Slashdot Mirror
Card Locks Thwarted by Shopping Club Card
hal9000(jr) writes "A recent column ('Social Engineering, the Shoppers' Way') on darkreading.com shows how easy it is for a pen test team to walk into a supposedly secure facility using a shoppers club card because the man trap feature was enabled. Man-traps allow people to enter an outer door but not an inner door similar to ATM kiosks. Once inside, of course, they had the run of the place." Lessons: after writing down your password, eat your sticky notes rather than leave them on the monitor.
Should have used caltraps instead of mantraps.
Argh.
Where I work, one of my friends was able to use his shopper's club card to get access to doors he didn't have access to, but I did. I thought the odds of that happening must be astronomical, but apparently it's more common than I thought.
TFA answers your question - most card reading entry systems have a feature which will allow any ATM card to open the door, because these systems are often used to secure ATM machines, and banks want people from other banks to be able to use their machine and pay the 2.00 service charge.
Maybe next time, instead of trying to get a first post by asking a question based solely on skimming the summary, you'll RTFA?
And what's more, the security system added frequent shopper rewards to their card! Those lucky bastards are going to save so much money on their next purchases of orange juice and cat food.
Slashdot Burying Stories About Slashdot Media Owned
Maybe...
1) Have a photo ID badge that is the only card that can be swiped to get in to the location
2) Install fingerprint readers and cameras for employees to gain entry
3) Lock all doors/locations not in use, & again use ID Badges and fingerprint readers to gain entry
4) Have have all passwords on keychains updated every few minutes
5) And finally, have all employees meet regularly so they know each other by name and by face
Just a thought.
He who knows best knows how little he knows. - Thomas Jefferson
A man-trap, in the physical security world, is a "room" (loosely defined here) which has control points on both sides. Often you have to use two different forms of authorization, one for entry (i.e. a badge) and another for exit (biometrics, let's say). This allows it to *trap* anyone who tries to sneak through the system. What the article is really talking about is not a man-trap, but the anti-"bum" measures that banks use in many cities around ATMs inside a building. You have to put your ATM card into a slot, but it really doesn't read the card, it just verifies that you stuck a magstrip card into the slot. You then use your ATM card to access the ATM where it is presumably verified.
Setting anything in this method is absurd, and the physical security people should be fired on the spot for this kind of kindergarten mistake. While what likely happened is that it was turned this way when installed so that you could teach people to use it without having to deal with the slowdown of people actually being blocked, it's a bad way to behave, and shouldn't have been even turned on the first time this way. It may also be that, in fact, it was turned this way because of a problem with reliability of magstripe cards (they fail pretty regularly), and instead the system should have been converted to another form of identification -- Wiegand, RF proxy, etc.
Man trap is a bit confusing.
They are likely refering to a single person entry door.
The problem I see is this may not suffice for disabled access.
At first I thought man-trap would be they lock you in if anything goes wrong, the problem here would be a potentially devestating liability if there is any injury.
Think about the lawsuit if someone got injured or killed (or mildly annoyed) if they were physically detained by an automated system.
The wikipedia article indicates this issue.
http://en.wikipedia.org/wiki/Man-trap
My wife used to regularly get into my work buildings to meet me for lunch. You just need to carry a baby in a baby carrier and everyone will let you in.
My Weblog
I work in a secured building - it's a federally protected building right above a train hub and across from the sears tower. Anyway - security is similar to what was described - barely flashing anything that resembles a photo ID card with a splash of red on it is sufficient to get in. I keep fighting the urge to do it, but what I really want to do is just draw a half assed I.D. card with crayon and construction paper and see if it gets me through.
www.wildpad.com
During the summers as a college job I used to work at an insurance company mailroom which housed a lot of paperwork with very personal information SSN's Medical Info you name it, it was there. My fellow mailroom employees and I used to use CVS shopper cards to gain access to every room in the building when we had forgotten our ID cards at home. Also if you happen to have a shopper card for one grocery store it almost always works at a competing grocery store.
I think the invisible hand of the market has its middle finger extended
--A wise old fart named SC0RN
physical security on most sites is a joke. at my last job i used to work for the u.k government and we had a running competition to see who could get past the security guard station with the most rediculous item. i think that the winner used a tin of sardines that looked nothing like the site pass, but was approximately the same shape. i used to use a cigarette packet most of the time. the mag swipes to enter various blocks did actually look for your pass number on a list of approved numbers however - but a large portion of these were left unlocked or propped open during warm periods. lh
I wonder how many companies screen the janitorial staff? Not only do they typically have full access to the building, but they are there after hours and can easily rummage around looking for usernames, passwords, and machines that are still logged in with administrator privledges. Heck they could bring a laptop in and connect directly to the internal network for that matter.
I Am My Own Worst Enemy
they could just use the transporter and beam into any secure area, all they need are the coordinates and blammo, they're in.
But, you forgot, after you beam down there could be an extremely attractive woman just waiting to suck all the salt out of you!
He who knows best knows how little he knows. - Thomas Jefferson
What's most amazing about the story is not that they got "made" second time round but that the woman who did so had left the building, started her car and began to drive away. She remembered what had happened, turned round and came back to shop the two pentesters.
That this happened in this fashion 6 months after the initial (and hugely embarassing) successful penetration reflects both the company's response and the quality of the security awareness training delivered to employees.
How many people, hand on heart, once they're out of the office, would turn round and come back for such a scenario?
Backward%20compatibility%20is%20over-rated
FTA: We advised them to look for a badge and question individuals who appear to be out of place.
... how about, "Call security and tell them" instead?
... is it wise to test just how much of a criminal they are?
... I'm not going to test that theory. Especially if it's late at night, I'm unarmed, and I'm outnumbered 2:1.
:)
Umm
If you've got someone who's in the middle of a criminal act
While it may be that most data poachers serious enough to break into a building aren't violent criminals
Spending the rest of the night duct-taped in a supply closet just doesn't seem like all that much fun to me
- Roach
Pretty much any type of tools. ESPECIALLY telephone buttsets. My dad worked for a phone company for a long time, and if he had a telephone buttset, nobody every questioned his credentials, or took a second thought about letting him into anywhere in a building. Locked door? Just ask someone to open it for you!
Clipboard. If you got a clip board, people are AFRAID to question you. A coworker of mine visited a major plant once, and the employees mistook him for a CEO or something like that because he had a clipboard.
Suit and tie. People will assume you're a rep of a visiting company and will give you directions.
The best locks in the world won't do any good if someone trusted opens it for an attacker.
If you think education is expensive, you should try ignorance -- Derek Bok, president of Harvard
It occurs to me that all this attention to security detail will come to naught in the Star Trek future - they could just use the transporter and beam into any secure area, all they need are the coordinates and blammo, they're in.
I refer you over to Larry Niven's essay, "The Theory and Practice of Teleportation", collected in All The Myriad Ways; you'll probably need to check used bookstores or libraries for it. However, as my memory serves, he characterized that type of teleportation (both recieve-to-device-from-anywhere and send-from-device-to-anywhere) as "you don't get a society, you get a short war".
//Information does not want to be free; it wants to breed.
OK here an example from a recent pen test .
Someone setup a test SQL server in the lab with access to the production netowork.
Since it's "just a lab box" the SA password was left blank.
at some point a domain admin logged into this box.
The security team accessed the box with the local SA account.
They got the LSASS password cache.
With that they got the Domain Admin account.
They used that to acccess a DC, got the SAM and used Rainbow crack with a 10gig pre compiled hash DB to get 30 out of 35 domain admin accounts.
If you think it's expensive to hire a professional to do the job, wait until you hire an amateur. --Red Adair
Most security people are minimum wage. I see people talking about flashing cards and cans of food, etc. This is not a surprise.
I once entered the R&D area of a fortune 500 company using an ID that was printed on an ink jet printer and had my picture and the CIA logo on it. I was questioned and just flashed the card. That ended all questions.
When I was managing a computer company, I came back from lunch to find the lead chatting with a guy. The guy introduced him self as the fire marshal and the lead informed me that there was a Fire Inspection going on. The "Fire Marshal" told me I could not go into the back while the inspection was going on. I proceeded to enter the back to find the "Inspector" inspecting the computer equipment. Right out the back door!
The truth is that most people will not question you, provided you look like you belong and have some form of ID to back it up.
Now it is time to go to the uniform store and get a security guard uniform. I think ill stand next to the night deposit box at the bank. Just to see how many people will give me there deposits when I tell them that the deposit box it broken and I am there to collect and secure there deposit.
"It's a good thing people generally like working here"
At my company, we've gone through two names since 2000 and went from a people loving company to a "people at the top" loving company. I've noticed that even though they've tried to tighten security, less people actually care about security so even though they've tried to close holes, they lost thier company wide security net. There isn't a single employee in my building that gives a rats arse about physical security outside of thier own tools/stuff.
When I was hired, people would ask where I worked, and that sort of thing. Although it might not be intentionally a security question, it would've caught me if I didn't belong. Now, new hires wander around without anyone ever asking them anything.
If you think education is expensive, you should try ignorance -- Derek Bok, president of Harvard
My wife has those "Coupon Cards" or "Frequent Shopper" cards for 30 different drug and grocery stores. She used to keep adding new ones to my key chain all the time. Tired of looking like I was hiding quite a package in my pocket al lthe time, I decided to try out a theory of mine. I scanned a stores keychain tag at a totally different store (self checkout, obviously can't hand it to a cashier). Well, it worked just fine. While you obviously won't get credit for the sale (big deal) as who knows what account it goes to, you do get all the "virtual coupons" associated with the card.
I now just carry one shopping card (Harris Teeter I think). It works at almost every store wherever I travel...CVS, Lowes Foods, Bi-Lo, etc. I just scan the card and it says "Welcome member".
And FYI. The ATM vestibules- big deal- they are all set to open on any magnetic reader as most banks and credit card companies use different numbers of tracks, data types, and encryption. They don't want to "lock out" members of other banks and not get to charge them a $3.00 "convienience fee" so they let basically any card in. Its not like it gives you access to the ATM if you use a fake card, you just gain access to a vestibule full of video cameras. Its only made as a "deterrant".
Spelling/Grammer police- I did this from a mobile while in a meeting, I don't feel like jumping through hoops to use a spell check. Just bear with me for now.
Repant. Thy end is sheer.
Do they taste 50% better than M&M's?
-- 3 events that reshaped the world in the 20th century: WW1, WW2, and WWW
Buy your tickets online, using TicketMaster's instant delivery mechanism. They email you a PDF that serves as the ticket.
Scan it in, bring it into photoshop, and edit the seat location. For that matter, use scissors and tape and a copier to modify your seat location. Make sure you make it a front row seat!
Then when you go to the concert, use the original to get in the door. Use your edited version to wander the floor. Obviously you probably won't have a seat, but you'll be able to get pretty darn close. All because they only scan the ticket at the door. They visually inspect the ticket to see if you are special enough to get up close.
* Seriously, I would never suggest that you break the law. This idea is purely for entertainment and discussion purposes. Kids, don't try this at home!