The Spy in Your Server Room

CorinneI writes "Your business's private information may not be as safe as you think — especially when you take into account how many people pass through your office's revolving door on a daily basis. That's why many companies hire TraceSecurity employees to test the security of their systems — operations that usually involve TraceSecurity personnel talking their way into offices in order to gain access to server rooms and sensitive customer information. PC Magazine was invited along to cover a recent TraceSecurity operation."
  • Eh? (Score:5, Insightful)

    by ScorpFromHell ( 837952 ) on Monday November 05, 2007 @01:44PM (#21243443) Homepage
    Is this an ad or an article?
  • Slashvertisement! (Score:5, Insightful)

    by b96miata ( 620163 ) on Monday November 05, 2007 @01:44PM (#21243445)
    This summary could have conveyed all the necessary information quite easily and been just as valid by replacing "TraceSecurity" with the more generic "penetration testing company". Enjoy your plug guys!
  • Server room? (Score:3, Insightful)

    by sm62704 ( 957197 ) on Monday November 05, 2007 @01:46PM (#21243467) Journal
    If you have trade secrets on your web server, the spy is the least of your problems.

    OK, bad joke, I know we're talking about the file server here, but why would a spy be in the server room? Wouldn't he be a lot less noticeable logging in from an empty office? Or better yet, an empty office whose owner has just left his machine for the rest room?

    What do you mean, RTFA? This is slashdot, we don't need no FAs!

    -mcgrew
  • Social Engineering (Score:2, Insightful)

    by duplicitious ( 987818 ) on Monday November 05, 2007 @01:46PM (#21243471)
    Old con, it shows how trusting people can be, but shouldn't.
  • Waste of kilobytes (Score:2, Insightful)

    by Major Blud ( 789630 ) * on Monday November 05, 2007 @01:54PM (#21243577) Homepage
    This article was a complete waste of time. No details were laid out for us; my favorite was when they said they "could have" plugged in a wireless access point to the server rack. Without actually trying it, they didn't prove dick....for all we know their network may not have allowed unknown MAC addresses. It was all a bunch of "we could have" done this, or "could have" done that. Just do it for god's sake! Just walking into the server room and putting stickers on a server doesn't prove that you actually could have walked off with it. Just saying that you "could have" disabled the alarm system doesn't really mean that you wouldn't have caught someone's attention.
  • Oh Please (Score:2, Insightful)

    by TheBrutalTruth ( 890948 ) on Monday November 05, 2007 @02:02PM (#21243697)
    While a relevant article (to some, I guess), the summary IS a shameless plug - even if not intended.

    Editors: For the sake of credibility, please consider before you post. Unless you would consider my story about a bridge in Brooklyn I have for sale, then I might reconsider my position.

  • Re:Locks! (Score:3, Insightful)

    by Lumpy ( 12016 ) on Monday November 05, 2007 @02:05PM (#21243733) Homepage
    Actually we use the insecure proximity cards for access. But we also have motion sensors in the server room that set off a blinking light in the IT offices whenever someone is in the room. When we see the blinky most of us usually flip over to look at the plasma on the wall showing the camera, or we simply connect to one of the Axis cameras in the room and see what is up.

    If it's not one of the 5 people that are allowed in there, call security and have them meet you at the door.

    Really simple. But it's money spent that is better spent on an executive's custom desk or office remodel.
  • Auto-Hack 2000 (Score:4, Insightful)

    by nsanders ( 208050 ) on Monday November 05, 2007 @02:11PM (#21243817) Homepage

    TraceSecurity could have gone one step further and uploaded its software onto the financial institution's system with the discs. A signal would then be sent to TraceSecurity computers, which could access the system remotely.


    So by placing the CD-ROM in a computer, it will automatically hack whatever OS the computer is running and auto install your software? Or are you implying that this company left server consoles logged in as an admin user?

    I call major bullshit on this article. There's some real iffy stuff here as pointed out by other /.'ers as well. I get that it's all about social engineering, which is a huge problem. But some of their claims are a little too out there. Like saying they "could" have done this, or "could" have done that. Well you don't know that you really could until you try it. Most of our environments here have NO Internet access. It is entirely firewalled going out. Does your magic CD-ROM also auto-hack their firewalls too?
  • by Anonymous Coward on Monday November 05, 2007 @02:19PM (#21243941)

    You do if the network is secured properly. Especially if they bothered to have 2 networks.


    Access point running OpenWrt: clone the executive's PC's MAC address, then set it up to transparently allow the executive to work just fine, and open up ports for remote access that the IT guys will probably use. Now it looks like the executive's PC is online and happy. Your computer connected wirelessly looks like it's the executive's PC as well. Start your escapades... you have remote control over the AP so you can adjust things at will.

    Even if you have it tight as a drum, whatever that executive has access to the intruder does as well. Hell, he can even set it to sniff all traffic and snag the executive's data to sniff out the username and password easily. Look, all the financial records are wide open as well as business plans etc....

    You can't "protect" from that short of regular security sweeps.
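The inline access point described in the comment above relays two hosts behind one MAC address: the executive's PC and the intruder's box. A periodic "security sweep" can be partly automated by looking for exactly that. The following is an added example, not code from the article or from TraceSecurity; it assumes a sensor that records, per TCP SYN, the source MAC, source IP, observed IP TTL and advertised window size (the flow records below are constructed, not captured). Unless the intruder normalises their stack to match the executive's PC, the two hosts leave different fingerprints behind the same MAC.

```python
"""Detect two hosts hiding behind one source MAC.

Added example, not code from the article or from TraceSecurity. It assumes
flow records with the fields below (constructed here, not captured). An
inline access point that clones an executive PC's MAC relays that PC's
traffic and the intruder's; unless the intruder normalises their TCP/IP
stack, the two hosts leave different fingerprints behind the same MAC.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float        # seconds since epoch when the SYN was seen
    src_mac: str
    src_ip: str
    ip_ttl: int      # TTL as observed at the sensor (already decremented by hops)
    tcp_window: int  # window size advertised in the SYN


# Initial TTLs used by common stacks; observed TTL = initial - hop count.
INITIAL_TTLS = (32, 64, 128, 255)


def initial_ttl(observed: int) -> int:
    """Round an observed TTL up to the nearest common initial value."""
    for candidate in INITIAL_TTLS:
        if observed <= candidate:
            return candidate
    return 255


def fingerprint(flow: Flow) -> tuple:
    """Coarse OS fingerprint: (initial TTL, SYN window size)."""
    return (initial_ttl(flow.ip_ttl), flow.tcp_window)


def find_cloned_macs(flows, window_seconds=600):
    """Return {mac: set of fingerprints} for MACs that present more than one
    distinct fingerprint within window_seconds of each other."""
    by_mac = defaultdict(list)
    for flow in sorted(flows, key=lambda f: f.ts):
        by_mac[flow.src_mac].append(flow)

    alerts = {}
    for mac, mac_flows in by_mac.items():
        for i, first in enumerate(mac_flows):
            seen = {fingerprint(first)}
            for later in mac_flows[i + 1:]:
                if later.ts - first.ts > window_seconds:
                    break  # flows are time-sorted, so nothing later fits the window
                seen.add(fingerprint(later))
            if len(seen) > 1:
                alerts.setdefault(mac, set()).update(seen)
    return alerts


# Constructed sample: the executive's Windows PC (TTL 128, window 65535) and,
# behind the same MAC and IP, an intruder's Linux box (TTL 64, window 5840).
EXEC_MAC = "00:11:22:33:44:55"
SAMPLE_FLOWS = [
    Flow(1000.0, EXEC_MAC, "10.0.5.23", 127, 65535),
    Flow(1030.0, EXEC_MAC, "10.0.5.23", 63, 5840),              # intruder's traffic
    Flow(1090.0, EXEC_MAC, "10.0.5.23", 127, 65535),
    Flow(1005.0, "00:11:22:33:44:66", "10.0.5.24", 127, 65535),  # ordinary host
    Flow(1100.0, "00:11:22:33:44:66", "10.0.5.24", 126, 65535),  # one hop further, same stack
]

if __name__ == "__main__":
    for mac, prints in find_cloned_macs(SAMPLE_FLOWS).items():
        print(f"ALERT {mac}: {len(prints)} stacks behind one MAC: {sorted(prints)}")
```

The rounding in `initial_ttl` makes the check tolerant of path length, so a host that roams between switch ports is not flagged, while a second operating system on the same MAC is. An intruder who rewrites TTL and window size on the AP defeats this heuristic, which is why it complements, rather than replaces, 802.1X and a physical walk of the racks.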
  • by appleguru ( 1030562 ) on Monday November 05, 2007 @02:19PM (#21243943) Homepage Journal
    From TFA:

    TraceSecurity modified the company's domain and sent an office-wide e-mail that looked as though it came from a higher-up in the branch. It warned employees of an upcoming pest control visit, and requested that the pest control workers be escorted through the office to check for infestation.
    They "modified the company's domain"? How, exactly, did they go about doing that? If they can get access to internal DNS/email servers/etc from the outside, then your company has bigger security problems than those presented by a social engineering exercise...
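The cheap version of the office-wide "pest control" e-mail quoted above is an outside message with a forged internal From: header, and that version can be caught at the border. The following is an added example, not code from the article or from TraceSecurity; it assumes the company's border MTA stamps Authentication-Results (RFC 8601) and Return-Path on inbound mail, and both messages below are constructed. If the testers really did control the company's domain or an internal relay, as the comment suspects, these headers would look clean and the check would pass the message; it only catches the spoof that needs no inside access.

```python
"""Flag mail whose From: claims an internal domain it cannot authenticate.

Added example; not the article's or TraceSecurity's code. It assumes the
border MTA stamps Authentication-Results (RFC 8601) and Return-Path headers
before delivery. Messages below are constructed, not captured.
"""
import email
import re
from email import policy


def _domain(addr) -> str:
    """Domain part of an address-bearing header value, lower-cased ('' if none)."""
    match = re.search(r"@([\w.-]+)", str(addr or ""))
    return match.group(1).lower() if match else ""


def auth_results(msg) -> dict:
    """Collect method=result pairs from all Authentication-Results headers."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(header), re.I):
            results[method.lower()] = result.lower()
    return results


def spoofed_internal_sender(raw: bytes, internal_domain: str) -> list:
    """Return reasons the message looks like an outside spoof of an internal sender.
    An empty list means nothing suspicious by these checks."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_domain = _domain(msg["From"])
    if from_domain != internal_domain.lower():
        return []  # external From: is not this check's concern
    reasons = []
    results = auth_results(msg)
    if results.get("dkim") != "pass" and results.get("spf") != "pass":
        reasons.append(
            f"From claims {from_domain} but neither SPF nor DKIM passed: {results or 'no results'}"
        )
    return_domain = _domain(msg["Return-Path"])
    if return_domain and return_domain != from_domain:
        reasons.append(
            f"Return-Path domain {return_domain} differs from From domain {from_domain}"
        )
    return reasons


# Constructed: the pest-control pretext, sent from outside with a forged From.
SPOOF = b"""Return-Path: <bounce@mail.pest-pretext.test>
Authentication-Results: mx.corp.test; spf=fail smtp.mailfrom=mail.pest-pretext.test; dkim=none
From: "Branch Manager" <manager@corp.test>
To: staff@corp.test
Subject: Pest control visit Thursday - please escort them through the office

Please give the pest control team access to all areas.
"""

# Constructed: the same notice sent legitimately through the company's own MTA.
LEGIT = b"""Return-Path: <manager@corp.test>
Authentication-Results: mx.corp.test; spf=pass smtp.mailfrom=corp.test; dkim=pass header.d=corp.test
From: "Branch Manager" <manager@corp.test>
To: staff@corp.test
Subject: Pest control visit Thursday

Facilities has booked pest control for Thursday; Sam will escort them.
"""

if __name__ == "__main__":
    for name, raw in (("spoof", SPOOF), ("legit", LEGIT)):
        print(name, spoofed_internal_sender(raw, "corp.test") or "ok")
```

The function is deliberately narrow: it only looks at mail that claims to be internal, because that is the case where a passed SPF or DKIM result is something the company itself controls. Wiring it into a milter or filter stage lets the spoofed pretext be quarantined or tagged before it reaches the staff who are supposed to escort the "pest control" visitors.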
  • Flame ON! (Score:5, Insightful)

    by nuzak ( 959558 ) on Monday November 05, 2007 @02:21PM (#21243973) Journal
    Slashvertisement, in its most distilled form. I guess the "editorship" here wrenched their shoulders after patting themselves on the back during their tenth anniversary. So much for integrity.

    Seriously, even though I know all too well how running something like slashdot is a lot harder than it looks, and how not everyone can be satisfied, and how quality sometimes has to come after candor, even after all that, I know deep down I actually could start something better than this dreck. But frankly, "social links" and blog aggregators are already out there, and I won't pour my money down the hole of recreating reddit, digg, or technorati.

    This article shows precisely how slashdot is not only not journalism, it's not even a respectable blog. Slashdot occupies the medium precisely in between, known colloquially as "The Worst of Both Worlds." You should be ashamed. But I know you aren't.
  • Re:Auto-Hack 2000 (Score:4, Insightful)

    by Ritchie70 ( 860516 ) on Monday November 05, 2007 @02:21PM (#21243983) Journal
    It's a reasonable tag if you ask me.

    If you can put a CD-ROM in the drive, you have full physical access. At least for a typical PC-type system (which most servers are these days) physical access means you own the box. Reboot, boot from the CD, mount the hard drive, bang.

  • by Anonymous Coward on Monday November 05, 2007 @02:24PM (#21244027)
    Also some of the janitors are not even US citizens.

    Heaven forfend!

  • by David_Hart ( 1184661 ) on Monday November 05, 2007 @02:26PM (#21244055)
    For most companies, physical penetration testing is next to useless. Why? Because management expects IT and employees to act as security guards. IT is the gatekeeper of your digital information, not your physical hardware. If you want a physically secure facility, hire security personnel. Tailgating can be easily solved by having security guards present at each key card entrance, forcing each person to badge in. Otherwise, it is just a show put on by management to get funding for more security toys. David
  • by mOdQuArK! ( 87332 ) on Monday November 05, 2007 @02:35PM (#21244185)

    For most companies, physical penetration testing is next to useless. Why? Because management expects IT and employees to act as security guards.

    Which is a good reason for physical penetration testing: to throw management's assumptions in their face.

  • by pikine ( 771084 ) on Monday November 05, 2007 @02:38PM (#21244243) Journal

    The second thing they prove is that the security staff is also underpaid and understaffed. Sorry, but my first shot is to ask what company they are from, then google it to find the phone number. I never call the number given by the person or on their badge or paperwork.

    It probably wouldn't be very difficult to set up a rogue website. Since TraceSecurity bothered to prepare for the operation a week in advance, even printing a custom designed magnetic plaque to brand their rented car, there is ample time for Google to pick up the website. It doesn't have to be the highest page ranked for pest control because you'll be searching for the company's name.

    Visitors should never be left unattended, but it is often impractical to deposit an employee for watching whenever there is a visitor. Notice there is a difference when the visit is solicited: there is someone inside the company who initiated the visit, so let him be responsible. In the case of a legitimate visit by pest control, someone inside the company must have called them over, so it is also his job to attend the pest control or at least appoint someone to attend them. There should be some way inside the company to figure out who is the host of a visitor, then make the host accountable.
