Slashdot Mirror

← Back to Stories (view on slashdot.org)

The Spy in Your Server Room

Posted by ryuzaki0 on from the social-engineering-for-fun-and-profit dept.

CorinneI writes "Your business's private information may not be as safe as you think — especially when you take into account how many people pass through your office's revolving door on a daily basis. That's why many companies hire TraceSecurity employees to test the security of their systems — operations that usually involve TraceSecurity personnel talking their way into offices in order to gain access to server rooms and sensitive customer information. PC Magazine was invited along to cover a recent TraceSecurity operation."

17 of 120 comments (clear)

  1. Eh? by ScorpFromHell · · Score: 5, Insightful

    Is this an ad or an article?

    --
    -- Prem
    Aiming to tweet on a rice ... help me find the write pen!
    1. Re:Eh? by blincoln · · Score: 5, Funny

      Is this an ad or an article?

      According to TraceSecurity, advertisements on Slashdot often masquerade as articles. That's why many Slashdot members hire TraceSecurity to validate their contents before reading them. This message brought to you by TraceSecurity: Tracing your Security so that you can be secure in the knowledge that your Security is Traced.

      --
      "...always new atoms but always doing the same dance, remembering what the dance was yesterday." -Richard Feynman
  2. Slashvertisement! by b96miata · · Score: 5, Insightful

    This summary could have conveyed all the necessary information quite easily and been just as valid by replacing "TraceSecurity" with the more generic "penetration testing company". Enjoy your plug guys!

    1. Re:Slashvertisement! by GroeFaZ · · Score: 4, Informative

      I agree. TFA packaged the company's name 48 times in exactly as many mostly one-sentence paragraphs. Yes, I did count. PCMAG should disclose, did they ask that company for help in that report, or was it the other way around?

      --
      The grass is always greener on the other side of the light cone.
    2. Re:Slashvertisement! by Anonymous Coward · · Score: 3, Interesting

      Yep. This poseter created a brand new user id (CorinneI) and linked it directly to www.pcmag.com, too. What a crock.

  3. They must be good by Sockatume · · Score: 5, Funny

    They managed to walk right into the front page of Slashdot with no resistance whatsoever.

    --
    No kidding!!! What do you say at this point?
  4. Sneakers by underwhelm · · Score: 4, Funny

    The article is ok... but the movie adaptation is a thrill ride!

    --

    I don't need large brains to have a good time.

  5. Moderated -1 "Blatant advertising" by Bagheera · · Score: 4, Informative

    Penetration testers doing their job: Film at 11.

    Seriously, while it's not an entirely bad article on a penetration test, this is nothing but a shameless plug.

    --
    Never attribute to malice what can as easily be the result of incompetence...
    1. Re:Moderated -1 "Blatant advertising" by spun · · Score: 4, Funny

      Penetration testers doing their job: Film at 11. Normally, CineMax doesn't show that type of film until after midnight...
      --
      - None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
  6. #1 cause is underpaid IT staff. by Lumpy · · Score: 3, Interesting

    first server room access should be limited to a very short list. and nobody on that list should be so underpaid they would stupidly let someone in there without at least 2 sets of eyes on them.

    All they prove is that IT departments are not only underpaid but under staffed.

    the second thing they prove is that the security staff is also underpaid and understaffed. Sorry but my first shot is to ask what company they are from, then google it to find the phone number. I never call the number given by the person or on their badge or paperwork.

    There are lots of other ways. also you don't need access to the server room to install a rogue AP and gain a wireless cracking point. one hidden nicely under the a desk on the 2nd floor corner office is a better place.

    --
    Do not look at laser with remaining good eye.
    1. Re:#1 cause is underpaid IT staff. by Aladrin · · Score: 3, Interesting

      "I never call the number given by the person or on their badge or paperwork."

      Would you similarly distrust the number given to you from the email that was sent and appeared to be from management? I know I would assume that if the number differs from the public one on the web, it's because we have a corporate plan and have priority support from them. I -do- distrust anyone who claims to be X and give me the phone number to prove it. WAY too easy to fake.

      "There are lots of other ways. also you don't need access to the server room to install a rogue AP and gain a wireless cracking point. one hidden nicely under the a desk on the 2nd floor corner office is a better place."

      You do if the network is secured properly. Especially if they bothered to have 2 networks.

      --
      "If you make people think they're thinking, they'll love you; But if you really make them think, they'll hate you." - DM
  7. CmdrTaco by u38cg · · Score: 4, Interesting

    When you say you refuse to allow advertising masquerading as articles, I believe that's your intention, but really - what else is this?

    --
    [FUCK BETA]
  8. Auto-Hack 2000 by nsanders · · Score: 3, Insightful

    TraceSecurity could have gone one step further and uploaded its software onto the financial institution's system with the discs. A signal would then be sent to TraceSecurity computers, which could access the system remotely.


    So by placing the CD-ROM in a computer, it will automatically hack what ever OS the computer is running and auto install your software? Or are you implying that this company left server consoles logged in as an admin user?

    I call major bullshit on this article. There's some real iffy stuff here as pointed out by other /.'ers as well. I get that it's all about social engineering, which is a huge problem. But some of their claims are a little too out there. Like saying they "could" have done this, or "could" have done that. Well you don't know that you really could until you try it. Most of our environments here have NO Internet access. It is entirely firewalled going out. Does your magic CD-ROM also auto-hack their firewalls too?
    1. Re:Auto-Hack 2000 by Ritchie70 · · Score: 3, Insightful

      It's a reasonable tag if you ask me.

      If you can put a CD-ROM in the drive, you have full physical access. At least for a typical PC-type system (which most servers are these days) physical access means you own the box. Reboot, boot from the CD, mount the hard drive, bang.

      --
      The preferred solution is to not have a problem.
  9. How exactly did they send an email to the office? by appleguru · · Score: 3, Insightful
    From TFA:

    TraceSecurity modified the company's domain and sent an office-wide e-mail that looked as though it came from a higher-up in the branch. It warned employees of an upcoming pest control visit, and requested that the pest control workers be escorted through the office to check for infestation.
    They "modified the company's domain"? How, exactly, did they go about doing that? If they can get access to internal DNS/email servers/etc from the outside, then your company has bigger security problems than those presented by a social engineering exercise...
    --
    appleguru.org
  10. Flame ON! by nuzak · · Score: 4, Insightful

    Slashvertisement, in its most distilled form. I guess the "editorship" here wrenched their shoulders after patting themselves on the back during their tenth anniversary. So much for integrity.

    Seriously, even though I know all too well how running something like slashdot is a lot harder than it looks, and how not everyone can be satisfied, and how quality sometimes has to come after candor, even after all that, I know deep down I actually could start something better than this dreck. But frankly, "social links" and blog aggregators are already out there, and I won't pour my money down the hole of recreating reddit, digg, or technorati.

    This article shows precisely how slashdot is not only not journalism, it's not even a respectable blog. Slashdot occupies the medium precisely inbetween, known colloquially as "The Worst of Both Worlds." You should be ashamed . But I know you aren't.

    --
    Done with slashdot, done with nerds, getting a life.
  11. Penetration testing is next to useless by David_Hart · · Score: 3, Insightful

    For most companies, physical penetration testing is next to useless. Why? Because management expects IT and employees to act as security guards. IT is the gatekeeper of your ditial information, not your physical hardware. If you want a physically secure facility, hire security personnel. Tailgating can be easily solved by having security guards present at each key card entrance, forcing each person to badge in. Otherwise, it is just a show put on by management to get funding for more security toys. David