Card Locks Thwarted by Shopping Club Card
hal9000(jr) writes "A recent column ('Social Engineering, the Shoppers' Way') on darkreading.com shows how easy it is for a pen test team to walk into a supposedly secure facility using a shoppers club card because the man trap feature was enabled. Man-traps allow people to enter an outer door but not an inner door similar to ATM kiosks. Once inside, of course, they had the run of the place." Lessons: after writing down your password, eat your sticky notes rather than leave them on the monitor.
Should have used caltrops instead of mantraps.
Argh.
Don't they actually CHECK the card? What, the system just read the card, saw it wasn't empty and let them in? That's like typing some stuff in the console and the OS logging you on. How did that happen?
Send email from the afterlife! Write your e-will at Dead Man's Switch.
Where I work, one of my friends was able to use his shopper's club card to get access to doors he didn't have access to, but I did. I thought the odds of that happening must be astronomical, but apparently it's more common than I thought.
TFA answers your question - most card reading entry systems have a feature which will allow any ATM card to open the door, because these systems are often used to secure ATM machines, and banks want people from other banks to be able to use their machine and pay the 2.00 service charge.
Maybe next time, instead of trying to get a first post by asking a question based solely on skimming the summary, you'll RTFA?
And what's more, the security system added frequent shopper rewards to their card! Those lucky bastards are going to save so much money on their next purchases of orange juice and cat food.
Slashdot Burying Stories About Slashdot Media Owned
Maybe...
1) Have a photo ID badge that is the only card that can be swiped to get in to the location
2) Install fingerprint readers and cameras for employees to gain entry
3) Lock all doors/locations not in use, & again use ID Badges and fingerprint readers to gain entry
4) Have all passwords on keychains updated every few minutes
5) And finally, have all employees meet regularly so they know each other by name and by face
Just a thought.
He who knows best knows how little he knows. - Thomas Jefferson
A man-trap, in the physical security world, is a "room" (loosely defined here) which has control points on both sides. Often you have to use two different forms of authorization, one for entry (i.e. a badge) and another for exit (biometrics, let's say). This allows it to *trap* anyone who tries to sneak through the system. What the article is really talking about is not a man-trap, but the anti-"bum" measures that banks use in many cities around ATMs inside a building. You have to put your ATM card into a slot, but it really doesn't read the card, it just verifies that you stuck a magstrip card into the slot. You then use your ATM card to access the ATM where it is presumably verified.
Setting anything in this method is absurd, and the physical security people should be fired on the spot for this kind of kindergarten mistake. While what likely happened is that it was turned this way when installed so that you could teach people to use it without having to deal with the slowdown of people actually being blocked, it's a bad way to behave, and shouldn't have been even turned on the first time this way. It may also be that, in fact, it was turned this way because of a problem with reliability of magstripe cards (they fail pretty regularly), and instead the system should have been converted to another form of identification -- Wiegand, RF proxy, etc.
A man trap lets you into a vestibule but does NOT let you into the main area without authentication of some kind.
I may be naive but I personally don't buy this story, how did they get Admin privileges? What, the Admin had his password on a post-it note too?
TOP DSLR Cameras Reviews of the top DSLRs
Man trap is a bit confusing.
They are likely referring to a single person entry door.
The problem I see is this may not suffice for disabled access.
At first I thought man-trap would be they lock you in if anything goes wrong, the problem here would be a potentially devastating liability if there is any injury.
Think about the lawsuit if someone got injured or killed (or mildly annoyed) if they were physically detained by an automated system.
The wikipedia article indicates this issue.
http://en.wikipedia.org/wiki/Man-trap
"A recent column (Social Engineering, the Shoppers' Way) on darkreading.com shows how easy it is for a penetration team to walk into a supposedly secure facility using a shoppers club card because the man trap was misconfigured. Man-traps allow people to enter an outer door but not an inner door similar to ATM kiosks. Once inside, they had the run of the place."
My wife used to regularly get into my work buildings to meet me for lunch. You just need to carry a baby in a baby carrier and everyone will let you in.
My Weblog
I work in a secured building - it's a federally protected building right above a train hub and across from the sears tower. Anyway - security is similar to what was described - barely flashing anything that resembles a photo ID card with a splash of red on it is sufficient to get in. I keep fighting the urge to do it, but what I really want to do is just draw a half assed I.D. card with crayon and construction paper and see if it gets me through.
www.wildpad.com
During the summers as a college job I used to work at an insurance company mailroom which housed a lot of paperwork with very personal information SSN's Medical Info you name it, it was there. My fellow mailroom employees and I used to use CVS shopper cards to gain access to every room in the building when we had forgotten our ID cards at home. Also if you happen to have a shopper card for one grocery store it almost always works at a competing grocery store.
I think the invisible hand of the market has its middle finger extended
--A wise old fart named SC0RN
In college we had palm scanners just to get into the student recreation center. There was a rumor flying about that they could be beaten by scanning the back of your hand instead of the palm. Turned out to not be true.
If you're telling me that my college gymnasium had better security than these places, then I am appalled.
"You will pay for your lack of vision..." - Emperor Palpatine to Ray Charles
"Lessons: after writing down your password, eat your sticky notes rather than leave them on the monitor."
I only buy 3M *flavoured* Post-It (TM) products.
Securi-licious!
Social Engineering, the Shoppers' Way
JULY 19, 2006 | 9:32 AM -- For years, the "card key" has been considered a reliable means of securing the enterprise from unauthorized visitors. In some cases, these cards also serve as identification, and when combined with smartcard technology, a form of network authentication. But if these cards are misconfigured or managed, they can be rendered useless -- as my penetration testing company recently proved.
About six months ago, a medical facility hired us to assess its information security as part of a HIPAA compliance effort. During a pre-assessment briefing, the customer indicated a concern about physical access to the building, which could lead to a compromise of the network.
The company asked us to attempt to circumvent the physical security system, gain access to the building, and retrieve as much information as we could. We agreed, pending the appropriate "get out of jail" arrangements in case we were caught and detained by the authorities.
This facility was a little different than our other HIPAA customers, which are usually insurance companies or hospitals. The target this time was a giant laboratory that performs tests on samples sent by physicians from all over the region. With the volume of healthcare data stored in the facility, we knew that getting inside and connecting to the network could yield a good deal of sensitive and valuable information.
Before we tried to get in, I scoped out the entry points, observed when people came and went, and looked for potential weaknesses in security. Although I couldn't spot any video surveillance, the building security seemed pretty solid; the primary entrance was guarded by a receptionist behind glass. Other doorway access points were secured by a magnetic card swipe system.
On the day we planned to get into the building, I decided to try the magnetic swipe system. In a worst-case scenario, I figured I could fumble my way in, acting as if my card had malfunctioned and asking an employee to open the door from the inside.
Without having an "official" magnetic access card to duplicate, I pulled every card with a magnetic stripe from my wallet, including my bank ATM card, a credit card, and a shopping card from a major grocery store. To my surprise, the first swipe from the shopping card opened the door.
Once inside, we knew that blending into the environment was going to be a necessity. I needed to get my colleague to a conference room to jack into the network and start port scanning, while I started looking for logins and passwords by flipping keyboards and pulling yellow sticky notes from monitors. We located a men's room that also served as a changing facility for employees. Conveniently, it also contained clean smocks and scrubs for us to use.
Now dressed in the appropriate attire, we started walking the facility. We located an empty conference room and commandeered it as our place to work. As my colleague jacked into the network and started scanning each address, I started moving through the facility looking for anything that could provide privileged network access.
Within minutes, I located workstations littered with sticky notes containing logins and passwords. Some even provided detailed information on which systems could be accessed. After collecting several logins and passwords, I made my way back to our conference room to use what I had found.
As soon as I walked into the room, my colleague indicated he was now a domain administrator with access to numerous systems as well. Our efforts led us to a significant find of HIPAA-rich information. After several hours, we had collected enough information for our report, and we casually exited the building through the same doorway we entered.
Back at our office, we immediately notified the customer of the security flaw in the magnetic card swipe system. We later learned that the door access system had been mistakenly set to use a feature called "man-trap," which enables banks to secure their ATM ma
physical security on most sites is a joke. at my last job i used to work for the u.k government and we had a running competition to see who could get past the security guard station with the most ridiculous item. i think that the winner used a tin of sardines that looked nothing like the site pass, but was approximately the same shape. i used to use a cigarette packet most of the time. the mag swipes to enter various blocks did actually look for your pass number on a list of approved numbers however - but a large portion of these were left unlocked or propped open during warm periods. lh
It occurs to me that all this attention to security detail will come to naught in the Star Trek future - they could just use the transporter and beam into any secure area, all they need are the coordinates and blammo, they're in.
try { do() || do_not(); } catch (JediException err) { yoda(err); }
Some of the ATM doors in my city are even less secure than that, checking only that *something* has been inserted into the card slot. No magnetic strip required -- a piece of paper or thin cardboard will do.
I wonder how many companies screen the janitorial staff? Not only do they typically have full access to the building, but they are there after hours and can easily rummage around looking for usernames, passwords, and machines that are still logged in with administrator privileges. Heck they could bring a laptop in and connect directly to the internal network for that matter.
I Am My Own Worst Enemy
they could just use the transporter and beam into any secure area, all they need are the coordinates and blammo, they're in.
But, you forgot, after you beam down there could be an extremely attractive woman just waiting to suck all the salt out of you!
He who knows best knows how little he knows. - Thomas Jefferson
What's most amazing about the story is not that they got "made" second time round but that the woman who did so had left the building, started her car and began to drive away. She remembered what had happened, turned round and came back to shop the two pentesters.
That this happened in this fashion 6 months after the initial (and hugely embarrassing) successful penetration reflects both the company's response and the quality of the security awareness training delivered to employees.
How many people, hand on heart, once they're out of the office, would turn round and come back for such a scenario?
Backward compatibility is over-rated
FTA: We advised them to look for a badge and question individuals who appear to be out of place.
Umm... how about, "Call security and tell them" instead?
If you've got someone who's in the middle of a criminal act... is it wise to test just how much of a criminal they are?
While it may be that most data poachers serious enough to break into a building aren't violent criminals... I'm not going to test that theory. Especially if it's late at night, I'm unarmed, and I'm outnumbered 2:1.
Spending the rest of the night duct-taped in a supply closet just doesn't seem like all that much fun to me :)
- Roach
I'm not surprised as I've also tried this maybe 10 years ago into the bank ATM machine access - with a frequent flyer card. I was thinking, how in the world would the thing verify as other banks customers can use the machine as well. Without the keypunch it probably didn't do anything other than verify it's a magnetic stripe.
I wonder if we can get mega-discounts at the grocery store if we use our card key in place of our club card?
Pretty much any type of tools. ESPECIALLY telephone buttsets. My dad worked for a phone company for a long time, and if he had a telephone buttset, nobody ever questioned his credentials, or took a second thought about letting him into anywhere in a building. Locked door? Just ask someone to open it for you!
Clipboard. If you got a clip board, people are AFRAID to question you. A coworker of mine visited a major plant once, and the employees mistook him for a CEO or something like that because he had a clipboard.
Suit and tie. People will assume you're a rep of a visiting company and will give you directions.
The best locks in the world won't do any good if someone trusted opens it for an attacker.
If you think education is expensive, you should try ignorance -- Derek Bok, president of Harvard
So just how secure do you think most corporations are to intrusions by intensively competitive foreign firms, like, shall we say those from Korea (Both), China, Taiwan and others, who have already figured out what college students (including the foreign students) had figured out 10 years before during their undergraduate work?
It occurs to me that all this attention to security detail will come to naught in the Star Trek future - they could just use the transporter and beam into any secure area, all they need are the coordinates and blammo, they're in.
I refer you over to Larry Niven's essay, "The Theory and Practice of Teleportation", collected in All The Myriad Ways; you'll probably need to check used bookstores or libraries for it. However, as my memory serves, he characterized that type of teleportation (both receive-to-device-from-anywhere and send-from-device-to-anywhere) as "you don't get a society, you get a short war".
//Information does not want to be free; it wants to breed.
The correct usage of man trap is
"The Man Trap was the first-aired regular season episode of Star Trek. In this episode, a landing party from the Enterprise beams down to perform an annual checkup..."
Privileges
Vulnerabilities
Stick to low syllable count words if you can't hack it with the big boys !
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
Lessons: after writing down your password, eat your sticky notes rather than leave them on the monitor.
I disagree. Use a randomly generated password. Don't write down the password, and don't eat the sticky note (for health reasons etc bla bla). Use similarly random information for all of the "backdoor" passwords. Did you know that my mother's maiden name is, on occasion, Kwier5*Y? Then, copy all of that information into Password Safe (or any of its Mac or Linux clones).
Oh, and make backup copies of your database, to prevent the embarrassment of having to spell out your mother's maiden name to some call center bum in Bangalore.
You're giving the Brits a bad name.
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
Most security people are minimum wage. I see people talking about flashing cards and cans of food, etc. This is not a surprise.
I once entered the R&D area of a fortune 500 company using an ID that was printed on an ink jet printer and had my picture and the CIA logo on it. I was questioned and just flashed the card. That ended all questions.
When I was managing a computer company, I came back from lunch to find the lead chatting with a guy. The guy introduced himself as the fire marshal and the lead informed me that there was a Fire Inspection going on. The "Fire Marshal" told me I could not go into the back while the inspection was going on. I proceeded to enter the back to find the "Inspector" inspecting the computer equipment. Right out the back door!
The truth is that most people will not question you, provided you look like you belong and have some form of ID to back it up.
Now it is time to go to the uniform store and get a security guard uniform. I think I'll stand next to the night deposit box at the bank. Just to see how many people will give me their deposits when I tell them that the deposit box is broken and I am there to collect and secure their deposit.
While on travel in Chicago a couple years ago I caught a "oh, isn't this dreadful" hand-wringing piece of journalism where they had "discovered" that even the transit card would open the door to the ATM. They trotted out stories of people who had been mugged after getting their money. So when back home I tried my BART card and it worked fine as well.
Could they improve the ATM vestibule access? Sure. But would it do any good? I doubt it. Almost everyone has some sort of card that could reasonably be used in an ATM and a mugger can just get you when you walk out or force you in when you get out your card. Or they could use a stolen card.
Given the default security-settings and install options present on so much software, I suppose I shouldn't be surprised but I am still surprised that a system whose sole purpose is security would make it so easy to allow this sort of misconfiguration. That seems like an option you should be forced to request.
~~~~~~~
"You are not remembered for doing what is expected of you." - Atul Chitnis
This summary made shit for sense.
nothing
Many doors have locks are not installed improperly. Deadlocking latch bolts have an anti-jimmy mechanism (that little slidy thing on the door bolt) that won't let the bolt withdraw if they both aren't in the same position. When the door closes, this part of the lock remains outside of the hole for the bolt.
Doors with deadlock latch bolts can, with a good swift kick, be pushed far enough into the door jamb for the anti-jimmy mechanism to fall into the strike plate hole. From there, a credit card or thin knife is enough to open the door.
Many years ago, I was able to open the door at a secured facility for a friend of mine (who worked there and forgot his key) using this method. It only took a few seconds to recognize the problem and open the door. He thought it was wicked funny considering that he was testing some highly-sensitive jet fighter parts in the lab, a lab I wasn't supposed to have access to.
I didn't go in.....
I rarely read replies, it's my opinion and if you thought about your opinion a little more, I'm OK with that.
after the (what seems to be) unannounced first break-in attempt and briefing of the employees, any and all results should be considered fairly invalid for at least several months afterwards. Being caught on their second attempt is a no-brainer - hopefully by that point all of the employees have been informed of a security audit, so everyone is going to pay attention, at least for a while.
I worked in a "secure" government contracting facility for five years. As time passed, we had more and more security audits by both internal and external teams. The external security teams (and other inspectors, in fact) were required to be announced, and somebody always caught them - because management would address the entire staff and say 'Security audit, everyone; be alert for x, y and z happening'!
Sort of smacks of cheating. Why? Because when the internal teams worked, unannounced, almost every time someone would slip by, usually by riding through a secure door without a badge on someone's coat-tails. Then we'd get chewed out by management, and within a couple of days someone would be caught, thus "bringing us back into compliance". This cycle continued every 6 months or so.
It's a sham, pure and simple. Unless security issues are constantly, CONSTANTLY addressed, and security staff is on the ball and doing their job 24/7, most employees won't give more than a passing thought to it - because it's a pain in the ass to deal with every day, and it feels like the company is just being cheap by using the main workforce as a security guard in addition to their normal duties.
bah.
How do I secure my lunch in the company fridge? When someone can provide an answer to that one the world will be a truly better place!
Thanks to eating disorders most chicks are reasonably good looking these days.
if you use indelible ink on plastic instead, you get a password reminder in 14-24 hours!
free software, open standards, open file formats, no software patents.
It is nice to see that technology doesn't change much. I went to a military school where we would go up on the ski hill late at night and put huge letters made of toilet paper to be seen from the football field below.
How did we "commandeer" that much toilet paper? The dispensers in the bathrooms had locks, but our mail keys opened them right up. From what I hear that still works.
"Oh, say, can you see by the dawnzer lee light," sang Miss Binney
Of course, the mention of the man-trap setup (which is, obviously, irrelevant) as well as the entire reference to the security system being misconfigured is nothing more than an attempt to hide the painful truth: both the grocery store (the one that issued the card) and the secure facility being tested belong to and are run by the same corporation! And the verification requests from the door locks are processed by the same system that processes the shopper card swipes in the store, which immediately explains why the door opened.
:)
This simple attempt at cover-up can only fool a naive individual that believes that "Bed, Bath and Beyond" and "Linens and Things" are competing stores
You mean all that time playing videogames that I spent looking for keycards could have been alleviated if I just took my ATM card with me on the mission!? Macgyver strikes again?
I knew a woman who worked in one of MIT's biotech labs. The labs were generally a mess and grad students were constantly going back and forth between the labs at all hours of the day and night. Unfortunately the local crooks and bums knew about the lousy security too and would occasionally steal students' laptops, wallets, purses, etc. I'm sure they also kept an eye out for hypodermic needles.
One day I came in and she said that someone had come in during the night and opened the small fridge they used for bacterial cultures and drank some bottles with liquid media in them (like a hi-c colored bacterial growth medium). Lucky for the idiot the bacteria were plant pathogens. About a year after, MIT closed the building and rebuilt it into a much nicer, and much more secure, facility.
It is by the juice of the coffee bean that thoughts acquire speed, the teeth acquire stains. The stains become a warning
I'm not sure card readers are really all that useful, unless you can get everyone there obsessed with security.
Doors inherently allow multiple people. Whenever I swipe into a building, I hold the door for the people behind me. If I'm coming out of a building, I hold the door for anyone coming in. (This is on a college campus, though, not exactly a facility needing super-security.) Heck, I've opened doors to other buildings because someone was standing outside who forgot their card.
Unless you can convince me, and even harder, Joe Average, that letting a door slam in someone's face is okay, I think everyone's going to hold the door for people, or stop in the dead of winter to let what's presumably a fellow student / co-worker into their building.
I suppose the way to fix it is to insist that only one person may use the door at a time, and threaten to terminate on the spot anyone allowing anyone to enter the building with them. And then actually enforce the rule.
________________________________________________
suwain_2
"It's a good thing people generally like working here"
At my company, we've gone through two names since 2000 and went from a people loving company to a "people at the top" loving company. I've noticed that even though they've tried to tighten security, less people actually care about security so even though they've tried to close holes, they lost their company wide security net. There isn't a single employee in my building that gives a rat's arse about physical security outside of their own tools/stuff.
When I was hired, people would ask where I worked, and that sort of thing. Although it might not be intentionally a security question, it would've caught me if I didn't belong. Now, new hires wander around without anyone ever asking them anything.
If you think education is expensive, you should try ignorance -- Derek Bok, president of Harvard
Can you imagine Tom Cruise on an impossible mission, faced with trying to enter a secure facility, shrugging his shoulders, and just "pull[ing] every card with a magnetic stripe from [his] wallet"--and discovering that one of them works?
Who would believe it?
True, in a 1998 movie called "Wrongfully Accused," Leslie Nielsen, faced with a computer screen asking for "User" and "Password" gets in by typing in "User" into the user field and "Password" into the password field... but you're supposed to think it's a joke.
"How to Do Nothing," kids activities, back in print!
My wife has those "Coupon Cards" or "Frequent Shopper" cards for 30 different drug and grocery stores. She used to keep adding new ones to my key chain all the time. Tired of looking like I was hiding quite a package in my pocket all the time, I decided to try out a theory of mine. I scanned a store's keychain tag at a totally different store (self checkout, obviously can't hand it to a cashier). Well, it worked just fine. While you obviously won't get credit for the sale (big deal) as who knows what account it goes to, you do get all the "virtual coupons" associated with the card.
I now just carry one shopping card (Harris Teeter I think). It works at almost every store wherever I travel...CVS, Lowes Foods, Bi-Lo, etc. I just scan the card and it says "Welcome member".
And FYI. The ATM vestibules- big deal- they are all set to open on any magnetic reader as most banks and credit card companies use different numbers of tracks, data types, and encryption. They don't want to "lock out" members of other banks and not get to charge them a $3.00 "convenience fee" so they let basically any card in. It's not like it gives you access to the ATM if you use a fake card, you just gain access to a vestibule full of video cameras. It's only made as a "deterrent".
Spelling/Grammar police- I did this from a mobile while in a meeting, I don't feel like jumping through hoops to use a spell check. Just bear with me for now.
Repant. Thy end is sheer.
6 ) Only an idiot doesn't clear the factory configuration.
Like OS installs - first thing I do is reset the BIOS and reinstall the OS.
Give a man a fish and you have fed him for today. Teach a man to fish, and he'll say "WHERE'S MY FISH, YOU IDIOT?"
While I can remember 1/2 a dozen passwords, I cannot expect my coworkers to do the same.
Most often there is a sea of sticky notes pasted right on the monitor with the bi-annual password!!!
To require constant password resets is idiotic. Please use a system that requires them to remember ONE really complicated password or invest in a fingerprint reader which is getting absurdly cheaper.
If you hire someone to sit on a stool inside the door, give them a clipboard with paper printouts including people's names, photos, and some stupid factoid about them, then point a cheap web-cam at the "guard" so they know Big Brother is watching, I bet you get pretty good results. Throw in a tazer, couple of windowless steel fire doors without external key-holes and a big ol' sign that says "Use Other Door" so the poor bastard can take a break or go home, and you're covered.
Expensive? SURE! As expensive as losing data? Talk to your accountant first.
Here will be an old abusing of God's patience and the king's English.
They don't care what's on it as long as they can use it as a unique identifier.
Sorry about coward mode, but I am about to say something unpleasant.
MustardMan, you are clearly the one making gross assumptions. The poster obviously did not know the details of the man-trap system, which were not discussed in great detail within TFA. Like another poster said, Cirrus or other card companies could put an ATM identifier. Mayhaps not for the anti-bum ATM system, but in other applications context dependent man-traps may be handy.
So, STFU and let the guy ask a question about the man-trap system without being accosted by some know it all prick.
People don't understand the importance of a secure facility. All it takes is one dedicated person to cost a company a LOT of money. Unfortunately, it's hard to explain to higher-ups and accounting why the facility needs better security than a swipe-card or RFID card for some doors.
Picture this. A woman is standing outside of the front or side doors of your office struggling with a briefcase and a pocketbook, trying to get a good grip on them. Naturally you'd want to hold the door open for her to make it easier. She in turn holds the door open for her boyfriend, the shady guy your IT department warned you about. He gets in, and Schrodinger's cat leaves the bag at a high rate of speed.
How will you know what damage he caused until it happens?
On the other hand, most companies do NOT want to implement one or two entrances with turnstiles and a manned guard booth keeping watch to make sure no one jumps them. Makes things seem a little too secure.
A good secure facility would use a security system that's practically transparent. You swipe your RFID card in front of the door, the door makes the card calculate a number, and then approves or denies based on the response. The security guard is alerted if more than one person enters on one swipe. They can take action based on that. There are no sticky notes with passwords. This is strictly enforced. Just like workstations that auto-lock after the user leaves their cube or is inactive for a set time. That would solve most problems right there.
Job? I don't have time to get a job! Who will sit around and bitch about being broke and unemployed then?
What's a better example of stealing something in plain sight of everyone than stealing two mainframes with confidential data from a secured server room belonging to Australian customs?
They went in, presented fake credentials, worked in the room a couple of hours, took two machines and nobody suspected a thing until someone noticed the servers were down.
Anyone can top that?
GPG 0x1B479C78
"We performed a follow-up assessment six months later, attempting access through the same doorway we had used previously. None of our cards worked this time"
That sure does sound as if there was no "failed attempt made at door number ..." mechanism in place. Stupid, if you ask me.
Most ATMs will eat your card after three failed attempts, but such an entry-to-secure-area will let you try as many times as you like?
That does sound as if someone forgot to think I'm afraid.
i've been doing that to get to copies of software the IT dept. keeps in a locked supercloset since my freshman year. atm cards from bellco, wells fargo, tcf, and u.s. bank open it right on up and helll-ooooo legit-copy-of-3dsmax-installed...and the dept. heads know that people do this.
Isn't Mantrap a new show on OLN?
RTFM; please, I beg you.
Everyplace I've worked seems to have those nice big glass double doors on the inside lobby entrance with the card reader on the side to unlock the doors. One night I left without my wallet, and my card key was in the wallet. I went back to the doors and they were locked for the night. So I went into the bathroom and got a stack of paper towels. I shot about 2 or 3 of them through the door, and the motion detector saw them and unlocked the doors for me.
Next day, I told my boss. He thanked me, but the facility manager started shooting me nasty looks. End of the month, my boss gave me a bonus for the info...
Our ATMs are driveup or walkup with no authentication required to get access to them.
Best practice is to view the area first and make sure it is clear. Have your non-lethal weapon, mace etc, ready in one hand, ATM card in other. Make transaction(s) while still being aware of your surroundings and ready to drop non-lethal weapon and use lethal weapon if necessary.
Of course, robbing most people for their bank balance around here would be less productive than robbing kids for their lunch money.
I only look human.
My mother is a halfling and my dad is an ogre, so that makes me an Ogreling
That incident is evidence against the cliche that "security training doesn't work". The team talked to employees in terms that made sense (humans seem to be hardwired to send and receive stories). The hospital administration must have refrained from de-training the workforce (don't expect security training to stick if the bosses yell at people for slowing work down to follow security procedures).
The reason nobody can get end users to stop clicking on attachments is that end users are getting trained every day that they should open attachments. Their boss sends them Word documents that they're required to read. They double-click hundreds of times and nothing bad happens. If security training seems not to be working, it's probably because insecurity training is winning.
Buy your tickets online, using TicketMaster's instant delivery mechanism. They email you a PDF that serves as the ticket.
Scan it in, bring it into photoshop, and edit the seat location. For that matter, use scissors and tape and a copier to modify your seat location. Make sure you make it a front row seat!
Then when you go to the concert, use the original to get in the door. Use your edited version to wander the floor. Obviously you probably won't have a seat, but you'll be able to get pretty darn close. All because they only scan the ticket at the door. They visually inspect the ticket to see if you are special enough to get up close.
* Seriously, I would never suggest that you break the law. This idea is purely for entertainment and discussion purposes. Kids, don't try this at home!
Pen test team? I was thinking of a bunch of people in a room with a brand new box of Bics, scribbling like mad. In fact, until I followed the Wikipedia link for pen test, the whole thing sounded like a MacGyver episode.
Some chick: "Damn! We've got to get through this man-trap security door and we have nothing but a shoppers club card and a box of pens!"
MacGyver: -pulls out pocket knife- "I'm way ahead of you..."
If her HR handbook reads like my company's HR handbook, she might have been worried about getting caught on tape letting strangers into the building...
...
Section X.X Security - employee responsibilities
The following activities indicate a serious security violation. These activities may lead to disciplinary action up to and including dismissal:
-Violating security control mechanisms
-Violating security policies
just kidding
A few years ago I went to the parking lot, let myself into my locked car, turned over the ignition-- and then noticed that my upholstery was the wrong color. I stopped the car and got out-- only to see that MY car, with the correct upholstery and my junk in the back, was parked NEXT to it. Our cars were the same make, same model, same exterior color-- and had the same damn lock & key. If the upholstery hadn't clued me off, I'd have happily driven off with someone else's car, and not noticed until I tried to get my stuff out of the trunk.
If you're telling me that my college gymnasium had better security than these places, then I am appalled.
A palm scanner is cheaper in the long run; when you signed up, you didn't have to have an ID printed, or remember a pin, etc. When you go to an on-campus gym, do you have your wallet+campus ID with you? What is to stop you from sharing your ID card?
You can't "loose" or forget your hand, so they never have to deal with replacing ID cards (which require programming the security system, which requires someone trained+trusted to do so) or resetting PINs. You also can't "share" your hand with your roommate who isn't paying gym dues (if it was required to pay extra for gym access), etc.
Please help metamoderate.
We do the same thing where I work (a university). Our security isn't actually aimed at stopping you from stealing stuff, it's there to be good enough to make insurance happy. Our locks on the computers are easy to cut through. Scissors will do for the cables, small bolt cutters for the locks themselves. I've had to cut a few when I lost the keys. We know you can cut them, that's not the point. The point is it'll stop some random yahoo from wandering out of there with a computer and that's enough for insurance to be happy.
Most criminals are really dumb thankfully, and a little security does it, hence insurance is happy.
1) You can't go through conscious: intelligent beings that go through conscious end up psychologically broken and typically drop dead right after they come out the other end. It appears that going through conscious is equivalent to spending several million (billion?) years in sensory-deprivation limbo.
2) You have to have a receive station set at the transmission end to get anywhere. But: the transmit end can be set to NULL for the destination. You go in, but you don't come out anywhere. (There's a vignette of a man accused of murdering his wife by Jaunting her to NULL. His lawyer tries to get him off by saying "well, she's not really dead...", which backfires as the jury is so horrified they convict with the maximum sentence.)
-- Old Man Kensey
A few years ago, the IT dept. I worked in (for a large mobile phone company) was invited to a presentation by a vendor. We were ushered into a presentation room in the brand new office they had just built nearby. On one wall of this room was a large window and a door, behind which was a number of shiny new servers, intended to impress customers.
This room was protected by a card swipe.
One of my co-workers noted the card swipe looked much like the swipes we used back at our office. He took out his id badge (for the company we worked for), and slid it through the swipe. The door to the server room unlocked. Whoops.
The vendor? Microsoft.
Doors inherently allow multiple people. Whenever I swipe into a building, I hold the door for the people behind me. If I'm coming out of a building, I hold the door for anyone coming in. (This is on a college campus, though, not exactly a facility needing super-security.) Heck, I've opened doors to other buildings because someone was standing outside who forgot their card.
Unless you can convince me, and even harder, Joe Average, that letting a door slam in someone's face is okay, I think everyone's going to hold the door for people, or stop in the dead of winter to let what's presumably a fellow student / co-worker into their building.
That's why the last place I worked had security *revolving* doors. Man those were a pain, but you sure weren't going to hold the door for anybody. Kind of hard on me, who likes to carry a briefcase, a thermos of coffee, and a huge lunchbox full of snacks ... if anything touches the walls of the door, it stops, makes a nasty announcement, and reverses!
Dressed as a pizza delivery man and carrying hot, aromatic pizza works, too. ...Wakka Chikka Wakka Chikka.
As porn movies have taught me... it will not only get you in the door, it will also get you laid!
Always write your name on the bag or container and randomly include an occasional treat liberally laced with habaneros. Habaneros also work pretty well to discourage wild animals and the neighbor's dog when used in a spray on things like your garbage can.
Matthew