
The Spy in Your Server Room

ScuttleMonkey posted more than 6 years ago | from the social-engineering-for-fun-and-profit dept.


CorinneI writes "Your business's private information may not be as safe as you think — especially when you take into account how many people pass through your office's revolving door on a daily basis. That's why many companies hire TraceSecurity employees to test the security of their systems — operations that usually involve TraceSecurity personnel talking their way into offices in order to gain access to server rooms and sensitive customer information. PC Magazine was invited along to cover a recent TraceSecurity operation."

120 comments

Eh? (5, Insightful)

ScorpFromHell (837952) | more than 6 years ago | (#21243443)

Is this an ad or an article?

Re:Eh? (0, Redundant)

rucs_hack (784150) | more than 6 years ago | (#21243523)

Is this an ad or an article?

It reads like an Advert. I wonder....

Re:Eh? (0)

Anonymous Coward | more than 6 years ago | (#21243787)

{{db-spam}}

Re:Eh? (1)

vought (160908) | more than 6 years ago | (#21244827)

TraceSecurity...the shining star of Baton Rouge's burgeoning information technology industry.

A city of paranoiacs with a single successful computer-related company...why am I not surprised?

Re:Eh? (1)

tonyreadsnews (1134939) | more than 6 years ago | (#21245299)

Really, I thought the article read more like an old movie plot.

Increased security in recent years means TraceSecurity personnel are trying to get past "guys with machine guns."

I wonder if they get extra pay for that...

CmdrTaco (4, Interesting)

u38cg (607297) | more than 6 years ago | (#21243795)

When you say you refuse to allow advertising masquerading as articles, I believe that's your intention, but really - what else is this?

Re:CmdrTaco (0)

Anonymous Coward | more than 6 years ago | (#21243903)

I don't know where Taco stated that, but if he did he is obviously just pandering to the anti-business types who frequent Slashdot.

He posted a series of articles dedicated to the band They Might Be Giants, which were the first obvious paid ads masquerading as stories that I remember seeing. Not more than a few days have passed without a Slashvertisement since then.

I think the readership would be fine with it if he'd just be more open about it. Slashdot has bills to pay just like any other web site.

Penetration testing is next to useless (3, Insightful)

David_Hart (1184661) | more than 6 years ago | (#21244055)

For most companies, physical penetration testing is next to useless. Why? Because management expects IT and employees to act as security guards. IT is the gatekeeper of your digital information, not your physical hardware. If you want a physically secure facility, hire security personnel. Tailgating can be easily solved by having security guards present at each key card entrance, forcing each person to badge in. Otherwise, it is just a show put on by management to get funding for more security toys.

David

Re:Penetration testing is next to useless (2, Insightful)

mOdQuArK! (87332) | more than 6 years ago | (#21244185)

For most companies, physical penetration testing is next to useless. Why? Because management expects IT and employees to act as security guards.

Which is a good reason for physical penetration testing: to throw management's assumptions in their face.

Re:Penetration testing is next to useless (-1, Troll)

Anonymous Coward | more than 6 years ago | (#21244631)

And then TraceSecurity performed the ultimate in penetration testing: they pulled my pants down and fucked me in the ass. Management was horrified that their IT department was so easily penetrated. TraceSecurity even allowed management to try the penetration test for itself. Pretty soon, everyone, even TraceSecurity, were gleefully penetrating everything within earshot.

- excerpt from CmdrTaco's diary

Re:Penetration testing is next to useless (1, Interesting)

Anonymous Coward | more than 6 years ago | (#21244321)

My university (in central London) just installed revolving doors at some entrances to reduce tailgating. In peak hours they're like normal revolving doors, but outside those times (i.e. evening, night, weekends) you have to unlock the door with a university ID card. Each wave of the card lets only one person through, you can't tailgate -- the door locks, and you can only go back out. I don't know how successful they'll be at reducing tailgating (there used to be card-activated sliding doors), but I think they'll be effective.

Re:Penetration testing is next to useless (1)

pthor1231 (885423) | more than 6 years ago | (#21244557)

That is a very similar concept to other high security places I have been in, except usually it's revolving metal bars, so you couldn't even really break them if you wanted to.

Re:Penetration testing is next to useless (1)

xaxa (988988) | more than 6 years ago | (#21245569)

I'm pleased we just have glass doors -- it would look too much like a prison otherwise!

There were probably fire regulations against something that secure too -- I was in the building late-ish at night a month ago when it caught fire (minor-ish), and the four panels that made up each revolving door folded around next to each other to leave plenty of space to walk out easily.

Re:Penetration testing is next to useless (1)

pthor1231 (885423) | more than 6 years ago | (#21246041)

Hehe, my thought when I first saw the metal bar style turnstile was that it was a prison.

Re:Penetration testing is next to useless (1)

GregNorc (801858) | more than 6 years ago | (#21246177)

My father worked for a large federal agency with just such a system. All I had to do was say his name and I was his son, and I got in. This was not when I was young either - I was 18 and a senior at the time, and had never visited him at work before. Security guards can get just as lax as employees.

Re:Eh? (0)

Anonymous Coward | more than 6 years ago | (#21244295)

>Is this an ad or an article?

hint: SETEC ASTRONOMY

Re:Eh? (5, Funny)

blincoln (592401) | more than 6 years ago | (#21244417)

Is this an ad or an article?

According to TraceSecurity, advertisements on Slashdot often masquerade as articles. That's why many Slashdot members hire TraceSecurity to validate their contents before reading them. This message brought to you by TraceSecurity: Tracing your Security so that you can be secure in the knowledge that your Security is Traced.

Re:Eh? (1)

Hoi Polloi (522990) | more than 6 years ago | (#21245311)

What was TraceSecurity's website again? And just why are their rates so damn affordable?

Re:Eh? (1)

xorbe (249648) | more than 6 years ago | (#21244497)

They called tech workers with lesser social skills "booger-eaters"!

Re:Eh? (1)

Tim C (15259) | more than 6 years ago | (#21244777)

Oh come on, the submitter's name is linked to PC Mag's website fer crying out loud. This has advert written all over it - the only question is which company (PC Magazine or the pen testers) paid the most for it.

Re:Eh? (0)

Anonymous Coward | more than 6 years ago | (#21246079)

I imagine it was purchased as a package. PC Magazine no doubt has some price structure that will let a company buy an 'article' with various options, one of which is front page at Slashdot. (Slashdot and PC Mag having settled on the cost of that in some prior negotiations)

Really, this is a good deal all the way around. PC Magazine can buy Slashvertisements in bulk and Slashdot scores a nice high volume customer.

Slashvertisement! (5, Insightful)

b96miata (620163) | more than 6 years ago | (#21243445)

This summary could have conveyed all the necessary information quite easily and been just as valid by replacing "TraceSecurity" with the more generic "penetration testing company". Enjoy your plug guys!

Re:Slashvertisement! (1)

syrinx (106469) | more than 6 years ago | (#21243653)

That would have required effort on the part of the submitter: the summary is cut and pasted right out of TFA.

So I'm not sure if it's a Slashvertisement, or a PCMagvertisement + lazy submitter.

Re:Slashvertisement! (1)

Creepy Crawler (680178) | more than 6 years ago | (#21243723)

I've got a penetration testing company, and I'm the CEO.

Cause I'm da pimp!

Re:Slashvertisement! (0)

Anonymous Coward | more than 6 years ago | (#21245257)

I prefer to penetrate via the backdoor. Hey now!

Re:Slashvertisement! (0)

Anonymous Coward | more than 6 years ago | (#21245671)

I can tell, the mauve triangle icon appeared on my system tray. However, my kernel has CCR5 enabled. Please keep your retroviral code to yourself.

Re:Slashvertisement! (4, Informative)

GroeFaZ (850443) | more than 6 years ago | (#21243741)

I agree. TFA packaged the company's name 48 times in exactly as many mostly one-sentence paragraphs. Yes, I did count. PCMAG should disclose, did they ask that company for help in that report, or was it the other way around?

Re:Slashvertisement! (3, Interesting)

Anonymous Coward | more than 6 years ago | (#21244375)

Yep. This poster created a brand new user id (CorinneI) and linked it directly to www.pcmag.com, too. What a crock.

I bet the tag along went real well (-1, Redundant)

Anonymous Coward | more than 6 years ago | (#21243449)

"Who are you? Why are all those people in PC Magazine jackets following you? And why are they taking pictures?"

Re:I bet the tag along went real well (0)

Anonymous Coward | more than 6 years ago | (#21247181)

RTFA, dumbass.

Server room? (2, Insightful)

sm62704 (957197) | more than 6 years ago | (#21243467)

If you have trade secrets on your web server, the spy is the least of your problems.

OK, bad joke, I know we're talking about the file server here, but why would a spy be in the server room? Wouldn't he be a lot less noticeable logging in from an empty office? Or better yet, an empty office whose owner has just left his machine for the rest room?

What do you mean, RTFA? This is slashdot, we don't need no FAs!

-mcgrew

Re:Server room? (1)

cpaalman (696554) | more than 6 years ago | (#21243797)

Getting some alone time in a server room for a couple of minutes is plenty to drop in a wireless access point that has SSID broadcast turned off (no sense in tipping your hand if someone sees a new SSID appear), and then spend the rest of your time in a van within range playing on the local LAN.

Re:Server room? (1)

corsec67 (627446) | more than 6 years ago | (#21244173)

Or you could be sneakier and use a powerline ethernet extension, since they aren't very common not many people would look for one. I don't know how well that would work, since I don't use them either.

Social Engineering (2, Insightful)

duplicitious (987818) | more than 6 years ago | (#21243471)

Old con, it shows how trusting people can be, but shouldn't.

They must be good (5, Funny)

Sockatume (732728) | more than 6 years ago | (#21243473)

They managed to walk right into the front page of Slashdot with no resistance whatsoever.

Seatech Astronomy (0)

Anonymous Coward | more than 6 years ago | (#21243537)

Which is an anagram of Slashvertisement.

Re:Seatech Astronomy (1)

Sockatume (732728) | more than 6 years ago | (#21243651)

If the company was called "Seatech Astronomy", you'd have a really amazing joke there.

Re:Seatech Astronomy (0)

Anonymous Coward | more than 6 years ago | (#21243679)

Nitpick: Setec Astronomy.

Re:Seatech Astronomy (1)

andreyvul (1176115) | more than 6 years ago | (#21243717)

there is no 'v' in Seatech Astronomy, therefore you are incorrect.

Re:Seatech Astronomy (1)

afabbro (33948) | more than 6 years ago | (#21246201)

Sorry, it's not...but try again here [wordsmith.org].

Sneakers (4, Funny)

underwhelm (53409) | more than 6 years ago | (#21243543)

The article is ok... but the movie adaptation is a thrill ride!

Re:Sneakers (1)

martin_b1sh0p (673005) | more than 6 years ago | (#21244727)

Great! Thanks a lot! Now everyone knows what my nick means...

Blech (1)

Lurker2288 (995635) | more than 6 years ago | (#21245043)

A thrill ride? I thought it had too many secrets.

Waste of kilobytes (2, Insightful)

Major Blud (789630) | more than 6 years ago | (#21243577)

This article was a complete waste of time. No details were laid out for us; my favorite was when they said they "could have" plugged in a wireless access point to the server rack. Without actually trying it, they didn't prove dick... for all we know their network may not have allowed unknown MAC addresses. It was all a bunch of "we could have" done this, or "could have" done that. Just do it for god's sake! Just walking into the server room and putting stickers on a server doesn't prove that you actually could have walked off with it. Just saying that you "could have" disabled the alarm system doesn't really mean that you wouldn't have caught someone's attention.

Re:Waste of kilobytes (1)

Ragein (901507) | more than 6 years ago | (#21243759)

The company might not have allowed them to test this far, remember they are testing clients not actually ripping the place off.

Moderated -1 "Blatant advertising" (4, Informative)

Bagheera (71311) | more than 6 years ago | (#21243589)

Penetration testers doing their job: Film at 11.

Seriously, while it's not an entirely bad article on a penetration test, this is nothing but a shameless plug.

Re:Moderated -1 "Blatant advertising" (4, Funny)

spun (1352) | more than 6 years ago | (#21243861)

Penetration testers doing their job: Film at 11.
Normally, CineMax doesn't show that type of film until after midnight...

#1 cause is underpaid IT staff. (3, Interesting)

Lumpy (12016) | more than 6 years ago | (#21243647)

First, server room access should be limited to a very short list, and nobody on that list should be so underpaid they would stupidly let someone in there without at least 2 sets of eyes on them.

All they prove is that IT departments are not only underpaid but under staffed.

the second thing they prove is that the security staff is also underpaid and understaffed. Sorry but my first shot is to ask what company they are from, then google it to find the phone number. I never call the number given by the person or on their badge or paperwork.

There are lots of other ways. Also, you don't need access to the server room to install a rogue AP and gain a wireless cracking point. One hidden nicely under a desk in the 2nd floor corner office is a better place.

Re:#1 cause is underpaid IT staff. (3, Interesting)

Aladrin (926209) | more than 6 years ago | (#21243841)

"I never call the number given by the person or on their badge or paperwork."

Would you similarly distrust the number given to you from the email that was sent and appeared to be from management? I know I would assume that if the number differs from the public one on the web, it's because we have a corporate plan and have priority support from them. I -do- distrust anyone who claims to be X and give me the phone number to prove it. WAY too easy to fake.

"There are lots of other ways. also you don't need access to the server room to install a rogue AP and gain a wireless cracking point. one hidden nicely under the a desk on the 2nd floor corner office is a better place."

You do if the network is secured properly. Especially if they bothered to have 2 networks.

Re:#1 cause is underpaid IT staff. (1, Insightful)

Anonymous Coward | more than 6 years ago | (#21243941)


You do if the network is secured properly. Especially if they bothered to have 2 networks.

Access point running OpenWrt: clone the executive's PC's MAC address, then set it up to transparently allow the executive to work just fine, and open up ports for remote access that the IT guys will probably use. Now it looks like the executive's PC is online and happy. Your computer connected wirelessly looks like it's the executive's PC as well. Start your escapades... you have remote control over the AP so you can adjust things at will.

Even if you have it tight as a drum, whatever that executive has access to the intruder does as well. Hell, he can even set it to sniff all traffic and snag the executive's data to sniff out the username and password easily. Look, all the financial records are wide open, as well as business plans etc....

You can't "protect" from that short of regular security sweeps.
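An added example, not from this thread or the PC Magazine article, of what such a "regular security sweep" can look for. The inline-AP trick above leaves the executive's MAC and IP on the wire, so a switch MAC-table comparison shows nothing new. What does leak is that two different machines are now speaking from one MAC: the real PC sends with its operating system's initial IP TTL, while traffic NATed or routed through the attacker's box arrives with a different TTL (one hop lower, or a different OS default) or from a second source IP. The packet records, MAC addresses and IPs below are constructed for the example, and the `Packet` field names are this example's own.

```python
"""Passive sweep for a rogue box hiding behind a legitimate host's MAC address.

Added example, not from the thread or the article. Packet records are constructed.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple


class Packet(NamedTuple):
    src_mac: str
    src_ip: str
    ttl: int


# Common initial TTL values; a directly attached host should always send exactly
# one of these, never a decremented one.
INITIAL_TTLS = (64, 128, 255)


def initial_ttl(observed: int) -> int:
    """Round an observed TTL up to the nearest common initial value."""
    for base in INITIAL_TTLS:
        if observed <= base:
            return base
    return observed


def sweep(packets: Iterable[Packet]) -> Dict[str, List[str]]:
    """Return {mac: [reasons]} for MACs whose traffic looks like more than one host."""
    ips = defaultdict(set)
    ttls = defaultdict(set)
    for p in packets:
        mac = p.src_mac.lower()
        ips[mac].add(p.src_ip)
        ttls[mac].add(p.ttl)

    findings: Dict[str, List[str]] = {}
    for mac in ips:
        reasons = []
        if len(ips[mac]) > 1:
            reasons.append(f"several source IPs on one MAC: {sorted(ips[mac])}")
        families = {initial_ttl(t) for t in ttls[mac]}
        if len(families) > 1:
            # A Windows box (128) and a Linux box (64/63) are both claiming this MAC.
            reasons.append(f"TTLs from different OS families: {sorted(ttls[mac])}")
        elif len(ttls[mac]) > 1:
            # Same OS family, different hop count: something is routing behind this MAC.
            reasons.append(f"TTL varies for a directly attached host: {sorted(ttls[mac])}")
        if reasons:
            findings[mac] = reasons
    return findings


# Constructed capture: the executive's Windows PC (TTL 128), the attacker's Linux
# laptop NATed through the rogue AP (64 minus one hop = 63), and one clean host.
SAMPLE = [
    Packet("00:11:22:33:44:55", "10.0.5.20", 128),
    Packet("00:11:22:33:44:55", "10.0.5.20", 128),
    Packet("00:11:22:33:44:55", "10.0.5.20", 63),
    Packet("aa:bb:cc:dd:ee:ff", "10.0.5.21", 64),
]

if __name__ == "__main__":
    for mac, reasons in sweep(SAMPLE).items():
        print(mac, "->", "; ".join(reasons))
```

Run over a short capture window from a SPAN port. A VM in NAT mode on the executive's own laptop, or a DHCP lease change inside the window, produces the same signature, so treat hits as triage leads rather than proof. Port-based 802.1X does not stop a transparent bridge inserted after the real host has authenticated; MACsec (802.1AE) on the access port is the wire-level answer.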

Re:#1 cause is underpaid IT staff. (1)

megaditto (982598) | more than 6 years ago | (#21245647)

Wouldn't most places use VPN encryption these days?

Re:#1 cause is underpaid IT staff. (1)

Rakishi (759894) | more than 6 years ago | (#21246139)

VPN is for external connections (and even that may be crackable depending on the implementation), generally local network traffic is not encrypted (as they assume it is physically secure).

Re:#1 cause is underpaid IT staff. (0)

Anonymous Coward | more than 6 years ago | (#21246449)

VPN for the wireless is what the poster means -- I have seen this a number of places, where even the internal wireless network is considered untrusted just like the internet and therefore any wireless access to the main (wired) network and internal servers happens over a VPN, just like access from offsite.

Re:#1 cause is underpaid IT staff. (2, Interesting)

surprise_audit (575743) | more than 6 years ago | (#21243897)

Around here, even people *on* the access list don't get to go into the server room without a phone call to the guard from elsewhere in the building. Heck, you can't even get into the building without an access card, or someone going to the guard shack to check you in.

On the other hand, it wouldn't be too hard for a disgruntled IT worker to set up a WAP for someone to gain access, but I suspect the signal would be a bit hard to pick up through concrete walls and across 500 feet of parking lot...

Re:#1 cause is underpaid IT staff. (1)

JPriest (547211) | more than 6 years ago | (#21244597)

Not everyone is that secure, and just because a company is secure in some areas does not mean there aren't any weak links.

Re:#1 cause is underpaid IT staff. (1)

dreamer-of-rules (794070) | more than 6 years ago | (#21246551)

I suppose the normal router you'd pick up at Best Buy wouldn't reach that far, but specialty devices might be able to breach the walls and reach a publicly available spot. Remember the bluetooth hacking experiments last year? They were able to hack into a bluetooth phone from a range of 1 mile. With custom transmitter on the inside and a custom receiver on the outside, cement walls probably won't be an insurmountable problem.

Re:#1 cause is underpaid IT staff. (2, Insightful)

pikine (771084) | more than 6 years ago | (#21244243)

the second thing they prove is that the security staff is also underpaid and understaffed. Sorry but my first shot is to ask what company they are from, then google it to find the phone number. I never call the number given by the person or on their badge or paperwork.

It probably wouldn't be very difficult to set up a rogue website. Since TraceSecurity bothered to prepare for the operation a week in advance, even printing a custom designed magnetic plaque to brand their rented car, there is ample time for Google to pick up the website. It doesn't have to be the highest page ranked for pest control because you'll be searching for the company's name.

Visitors should never be left unattended, but it is often impractical to deposit an employee for watching whenever there is a visitor. Notice there is a difference when the visit is solicited: there is someone inside the company who initiated the visit, so let him be responsible. In the case of a legitimate visit by pest control, someone inside the company must have called them over, so it is also his job to attend the pest control or at least appoint someone to attend them. There should be some way inside the company to figure out who is the host of a visitor, then make the host accountable.

Re:#1 cause is underpaid IT staff. (1)

AndrewM1 (648443) | more than 6 years ago | (#21247587)

The problem with this is that it's vulnerable to exactly what they did: faking an email. The penetration testers, a few days before their visit, sent an email forged to look like it was from senior management informing people about this. Now, it looks like the senior manager initiated the visit, though he has no clue. It's a bad idea to rely on the idea that "whoever initiated the visit should be responsible for watching them" - what happens if the security guard just sent them on their way, while assuming that the blissfully ignorant senior executive will have someone watching them?

You need a consistent policy to apply to all visitors; one which doesn't rely on assuming someone else will take care of the problem.

Locks! (1)

techpawn (969834) | more than 6 years ago | (#21243675)

Come on people, if there is a lock on the door and you know the people with the key to the room, the chances of needing a slashvertisement like that decrease and knowing who has physical access to your servers increases...

Re:Locks! (2, Insightful)

Lumpy (12016) | more than 6 years ago | (#21243733)

Actually, we use the insecure proximity cards for access, but we also have motion sensors in the server room that set off a blinking light in the IT offices whenever someone is in the room. When we see the blinky, most of us usually flip over to look at the plasma on the wall showing the camera, or we simply connect to one of the Axis cameras in the room and see what is up.

If it's not one of the 5 people that are allowed in there, call security and have them meet you at the door.

Really simple. But it's money spent that is better spent on an executive's custom desk or office remodel.

Re:Locks! (1)

spun (1352) | more than 6 years ago | (#21248423)

Huh. Is that what passes for security these days? We keep our servers in a darkened cellar with no stairs, in a locked filing cabinet in a disused lavatory marked 'Beware of the Leopard." So far that's kept out everyone but this one English bloke...

Oh Please (2, Insightful)

TheBrutalTruth (890948) | more than 6 years ago | (#21243697)

While a relevant article (to some, I guess), the summary IS a shameless plug - even if not intended.

Editors: For the sake of credibility, please consider before you post. Unless you would consider my story about a bridge in Brooklyn I have for sale, then I might reconsider my position.

TF2 (0)

Anonymous Coward | more than 6 years ago | (#21243725)

Spy's sappin my dispenser!

Auto-Hack 2000 (3, Insightful)

nsanders (208050) | more than 6 years ago | (#21243817)

TraceSecurity could have gone one step further and uploaded its software onto the financial institution's system with the discs. A signal would then be sent to TraceSecurity computers, which could access the system remotely.

So by placing the CD-ROM in a computer, it will automatically hack whatever OS the computer is running and auto install your software? Or are you implying that this company left server consoles logged in as an admin user?

I call major bullshit on this article. There's some real iffy stuff here as pointed out by other /.'ers as well. I get that it's all about social engineering, which is a huge problem. But some of their claims are a little too out there. Like saying they "could" have done this, or "could" have done that. Well you don't know that you really could until you try it. Most of our environments here have NO Internet access. It is entirely firewalled going out. Does your magic CD-ROM also auto-hack their firewalls too?

Re:Auto-Hack 2000 (1)

wattrlz (1162603) | more than 6 years ago | (#21243913)

I just thought they assumed the, "financial institution" in question was running windows.

Re:Auto-Hack 2000 (1)

Aladrin (926209) | more than 6 years ago | (#21243979)

Who said automatically? They said they COULD have gone a step further. They could have placed a trojan on the computer, which would then contact the TS computer and allow remote access. They are saying that they DO that when the customer requests it, but it was not requested in this case.

Re:Auto-Hack 2000 (1)

nsanders (208050) | more than 6 years ago | (#21244447)

Who said automatically? They said they COULD have gone a step further. They could have placed a trojan on the computer, which would then contact the TS computer and allow remote access. They are saying that they DO that when the customer requests it, but it was not requested in this case.

By hacking the OS from the login prompt? By standing at the terminal for 20 minutes while they reboot and bypass the OS? By installing software on an unlocked terminal? I still find this whole story fluff.

Re:Auto-Hack 2000 (3, Insightful)

Ritchie70 (860516) | more than 6 years ago | (#21243983)

It's a reasonable tag if you ask me.

If you can put a CD-ROM in the drive, you have full physical access. At least for a typical PC-type system (which most servers are these days) physical access means you own the box. Reboot, boot from the CD, mount the hard drive, bang.

Re:Auto-Hack 2000 (1)

rufty_tufty (888596) | more than 6 years ago | (#21244423)

Doubt it:
For a start, anyone worth their salt would have set up the BIOS correctly and you can't do the exploit you've just cited; hell, I can't even do that exploit on any of the desktop work PCs I've used (3 separate companies), never mind one of the servers...
Secondly, if you're about to say "swap out the hard drive" then you're still wrong - it takes a fair amount of time to swap out a hard drive and I bet that would be noticed. Now maybe they are hot plug drives in the server, but good luck getting a properly set up RAID card to boot from a new drive without appropriate passwords.
So you're back on plugging in your laptop/WAP to the network port, but again just about any secure network will be MAC address locked, so again that does you no good.

While i agree a physical compromise as they have described is a serious fault, it is one layer in what should be a multi-layer security model.

Re:Auto-Hack 2000 (0)

Anonymous Coward | more than 6 years ago | (#21247707)

I know what you are saying but in the IT security field if you can get physical access to a computer then it is game over.

Re:Auto-Hack 2000 (1)

dreamer-of-rules (794070) | more than 6 years ago | (#21245581)

By default, Windows will auto-run programs on CDs. This "feature" was exploited by Sony [wikipedia.org] to automatically install rootkits on your system when you inserted one of their pop artist music CDs. Of course, it can be exploited by hackers as well.

There is a registry entry you can change to disable autorun, which I highly recommend. Unfortunately, it breaks auto-detection of inserted CDs, which means that if you enable it for the normal employee systems, you'll have some extra training / help desk calls to explain why File Explorer or iTunes are not showing the CDs they just inserted.

I find it weird that most of your environments can't get or send email. That probably isn't typical for most businesses. If your important data is on the network, it can be accessed from some internal systems, at least. If they hack a workstation or two, that'll give them leverage to infiltrate the rest of the network.

In the server room they might find backup tapes or media which could be stolen, or replaced with blank media with the labels switched.

If they put a wireless repeater on a network router or somewhere on the network, it will NOT be firewalled. They could attach keylogging hardware in a few seconds with physical access. If the desktop is unlocked, or they got the password previously, or if Windows hasn't been crippled, they could install software to relay whatever they want to/from the wireless gateway they've connected somewhere else on the network.

I'm just saying, there are other ways to hack systems besides rebooting servers during working hours.

Re:Auto-Hack 2000 (1)

dremspider (562073) | more than 6 years ago | (#21246337)

Well, you are almost correct. What really happens is you put the disk in and it opens up something similar to Pipe Dream. What you need to do is shift the "pipes" before the water gets to be too full. Depending on how well the box is locked down the water will flow faster. This is how I was taught in my classes from Bioshock University.

Sorry, I couldn't resist.

What about the low wage rent a cop or jantor who.. (0, Troll)

Joe The Dragon (967727) | more than 6 years ago | (#21243905)

What about the low wage rent-a-cop or janitor who has keys to all of the doors in the building and is the same janitor who sometimes unplugs the systems to clean the floor?

Also some the janitors are not even us citizens.

Re:What about the low wage rent a cop or jantor wh (1, Insightful)

Anonymous Coward | more than 6 years ago | (#21244027)

Also some the janitors are not even us citizens.

Heaven forfend!

Re:What about the low wage rent a cop or jantor wh (1)

cream wobbly (1102689) | more than 6 years ago | (#21244187)

In England, hardly *any* of the janitors are US citizens.

Re:What about the low wage rent a cop or jantor wh (0)

Anonymous Coward | more than 6 years ago | (#21244667)

In England, we'd be very suspicious of an American janitor. Non-EU citizen in an unskilled job; you claim to have a work visa...?

Re:What about the low wage rent a cop or jantor wh (1)

DrSkwid (118965) | more than 6 years ago | (#21246263)

Especially if he was mild mannered and particularly hirsute.

Re: citizens (0)

Anonymous Coward | more than 6 years ago | (#21244567)

Also some the janitors are not even us citizens.
And what, pray tell, does that have to do with anything? Are you implying that all non US citizens are somehow less trustworthy?

Re:What about the low wage rent a cop or jantor wh (0)

Anonymous Coward | more than 6 years ago | (#21244571)

If they are not US citizens then they must be terrorists.

Re:What about the low wage rent a cop or jantor wh (0)

Anonymous Coward | more than 6 years ago | (#21244599)

> Also some the janitors are not even us citizens.

Nice to see that mastering the English language is no longer a barrier to entry though.

Re:What about the low wage rent a cop or janitor (1)

rueger (210566) | more than 6 years ago | (#21245087)

Leaving aside the rather "only in the U.S." comment about "citizens," the point is valid. Quite often the two groups that have complete access to a building - the security guards and the cleaners - are also the groups most likely to be subcontracted to the lowest and/or shadiest bidder.

I suspect that because these people only arrive after office hours no-one in charge ever thinks of them as existing, much less as a security risk.

How exactly did they send an email to the office? (3, Insightful)

appleguru (1030562) | more than 6 years ago | (#21243943)

From TFA:

TraceSecurity modified the company's domain and sent an office-wide e-mail that looked as though it came from a higher-up in the branch. It warned employees of an upcoming pest control visit, and requested that the pest control workers be escorted through the office to check for infestation.

They "modified the company's domain"? How, exactly, did they go about doing that? If they can get access to internal DNS/email servers/etc from the outside, then your company has bigger security problems than those presented by a social engineering exercise...

Re:How exactly did they send an email to the offic (1)

uglyduckling (103926) | more than 6 years ago | (#21244115)

I think it means that they modified their own company's domain - in other words they changed the From: field in their email message so it looked internal. Not exactly high-tech but probably enough to fool the majority of users. Their incoming mail servers shouldn't allow those through, but I'm sure most of them do.

Re:How exactly did they send an email to the offic (1)

michaelwigle (822387) | more than 6 years ago | (#21244319)

I suspect what we're getting here is non-tech trying to explain what the tech told him. It's not unusual for companies to have an all.staff@companydomain.com address to send company-wide e-mails. I figured they just forged the from field to show boss@companydomain.com. Only problem with that tactic, of course, is that the person you are impersonating would also get the e-mail. It does make you wonder if they had some inside help on that part. Mind you, I would think you really would only need to send the e-mail to a couple lower level managers to get the effect you want.

Re:How exactly did they send an email to the offic (1)

DerekLyons (302214) | more than 6 years ago | (#21244505)

They "modified the company's domain"? How, exactly, did they go about doing that? If they can get access to internal DNS/email servers/etc from the outside, then your company has bigger security problems than those presented by a social engineering exercise...

Not entirely true for an institution where the public facing servers and administrative intranets are separate from each other and from the production servers and networks.

Re:How exactly did they send an email to the offic (1)

Andy Dodd (701) | more than 6 years ago | (#21244707)

What they probably meant is that they forged a return address from a modified variant of the company's domain.

e.g. sending an email from FIRSTUNI0N.COM to employees of FIRSTUNION.COM

Re:How exactly did they send an email to the offic (0)

Anonymous Coward | more than 6 years ago | (#21245927)

I suspect that what this means is that instead of "exec@corporate.com" they sent it from "exec@corporateoffice.com" or other such silliness. Most people aren't particularly observant about that kind of stuff.

Re:How exactly did they send an email to the offic (0)

Anonymous Coward | more than 6 years ago | (#21247475)

The editor likely misunderstood what was happening. My guess is that TraceSecurity "spoofed the company's domain" on an email from the outside to make it look like it came from the inside. It's trivial to do and most people don't have the time or care to double check that the source is really who they say they are. The problem isn't that they fell for the faked email. It is because they fell for the email and a number of other social engineering tricks. Victim Xyz Inc. failed to a) notice that the email was a fake, b) ensure that the pest control was actually on the visitor list, c) verify that the two guys were really from the pest control company they claim to be from, and d) follow them around at all times to ensure that they do their job and nothing else.
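One way an inbound mail gateway could flag the three forgeries the replies above describe (a forged From: in the company's own domain, a homoglyph domain like FIRSTUNI0N.COM, and a padded domain like corporateoffice.com). This is an added example, not code from TraceSecurity or the article; the trusted domain, the "X-Origin" gateway header and any sample messages are constructed assumptions.

```python
import email
from difflib import SequenceMatcher
from email.message import Message
from email.utils import parseaddr

# Domains this organisation really sends from (constructed for the example).
TRUSTED_DOMAINS = {"firstunion.com"}
# Assumed convention: the inbound gateway stamps every message it accepts from
# the Internet with "X-Origin: external" (hypothetical header, not a standard).
ORIGIN_HEADER = "X-Origin"

def fold(domain: str) -> str:
    """Collapse look-alike substitutions (0/o, 1/l, 5/s, 3/e, rn/m, vv/w) so
    that FIRSTUNI0N.COM and firstunion.com compare equal."""
    d = domain.lower().replace("rn", "m").replace("vv", "w")
    return d.translate(str.maketrans("0135", "olse"))

def sender_domain(msg: Message) -> str:
    """Lower-cased domain of the From: address ('' when absent or malformed)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()

def is_lookalike(domain: str) -> bool:
    """Homoglyph swap, padded name (corporate -> corporateoffice) or near miss."""
    label = domain.split(".")[0]
    for trusted in TRUSTED_DOMAINS:
        t_label = trusted.split(".")[0]
        if fold(domain) == fold(trusted):
            return True
        if t_label in label and label != t_label:
            return True
        if SequenceMatcher(None, fold(domain), fold(trusted)).ratio() >= 0.85:
            return True
    return False

def classify_sender(raw_message: str) -> str:
    """Return internal, spoofed-internal, lookalike, external or malformed."""
    msg = email.message_from_string(raw_message)
    domain = sender_domain(msg)
    if not domain:
        return "malformed"
    if domain in TRUSTED_DOMAINS:
        # A trusted From: domain is only believable if the message did not
        # arrive over the public Internet; a missing stamp fails closed.
        origin = (msg.get(ORIGIN_HEADER) or "external").lower()
        return "internal" if origin == "internal" else "spoofed-internal"
    return "lookalike" if is_lookalike(domain) else "external"
```

Feed classify_sender() the raw headers-plus-body text of each inbound message; anything other than "internal" is a candidate for quarantine or an "external sender" banner.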

Flame ON! (4, Insightful)

nuzak (959558) | more than 6 years ago | (#21243973)

Slashvertisement, in its most distilled form. I guess the "editorship" here wrenched their shoulders after patting themselves on the back during their tenth anniversary. So much for integrity.

Seriously, even though I know all too well how running something like slashdot is a lot harder than it looks, and how not everyone can be satisfied, and how quality sometimes has to come after candor, even after all that, I know deep down I actually could start something better than this dreck. But frankly, "social links" and blog aggregators are already out there, and I won't pour my money down the hole of recreating reddit, digg, or technorati.

This article shows precisely how slashdot is not only not journalism, it's not even a respectable blog. Slashdot occupies the medium precisely in between, known colloquially as "The Worst of Both Worlds." You should be ashamed. But I know you aren't.

Re:Flame ON! (1)

nuzak (959558) | more than 6 years ago | (#21244109)

Yunno, I'm not one to complain about moderation, but how the fuck do you justify defending slashdot here?

Thankfully.. (1)

Carbon016 (1129067) | more than 6 years ago | (#21244103)

Server rooms are now being built with really long corridors to prevent the spies from cloaking and getting in, pyros are stationed at various checkpoints, and all workers are usually given baseball bats to hit people trying to enter to see if they bleed.

Re:Thankfully.. (1)

operagost (62405) | more than 6 years ago | (#21244267)

I really hate when I forget my keycard and have to run the gauntlet. Thankfully, my company has a good health plan.

got spy room, need server (1)

wardk (3037) | more than 6 years ago | (#21244381)

got it all backwards, hoping someone can help

Spy Cat (1)

francisstp (1137345) | more than 6 years ago | (#21244433)

I'm in ur server roomz, spying your shitz.

What I want to know is... (2, Funny)

afabbro (33948) | more than 6 years ago | (#21244585)

...if TraceSecurity's Senior Vice President Dariel LeBouef [tracesecurity.com] is a real name or a stage name for porn?

Dariel...THE BEEF!

Re:What I want to know is... (1)

vought (160908) | more than 6 years ago | (#21244935)

No, that's a common surname in Baton Rouge, where TS is located.

Re:What I want to know is... (1)

Jeff Carr (684298) | more than 6 years ago | (#21246039)

Dariel LeBouef, 15+ years in penetration testing...

...what?

42. What was the question? (1)

harvey_peterson (658039) | more than 6 years ago | (#21244711)

They used the company's name 42 times on the first page of the article.

Too bad. This could have been a great article - a non-fiction version of Sneakers - but instead it comes across as a poorly written paid advertisement.

Sleazy (1)

zippy40 (737906) | more than 6 years ago | (#21247141)

These guys are like sleazy insurance con artists.