrictions or that aren't in a dead VLAN.

True someone could snag the MAC address that is always on the sticker on the back of an existing computer and spoof it but that's a whole different issue in itself.

Re:Easy full access (0)

Anonymous Coward | more than 8 years ago | (#15750438)

I did a demo of this, oh, 20 years ago to prove a point. I put on a set of "workman's blues" - aka a work uniform, with a company name (actual name of the company I worked for - but NOT the company in question) and MY real name on it, grabbed a tool bag, walked in, told the guard I had to go to "the machinery room" to work on the HVAC - and walked in - I had enough tools in there to physically break just about anything.

Came out, told the head of security what happened...

Remember - at that point, with a bit of skill (I've seen it done), you can swap out a lock cylinder or 2, and get the master key for the building....

Extraordinary transformation (4, Interesting)

Demerara (256642) | more than 8 years ago | (#15750075)

What's most amazing about the story is not that they got "made" second time round but that the woman who did so had left the building, started her car and began to drive away. She remembered what had happened, turned round and came back to shop the two pentesters.

That this happened in this fashion 6 months after the initial (and hugely embarrassing) successful penetration reflects both the company's response and the quality of the security awareness training delivered to employees.

How many people, hand on heart, once they're out of the office, would turn round and come back for such a scenario?

Bad Advice? (3, Interesting)

BrianRoach (614397) | more than 8 years ago | (#15750095)

FTA: We advised them to look for a badge and question individuals who appear to be out of place.

Umm ... how about, "Call security and tell them" instead?

If you've got someone who's in the middle of a criminal act ... is it wise to test just how much of a criminal they are?

While it may be that most data poachers serious enough to break into a building aren't violent criminals ... I'm not going to test that theory. Especially if it's late at night, I'm unarmed, and I'm outnumbered 2:1.

Spending the rest of the night duct-taped in a supply closet just doesn't seem like all that much fun to me :)

- Roach

Re:Bad Advice? (1, Funny)

Anonymous Coward | more than 8 years ago | (#15750159)

Spending the rest of the night duct-taped in a supply closet just doesn't seem like all that much fun to me :)

Some people pay good money for that kind of treatment. I mean, I've heard. Just sayin' is all.

Re:Bad Advice? (2, Insightful)

pe1rxq (141710) | more than 8 years ago | (#15750211)

Sure, you could have a security hit squad jump them.....
But most of the time someone looking out of place has a good reason to be there, maybe a new guy or someone from another department or just some guy with a bad sense of direction. In those cases just talking to them will be enough.
Also most of the times this will be during regular office times when you outnumber them 10:1.

Late at night you are right of course, just call security.

Re:Bad Advice? (1)

BrianRoach (614397) | more than 8 years ago | (#15750309)

Oh, I agree ... during the day when there's lots of people around and such, I'd have no problem approaching someone with a simple "Hey, are you looking for something/someone" type thing.

2 guys at 10pm when the building was pretty much cleared out? Oh, and I just happen to notice they slipped the door when someone was leaving (as in TFA)? Nope. Sorry, not my job. I'm going to smile and nod as I walk by then go pick up a phone :D

- Roach

Re:Bad Advice? (1)

alienw (585907) | more than 8 years ago | (#15750331)

Well, generally, in an office building, you don't just randomly call security on random people. It may have just been another co-worker, for instance. Hell, maybe it was an upper manager who was in a hurry and didn't want to get out his ID card. Even if it's a data poacher, it's not like they are going to stab you in the middle of a corporate lobby in the middle of the day.

Re:Bad Advice? (1)

BrianRoach (614397) | more than 8 years ago | (#15750380)

Sorry, I was responding in the context of the article. Silly me, I know.

It's late at night, and you see two guys slip a door when someone else exits.

They're ...

A) Co-Workers you don't know who both happened to forget their badges and need to be in the building after-hours.
B) 2 Upper Managers you don't know who both happened to forget their badges and need to be in the building after-hours.
C) Two guys who shouldn't be there.

Final Answer? ;)

- Roach

I swiped too (1)

grumpyman (849537) | more than 8 years ago | (#15750132)

Without having an "official" magnetic access card to duplicate, I pulled every card with a magnetic stripe from my wallet, including my bank ATM card, a credit card, and a shopping card from a major grocery store. To my surprise, the first swipe from the shopping card opened the door.


I'm not surprised as I've also tried this maybe 10 years ago into the bank ATM machine access - with a frequent flyer card. I was thinking, how in the world would the thing verify as other banks' customers can use the machine as well. Without the keypunch it probably didn't do anything other than verify it's a magnetic stripe.

Re:I swiped too (1)

generic-man (33649) | more than 8 years ago | (#15750349)

That's a pretty low-risk thing to get into an ATM area. Once you've passed through the man trap you're in a tiny camera-filled room with nothing more than a few ATMs. They only put that man trap in there to prevent bums from setting up camp in the ATM room.

Reverse Scenario (2, Funny)

ruben.gutierrez (913239) | more than 8 years ago | (#15750139)

I wonder if we can get mega-discounts at the grocery store if we use our card key in place of our club card?

Hard Core Intrusions (1)

BoRegardless (721219) | more than 8 years ago | (#15750220)

So just how secure do you think most corporations are to intrusions by intensively competitive foreign firms, like, shall we say those from Korea (Both), China, Taiwan and others, who have already figured out what college students (including the foreign students) had figured out 10 years before during their undergraduate work?

Wrong definition of man trap (0)

Anonymous Coward | more than 8 years ago | (#15750238)

The correct usage of man trap is
 
"The Man Trap was the first-aired regular season episode of Star Trek. In this episode, a landing party from the Enterprise beams down to perform an annual checkup..."

Password Safe (1, Insightful)

Anonymous Coward | more than 8 years ago | (#15750250)

Lessons: after writing down your password, eat your sticky notes rather than leave them on the monitor.

I disagree. Use a randomly generated password. Don't write down the password, and don't eat the sticky note (for health reasons etc bla bla). Use similarly random information for all of the "backdoor" passwords. Did you know that my mother's maiden name is, on occasion, Kwier5*Y? Then, copy all of that information into Password Safe (or any of its Mac or Linux clones).

Oh, and make backup copies of your database, to prevent the embarrassment of having to spell out your mother's maiden name to some call center bum in Bangalore.

Security, you get what you pay for. (4, Insightful)

Anon-Admin (443764) | more than 8 years ago | (#15750303)

Most security people are minimum wage. I see people talking about flashing cards and cans of food, etc. This is not a surprise.

I once entered the R&D area of a fortune 500 company using an ID that was printed on an ink jet printer and had my picture and the CIA logo on it. I was questioned and just flashed the card. That ended all questions.

When I was managing a computer company, I came back from lunch to find the lead chatting with a guy. The guy introduced himself as the fire marshal and the lead informed me that there was a Fire Inspection going on. The "Fire Marshal" told me I could not go into the back while the inspection was going on. I proceeded to enter the back to find the "Inspector" inspecting the computer equipment. Right out the back door!

The truth is that most people will not question you, provided you look like you belong and have some form of ID to back it up.

Now it is time to go to the uniform store and get a security guard uniform. I think I'll stand next to the night deposit box at the bank. Just to see how many people will give me their deposits when I tell them that the deposit box is broken and I am there to collect and secure their deposit.

Tabloid Alert (2, Interesting)

linuxwrangler (582055) | more than 8 years ago | (#15750310)

While on travel in Chicago a couple years ago I caught a "oh, isn't this dreadful" hand-wringing piece of journalism where they had "discovered" that even the transit card would open the door to the ATM. They trotted out stories of people who had been mugged after getting their money. So when back home I tried my BART card and it worked fine as well.

Could they improve the ATM vestibule access? Sure. But would it do any good? I doubt it. Almost everyone has some sort of card that could reasonably be used in an ATM and a mugger can just get you when you walk out or force you in when you get out your card. Or they could use a stolen card.

Given the default security-settings and install options present on so much software, I suppose I shouldn't be surprised but I am still surprised that a system whose sole purpose is security would make it so easy to allow this sort of misconfiguration. That seems like an option you should be forced to request.

whatever (1, Informative)

szembek (948327) | more than 8 years ago | (#15750424)

This summary made shit for sense.

Not just electronics... (1)

johnlcallaway (165670) | more than 8 years ago | (#15750430)

Many doors have locks that are not installed properly. Deadlocking latch bolts have an anti-jimmy mechanism (that little slidy thing on the door bolt) that won't let the bolt withdraw if they both aren't in the same position. When the door closes, this part of the lock remains outside of the hole for the bolt.

Doors with deadlock latch bolts can, with a good swift kick, be pushed far enough into the door jamb for the anti-jimmy mechanism to fall into the strike plate hole. From there, a credit card or thin knife is enough to open the door.

Many years ago, I was able to open the door at a secured facility for a friend of mine (who worked there and forgot his key) using this method. It only took a few seconds to recognize the problem and open the door. He thought it was wicked funny considering that he was testing some highly-sensitive jet fighter parts in the lab, a lab I wasn't supposed to have access to.

I didn't go in.....