Slashdot Mirror
Card Locks Thwarted by Shopping Club Card
hal9000(jr) writes "A recent column ('Social Engineering, the Shoppers' Way') on darkreading.com shows how easy it is for a pen test team to walk into a supposedly secure facility using a shoppers club card because the man trap feature was enabled. Man-traps allow people to enter an outer door but not an inner door similar to ATM kiosks. Once inside, of course, they had the run of the place." Lessons: after writing down your password, eat your sticky notes rather than leave them on the monitor.
Should have used caltraps instead of mantraps.
Argh.
Where I work, one of my friends was able to use his shopper's club card to get access to doors he didn't have access to, but I did. I thought the odds of that happening must be astronomical, but apparently it's more common than I thought.
TFA answers your question - most card reading entry systems have a feature which will allow any ATM card to open the door, because these systems are often used to secure ATM machines, and banks want people from other banks to be able to use their machine and pay the 2.00 service charge.
Maybe next time, instead of trying to get a first post by asking a question based solely on skimming the summary, you'll RTFA?
And what's more, the security system added frequent shopper rewards to their card! Those lucky bastards are going to save so much money on their next purchases of orange juice and cat food.
Slashdot Burying Stories About Slashdot Media Owned
Maybe...
1) Have a photo ID badge that is the only card that can be swiped to get in to the location
2) Install fingerprint readers and cameras for employees to gain entry
3) Lock all doors/locations not in use, & again use ID Badges and fingerprint readers to gain entry
4) Have have all passwords on keychains updated every few minutes
5) And finally, have all employees meet regularly so they know each other by name and by face
Just a thought.
He who knows best knows how little he knows. - Thomas Jefferson
A man-trap, in the physical security world, is a "room" (loosely defined here) which has control points on both sides. Often you have to use two different forms of authorization, one for entry (i.e. a badge) and another for exit (biometrics, let's say). This allows it to *trap* anyone who tries to sneak through the system. What the article is really talking about is not a man-trap, but the anti-"bum" measures that banks use in many cities around ATMs inside a building. You have to put your ATM card into a slot, but it really doesn't read the card, it just verifies that you stuck a magstrip card into the slot. You then use your ATM card to access the ATM where it is presumably verified.
Setting anything in this method is absurd, and the physical security people should be fired on the spot for this kind of kindergarten mistake. While what likely happened is that it was turned this way when installed so that you could teach people to use it without having to deal with the slowdown of people actually being blocked, it's a bad way to behave, and shouldn't have been even turned on the first time this way. It may also be that, in fact, it was turned this way because of a problem with reliability of magstripe cards (they fail pretty regularly), and instead the system should have been converted to another form of identification -- Wiegand, RF proxy, etc.
Man trap is a bit confusing.
They are likely refering to a single person entry door.
The problem I see is this may not suffice for disabled access.
At first I thought man-trap would be they lock you in if anything goes wrong, the problem here would be a potentially devestating liability if there is any injury.
Think about the lawsuit if someone got injured or killed (or mildly annoyed) if they were physically detained by an automated system.
The wikipedia article indicates this issue.
http://en.wikipedia.org/wiki/Man-trap
My wife used to regularly get into my work buildings to meet me for lunch. You just need to carry a baby in a baby carrier and everyone will let you in.
My Weblog
I work in a secured building - it's a federally protected building right above a train hub and across from the sears tower. Anyway - security is similar to what was described - barely flashing anything that resembles a photo ID card with a splash of red on it is sufficient to get in. I keep fighting the urge to do it, but what I really want to do is just draw a half assed I.D. card with crayon and construction paper and see if it gets me through.
www.wildpad.com
During the summers as a college job I used to work at an insurance company mailroom which housed a lot of paperwork with very personal information SSN's Medical Info you name it, it was there. My fellow mailroom employees and I used to use CVS shopper cards to gain access to every room in the building when we had forgotten our ID cards at home. Also if you happen to have a shopper card for one grocery store it almost always works at a competing grocery store.
I think the invisible hand of the market has its middle finger extended
--A wise old fart named SC0RN
In college we had palm scanners just to get into the student recreation center. There was a rumor flying about that they could be beaten by scanning the back of your hand instead of the palm. Turned out to not be true.
If you're telling me that my college gymnasium had better security than these places, then I am apalled.
"You will pay for your lack of vision..." - Emperor Palpatine to Ray Charles
physical security on most sites is a joke. at my last job i used to work for the u.k government and we had a running competition to see who could get past the security guard station with the most rediculous item. i think that the winner used a tin of sardines that looked nothing like the site pass, but was approximately the same shape. i used to use a cigarette packet most of the time. the mag swipes to enter various blocks did actually look for your pass number on a list of approved numbers however - but a large portion of these were left unlocked or propped open during warm periods. lh
I wonder how many companies screen the janitorial staff? Not only do they typically have full access to the building, but they are there after hours and can easily rummage around looking for usernames, passwords, and machines that are still logged in with administrator privledges. Heck they could bring a laptop in and connect directly to the internal network for that matter.
I Am My Own Worst Enemy
they could just use the transporter and beam into any secure area, all they need are the coordinates and blammo, they're in.
But, you forgot, after you beam down there could be an extremely attractive woman just waiting to suck all the salt out of you!
He who knows best knows how little he knows. - Thomas Jefferson
What's most amazing about the story is not that they got "made" second time round but that the woman who did so had left the building, started her car and began to drive away. She remembered what had happened, turned round and came back to shop the two pentesters.
That this happened in this fashion 6 months after the initial (and hugely embarassing) successful penetration reflects both the company's response and the quality of the security awareness training delivered to employees.
How many people, hand on heart, once they're out of the office, would turn round and come back for such a scenario?
Backward%20compatibility%20is%20over-rated
FTA: We advised them to look for a badge and question individuals who appear to be out of place.
... how about, "Call security and tell them" instead?
... is it wise to test just how much of a criminal they are?
... I'm not going to test that theory. Especially if it's late at night, I'm unarmed, and I'm outnumbered 2:1.
:)
Umm
If you've got someone who's in the middle of a criminal act
While it may be that most data poachers serious enough to break into a building aren't violent criminals
Spending the rest of the night duct-taped in a supply closet just doesn't seem like all that much fun to me
- Roach
I wonder if we can get mega-discounts at the grocery store if we use our card key in place of our club card?
Pretty much any type of tools. ESPECIALLY telephone buttsets. My dad worked for a phone company for a long time, and if he had a telephone buttset, nobody every questioned his credentials, or took a second thought about letting him into anywhere in a building. Locked door? Just ask someone to open it for you!
Clipboard. If you got a clip board, people are AFRAID to question you. A coworker of mine visited a major plant once, and the employees mistook him for a CEO or something like that because he had a clipboard.
Suit and tie. People will assume you're a rep of a visiting company and will give you directions.
The best locks in the world won't do any good if someone trusted opens it for an attacker.
If you think education is expensive, you should try ignorance -- Derek Bok, president of Harvard
It occurs to me that all this attention to security detail will come to naught in the Star Trek future - they could just use the transporter and beam into any secure area, all they need are the coordinates and blammo, they're in.
I refer you over to Larry Niven's essay, "The Theory and Practice of Teleportation", collected in All The Myriad Ways; you'll probably need to check used bookstores or libraries for it. However, as my memory serves, he characterized that type of teleportation (both recieve-to-device-from-anywhere and send-from-device-to-anywhere) as "you don't get a society, you get a short war".
//Information does not want to be free; it wants to breed.
OK here an example from a recent pen test .
Someone setup a test SQL server in the lab with access to the production netowork.
Since it's "just a lab box" the SA password was left blank.
at some point a domain admin logged into this box.
The security team accessed the box with the local SA account.
They got the LSASS password cache.
With that they got the Domain Admin account.
They used that to acccess a DC, got the SAM and used Rainbow crack with a 10gig pre compiled hash DB to get 30 out of 35 domain admin accounts.
If you think it's expensive to hire a professional to do the job, wait until you hire an amateur. --Red Adair
It's the side effect of living in the spell check generation. Besides, English is my second language. Gibberish is my first.
Most security people are minimum wage. I see people talking about flashing cards and cans of food, etc. This is not a surprise.
I once entered the R&D area of a fortune 500 company using an ID that was printed on an ink jet printer and had my picture and the CIA logo on it. I was questioned and just flashed the card. That ended all questions.
When I was managing a computer company, I came back from lunch to find the lead chatting with a guy. The guy introduced him self as the fire marshal and the lead informed me that there was a Fire Inspection going on. The "Fire Marshal" told me I could not go into the back while the inspection was going on. I proceeded to enter the back to find the "Inspector" inspecting the computer equipment. Right out the back door!
The truth is that most people will not question you, provided you look like you belong and have some form of ID to back it up.
Now it is time to go to the uniform store and get a security guard uniform. I think ill stand next to the night deposit box at the bank. Just to see how many people will give me there deposits when I tell them that the deposit box it broken and I am there to collect and secure there deposit.
While on travel in Chicago a couple years ago I caught a "oh, isn't this dreadful" hand-wringing pieces of journalism where they had "discovered" that even the transit card would open the door to the ATM. They trotted out stories of people who had been mugged after getting their money. So when back home I tried my BART card and it worked fine as well.
Could they improve the ATM vestibule access? Sure. But would it do any good? I doubt it. Almost everyone has some sort of card that could reasonably be used in an ATM and a mugger can just get you when you walk out or force you in when you get out your card. Or they could use a stolen card.
Given the default security-settings and install options present on so much software, I suppose I shouldn't be surprised but I am still surprised that a system whose sole purpose is security would make it so easy to allow this sort of misconfiguration. That seems like an option you should be forced to request.
~~~~~~~
"You are not remembered for doing what is expected of you." - Atul Chitnis
after the (what seems to be) unannounced first break-in attempt and briefing of the employees, any and all results should be considered fairly invalid for at least several months afterwards. Being caught on their second attempt is a no-brainer - hopefully by that point all of the employees have been informed of a security audit, so everyone is going to pay attention, at least for a while.
I worked in a "secure" government contracting facility for five years. As time passed, we had more and more security audits by both internal and external teams. The external security teams (and other inspectors, in fact) were required to be announced, and somebody always caught them - because management would address the entire staff and say 'Security audit, everyone; be alert for x, y and z happening'!
Sort of smacks of cheating. Why? Because when the internal teams worked, unannounced, almost every time someone would slip by, usually by riding through a secure door without a badge on someone's coat-tails. Then we'd get chewed out by management, and within a couple of day someone would be caught, thus "bringing us back into compliance". This cycle continued every 6 months or so.
It's a sham, pure and simple Unless security issues are constantly, CONSTANTLY addressed, and security staff is on the ball and doing their job 24/7, most employees won't give more than a passing thought to it - because it's a pain in the ass to deal with every day, and it feels like the company is just being cheap by using the main workforce as a security guard in addition to their normal duties.
bah.
"It's a good thing people generally like working here"
At my company, we've gone through two names since 2000 and went from a people loving company to a "people at the top" loving company. I've noticed that even though they've tried to tighten security, less people actually care about security so even though they've tried to close holes, they lost thier company wide security net. There isn't a single employee in my building that gives a rats arse about physical security outside of thier own tools/stuff.
When I was hired, people would ask where I worked, and that sort of thing. Although it might not be intentionally a security question, it would've caught me if I didn't belong. Now, new hires wander around without anyone ever asking them anything.
If you think education is expensive, you should try ignorance -- Derek Bok, president of Harvard
My wife has those "Coupon Cards" or "Frequent Shopper" cards for 30 different drug and grocery stores. She used to keep adding new ones to my key chain all the time. Tired of looking like I was hiding quite a package in my pocket al lthe time, I decided to try out a theory of mine. I scanned a stores keychain tag at a totally different store (self checkout, obviously can't hand it to a cashier). Well, it worked just fine. While you obviously won't get credit for the sale (big deal) as who knows what account it goes to, you do get all the "virtual coupons" associated with the card.
I now just carry one shopping card (Harris Teeter I think). It works at almost every store wherever I travel...CVS, Lowes Foods, Bi-Lo, etc. I just scan the card and it says "Welcome member".
And FYI. The ATM vestibules- big deal- they are all set to open on any magnetic reader as most banks and credit card companies use different numbers of tracks, data types, and encryption. They don't want to "lock out" members of other banks and not get to charge them a $3.00 "convienience fee" so they let basically any card in. Its not like it gives you access to the ATM if you use a fake card, you just gain access to a vestibule full of video cameras. Its only made as a "deterrant".
Spelling/Grammer police- I did this from a mobile while in a meeting, I don't feel like jumping through hoops to use a spell check. Just bear with me for now.
Repant. Thy end is sheer.
While I can remember 1/2 a dozen passwords, I cannot expect my coworkers to do the same.
Most often there is a sea of sticky notes pasted right on the monitor with the bi-annual password!!!
To require constant password resets is idiotic. Please use a system that requires them to remember ONE really complicated password or invest in a fingerprint reader which is getting absurdly cheaper.
That wasn't a troll. The guy who submitted can't write for shit. There is absolutely nothing inherently insecure about a mantrap. I was puzzled until I rtfa. It's the fact that doors to ATM mantraps are configured to operate with any magnetic stripe card that is the problem. The submitter should have made that clear.
Insert witty sig here.
Do they taste 50% better than M&M's?
-- 3 events that reshaped the world in the 20th century: WW1, WW2, and WWW
If you hire someone to sit on a stool inside the door, give them a clipboard with paper printouts including people's names, photos, and some stupid factoid about them, then point a cheap web-cam at the "guard" so they know Big Brother is watching, I bet you get pretty good results. Throw in a tazer, couple of windowless steel fire doors without external key-holes and a big ol' sign that says "Use Other Door" so the poor bastard can take a break or go home, and you're covered.
Expensive? SURE! As expensive as losing data? Talk to your accountant first.
Here will be an old abusing of God's patience and the king's English.
Why bother with all that memorization. Heck, I can never remember stuff I don't use on a regular basis and it takes me a good 10-12 logins to really burn in a password. That's why I ditched truly random in favor of a long password string, from which I chose my passwords. See, I just wrote a short routine to generate 250 characters, alphanumeric only, including upper and lowercase. I pick a starting point and use (say) a 9 character password. When it's time for a new password, I choose a new spot in the string to start from. If I'm feeling odd, I'll go backwards in the string. But how do I remember all 250 characters? I don't. I print it out on a card and put it in my wallet, unlabelled, along with all the phone numbers I might need in an emergency. Heck, I might even leave a copy on my desk if I'm burning a new password into my skull. Easy for me to remember where I started, a good bit harder for anyone else. And, since most systems that matter have a lockout function, it would take someone quite a good bit of time to try all combinations at random (there are still about 2000 resonable combinations of length, starting character, and direction). We're not talking about nuclear start codes, here.
Is it just my observation, or are there way too many stupid people in the world?
What's a better example of stealing something in plain sight of everyone than stealing two mainframes with confidential data from a secured server room belonging to Australian customs.
They went in, presented fake credentials, worked in the room a couple of hours, took two machines and nobody suspected a thing until someone noticed the servers were down.
Anyone can top that?
GPG 0x1B479C78
Everyplace I've worked seems to have those nice big glass double doors on the inside lobby entrance with the card reader on the side to unlock the doors. One night I left without my wallet, and my card key was in the wallet. I went back to the doors and they were locked for the night. So I went into the bathroom and got a stack of paper towels. I shot about 2 or 3 of them through the door, and the motion detector saw them and unlocked the doors for me.
Next day, I told my boss. He thanked me, but the facility manager started shooting me nasty looks. End of the month, my boss gave me a bonus for the info...
Buy your tickets online, using TicketMaster's instant delivery mechanism. They email you a PDF that serves as the ticket.
Scan it in, bring it into photoshop, and edit the seat location. For that matter, use scissors and tape and a copier to modify your seat location. Make sure you make it a front row seat!
Then when you go to the concert, use the original to get in the door. Use your edited version to wander the floor. Obviously you probably won't have a seat, but you'll be able to get pretty darn close. All because they only scan the ticket at the door. They visually inspect the ticket to see if you are special enough to get up close.
* Seriously, I would never suggest that you break the law. This idea is purely for entertainment and discussion purposes. Kids, don't try this at home!