Catch up on stories from the past week (and beyond) at the Slashdot story archive


Forgot your password?
Security IT

First-Person Account of a Social Engineering Attack 347

darkreadingman writes, "A penetration tester tells how he broke into a bank's network dressed as a copier repairman. Some good lessons here — many companies spend millions on network security, but don't teach their employees how to challenge a stranger in the building. Social engineering at the company site can be one of the most difficult attacks to defend against." From the article: "Before departing scenes like these, we try to document the effort and provide proof of our success. I usually leave something behind and then contact the person who hired me and direct them to the mark. In this case I wrote his password on a ream of paper and tucked it under the machine."
This discussion has been archived. No new comments can be posted.

First-Person Account of a Social Engineering Attack

Comments Filter:
  • Hmm... (Score:5, Funny)

    by The Zon ( 969911 ) <> on Thursday November 30, 2006 @01:42PM (#17051658)
    You know, I was wondering why that guy needed my password to fix the copier.
  • Not quite news (Score:2, Insightful)

    by otacon ( 445694 )
    It's not really news as it is just reaffirmation that the weakest link in security is the human factor. It's been a known problem that someone could just walk in and pretend to be tech support/help desk/repair for as long as their has been computers.
    • by arun_s ( 877518 )
      But it sure does make for an interesting read :)
      Plus, this is a bank that was the victim of the attack. That's pretty worrying, I think. News like this (that illustrate how trivial social engineering can be) should hopefully make more people in important places (like banks) get over their false sense of security.
      • Re: (Score:3, Interesting)

        by onepoint ( 301486 )
        think interesting was an understatement. I found it wonderful and should be sent to every VP. basic security is so rare.

        I had a job on wall street many years ago. And I consistently caught people whom were trying to get info about our main frames or dumpster diving. I ended up putting a strict policy, and I was able to buy one heck of a schreader ( this THING was as big as a wide screen TV and could eat your hand if you were not careful).

        I still do my transaction thier because the guy I left in charge was
    • by Khomar ( 529552 ) on Thursday November 30, 2006 @01:55PM (#17051888) Journal
      It's not really news as it is just reaffirmation that the weakest link in security is the human factor. It's been a known problem that someone could just walk in and pretend to be tech support/help desk/repair for as long as their has been computers.

      While this is not technically "news", it serves as a good reminder and notice of warning. As mentioned in the article...

      Combine catching the bad guy and letting an organization know this type of theft and criminal behavior really exists, and you get one of the best tools in educating employees about vigilance and how to be proactive in security.

      Hearing stories like this raises awareness for all of us, and reminds us of different ways that we can be exploited so that we can avoid them. Just like learning from history, it is always better to learn from someone else's mistake instead of learning it the hard way.

  • by moore.dustin ( 942289 ) on Thursday November 30, 2006 @01:45PM (#17051710) Homepage
    I know for a fact if he came to my office and attempted to get passwords that way, he put in way to much effort. All you need to do at this place is look over someones shoulder at the sticky note stuck to the monitor.

    I think it goes without saying that anyone getting into your office claiming to be someone they aren't is a threat. Hacker or otherwise, they can easily get information they want with a "hall pass" for the whole building.

    • Yes, but this is a bank, not an office. They are in the business of securing money. I think a bank requires a little more awareness on the part of the staff than most offices.

      That said, these people do seem to have access to some special equipment:

      "Our office at Secure Network Technologies utilizes a proximity card access system, which also serves as an employee identification badge. Conveniently, we have the machine that prints these things.


      "Using our past experience with copier folks, we
      • From what I'm seeing, this chucklehead got into the offices and sniffed the network.

        When someone bluffs his way into the vault, I'll be shocked. If he tried to monkey with the IT systems, he would probably have been snagged faster than a spawning salmon. Bank, Casinos, etc have people watching the people who watch the people.
        • He's not in the vault, true, but he is in the public part of the bank itself, not some separate administrative office building. The people he is interacting with are the same people who have access to the vault and must be aware enough to protect it.

          (To find out more, I sent a colleague into the bank to inquire about a checking account. While in the bank she took notice of the various pieces of office equipment, specifically the printers, faxes, and copiers. )
        • by mallgood ( 964345 ) on Thursday November 30, 2006 @02:13PM (#17052196)
          My question is why would you ever need to get into the vault? Really. Look at the world, almost nobody uses cash any more. There isn't a reason to. You swipe your card and the transaction is done. All it means is that - tap tap tap - a dozen key strokes later and you have a bunch of money transfered into an account of your liking. Now whether you are smart enough to transfer it into the account of someone you don't like rather than your own is a different question.
          • by mrogers ( 85392 ) on Thursday November 30, 2006 @02:41PM (#17052766)
            Yeah I imagine all the money's sitting in a shared folder on the secretary's PC. Never mind a dozen key strokes, you can probably just drag and drop.

            "Are you sure you want to replace 'Teh Money.xls', size $13.28, modified 11/21/2006, with 'Teh Money.xls', size $1,000,000.00, modified 11/30/2006? [OK] [Cancel]"

          • by Solra Bizna ( 716281 ) on Thursday November 30, 2006 @02:57PM (#17053102) Homepage Journal
            Now whether you are smart enough to transfer it into the account of someone you don't like rather than your own is a different question.

            Or, transfer it into your own, separate account on the same bank, then use Log Modifier to change the destination account in the transaction record to someone you hate (or someone you're being paid to discredit), and Log Deleter to delete the record on your end. Disconnect before they trace you, and BOOM! Watch your Uplink rating smash through the roof...

            You'll probably need a level 5 Firewall Disable (or Firewall Bypass) and version 3 of Decypher. And don't try to hack into the Uplink Corporation's bank; yours is the only account.

            Wait, we are talking about Uplink, right?


          • Re: (Score:3, Informative)

            I agree. The only real things worth of value stored in vaults these days are in safety deposit boxes. Even then, when your looking at a wall of a couple hundred boxes, you've got several challenges.
            You need to get into the vault alone. Everytime I've ever gone to add/remove stuff from my SDB I've been escorted into the vault where I was put into a small room while then unlocked the safety door to the vault, not the big solid door, but a smaller internal door. On this door was a lock. Also the whole are
        • Re: (Score:3, Insightful)

          by rvw14 ( 733613 )

          Why would you want to get into the vault? The amount of money a bank keeps on-hand is very small, and the penalty for getting caught is huge.

          If you can get into the bank's internal network, you can get all sorts of information. Identity theft can net more money without the risk.

        • Re: (Score:3, Insightful)

          What gets me is that he was able to sniff the president's login and password off a LAN. Seems like they need to do some work on their intranet security.

      • by Negadecimal ( 78403 ) on Thursday November 30, 2006 @02:16PM (#17052262)
        I think a bank requires a little more awareness on the part of the staff than most offices.

        That's an understatement. My wife's bank doesn't even have wastebaskets at teller stations, for fear that an account number could end up in the dumpster out back. All paper is either quickly shredded or couriered daily to a processing center. Loose sheets - even a sticky note - are verboten.

        Each teller has a binder on hand that contains security procedures specific to the teller. When one teller accidentally grabbed another's binder a few month ago, the whole branch had to do a security update, which included a two-hour procedure to change the vault codes.
    • How would you feel about a stranger shoulder-surfing?

      It's much easier to just plug into the LAN & sniff for l/p's (which shouldn't be sent as cleartext in the firstplace, but frequently are)
    • by blueZ3 ( 744446 ) on Thursday November 30, 2006 @02:05PM (#17052062) Homepage
      Whenever I hear the usual rant about users having their password as a sticky note on their monitors, my instant reaction is "It's your fault, you goob!" I've worked lots of places where they've implemented a new "password security process" which requires you to switch your password regularly and which prevent you from using the same password for some ridiculous period of time and which disallow dictionary-based words/phrases.

      Hello, McFly? Which is better: my having an easily-remembered but difficult-to-guess password that I never write down, or you forcing me to change my password frequently and then write it down because your policy makes me choose something obscure? My original password was fairly strong (a combination of upper and lowercase letters and numbers that are meaningful only to me) but when I'm forced to change to something new, it will be written down somewhere until it's committed to memory. Can you say "counterproductive"? How about "unintended consequences"?

      Of course, I understand that a lot of these policies are based on out-dated recommendations and come down from on high. However, it would be nice if those making these "rules" to realize that most users have other things to do besides remembering a constantly changing set of passwords. Oh, BTW -- my new password is "theCIOsucks!" :-)
      • by Maxo-Texas ( 864189 ) on Thursday November 30, 2006 @02:12PM (#17052174)
        Completely agree.

        I went from very secure passwords to insecure passwords written down on paper slips as a direct result of our security policy.

        1) Change every 90 days (up from 60 at least. that was really bad).
        2) no repeating letters or numbers
        3) no letter or number in the same position as last password.
        4) must have a number
        5) not be a word in a dictionary
        Starting password something like
        YuL1P3729 (the last 4 digits were what changed- they were an old phone number- I slid through it horizontally)

        Current password something like
        I have about 8 passwords.
        And they are all on a yellow sticky on my desktop.

        • by geekoid ( 135745 )
          B00B13s_giB!a is an easy to remember password, and you only need to change the last letters.

          Of course most password policies still have there roots into the mainframe world.
        • Re: (Score:3, Interesting)

          by Iron Condor ( 964856 )

          This is veering dangerously OT, but here's what has worked (so far!) for me: I had a nice, secure password that I never wrote down. When they made me "change" it regularly, I started using the same password but with my right hand shifted one letter down on the keyboard. 6 months later, shift the other hand down. 6 months later, shift the right hand outward. I intend to move around in this fashion until I can return both hands back to home position.

          The only part that requires brainpower is "what to do when

      • by hey! ( 33014 )
        It's ironic when you think of it. Companies implement "cheap" security schemes that introduce small but regular bits of frictional loss into everybody's productivity, and that actually make the problem worse.

        A secure login token system would be, after the intial purchase has been amortized, cheaper, more secure, and more convenient than some draconian password policy. It's certainly cheaper than absorbing the risks of allowing weak passwords.
      • by Beryllium Sphere(tm) ( 193358 ) on Thursday November 30, 2006 @02:50PM (#17052966) Homepage Journal
        My explanation of why you *should* write down your password []. Bruce Scheier has made the same point.

        All of which is really a distraction. Sticky notes on the monitors? If someone's that close they can install a hardware keylogger in a matter of seconds or RAT and rootkit the machine with a live CD in a few minutes. The only security improvement you get from taking down the sticky notes is against casual or opportunistic attacks, which is not nothing, but face the fact that physical access means Game Over.
    • Re: (Score:2, Interesting)

      "All you need to do at this place is look over someones shoulder at the sticky note stuck to the monitor."

      How about this: I _HAD_ a user who made the MS Flying banner hold his password. I would have never believed it had I not seen it myself.
    • by theStorminMormon ( 883615 ) <.theStorminMormon. .at.> on Thursday November 30, 2006 @02:12PM (#17052180) Homepage Journal
      I've been thinking about the article. It seems to me that such an abject failure to prevent a security breach could be more demoralizing than instructive. In most companies, the employees are not going to be security-savy, and they will not question a potential intruder. When the penetration test is successful everyone just feels stupid and slightly used. That's my guess at how the bank employees would react when the boss let them know that they got totally hacked.

      Instead, for those bosses with less scruples, you'd probably get more bang for your buck by faking the penetration test. Hire some dude to try to get in, and arrange some employee to "catch" him. Then you get to circulate the news that you were successful because an employee did the right thing. I think the information would be just as instructive (always ask for outside confirmation of vendor reps), but instead of being depressing (you guys all failed to do the right thing) it could be empowering (it's easy to do the right thing, and one of you managed to do it).

      Is penetration testing even worth the money for a system as obviously insecure as this one? If, as the article claims, these attempts succeed 9 times out of 10, then you don't need to pay for the penetration test to know your company will fail. Does a bank manager really need to pay someone to tell them the obvious? They should take some proactive steps towards security-enhancements first, and save the penetration testing for when they actually think they have a somewhat hardened system (social and technical) to penetrate.

      • Here's what he said:

        Over the years and after doing several security assessments using social engineering techniques, nine times out of 10 we usually get caught when that one person says "I need to call someone about what you're doing." That call to confirm, usually raises enough suspicion to stop us from proceeding. And after that person realizes what they did, word travels real fast throughout the organization that they caught the "bad guy."

        He's saying that, when they do get caught, nine times out of ten i

  • penetration tester. now that's a job! is it somehow related to the porn industry?
  • Hmm (Score:2, Interesting)

    by malkir ( 1031750 )
    I wonder what kind of sniffer he was using to get passwords is 'seconds', including the higher-ups... weren't they not in the building at that time?
    • Re: (Score:2, Insightful)

      by Anonymous Coward
      All back-end systems and PCs of all branches of that bank are connected to a single gigantic hub. In addition, all employees are constantly login and log from those systems using only non-encrypted protocols. The guy just had to plug his laptop and fire up his sniffer. Easy. Took him seconds.
  • by Billosaur ( 927319 ) * <> on Thursday November 30, 2006 @01:46PM (#17051734) Journal
    1. Stay alert
    2. Trust no one
    3. Keep your laser handy
  • Just Check! (Score:3, Insightful)

    by Thansal ( 999464 ) on Thursday November 30, 2006 @01:47PM (#17051742)
    I need to call someone about what you're doing

    Simple enough. I don't know if I am parnoid or what, but if I recieved an unsolicited "service" for one of our machines I would double check with my contact for that company.

    If some one is poking around who I do not know I will check it with my boss.
    • Re: (Score:3, Insightful)

      by QuantumRiff ( 120817 )
      You would, but would your minimum wage receptionist? How about the custodian that has keys to everywhere? Would they know that someone had called ahead of time? Or would they just assume someone in another department called, and let them in?
  • by w33t ( 978574 ) on Thursday November 30, 2006 @01:48PM (#17051760) Homepage
    I wonder, since the article states that the tester was - within seconds - able to sniff passwords and usernames, that if the bank had employed biometric security devices would this sniffing have been so easy?
    • Depends on the device. Most that I have seen are just a print recognizer that inputs your password for you. That is, you spend 1 second compared to 2 filling in the password box. A neat trick, but doesn't do anything for security. Even if a system used the print itself, you're just trading a few characters for an image.

      You could make the argument that they weaken security since the password has to be stored twice. And in many cases if you know what you are doing, a good print (good enough to fool the reader
  • In this case I wrote his password on a ream of paper and tucked it under the machine.
    An amusing stunt perhaps, but perhaps not the best solution to the problem.
    • Please RTFA before commenting in this vein.

      Immediately after that sentence comes:

      When I returned to my office I immediately called my contact and explained what we did and that we were successful. After retrieving the ream of paper with his password, I could hear the concern in his voice since our job confirmed his worst fears. I explained to him this type of problem can be fixed by sharing the results with his employees, and that no one person should be targeted as a single point of failure.

      The password

      • This kind of stunt gets people fired, and worse, gets people in serious legal trouble and ruins their reputations.

        Doubt me? Ask Randal Schwartz. Unless I missed something, Randal has admitted his naivety, but not malice, concerning the matter of cracking passwords to demonstrate security problems to one of his clients. The client was not amused. Here is an example, from the first click in a trivial google search.

        Intel v. Randal Schwartz: Why Care? []
        Clearly, Randal was someone who should have kno
        • Yes indeedy. Sorry for the misunderstanding.

          There are better ways to prove that an attack worked than just leaving a password somewhere, that's for sure.

  • ..go ahead, look.

    If you see your password there, that proves I was in your place.

    "In this case I wrote his password on a ream of paper and tucked it under the machine."

    If it says "12345" it proves you watched Spaceballs.
  • When we installed Wireless LAN at our company, we switched all network access ports to 802.1x authentication.

    It required some effort, since we had to "quarantine" non-802.1x devices to separate networks, but i think the security advantages outweigh the work needed.

    We're just a small IT service company, not a bank. I really wonder why a bank wasn't using 802.1x since several years.
    • Simple: You never ever ever ever ever trust a chunk of the network that doesn't have a lock on the door.

      We don't secure our wireless because it is a pain, and futile. Anyone who wanted to seriously crack into the system would use a hard line, an idle terminal, MAC spoofing, etc.

      We secure the servers, and monitor for odd behavior. Mostly because most or our problems aren't foriegn invasion, they are inside jobs, mistakes, etc.
  • by Anonymous Coward on Thursday November 30, 2006 @01:51PM (#17051818)
    In this case I wrote his password on a ream of paper and tucked it under the machine.
    That seems like an awful lot of effort, when you could just write it on one sheet. :)
  • by Lumpy ( 12016 ) on Thursday November 30, 2006 @01:52PM (#17051838) Homepage
    $2000.00 cash and you can pay off the cleaning service people to let you in dressed as them. EASILY, sometime for far less. those people are so underpaid yet have access to the most secure parts of the company you can get in, get past the security guards without a second look and you are allowed to root around in secure areas on camera as you are supposed to be under each desk cleaning out trash.

    Install a few key loggers, come back in a week and harvest them. No problem and easily undetected at any corporation. They probably will never suspect you even after they get massive hacks later because security typically is also underpaid and way under trained.

  • The copyer hole (Score:3, Interesting)

    by Anonymous Monkey ( 795756 ) on Thursday November 30, 2006 @01:52PM (#17051846)
    At one point I worked for a copier repair company (Dispatcher, accountant/bookkeeper, & some computer stuff). Each month I got calls from people who fell victim to one of two scams.

    1st: Some one calls an office and says that copier supply cost will go up next month so stock up now. Then they charge you an arm and a leg for your order. (Most of the time toner and developer is covered under the service contract)

    2nd: Some times, some one would call up and say that they don't like the new tech that we sent out. I would say "what tech, you don't have a call up on your machine?" then after a few minuets of back and forth they would realize that it was (a) for the other copy machine and not one from my company, or (b) some one was looking around the office without authorization. The scary thing is that this often happened at schools.

    Later, at my next job, I nabbed some one pretending to be a copy 'service agent' at the front desk and fed them a line until they went away.

    The moral of the story is be paranoid, ask for ID, make people sign in, never ever trust some one who just shows up and make sure all visitors are escorted at all times.

  • Some do (Score:2, Interesting)

    by ackthpt ( 218170 ) *

    Where I once worked we had students trying social engineering on us all the time. I was a student worker at the time and knew most of the tricks, but when anything new came along it had to go through the filter of common sense. If only 3 people have open access to certain systems, one of them must know of someone claiming they need access, but if you can't contact the other two, you simply stand your ground, bar access and say to the attempted intruder, "Sorry, can't let you in, but don't worry, not your

    • by geekoid ( 135745 )
      "Common sense: If you don't know about some repairman, then it's not your fault when you turn them away."

      haha.. asdly most common sense goes out the window in the corp. world.

      If that repairman was to fix a critical issue, you would get inot trouble in most places. Even if you where following policy.

      It's that kind of crap that makes an employee not want to question anything.

  • by eno2001 ( 527078 ) on Thursday November 30, 2006 @01:56PM (#17051916) Homepage Journal
    ...I could be a penetration tester. On Jenna Jameson. ;P
    • You *would* say that, since you believe in allocating goods based on need.

      And your need for that good is pretty high after this latest dry spell, eh?
      • by eno2001 ( 527078 )
        Damn homey! Dat's FUCKED up! You just put me in my place now didn't you! (So how often do you track my posts looking for opportunities to respond again?) ;P
    • by 6Yankee ( 597075 ) on Thursday November 30, 2006 @05:58PM (#17056870)
      If you ever do get the chance, just remember the basic rule of any pen test:
      • Get permission first or you'll end up in a world of trouble. Given the likely circumstances of this particular test, I strongly recommend that you cover your ass.
      • File a report afterwards, or your mark may never know you were in there - with this target, and especially with your particular toolset, such an outcome is especially likely. :P
      Yes, I have mod points, but this seemed like more fun :)
  • by simm1701 ( 835424 ) on Thursday November 30, 2006 @01:58PM (#17051936)
    I recently hired a car from a well known car company (I won't name them as in general I find them to be a very good company)

    I normally hire from one particular branch and drop it back off there and as a regular customer known each of the staff by name, however on this occasion I was dropping the car back at the airport.

    After parking up a guy came from a car in another bay (for the same car company) and asked if was dropping off one of their cars which I confirmed and told him it had come from my usual branch and not the airport. He asked to see the paperwork and did a check over the car - not a problem. After he gave me the paperwork back he asked for the keys. Since I didn't know him and he wasn't even wearing a uniform I asked to see ID, he couldn't provide it and all he did have was a stack of paperwork with the company letterhead in a file.

    Well I'm afraid that isn't really good enoguh proof of ID - I told him I'd drop the key off at their desk (which is opposite my check in desk) since I had no way to know if he was an employee or not.

    After dropping the key off at the office of the car company in the airport it turns out he was a legitimate employee but the question of ID has never come up.

    I saw some of the otehr cars there - they are always brand new and while I usually take something like an astra or a vectra this being the airport car park had several jags and a merc or two. Its seems it would be a VERY easy way to obtain a few cars... park up, inspect the car, ask for the key.

    Even if you get pulled over by the police you would just have to say its a hire car - a check of the registration would confirm that - these companies really should be a little more careful of their security!!
    • Once they realize it's AWOL and they call the original owner who says he returned it, they'd report it stolen and then getting pulled over wouldn't be so easy to get out of.
    • You've really hit on one of the big reasons why these social engineering tasks work. If you are "that guy" who insists on calling in everyone who comes into the office, you are also the reason the copier is still broken because he turned away the repairman at the door simply because the copier place's front desk didn't have easy access to the work schedules of the repairmen.

      In a perfect world everyone would be competent and always available on the other end of the phone, but in the real world it can be a
  • No DHCP! (Score:3, Interesting)

    by smooth wombat ( 796938 ) on Thursday November 30, 2006 @02:01PM (#17052004) Journal
    I then disconnected the network cable from the copier/printer and attached my laptop. As soon as my laptop booted up, DHCP provided a network address and I was on the internal network.

    At my previous job, DHCP was not used for printers. In fact, you could not plug into any port and get a connection. Everything was locked down by MAC address and every printer was given a specific IP address. Even the pc ports were locked by MAC address.

    Sadly, my current place of employment does not follow this rule. Anyone could do what the article talks about except that our security guard is pretty good about calling someone if a technician shows up and says they have to do something. If that happens, I am usually the one who goes down and finds out what's going on. Since I work in IT, I would know if what the person is saying is true or not.

  • ObSneakers (Score:5, Funny)

    by Rob T Firefly ( 844560 ) on Thursday November 30, 2006 @02:03PM (#17052034) Homepage Journal
    "Gentlemen, your communication lines are vulnerable, your fire exits need to be monitored, your rent-a-cops are a tad undertrained. Outside of that everything seems to be just fine. You'll be getting our full report and analysis in a few days but first, who's got my check?"
  • True story. (Score:5, Interesting)

    by Maxo-Texas ( 864189 ) on Thursday November 30, 2006 @02:05PM (#17052074)
    Friend of a friend got a job doing security audits for a major energy company here in houston.

    1) He broke into a top nuclear facility by holding a box and asking the person ahead of him to hold the door.
    2) He set off the "man trap" and found he could easily climb out of it.
    3) He found out the heavily secure facility had secure areas protected by sheetrock walls in some areas.

    He finally embarrassed so many people that they posted a picture of his face to all employees with a warning to be careful. That destroyed his effectiveness. Some solution.

    But that's the real world for you.

    • Re: (Score:3, Interesting)

      So I am understanding that someone distributed his picture to thwart the security efforts of their own company?

      Shit, I'd fire then sue them.
      • Re: (Score:3, Informative)

        by Maxo-Texas ( 864189 )
        Company politics.

        And they were reasonably clever about it.

        They didn't say "WARNING! THIS MAN IS DANGEROUS!" they said something like "This man is our new security officer. Make sure you help him out and ensure we follow all security requirements!"
    • Re: (Score:3, Interesting)

      by dr_dank ( 472072 )
      He finally embarrassed so many people that they posted a picture of his face to all employees with a warning to be careful. That destroyed his effectiveness. Some solution.

      So they hire your friend to pen test their security and, rather than implement his findings, they made up a "wanted poster" and did nothing else? What was the point of hiring him in the first place?
      • Re:True story. (Score:5, Interesting)

        by Danny Rathjens ( 8471 ) <slashdot2@rathje ... org minus distro> on Thursday November 30, 2006 @03:35PM (#17053880)

        Most nuclear power facilities are run by private companies, but a separate government organization is responsible for safety inspections. When a government inspector finds something wrong, the company involved can face massives fines.

        I know a guy who was an inspector at our local nuclear power plant. He said that once he found a guard sleeping so he went and got the supervisor so it could be documented. On the way back, he said the supervisor was talking loudly and stomping his feet. Not surprisingly, the guy was awake when they reached him, and consequently, that supervisor saved the power company a couple hundred thousand dollars.

        He did learn his lesson, and in later similar situations would only tell supervisors to come with him and not the reason. :)

    • Re: (Score:3, Funny)

      by Joe Snipe ( 224958 )
      what the hell is a man-trap?
  • There were a number of technical security flaws he exploited as well. Among them:

    > I then disconnected the network cable from the copier/printer and attached my laptop. As soon
    > as my laptop booted up, DHCP provided a network address and I was on the internal network.

    This should never be. In the first place, DHCP should not hand out an internal-network address to any old network card that comes calling, and in the second place, the copier should probably be isolated from any important or sensitive s
    • Re: (Score:3, Informative)

      Ack! Switches cost, what, a whole extra fifty cents per port, as compared to hubs? WHY would anybody with anything significant to protect be running an unswitched network? Bad network engineer, no cookie.

      The switches, they do *nothing*! (See the various attack methods for turning a switch into a hub on the fly, then sniffing all traffic.)

      The better question is why the company is sending passwords in the clear in the first place? Just about every protocol under the sun can be encrypted now. And in an
  • teach employees? (Score:5, Insightful)

    by Lord Ender ( 156273 ) on Thursday November 30, 2006 @02:14PM (#17052220) Homepage
    Teaching employees to police each other at the door does NOT help security. It does not work. All the awareness training in the world is wasted money because "politeness" is built in to our culture.

    If I'm walking out the door, and someone coming in catches the door after I walk out, am I going to stop, turn around, go back in the building, stop the person on the way to the stairs, force him to follow me back to the badge reader, and wait to make sure his badge is accepted by the reader? No.

    It will never happen.

    Even if your security awareness training is so successful that 50% of your employees do this, an intruder only has to try twice to get in. You gain nothing.

    Employee-enforced physical security is a farce. You will ONLY have real physical security if you have a dedicated security guard who checks every badge and photo-ID for every person entering the building.
  • "Think about it Derek. Male models are genetically constructed to become assassins. They're in peak physical condition. They can gain entry into the most secure places in the world. And most important of all, models don't think for themselves. They do as they're told."
  • is gone, but one of Isreal's entertaining/scary stories are still to be found on the redirect, Introducing social engineering to the workplace []. Recommended reading.
  • and made it fax out what it found everynight. See: Penetration Analysis of a XEROX Docucenter DC 230ST:"
  • by Animats ( 122034 ) on Thursday November 30, 2006 @02:42PM (#17052776) Homepage

    Some months back, I saw some people working on the phone lines outside my house. They knocked off my DSL connection, so I went out to see what they were doing. They didn't have an SBC truck, so I asked to see their ID. Classically, telcos were very careful about issuing picture IDs to all employees authorized to meet the public or work on plant. There's even a notice in most telephone directories about it, telling customers that all telephone employees are required to carry a telco photo ID.

    They didn't have SBC IDs. So I called SBC repair service via a cell phone. They didn't have a clue. So I called 911 and had the local cops come out. They ask the guys for phone company ID, and the techs don't have it. Twenty minutes of confusion as the techs and the cops are calling various parties.

    Turned out that SBC had quietly been "outsourcing" some routine outside plant work, and had been sloppy about issuing credentials to the outsourcing contractor. Tied up four techs and two cops for half an hour to straighten that out.

    That's what happens when you do it right. Annoys everybody.

Love may laugh at locksmiths, but he has a profound respect for money bags. -- Sidney Paternoster, "The Folly of the Wise"