Slashdot Mirror


The Spy in Your Server Room

CorinneI writes "Your business's private information may not be as safe as you think — especially when you take into account how many people pass through your office's revolving door on a daily basis. That's why many companies hire TraceSecurity employees to test the security of their systems — operations that usually involve TraceSecurity personnel talking their way into offices in order to gain access to server rooms and sensitive customer information. PC Magazine was invited along to cover a recent TraceSecurity operation."

120 comments

  1. Eh? by ScorpFromHell · · Score: 5, Insightful

    Is this an ad or an article?

    --
    -- Prem
    Aiming to tweet on a rice ... help me find the write pen!
    1. Re:Eh? by rucs_hack · · Score: 0, Redundant

      Is this an ad or an article?

      It reads like an Advert. I wonder....

    2. Re:Eh? by Anonymous Coward · · Score: 0

      {{db-spam}}

    3. Re:Eh? by Anonymous Coward · · Score: 0

      >Is this an ad or an article?

      hint: SETEC ASTRONOMY

    4. Re:Eh? by blincoln · · Score: 5, Funny

      Is this an ad or an article?

      According to TraceSecurity, advertisements on Slashdot often masquerade as articles. That's why many Slashdot members hire TraceSecurity to validate their contents before reading them. This message brought to you by TraceSecurity: Tracing your Security so that you can be secure in the knowledge that your Security is Traced.

      --
      "...always new atoms but always doing the same dance, remembering what the dance was yesterday." -Richard Feynman
    5. Re:Eh? by xorbe · · Score: 1

      They called tech workers with lesser social skills "booger-eaters"!

    6. Re:Eh? by Tim+C · · Score: 1

      Oh come on, the submitter's name is linked to PC Mag's website fer crying out loud. This has advert written all over it - the only question is which company (PC Magazine or the pen testers) paid the most for it.

    7. Re:Eh? by vought · · Score: 1

      TraceSecurity...the shining star of Baton Rouge's burgeoning information technology industry.

      A city of paranoiacs with a single successful computer-related company...why am I not surprised?

    8. Re:Eh? by tonyreadsnews · · Score: 1
      Really, I thought the article read more like an old movie plot.

      Increased security in recent years means TraceSecurity personnel are trying to get past "guys with machine guns."

      I wonder if they get extra pay for that...
    9. Re:Eh? by Hoi+Polloi · · Score: 1

      What was TraceSecurity's website again? And just why are their rates so damn affordable?

      --
      It is by the juice of the coffee bean that thoughts acquire speed, the teeth acquire stains. The stains become a warning
    10. Re:Eh? by Anonymous Coward · · Score: 0

      I imagine it was purchased as a package. PC Magazine no doubt has some price structure that will let a company buy an 'article' with various options, one of which is front page at Slashdot. (Slashdot and PC Mag having settled on the cost of that in some prior negotiations)

      Really, this is a good deal all the way around. PC Magazine can buy Slashvertisements in bulk and Slashdot scores a nice high volume customer.

  2. Slashvertisement! by b96miata · · Score: 5, Insightful

    This summary could have conveyed all the necessary information quite easily and been just as valid by replacing "TraceSecurity" with the more generic "penetration testing company". Enjoy your plug guys!

    1. Re:Slashvertisement! by syrinx · · Score: 1

      That would have required effort on the part of the submitter: the summary is cut and pasted right out of TFA.

      So I'm not sure if it's a Slashvertisement, or a PCMagvertisement + lazy submitter.

      --
      Quidquid latine dictum sit, altum sonatur.
    2. Re:Slashvertisement! by Creepy+Crawler · · Score: 1

      I've got a penetration testing company, and Im the CEO.

      Cause Im da pimp!

      --
    3. Re:Slashvertisement! by GroeFaZ · · Score: 4, Informative

      I agree. TFA packaged the company's name 48 times in exactly as many mostly one-sentence paragraphs. Yes, I did count. PCMAG should disclose, did they ask that company for help in that report, or was it the other way around?

      --
      The grass is always greener on the other side of the light cone.
    4. Re:Slashvertisement! by Anonymous Coward · · Score: 3, Interesting

      Yep. This poster created a brand new user id (CorinneI) and linked it directly to www.pcmag.com, too. What a crock.

    5. Re:Slashvertisement! by Anonymous Coward · · Score: 0

      I prefer to penetrate via the backdoor. Hey now!

    6. Re:Slashvertisement! by Anonymous Coward · · Score: 0

      I can tell, the mauve triangle icon appeared on my system tray. However, my kernel has CCR5 enabled. Please keep your retroviral code to yourself.

    7. Re:Slashvertisement! by Frosty+Piss · · Score: 2, Interesting

      As I've pointed out in the past, there are a number of high profile consumer computer mags that get an amazingly (and suspicious) free ride here at Slashdot.

      --
      If you want news from today, you have to come back tomorrow.
  3. Server room? by sm62704 · · Score: 2, Insightful

    If you have trade secrets on your web server, the spy is the least of your problems.

    OK, bad joke, I know we're talking about the file server here, but why would a spy be in the server room? Wouldn't he be a lot less noticeable logging in from an empty office? Or better yet, an empty office whose owner has just left his machine for the rest room?

    What do you mean, RTFA? This is slashdot, we don't need no FAs!

    -mcgrew

    --
    mcgrew's razor: Never attribute to stupidity that which can be explained by greedy self-interest
    1. Re:Server room? by cpaalman · · Score: 1

      Getting some alone time in a server room for a couple of minutes is plenty to drop in a wireless access point that has SSID broadcast turned off, no sense in tipping your hand if someone sees a new SSID appear, and spend the rest of your time in a van within range playing on the local LAN.

    2. Re:Server room? by corsec67 · · Score: 1

      Or you could be sneakier and use a powerline ethernet extension, since they aren't very common not many people would look for one. I don't know how well that would work, since I don't use them either.

      --
      If I have nothing to hide, don't search me
  4. Social Engineering by duplicitious · · Score: 2, Insightful

    Old con, it shows how trusting people can be, but shouldn't.

    1. Re:Social Engineering by zildgulf · · Score: 1

      The con is very old, but extremely effective. People, unlike computer systems, don't change every five years. People are usually compliant, if not trusting.

      Long ago, when I was a pimply-faced youth working at a somewhat sensitive location, we were trained over and over again to escort one guest per employee and no more, and to BE that person's shadow. We were to keep that person on task or escort them out. If they bolted, you grab anyone's phone and call security ASAP (welcome to the 80's). That way it is less likely that one person is to pull off something, but it is not totally impossible.

      The rest is up to the reader's imagination.

  5. They must be good by Sockatume · · Score: 5, Funny

    They managed to walk right into the front page of Slashdot with no resistance whatsoever.

    --
    No kidding!!! What do you say at this point?
  6. Seatech Astronomy by Anonymous Coward · · Score: 0

    Which is an anagram of Slashvertisement.

    1. Re:Seatech Astronomy by Sockatume · · Score: 1

      If the company was called "Seatech Astronomy", you'd have a really amazing joke there.

      --
      No kidding!!! What do you say at this point?
    2. Re:Seatech Astronomy by Anonymous Coward · · Score: 0

      Nitpick: Setec Astronomy.

    3. Re:Seatech Astronomy by andreyvul · · Score: 1

      there is no 'v' in Seatech Astronomy, therefore you are incorrect.

      --
      proud caffeine whore
    4. Re:Seatech Astronomy by afabbro · · Score: 1

      Sorry, it's not...but try again here.

      --
      Advice: on VPS providers
    5. Re:Seatech Astronomy by myowntrueself · · Score: 1

      Did no one get this?

      Too Many Secrets.

      From a famous movie.

      Involving 'hackers'.

      --
      In the free world the media isn't government run; the government is media run.
    6. Re:Seatech Astronomy by Anonymous Coward · · Score: 0

      rat cooties semen

  7. Sneakers by underwhelm · · Score: 4, Funny

    The article is ok... but the movie adaptation is a thrill ride!

    --

    I don't need large brains to have a good time.

    1. Re:Sneakers by martin_b1sh0p · · Score: 1

      Great! Thanks a lot! Now everyone knows what my nick means...

  8. Waste of kilobytes by Major+Blud · · Score: 2, Insightful

    This article was a complete waste of time. No details were laid out for us; my favorite was when they said they "could have" plugged in a wireless access point to the server rack. Without actually trying it, they didn't prove dick....for all we know their network may not have allowed unknown MAC addresses. It was all a bunch of "we could have" done this, or "could have" done that. Just do it for god's sake! Just walking into the server room and putting stickers on a server doesn't prove that you actually could have walked off with it. Just saying that you "could have" disabled the alarm system doesn't really mean that you wouldn't have caught someone's attention.

    --
    If you post as Anonymous Coward, don't expect a reply.
    1. Re:Waste of kilobytes by Ragein · · Score: 1

      The company might not have allowed them to test this far, remember they are testing clients not actually ripping the place off.

      --
      They fitted George Orwell's coffin with rollers so he could turn over more easily years ago.
  9. Moderated -1 "Blatant advertising" by Bagheera · · Score: 4, Informative

    Penetration testers doing their job: Film at 11.

    Seriously, while it's not an entirely bad article on a penetration test, this is nothing but a shameless plug.

    --
    Never attribute to malice what can as easily be the result of incompetence...
    1. Re:Moderated -1 "Blatant advertising" by spun · · Score: 4, Funny

      Penetration testers doing their job: Film at 11. Normally, CineMax doesn't show that type of film until after midnight...
      --
      - None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
    2. Re:Moderated -1 "Blatant advertising" by Bee1zebub · · Score: 1

      More people reading the firehose would stop a lot of this sort of thing getting past that stage. I think the main reason the respected mags get such a free ride here is that too many people don't RTFA, so they never notice that it is a plug piece. They just see that it is in a major magazine and assume it must be good. Of course, once one person has actually read the article and noticed how bad it is, everyone else goes and has a look, and posts the same thing. It would be interesting to see if it is the same few people every time who spot these articles, but it would take far too much effort to do this manually.

    3. Re:Moderated -1 "Blatant advertising" by Raenex · · Score: 1

      Read the article? I read the summary and knew it was a Slashvertisement. It was so blatant I'm just reading this thread to look for any kind of response from the editors. Not that I really expect to find any but ya never know.

  10. #1 cause is underpaid IT staff. by Lumpy · · Score: 3, Interesting

    first server room access should be limited to a very short list. and nobody on that list should be so underpaid they would stupidly let someone in there without at least 2 sets of eyes on them.

    All they prove is that IT departments are not only underpaid but under staffed.

    the second thing they prove is that the security staff is also underpaid and understaffed. Sorry but my first shot is to ask what company they are from, then google it to find the phone number. I never call the number given by the person or on their badge or paperwork.

    There are lots of other ways. also you don't need access to the server room to install a rogue AP and gain a wireless cracking point. one hidden nicely under a desk on the 2nd floor corner office is a better place.

    --
    Do not look at laser with remaining good eye.
    1. Re:#1 cause is underpaid IT staff. by Aladrin · · Score: 3, Interesting

      "I never call the number given by the person or on their badge or paperwork."

      Would you similarly distrust the number given to you from the email that was sent and appeared to be from management? I know I would assume that if the number differs from the public one on the web, it's because we have a corporate plan and have priority support from them. I -do- distrust anyone who claims to be X and gives me the phone number to prove it. WAY too easy to fake.

      "There are lots of other ways. also you don't need access to the server room to install a rogue AP and gain a wireless cracking point. one hidden nicely under a desk on the 2nd floor corner office is a better place."

      You do if the network is secured properly. Especially if they bothered to have 2 networks.

      --
      "If you make people think they're thinking, they'll love you; But if you really make them think, they'll hate you." - DM
    2. Re:#1 cause is underpaid IT staff. by surprise_audit · · Score: 2, Interesting
      Around here, even people *on* the access list don't get to go into the server room without a phone call to the guard from elsewhere in the building. Heck, you can't even get into the building without an access card, or someone going to the guard shack to check you in.

      On the other hand, it wouldn't be too hard for a disgruntled IT worker to set up a WAP for someone to gain access, but I suspect the signal would be a bit hard to pick up through concrete walls and across 500 feet of parking lot...

    3. Re:#1 cause is underpaid IT staff. by Anonymous Coward · · Score: 1, Insightful

      You do if the network is secured properly. Especially if they bothered to have 2 networks.

      Access point running OpenWrt: clone the executive's PC's MAC address, now set it up to transparently allow the executive to work just fine, open up ports for remote access that the IT guys will probably use. Now it looks like the executive's PC is online and happy. Your computer connected wirelessly looks like it's the executive PC as well. Start your escapades... you have remote control over the AP so you can adjust things at will.

      Even if you have it tight as a drum, whatever that executive has access to the intruder does as well. Hell, he can even set it to sniff all traffic and snag the executive's data to sniff out the username and password easily. Look, all the financial records are wide open as well as business plans etc....

      You can't "protect" from that short of regular security sweeps.

    4. Re:#1 cause is underpaid IT staff. by pikine · · Score: 2, Insightful

      the second thing they prove is that the security staff is also underpaid and understaffed. Sorry but my first shot is to ask what company they are from, then google it to find the phone number. I never call the number given by the person or on their badge or paperwork.

      It probably wouldn't be very difficult to set up a rogue website. Since TraceSecurity bothered to prepare for the operation a week in advance, even printing a custom designed magnetic plaque to brand their rented car, there is ample time for Google to pick up the website. It doesn't have to be the highest page ranked for pest control because you'll be searching for the company's name.

      Visitors should never be left unattended, but it is often impractical to deposit an employee for watching whenever there is a visitor. Notice there is a difference when the visit is solicited: there is someone inside the company who initiated the visit, so let him be responsible. In the case of a legitimate visit by pest control, someone inside the company must have called them over, so it is also his job to attend the pest control or at least appoint someone to attend them. There should be some way inside the company to figure out who is the host of a visitor, then make the host accountable.

      --
      I once had a signature.
    5. Re:#1 cause is underpaid IT staff. by JPriest · · Score: 1

      Not everyone is that secure, and just because a company is secure in some areas does not mean there aren't any weak links.

      --
      Saying Java is nice because it works on all OS's is like saying that anal sex is nice because it works on all genders.
    6. Re:#1 cause is underpaid IT staff. by megaditto · · Score: 1

      Wouldn't most places use VPN encryption these days?

      --
      Obama likes poor people so much, he wants to make more of them.
    7. Re:#1 cause is underpaid IT staff. by Rakishi · · Score: 1

      VPN is for external connections (and even that may be crackable depending on the implementation), generally local network traffic is not encrypted (as they assume it is physically secure).

    8. Re:#1 cause is underpaid IT staff. by Anonymous Coward · · Score: 0

      VPN for the wireless is what the poster means -- I have seen this a number of places, where even the internal wireless network is considered untrusted just like the internet and therefore any wireless access to the main (wired) network and internal servers happens over a VPN, just like access from offsite.

    9. Re:#1 cause is underpaid IT staff. by dreamer-of-rules · · Score: 1

      I suppose the normal router you'd pick up at Best Buy wouldn't reach that far, but specialty devices might be able to breach the walls and reach a publicly available spot. Remember the bluetooth hacking experiments last year? They were able to hack into a bluetooth phone from a range of 1 mile. With custom transmitter on the inside and a custom receiver on the outside, cement walls probably won't be an insurmountable problem.

      --
      Everyone is entitled to his own opinions, but not his own facts.
    10. Re:#1 cause is underpaid IT staff. by AndrewM1 · · Score: 1

      The problem with this is that it's vulnerable to exactly what they did: faking an email. The penetration testers, a few days before their visit, sent an email forged to look like it was from senior management informing people about this. Now, it looks like the senior manager initiated the visit, though he has no clue. It's a bad idea to rely on the idea that "whoever initiated the visit should be responsible for watching them" - what happens if the security guard just sent them on their way, while assuming that the blissfully ignorant senior executive will have someone watching them?

      You need a consistent policy to apply to all visitors; one which doesn't rely on assuming someone else will take care of the problem.

    11. Re:#1 cause is underpaid IT staff. by Technician · · Score: 1

      There are lots of other ways. also you don't need access to the server room to install a rogue AP and gain a wireless cracking point. one hidden nicely under a desk on the 2nd floor corner office is a better place.

      Where I work, wireless security is taken very seriously. Sweeps for rogue access points are regular. Access points found are published in employee communications. A much better hack would be some kind of inside server, but it would have to make its own outgoing connection to a controlled web server as the proxy/firewall would go a long way stopping an internal server. Something posing as a VOIP client might be able to make connections without being noticed.

      --
      The truth shall set you free!
    12. Re:#1 cause is underpaid IT staff. by Bee1zebub · · Score: 1

      I did work experience on a government site where highly classified work is done, and everyone who had not been fully checked, signed the local version of the official secrets act and so on had to be escorted at all times by a member of staff, from the moment they passed through the gate. If no-one collects them, the person just has to sit in the guardhouse and wait. This way, even if there was a faked message authorising their visit, they would still be supervised by someone, preventing such an attack.

    13. Re:#1 cause is underpaid IT staff. by pikine · · Score: 1

      You misunderstood my point. They can fake e-mail from anybody, which nobody should care about except when they actually come on-site. The first question is "who invited you here?" Then the security guard or receptionist would look up the name from a directory, call the person, confirming that the visitor is here, then hand the responsibility over to the host. The only assumption I make is that the host would be fully accountable for his visitor's action. This includes finding a watch-person if the host is not available.

      This is what should have happened with TraceSecurity. They would send out a fake e-mail from the higher-up a week in advance announcing that pest control is coming. People could ignore it, assuming that somebody is taking care of it. When TraceSecurity comes, someone will stop them and ask who is responsible for their visit. TraceSecurity gives out the name of the CEO who authorized the security audit. Someone calls the CEO or his secretary and confirms the visit. Then the policy kicks in: the CEO himself must either be present and escort TraceSecurity folks, or he must appoint someone to do that. If nobody shows up, the security guard or receptionist holds them at the entrance until somebody does. The best thing that could happen is that the CEO or someone appointed by the CEO watches TraceSecurity folks put blank CD-ROMs and their stickers on the server.

      If someone simply sends TraceSecurity on their merry way to the server room assuming the senior executive is "blissfully ignorant," then the company has serious leadership problems, and server room is just one thing that can go wrong. But I don't think many companies are like that, so this wouldn't be the reason TraceSecurity is able to penetrate successfully.

      I think the most likely and the most devastating situation is when somebody tries to make the best local judgment with good intention that backfires. When pest control shows up for an appointment but you don't let them in, it could cost the company money for a missed appointment. You decide to save money for the company by letting them in regardless of whether that violates the policy. This typically happens in a corporate culture that values "trust" and "doing someone a favor" as an integral part of the company. These values are what make a society thrive but are also the most vulnerable to social engineering.

      --
      I once had a signature.
  11. Locks! by techpawn · · Score: 1

    Come on people, if there is a lock on the door and you know the people with the key to the room the chances for needing a slashvertisement like that decrease and knowing who has physical access to your servers increase...

    --
    Ask not what you can do for your country. Ask what your country did to you
    1. Re:Locks! by Lumpy · · Score: 2, Insightful

      Actually we use the insecure proximity cards for access. but we also have motion sensors in the server room that set off a blinking light in the IT offices whenever someone is in the room. when we see the blinky most of us usually flip over to look at the plasma on the wall showing the camera or we simply connect to one of the axis cameras in the room and see what is up.

      If it's not one of the 5 people that are allowed in there. Call security and have them meet you at the door.

      really simple. but it's money spent that is better spent on an executives custom desk or office remodel.

      --
      Do not look at laser with remaining good eye.
    2. Re:Locks! by spun · · Score: 1

      Huh. Is that what passes for security these days? We keep our servers in a darkened cellar with no stairs, in a locked filing cabinet in a disused lavatory marked 'Beware of the Leopard.' So far that's kept out everyone but this one English bloke...

      --
      - None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
    3. Re:Locks! by garwain · · Score: 1

      yep, only essential personnel should have access, and they communicate. If $ServicePerson shows up, to deal with $server, they should have an appointment with $internalPerson. If $internalPerson knows about it, but will not be around to supervise, then a note should be left for $AnotherInternalPerson to know $whatTheHellIsGoingOn, if there is no traceability and no one is expecting $servicePerson, then send him packing,

  12. Oh Please by TheBrutalTruth · · Score: 2, Insightful
    While a relevant article (to some, I guess), the summary IS a shameless plug - even if not intended.

    Editors: For the sake of credibility, please consider before you post. Unless you would consider my story about a bridge in Brooklyn I have for sale, then I might reconsider my position.

    --
    Enlightenment is a pipe dream. So where's the pipe?
  13. TF2 by Anonymous Coward · · Score: 0

    Spy's sappin my dispenser!

  14. CmdrTaco by u38cg · · Score: 4, Interesting

    When you say you refuse to allow advertising masquerading as articles, I believe that's your intention, but really - what else is this?

    --
    [FUCK BETA]
    1. Re:CmdrTaco by Anonymous Coward · · Score: 0

      I don't know where Taco stated that, but if he did he is obviously just pandering to the anti-business types who frequent Slashdot.

      He posted a series of articles dedicated to the band They Might Be Giants, which were the first obvious paid ads masquerading as stories that I remember seeing. Not more than a few days have passed without a Slashvertisement since then.

      I think the readership would be fine with it if he'd just be more open about it. Slashdot has bills to pay just like any other web site.

  15. Auto-Hack 2000 by nsanders · · Score: 3, Insightful

    TraceSecurity could have gone one step further and uploaded its software onto the financial institution's system with the discs. A signal would then be sent to TraceSecurity computers, which could access the system remotely.

    So by placing the CD-ROM in a computer, it will automatically hack what ever OS the computer is running and auto install your software? Or are you implying that this company left server consoles logged in as an admin user?

    I call major bullshit on this article. There's some real iffy stuff here as pointed out by other /.'ers as well. I get that it's all about social engineering, which is a huge problem. But some of their claims are a little too out there. Like saying they "could" have done this, or "could" have done that. Well you don't know that you really could until you try it. Most of our environments here have NO Internet access. It is entirely firewalled going out. Does your magic CD-ROM also auto-hack their firewalls too?
    1. Re:Auto-Hack 2000 by wattrlz · · Score: 1

      I just thought they assumed the, "financial institution" in question was running windows.

    2. Re:Auto-Hack 2000 by Aladrin · · Score: 1

      Who said automatically? They said they COULD have gone a step further. They could have placed a trojan on the computer, which would then contact the TS computer and allow remote access. They are saying that they DO that when the customer requests it, but it was not requested in this case.

      --
      "If you make people think they're thinking, they'll love you; But if you really make them think, they'll hate you." - DM
    3. Re:Auto-Hack 2000 by Ritchie70 · · Score: 3, Insightful

      It's a reasonable tag if you ask me.

      If you can put a CD-ROM in the drive, you have full physical access. At least for a typical PC-type system (which most servers are these days) physical access means you own the box. Reboot, boot from the CD, mount the hard drive, bang.

      --
      The preferred solution is to not have a problem.
    4. Re:Auto-Hack 2000 by rufty_tufty · · Score: 1

      Doubt it:
      For a start anyone worth their salt would have set up the bios correctly and you can't do the exploit you've just cited, hell I can't even do that exploit on any of the desktop work PCs I've used (3 separate companies), never mind one of the servers...
      Secondly if you're about to say - swap out the hard drive then you're still wrong - it takes a fair amount of time to swap out a hard drive and I bet that would be noticed. Now maybe they are hot plug drives in the server, but good luck getting a properly set up raid card to boot from a new drive without appropriate passwords.
      So you're back on plugging in your laptop/wap to the network port, but again just about any secure network will be MAC address locked, so again that does you no good.

      While I agree a physical compromise as they have described is a serious fault, it is one layer in what should be a multi-layer security model.

      --
      "The weirdest thing about a mind, is that every answer that you find, is the basis of a brand new cliche" -
    5. Re:Auto-Hack 2000 by nsanders · · Score: 1

      Who said automatically? They said they COULD have gone a step further. They could have placed a trojan on the computer, which would then contact the TS computer and allow remote access. They are saying that they DO that when the customer requests it, but it was not requested in this case.

      By hacking the OS from the login prompt? By standing at the terminal for 20 minutes while they reboot and bypass the OS? By installing software on an unlocked terminal? I still find this whole story fluff.
    6. Re:Auto-Hack 2000 by dreamer-of-rules · · Score: 1

      By default, Windows will auto-run programs on CDs. This "feature" was exploited by Sony to automatically install rootkits on your system when you inserted one of their pop artist music CDs. Of course, it can be exploited by hackers as well.

      There is a registry entry you can change to disable autorun, which I highly recommend. Unfortunately, it breaks auto-detection of inserted CDs, which means that if you enable it for the normal employee systems, you'll have some extra training / help desk calls to explain why File Explorer or iTunes are not showing the CDs they just inserted.

      I find it weird that most of your environments can't get or send email. That probably isn't typical for most businesses. If your important data is on the network, it can be accessed from some internal systems, at least. If they hack a workstation or two, that'll give them leverage to infiltrate the rest of the network.

      In the server room they might find backup tapes or media which could be stolen, or replaced with blank media with the labels switched.

      If they put a wireless repeater on a network router or somewhere on the network, it will NOT be firewalled. They could attach keylogging hardware in a few seconds with physical access. If the desktop is unlocked, or they got the password previously, or if Windows hasn't been crippled, they could install software to relay whatever they want to/from the wireless gateway they've connected somewhere else on the network.

      I'm just saying, there are other ways to hack systems besides rebooting servers during working hours.

      --
      Everyone is entitled to his own opinions, but not his own facts.
    7. Re:Auto-Hack 2000 by dremspider · · Score: 1

      Well, you are almost correct. What really happens is you put the disk in and it opens up something similar to pipe dream. What you need to do is shift the "pipes" before the water gets to be too full. Depending on how well the box is locked down the water will flow faster. This is how I was taught in my classes from Bioshock university.

      Sorry, I couldn't resist.

    8. Re:Auto-Hack 2000 by Anonymous Coward · · Score: 0

      I know what you are saying but in the IT security field if you can get physical access to a computer then it is game over.

    9. Re:Auto-Hack 2000 by Technician · · Score: 1

      So by placing the CD-ROM in a computer, it will automatically hack what ever OS the computer is running and auto install your software? Or are you implying that this company left server consoles logged in as an admin user?

      I call major bullshit on this article. There's some real iffy stuff here as pointed out by other /.'ers as well. I get that it's all about social engineering, which is a huge problem. But some of their claims are a little too out there. Like saying they "could" have done this, or "could" have done that. Well you don't know that you really could until you try it. Most of our environments here have NO Internet access. It is entirely firewalled going out. Does your magic CD-ROM also auto-hack their firewalls too?

      Before you call major BS, please consider the following... When people find thumb drives or CD-ROMs, they often will check their content while logged into their own account. In a server room, this is often an admin or root account. Does it work? Take a look:

      http://www.securityfocus.com/news/11397

      This hack even works when the employees are warned in advance that they will be tested for security. Leaving a few CDs and thumb drives in a server room is a target rich environment for root access.

      An admin checking out the item at his desk is a wonderful way to gain access without originally needing the admin password.

      Does your magic CD-ROM also auto-hack their firewalls too?

      In short, it has the root privileges of the administrator's account. How many administrators have auto-run disabled? They may know to not bring in outside media, but checking the contents of a misplaced internal CD might get past security checks.

      --
      The truth shall set you free!
    10. Re:Auto-Hack 2000 by toddestan · · Score: 1

      For a server though, I wouldn't count on it. Sure, you could do something like that, but you'll likely be bringing a whole lot of attention to yourself the second that server goes offline.

    11. Re:Auto-Hack 2000 by Ritchie70 · · Score: 1

      The key thing is "anyone worth their salt."

      So far as the server going offline being noticed, I'll bet there are a lot of servers out there that could go down for ten minutes and not exactly have an instant response.

      --
      The preferred solution is to not have a problem.
    12. Re:Auto-Hack 2000 by Anonymous Coward · · Score: 0

      If you can put a CD-ROM in the drive, you have full physical access. At least for a typical PC-type system (which most servers are these days) physical access means you own the box. Reboot, boot from the CD, mount the hard drive, bang.

      Yes, but that takes time, even if the servers are configured to boot from CD.

      Do you know how many people will start neeping if a server goes down for 10 minutes? IT will notice.

    13. Re:Auto-Hack 2000 by Bee1zebub · · Score: 1

      Whilst the exploit you described would almost certainly not work, as the siblings pointed out, what might work would be to place an inline sniffer/transmitter onto a network cable. All it would have to contain is a radio transmitter to send the network traffic passing over the cable, which could possibly be done using analogue circuits which would not interfere with the signal, although powering it may be difficult to do unobtrusively. The difficult part of this would be to plug it in without the logging software noticing.

  16. What about the low wage rent a cop or jantor who.. by Joe+The+Dragon · · Score: 0, Troll

    What about the low wage rent a cop or janitor who has keys to all of the doors in the building and is the same janitor who sometimes unplugs the systems to clean the floor.

    Also some the janitors are not even us citizens.

  17. How exactly did they send an email to the office? by appleguru · · Score: 3, Insightful
    From TFA:

    TraceSecurity modified the company's domain and sent an office-wide e-mail that looked as though it came from a higher-up in the branch. It warned employees of an upcoming pest control visit, and requested that the pest control workers be escorted through the office to check for infestation.

    They "modified the company's domain"? How, exactly, did they go about doing that? If they can get access to internal DNS/email servers/etc from the outside, then your company has bigger security problems than those presented by a social engineering exercise...
  18. Flame ON! by nuzak · · Score: 4, Insightful

    Slashvertisement, in its most distilled form. I guess the "editorship" here wrenched their shoulders after patting themselves on the back during their tenth anniversary. So much for integrity.

    Seriously, even though I know all too well how running something like slashdot is a lot harder than it looks, and how not everyone can be satisfied, and how quality sometimes has to come after candor, even after all that, I know deep down I actually could start something better than this dreck. But frankly, "social links" and blog aggregators are already out there, and I won't pour my money down the hole of recreating reddit, digg, or technorati.

    This article shows precisely how slashdot is not only not journalism, it's not even a respectable blog. Slashdot occupies the medium precisely in between, known colloquially as "The Worst of Both Worlds." You should be ashamed. But I know you aren't.

    --
    Done with slashdot, done with nerds, getting a life.
    1. Re:Flame ON! by nuzak · · Score: 1

      Yunno, I'm not one to complain about moderation, but how the fuck do you justify defending slashdot here?

      --
      Done with slashdot, done with nerds, getting a life.
  19. Re:What about the low wage rent a cop or jantor wh by Anonymous Coward · · Score: 1, Insightful
    Also some the janitors are not even us citizens.

    Heaven forfend!

  20. Penetration testing is next to useless by David_Hart · · Score: 3, Insightful

    For most companies, physical penetration testing is next to useless. Why? Because management expects IT and employees to act as security guards. IT is the gatekeeper of your digital information, not your physical hardware. If you want a physically secure facility, hire security personnel. Tailgating can be easily solved by having security guards present at each key card entrance, forcing each person to badge in. Otherwise, it is just a show put on by management to get funding for more security toys. David

    1. Re:Penetration testing is next to useless by mOdQuArK! · · Score: 2, Insightful

      For most companies, physical penetration testing is next to useless. Why? Because management expects IT and employees to act as security guards.

      Which is a good reason for physical penetration testing: to throw management's assumptions in their face.

    2. Re:Penetration testing is next to useless by Anonymous Coward · · Score: 1, Interesting

      My university (in central London) just installed revolving doors at some entrances to reduce tailgating. In peak hours they're like normal revolving doors, but outside those times (i.e. evening, night, weekends) you have to unlock the door with a university ID card. Each wave of the card lets only one person through, you can't tailgate -- the door locks, and you can only go back out. I don't know how successful they'll be at reducing tailgating (there used to be card-activated sliding doors), but I think they'll be effective.

    3. Re:Penetration testing is next to useless by pthor1231 · · Score: 1

      That is a very similar concept to other high security places I have been in, except usually it's revolving metal bars, so you couldn't even really break them if you wanted to.

    4. Re:Penetration testing is next to useless by xaxa · · Score: 1

      I'm pleased we just have glass doors -- it would look too much like a prison otherwise!

      There were probably fire regulations against something that secure too -- I was in the building late-ish at night a month ago when it caught fire (minor-ish), the four panels that made up each revolving door folded around the next to each other to leave plenty of space to walk out easily.

    5. Re:Penetration testing is next to useless by pthor1231 · · Score: 1

      Hehe, my thought when I first saw the metal bar style turnstile was that it was a prison.

    6. Re:Penetration testing is next to useless by GregNorc · · Score: 1

      My father worked for a large federal agency with just such a system. All I had to do was say his name and I was his son, and I got in. This was not when I was young either - I was 18 and a senior at the time, and had never visited him at work before. Security guards can get just as lax as employees.

    7. Re:Penetration testing is next to useless by Fulcrum+of+Evil · · Score: 1

      Which is a good reason for physical penetration testing: to throw management's assumptions in their face.

      Management that demands IT be security jobs will just demand that they be better guards.

      --
      "We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
  21. Thankfully.. by Carbon016 · · Score: 1

    Server rooms are now being built with really long corridors to prevent the spies from cloaking and getting in, pyros are stationed at various checkpoints, and all workers are usually given baseball bats to hit people trying to enter to see if they bleed.

    1. Re:Thankfully.. by operagost · · Score: 1

      I really hate when I forget my keycard and have to run the gauntlet. Thankfully, my company has a good health plan.

      --

      Gamingmuseum.com: Give your 3D accelerator a rest.
  22. Re:How exactly did they send an email to the offic by uglyduckling · · Score: 1

    I think it means that they modified their own company's domain - in other words they changed the From: field in their email message so it looked internal. Not exactly high-tech but probably enough to fool the majority of users. Their incoming mail servers shouldn't allow those through, but I'm sure most of them do.

  23. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  24. Re:How exactly did they send an email to the offic by michaelwigle · · Score: 1

    I suspect what we're getting here is non-tech trying to explain what the tech told him. It's not unusual for companies to have an all.staff@companydomain.com address to send company-wide e-mails. I figured they just forged the from field to show boss@companydomain.com. Only problem with that tactic, of course, is that the person you are impersonating would also get the e-mail. It does make you wonder if they had some inside help on that part. Mind you, I would think you really would only need to send the e-mail to a couple lower level managers to get the effect you want.

  25. got spy room, need server by wardk · · Score: 1

    got it all backwards, hoping someone can help

  26. Spy Cat by francisstp · · Score: 1

    I'm in ur server roomz, spying your shitz.

  27. Re:How exactly did they send an email to the offic by DerekLyons · · Score: 1

    They "modified the company's domain"? How, exactly, did they go about doing that? If they can get access to internal DNS/email servers/etc from the outside, then your company has bigger security problems than those presented by a social engineering exercise...

    Not entirely true for an institution where the public facing servers and administrative intranets are separate from each other and from the production servers and networks.
  28. Re: citizens by Anonymous Coward · · Score: 0

    Also some the janitors are not even us citizens.

    And what, pray tell, does that have to do with anything? Are you implying that all non US citizens are somehow less trustworthy?
  29. Re:What about the low wage rent a cop or jantor wh by Anonymous Coward · · Score: 0

    If they are not US citizens then they must be terrorists.

  30. What I want to know is... by afabbro · · Score: 2, Funny
    ...if TraceSecurity's Senior Vice President Dariel LeBouef is a real name or a stage name for porn?

    Dariel...THE BEEF!

    --
    Advice: on VPS providers
    1. Re:What I want to know is... by vought · · Score: 1

      No, that's a common surname in Baton Rouge, where TS is located.

    2. Re:What I want to know is... by Jeff+Carr · · Score: 1

      Dariel LeBouef, 15+ years in penetration testing...

      ...what?

      --
      The television will not be revolutionized.
  31. Re:What about the low wage rent a cop or jantor wh by Anonymous Coward · · Score: 0

    > Also some the janitors are not even us citizens.

    Nice to see that mastering the English language is no longer a barrier to entry though.

  32. Re:What about the low wage rent a cop or jantor wh by Anonymous Coward · · Score: 0

    In England, we'd be very suspicious of an American janitor. Non-EU citizen in an unskilled job; you claim to have a work visa...?

  33. Re:How exactly did they send an email to the offic by Andy+Dodd · · Score: 1

    What they probably meant is that they forged a return address from a modified variant of the company's domain.

    e.g. sending an email from FIRSTUNI0N.COM to employees of FIRSTUNION.COM

    --
    retrorocket.o not found, launch anyway?
  34. 42. What was the question? by harvey_peterson · · Score: 0

    They used the company's name 42 times on the first page of the article.

    Too bad. This could have been a great article - a non-fiction version of Sneakers - but instead it comes across as a poorly written paid advertisement.

  35. Blech by Lurker2288 · · Score: 1

    A thrill ride? I thought it had too many secrets.

  36. Re:What about the low wage rent a cop or janitor by rueger · · Score: 1

    Leaving aside the rather "only in the U.S." comment about "citizens," the point is valid. Quite often the two groups that have complete access to a building - the security guards and the cleaners - are also the groups most likely to be subcontracted to the lowest and/or shadiest bidder.

    I suspect that because these people only arrive after office hours no-one in charge ever thinks of them as existing, much less as a security risk.

  37. Re:How exactly did they send an email to the offic by Anonymous Coward · · Score: 0

    I suspect that what this means is that instead of "exec@corporate.com" they sent it from "exec@corporateoffice.com" or other such silliness. Most people aren't particularly observant about that kind of stuff.

  38. Re:What about the low wage rent a cop or jantor wh by DrSkwid · · Score: 1

    Especially if he was mild mannered and particularly hirsute.

    --
    There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
  39. Sleazy by zippy40 · · Score: 1

    These guys are like sleazy insurance con artists.

  40. Re:I bet the tag along went real well by Anonymous Coward · · Score: 0

    RTFA, dumbass.

  41. Re:How exactly did they send an email to the offic by Anonymous Coward · · Score: 0

    The editor likely misunderstood what was happening. My guess is that TraceSecurity "spoofed the company's domain" on an email from the outside to make it look like it came from the inside. It's trivial to do and most people don't have the time or care to double check that the source is really who they say they are. The problem isn't that they fell for the faked email. It is because they fell for the email and a number of other social engineering tricks. Victim Xyz Inc. failed to a) notice that the email was a fake, b) ensure that the pest control was actually on the visitor list, c) verify that the two guys were really from the pest control company they claim to be from, and d) follow them around at all times to ensure that they do their job and nothing else.

  42. Take the corners by Bo'Bob'O · · Score: 1

    That's ok, we keep two engineers in the intelligence room to take care of spies. Just watch out for big guys with chain guns that are glowing red or blue.

  43. Funny the reactions by tuomoks · · Score: 1

    Now, places who want a secure environment / systems have been doing this a long time. An insurance company where I did work in the 70s and I was part of security, managing mainly systems and operations access security, we had a company once/twice a year making a check. And I can tell you, they found a lot of ways in, loose papers, open terminals, unlocked doors, whatever. Very useful. Haven't done that for a while but you should see the Swiss bank security or the French military security, scary. And these guys who did the work for us, they sometimes were even able to penetrate those, don't know to what level but even a small one is bad. So, let's hope they do good work before someone else does it. And they also did other security checks so don't talk too much business after a couple of beers, charming fellows!

  44. Re:How exactly did they send an email to the offic by Anonymous Coward · · Score: 0

    They "modified the company's domain"? How, exactly, did they go about doing that? If they can get access to internal DNS/email servers/etc from the outside, then your company has bigger security problems than those presented by a social engineering exercise...

    The reporter doesn't know how easy it is to fake an e-mail sender (or even recipient, but that's not very useful in this case)
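The forged From: header that comments 17, 22, 24, 33, 37, 41 and 44 speculate about is cheap to fake, but it is also cheap to flag at the receiving gateway. The following is an added example, not code from the article or from TraceSecurity: a header check that labels mail whose From: claims the internal domain but which arrived from a non-internal relay, and mail from a lookalike domain such as the FIRSTUNI0N.COM / corporateoffice.com variants mentioned above. The domain firstunion.com, the 10.0.0.0/8 relay range and the sample headers are constructed assumptions.

```python
import ipaddress
import re
from email import message_from_string

INTERNAL_DOMAIN = "firstunion.com"                      # assumed protected domain
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]    # assumed internal relay range
# Digits an attacker substitutes for similar-looking letters in a lookalike domain.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

def registrable_label(domain: str) -> str:
    """'mail.firstuni0n.com' -> 'firstuni0n' (the label left of the public suffix)."""
    parts = domain.lower().strip().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def is_lookalike(sender_domain: str, internal_domain: str = INTERNAL_DOMAIN) -> bool:
    """Heuristic: the sender domain is not ours but is built to be mistaken for it."""
    ours, theirs = registrable_label(internal_domain), registrable_label(sender_domain)
    if ours == theirs:
        return False
    folded = theirs.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")
    if folded == ours:                                   # FIRSTUNI0N.COM -> firstunion
        return True
    return theirs.startswith(ours) or theirs.endswith(ours)  # corporateoffice.com

def from_domain(msg) -> str:
    """Domain part of the From: header, lower-cased ('' if absent)."""
    m = re.search(r"@([A-Za-z0-9.-]+)", msg.get("From", ""))
    return m.group(1).lower() if m else ""

def first_hop_is_internal(msg) -> bool:
    """The topmost Received: line is the hop our gateway saw; trust only our own nets."""
    received = msg.get_all("Received") or []
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received[0]) if received else None
    if not m:
        return False
    ip = ipaddress.ip_address(m.group(1))
    return any(ip in net for net in INTERNAL_NETS)

def classify(raw: str) -> str:
    """Return 'internal', 'spoofed-internal', 'lookalike' or 'external'."""
    msg = message_from_string(raw)
    dom = from_domain(msg)
    if dom == INTERNAL_DOMAIN or dom.endswith("." + INTERNAL_DOMAIN):
        return "internal" if first_hop_is_internal(msg) else "spoofed-internal"
    return "lookalike" if is_lookalike(dom) else "external"

# Constructed sample headers, not real mail: the pest-control e-mail from the article
# forged from an outside relay, the same with a lookalike domain, and a genuine one.
FORGED = """\
Received: from smtp.example.net (smtp.example.net [203.0.113.7]) by gw.firstunion.com
From: Branch Manager <manager@firstunion.com>
To: all.staff@firstunion.com
Subject: Pest control visit tomorrow

Please escort the pest control workers through the office.
"""
LOOKALIKE = FORGED.replace("manager@firstunion.com", "manager@FIRSTUNI0N.COM")
LEGIT = FORGED.replace("smtp.example.net [203.0.113.7]", "wks42.firstunion.com [10.1.2.3]")
```

A production gateway would do this with SPF/DKIM/DMARC rather than a Received: regex, but the two questions (does the claimed domain match where the mail really came from, and does the domain merely resemble ours) are the same.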