The Spy in Your Server Room

Posted by ScuttleMonkey on Mon Nov 05, 2007 12:41 PM
from the social-engineering-for-fun-and-profit dept.
CorinneI writes "Your business's private information may not be as safe as you think — especially when you take into account how many people pass through your office's revolving door on a daily basis. That's why many companies hire TraceSecurity employees to test the security of their systems — operations that usually involve TraceSecurity personnel talking their way into offices in order to gain access to server rooms and sensitive customer information. PC Magazine was invited along to cover a recent TraceSecurity operation."
  • Eh? (Score:5, Insightful)

    by ScorpFromHell (837952) on Monday November 05 2007, @12:44PM (#21243443) Homepage
    Is this an ad or an article?
    • CmdrTaco (Score:5, Interesting)

      by u38cg (607297) <calum@callingthetune.co.uk> on Monday November 05 2007, @01:09PM (#21243795) Homepage
      When you say you refuse to allow advertising masquerading as articles, I believe that's your intention, but really - what else is this?
    • For most companies, physical penetration testing is next to useless. Why? Because management expects IT and employees to act as security guards. IT is the gatekeeper of your digital information, not your physical hardware. If you want a physically secure facility, hire security personnel. Tailgating can be easily solved by having security guards present at each key card entrance, forcing each person to badge in. Otherwise, it is just a show put on by management to get funding for more security toys.
      • Re: (Score:2, Insightful)

        For most companies, physical penetration testing is next to useless. Why? Because management expects IT and employees to act as security guards.

        Which is a good reason for physical penetration testing: to throw management's assumptions in their face.

        • That is a very similar concept to other high security places I have been in, except usually it's revolving metal bars, so you couldn't even really break them if you wanted to.
    • Re:Eh? (Score:5, Funny)

      by blincoln (592401) on Monday November 05 2007, @01:51PM (#21244417) Journal
      Is this an ad or an article?

      According to TraceSecurity, advertisements on Slashdot often masquerade as articles. That's why many Slashdot members hire TraceSecurity to validate their contents before reading them. This message brought to you by TraceSecurity: Tracing your Security so that you can be secure in the knowledge that your Security is Traced.
    • Oh come on, the submitter's name is linked to PC Mag's website fer crying out loud. This has advert written all over it - the only question is which company (PC Magazine or the pen testers) paid the most for it.
      • TraceSecurity...the shining star of Baton Rouge's burgeoning information technology industry.

        A city of paranoiacs with a single successful computer-related company...why am I not surprised?
  • Slashvertisement! (Score:5, Insightful)

    by b96miata (620163) on Monday November 05 2007, @12:44PM (#21243445)
    This summary could have conveyed all the necessary information quite easily and been just as valid by replacing "TraceSecurity" with the more generic "penetration testing company". Enjoy your plug guys!
    • I've got a penetration testing company, and I'm the CEO.

      'Cause I'm da pimp!
    • Re:Slashvertisement! (Score:5, Informative)

      by GroeFaZ (850443) on Monday November 05 2007, @01:05PM (#21243741)
      I agree. TFA packaged the company's name 48 times in exactly as many mostly one-sentence paragraphs. Yes, I did count. PCMAG should disclose, did they ask that company for help in that report, or was it the other way around?
      • Re: (Score:3, Interesting)

        by Anonymous Coward
        Yep. This poster created a brand new user id (CorinneI) and linked it directly to www.pcmag.com, too. What a crock.
        • Re: (Score:3, Interesting)

          As I've pointed out in the past, there are a number of high profile consumer computer mags that get an amazingly (and suspicious) free ride here at Slashdot.
  • Server room? (Score:3, Insightful)

    by sm62704 (957197) on Monday November 05 2007, @12:46PM (#21243467) Journal
    If you have trade secrets on your web server, the spy is the least of your problems.

    OK, bad joke, I know we're talking about the file server here, but why would a spy be in the server room? Wouldn't he be a lot less noticeable logging in from an empty office? Or better yet, an empty office whose owner has just left his machine for the rest room?

    What do you mean, RTFA? This is slashdot, we don't need no FAs!

    -mcgrew
    • Or you could be sneakier and use a powerline ethernet extension, since they aren't very common not many people would look for one. I don't know how well that would work, since I don't use them either.
  • Old con, it shows how trusting people can be, but shouldn't.
  • by Sockatume (732728) on Monday November 05 2007, @12:46PM (#21243473) Homepage
    They managed to walk right into the front page of Slashdot with no resistance whatsoever.
  • The article is ok... but the movie adaptation is a thrill ride!
  • This article was a complete waste of time. No details were laid out for us; my favorite was when they said they "could have" plugged in a wireless access point to the server rack. Without actually trying it, they didn't prove dick....for all we know their network may not have allowed unknown MAC addresses. It was all a bunch of "we could have" done this, or "could have" done that. Just do it for god's sake! Just walking into the server room and putting stickers on a server doesn't prove that you actua
  • by Bagheera (71311) on Monday November 05 2007, @12:54PM (#21243589) Homepage Journal
    Penetration testers doing their job: Film at 11.

    Seriously, while it's not an entirely bad article on a penetration test, this is nothing but a shameless plug.

  • by Lumpy (12016) on Monday November 05 2007, @12:58PM (#21243647) Homepage
    First, server room access should be limited to a very short list, and nobody on that list should be so underpaid they would stupidly let someone in there without at least 2 sets of eyes on them.

    All they prove is that IT departments are not only underpaid but understaffed.

    The second thing they prove is that the security staff is also underpaid and understaffed. Sorry, but my first shot is to ask what company they are from, then google it to find the phone number. I never call the number given by the person or on their badge or paperwork.

    There are lots of other ways. Also, you don't need access to the server room to install a rogue AP and gain a wireless cracking point. One hidden nicely under a desk in the 2nd floor corner office is a better place.
    • by Aladrin (926209) on Monday November 05 2007, @01:12PM (#21243841)
      "I never call the number given by the person or on their badge or paperwork."

      Would you similarly distrust the number given to you from the email that was sent and appeared to be from management? I know I would assume that if the number differs from the public one on the web, it's because we have a corporate plan and have priority support from them. I -do- distrust anyone who claims to be X and give me the phone number to prove it. WAY too easy to fake.

      "There are lots of other ways. Also, you don't need access to the server room to install a rogue AP and gain a wireless cracking point. One hidden nicely under a desk in the 2nd floor corner office is a better place."

      You do if the network is secured properly. Especially if they bothered to have 2 networks.
        • Wouldn't most places use VPN encryption these days?
          • VPN is for external connections (and even that may be crackable depending on the implementation), generally local network traffic is not encrypted (as they assume it is physically secure).
    • Re: (Score:3, Interesting)

      Around here, even people *on* the access list don't get to go into the server room without a phone call to the guard from elsewhere in the building. Heck, you can't even get into the building without an access card, or someone going to the guard shack to check you in.

      On the other hand, it wouldn't be too hard for a disgruntled IT worker to set up a WAP for someone to gain access, but I suspect the signal would be a bit hard to pick up through concrete walls and across 500 feet of parking lot...

    • Re: (Score:3, Insightful)

      the second thing they prove is that the security staff is also underpaid and understaffed. Sorry but my first shot is to ask what company they are from, then google it to find the phone number. I never call the number given by the person or on their badge or paperwork.

      It probably wouldn't be very difficult to setup a rogue website. Since TraceSecurity bothered to prepare for the operation a week in advance, even printing a custom designed magnetic plaque to brand their rented car, there is ample time for

  • Come on people, if there is a lock on the door and you know the people with the key to the room, the chances of needing a slashvertisement like that decrease and knowing who has physical access to your servers increases...
    • Re: (Score:3, Insightful)

      Actually, we use the insecure proximity cards for access, but we also have motion sensors in the server room that set off a blinking light in the IT offices whenever someone is in the room. When we see the blinky, most of us usually flip over to look at the plasma on the wall showing the camera, or we simply connect to one of the Axis cameras in the room and see what is up.

      If it's not one of the 5 people that are allowed in there, call security and have them meet you at the door.

      Really simple. But it's money.
  • While a relevant article (to some, I guess), the summary IS a shameless plug - even if not intended.

    Editors: For the sake of credibility, please consider before you post. Unless you would consider my story about a bridge in Brooklyn I have for sale, then I might reconsider my position.

  • Auto-Hack 2000 (Score:4, Insightful)

    by nsanders (208050) on Monday November 05 2007, @01:11PM (#21243817) Homepage

    TraceSecurity could have gone one step further and uploaded its software onto the financial institution's system with the discs. A signal would then be sent to TraceSecurity computers, which could access the system remotely.


    So by placing the CD-ROM in a computer, it will automatically hack whatever OS the computer is running and auto install your software? Or are you implying that this company left server consoles logged in as an admin user?

    I call major bullshit on this article. There's some real iffy stuff here as pointed out by other /.'ers as well. I get that it's all about social engineering, which is a huge problem. But some of their claims are a little too out there. Like saying they "could" have done this, or "could" have done that. Well you don't know that you really could until you try it. Most of our environments here have NO Internet access. It is entirely firewalled going out. Does your magic CD-ROM also auto-hack their firewalls too?
    • Who said automatically? They said they COULD have gone a step further. They could have placed a trojan on the computer, which would then contact the TS computer and allow remote access. They are saying that they DO that when the customer requests it, but it was not requested in this case.
      • Who said automatically? They said they COULD have gone a step further. They could have placed a trojan on the computer, which would then contact the TS computer and allow remote access. They are saying that they DO that when the customer requests it, but it was not requested in this case.

        By hacking the OS from the login prompt? By standing at the terminal for 20 minutes while they reboot and bypass the OS? By installing software on an unlocked terminal? I still find this whole story fluff.

    • Re:Auto-Hack 2000 (Score:4, Insightful)

      by Ritchie70 (860516) on Monday November 05 2007, @01:21PM (#21243983) Journal
      It's a reasonable tag if you ask me.

      If you can put a CD-ROM in the drive, you have full physical access. At least for a typical PC-type system (which most servers are these days) physical access means you own the box. Reboot, boot from the CD, mount the hard drive, bang.

      • Doubt it:
        For a start, anyone worth their salt would have set up the BIOS correctly and you can't do the exploit you've just cited; hell, I can't even do that exploit on any of the desktop work PCs I've used (3 separate companies), never mind one of the servers...
        Secondly, if you're about to say "swap out the hard drive" then you're still wrong; it takes a fair amount of time to swap out a hard drive and I bet that would be noticed. Now maybe they are hot-plug drives in the server, but good luck getting a prope
  • From TFA:

    TraceSecurity modified the company's domain and sent an office-wide e-mail that looked as though it came from a higher-up in the branch. It warned employees of an upcoming pest control visit, and requested that the pest control workers be escorted through the office to check for infestation.
    They "modified the company's domain"? How, exactly, did they go about doing that? If they can get access to internal DNS/email servers/etc from the outside, then your company has bigger security problems than those presented by a social engineering exercise...
    • I think it means that they modified their own company's domain - in other words they changed the From: field in their email message so it looked internal. Not exactly high-tech but probably enough to fool the majority of users. Their incoming mail servers shouldn't allow those through, but I'm sure most of them do.
    • They "modified the company's domain"? How, exactly, did they go about doing that? If they can get access to internal DNS/email servers/etc from the outside, then your company has bigger security problems than those presented by a social engineering exercise...

      Not entirely true for an institution where the public facing servers and administrative intranets are separate from each other and from the production servers and networks.
    • What they probably meant is that they forged a return address from a modified variant of the company's domain.

      e.g. sending an email from FIRSTUNI0N.COM to employees of FIRSTUNION.COM
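  The two explanations above (a forged From: that looks internal, and a lookalike domain such as FIRSTUNI0N.COM standing in for FIRSTUNION.COM) are the kind of thing an inbound mail filter can flag before the message reaches an inbox. The following is an added example written for this thread, not code from PC Magazine, TraceSecurity or Slashdot, and it goes a little beyond the single digit-for-letter swap in the comment: it also catches a hyphen inserted into the name, a one-character typo, the trusted name buried in a longer domain, and a display name that advertises the real domain while the actual address is elsewhere. The trusted domain `firstunion.com`, the sample From: headers, the confusable-character table and the `classify_sender` / `scan` function names are all constructed for the example; the "registrable domain is the last two labels" rule is a simplification that a real deployment would replace with a public-suffix list.

```python
"""Classify e-mail sender addresses against a list of trusted (internal) domains.

Added example for this discussion; not code from PC Magazine, TraceSecurity or
Slashdot. Every domain and header below is constructed.
"""
from email.utils import parseaddr

# Substitutions commonly used to build a lookalike domain (constructed list).
# Multi-character entries are listed first so they are applied before single ones.
CONFUSABLES = [
    ("rn", "m"), ("vv", "w"), ("cl", "d"),
    ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("7", "t"), ("-", ""),
]


def normalize(label):
    """Map a DNS label to a canonical form so visually similar labels compare equal."""
    s = label.lower()
    for src, dst in CONFUSABLES:
        s = s.replace(src, dst)
    return s


def levenshtein(a, b):
    """Plain edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def base_label(domain):
    """Second-level label, e.g. 'firstunion' for 'mail.firstunion.com'.

    Assumption/simplification: no public-suffix list, so 'example.co.uk' yields 'co'.
    """
    labels = domain.lower().strip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def classify_sender(from_header, trusted_domains):
    """Return 'internal', 'lookalike' or 'external' for an RFC 5322 From: value."""
    display_name, address = parseaddr(from_header)
    if "@" not in address:
        return "external"  # unparsable or bare local part: treat as untrusted
    domain = address.rsplit("@", 1)[1].lower()
    trusted = [t.lower() for t in trusted_domains]

    # 1. Exact match or a subdomain of a trusted domain.
    if any(domain == t or domain.endswith("." + t) for t in trusted):
        return "internal"

    db = normalize(base_label(domain))
    for t in trusted:
        tb = normalize(base_label(t))
        # 2. Trusted name appearing as any label: firstuni0n.com, first-union.co,
        #    firstunion.com.evil.example
        if any(normalize(lbl) == tb for lbl in domain.split(".")):
            return "lookalike"
        # 3. One-character typo in the base label (only for names long enough that
        #    a single edit is unlikely to be a coincidence): firstunin.com
        if len(tb) >= 6 and levenshtein(db, tb) <= 1:
            return "lookalike"
        # 4. Trusted domain named in the display name while the real address is elsewhere.
        if t in display_name.lower():
            return "lookalike"
    return "external"


TRUSTED = ["firstunion.com"]

# Constructed sample From: headers, as they might appear in a mail gateway log.
SAMPLE_HEADERS = [
    "alice@firstunion.com",
    "IT Helpdesk <helpdesk@mail.firstunion.com>",
    "Facilities <facilities@firstuni0n.com>",
    "Building Services <admin@first-union.co>",
    '"IT Helpdesk (firstunion.com)" <bounce@mailer.example.net>',
    "newsletter@example.net",
]


def scan(headers, trusted=TRUSTED):
    """Pair each header with its verdict; a gateway would quarantine the 'lookalike' ones."""
    return [(h, classify_sender(h, trusted)) for h in headers]


if __name__ == "__main__":
    for header, verdict in scan(SAMPLE_HEADERS):
        print(f"{verdict:9s} {header}")
```

  The check is deliberately header-only; it complements rather than replaces SPF/DKIM/DMARC, which verify that mail claiming to be from `firstunion.com` really left that domain's servers but say nothing about `firstuni0n.com`, which the attacker legitimately controls.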
  • Flame ON! (Score:5, Insightful)

    by nuzak (959558) on Monday November 05 2007, @01:21PM (#21243973) Journal
    Slashvertisement, in its most distilled form. I guess the "editorship" here wrenched their shoulders after patting themselves on the back during their tenth anniversary. So much for integrity.

    Seriously, even though I know all too well how running something like slashdot is a lot harder than it looks, and how not everyone can be satisfied, and how quality sometimes has to come after candor, even after all that, I know deep down I actually could start something better than this dreck. But frankly, "social links" and blog aggregators are already out there, and I won't pour my money down the hole of recreating reddit, digg, or technorati.

    This article shows precisely how slashdot is not only not journalism, it's not even a respectable blog. Slashdot occupies the medium precisely in between, known colloquially as "The Worst of Both Worlds." You should be ashamed. But I know you aren't.
    • Yunno, I'm not one to complain about moderation, but how the fuck do you justify defending slashdot here?

  • by afabbro (33948) on Monday November 05 2007, @02:05PM (#21244585)
    ...if TraceSecurity's Senior Vice President Dariel LeBouef [tracesecurity.com] is a real name or a stage name for porn?

    Dariel...THE BEEF!

    • Leaving aside the rather "only in the U.S." comment about "citizens," the point is valid. Quite often the two groups that have complete access to a building - the security guards and the cleaners - are also the groups most likely to be subcontracted to the lowest and/or shadiest bidder.

      I suspect that because these people only arrive after office hours no-one in charge ever thinks of them as existing, much less as a security risk.