Card Locks Thwarted by Shopping Club Card

hal9000(jr) writes "A recent column ('Social Engineering, the Shoppers' Way') on darkreading.com shows how easy it is for a pen test team to walk into a supposedly secure facility using a shoppers club card because the man trap feature was enabled. Man-traps allow people to enter an outer door but not an inner door similar to ATM kiosks. Once inside, of course, they had the run of the place." Lessons: after writing down your password, eat your sticky notes rather than leave them on the monitor.

Works for me

[Knytefall]

Where I work, one of my friends was able to use his shopper's club card to get access to doors he didn't have access to, but I did. I thought the odds of that happening must be astronomical, but apparently it's more common than I thought.

insecurity 101

[digitaldc]

Maybe...

1) Have a photo ID badge that is the only card that can be swiped to get in to the location
2) Install fingerprint readers and cameras for employees to gain entry
3) Lock all doors/locations not in use, & again use ID Badges and fingerprint readers to gain entry
4) Have have all passwords on keychains updated every few minutes
5) And finally, have all employees meet regularly so they know each other by name and by face

Just a thought.

Re:insecurity 101

[Intron]

One lab I consulted for had RFID badges so you just had to walk up the door to unlock it. Saved the hassle of getting a card out every time. Employees were trained not to let two people through on one activation (except legitimate visitors) and had a bulletin board with a picture and name of every employee.

The most secure place I've been (bank IT center) had a vestibule that weighed you on the way in and out. If you were heavier or lighter, the door didn't open.

Extraordinary transformation

[Demerara]

What's most amazing about the story is not that they got "made" second time round but that the woman who did so had left the building, started her car and began to drive away. She remembered what had happened, turned round and came back to shop the two pentesters.

That this happened in this fashion 6 months after the initial (and hugely embarassing) successful penetration reflects both the company's response and the quality of the security awareness training delivered to employees.

How many people, hand on heart, once they're out of the office, would turn round and come back for such a scenario?

Other items that work well.

[Demon-Xanth]

Pretty much any type of tools. ESPECIALLY telephone buttsets. My dad worked for a phone company for a long time, and if he had a telephone buttset, nobody every questioned his credentials, or took a second thought about letting him into anywhere in a building. Locked door? Just ask someone to open it for you!

Clipboard. If you got a clip board, people are AFRAID to question you. A coworker of mine visited a major plant once, and the employees mistook him for a CEO or something like that because he had a clipboard.

Suit and tie. People will assume you're a rep of a visiting company and will give you directions.

The best locks in the world won't do any good if someone trusted opens it for an attacker.

Re:Other items that work well.

[tradiuz]

Well abused tool belt with used tools (the one day my tools and tool belt were new and shiny, I had security ask for credentials 4 times, and have never been asked since).
Well abused hard hat with a contractors name on it (Simplex/Grinell works well, since 99.9% of everyone have a Simplex/Notifier fire alarm system in Houston).
Work worn blue jeans and t-shirt. Cover-alls also work.
Worn work boots.

What really scares me though, is that I had less resistance walking around Halliburton than I had walking around BMC Computers. Apparently, software code is behind better locks than radioactive material. I used to be a fire alarm tech, and went into the wrong building once, had security open the fire command center, and opened the panel before I realised that I was a block away from my intended destination. I put the panel back on, walked out, thanked security, and made haste to my original destination. This was very soon after 9/11, and security was stopping everyone with a suit and tie, but toolbelts got to walk past the metal detectors.

Re:Other items that work well.

[Shotgun]

My dad was a painter. Same story. The benefit of using the painter ruse is that you can tape off the conference room, cover everything with tarps, spread some paint around to get it good and smelly, and people will AVOID it. You won't even have to try to be sneaky while scanning the network.

I think most of the security in corporate buildings is more about insurance liability than security. When I was a security guard while going to college*, we were told not to approach anyone we saw on the premises at night. If they looked suspicious we were to call the police. The company recieved something like a 30% discount for having a minimum wage person walk through the building every few hours. Our job was to to discourage vandalism by our presence, and to observe and report (so that the fire only guts half of the north wing instead of the whole thing).

The card readers are much the same. We just want to keep the random passerby from wandering through on sightseeing expeditions, and have something to cover our butts with at the civil trial when the judge asks why we were letting murderers and rapist wander the halls. Mention of coporate espionage will raise a few snickers amoung the security managers.

Re:Don't buy it....

[Pontiac]

OK here an example from a recent pen test .

Someone setup a test SQL server in the lab with access to the production netowork.

Since it's "just a lab box" the SA password was left blank.

at some point a domain admin logged into this box.

The security team accessed the box with the local SA account.
They got the LSASS password cache.

With that they got the Domain Admin account.

They used that to acccess a DC, got the SAM and used Rainbow crack with a 10gig pre compiled hash DB to get 30 out of 35 domain admin accounts.

Re:RTFA

[Ryan+Amos]

Actually, checking for a valid ATM card is impossible.

There is no ATM or even credit card standard; it's just a unique identifier linked to your account in the bank's databases. You can use ANY magstripe card you have as an ATM card. Just go to the bank and ask them.

My bank did this for me when I lost my ATM card and needed cash. I went in, showed my picture ID, and they recorded my Student ID card as my ATM card. I could then stick it in an ATM and withdraw money. The guy explained that it was a lot faster than mailing me a new ATM card and that they could do it with any card that wasn't already linked to a bank account.

Re:Wrong use of the word man-trap

[Dun+Malg]

but it really doesn't read the card, it just verifies that you stuck a magstrip card into the slot....It may also be that, in fact, it was turned this way because of a problem with reliability of magstripe cards (they fail pretty regularly), and instead the system should have been converted to another form of identification -- Wiegand, RF proxy, etc.

One law office where I work had so much trouble with the mag-stripe reader on the back door that the head of security himself opened the thing up and wired the electric strike release directly to the microswitch that detects when a card's been inserted! This means that you can get in the back door with anything that fits in the slot, even a popsicle stick, a trick I throughly enjoy demonstrating every time I go there. I even keep a popsicle stick in the truck just for that purpose.

Surprised guy who sits by back door: How'd you get in?
Me: Popsicle stick (holding up popsicle stick)