In my office complex, we have a bunch of security guards who _check_ badges of people who enter the building (My building houses about 8-9 companies). If you don't have a badge then the guard calls the office you claim to be part of to ensure you have access, and then issues a temp badge.
A couple months ago, I forgot my badge at home, but didn't want to go through the hassle of getting a temp badge, so I flashed my driver's license at the guard (which is roughly the same size as my ID badge) and he simply waved me through.
I told my colleagues this, and since then we have a silly game where we try to get in using ridiculous cards. Most recently, we have people who have flashed blood donation cards (a card that acknowledges that you donated blood on so and so date), a credit card and a folded bookmark and successfully gotten into the complex.
While this is a running joke, really goes to show how lax manual security can be (Especially because once you are on my floor, you can easily tailgate your way into my office).
TL;DR Most of our security systems work on implicit trust more than anything else.
I used to be a security guard after I left the army (no skills in civvi street to get a better job).
Couple of things come to mind reading this. One that security guard is probably getting paid a pittance to do that job and you get what you pay for. Two the guard recognises you and your colleagues, knows you work there and doesn't really care that you're playing silly games because on their wage it's not worth the hassle pulling you up for you to get all high and mighty about the inconvenience of a lowly security guard daring to question you. Three that single guard, whilst ostensibly there for "security" is really just there for show, there's no way a single lowly paid guard can possibly provide security for a building housing 8 or 9 companies even with the best intentions.
My experience as a guard was that the employees of the companies within the building treated me with contemptuous distain until something happened at which point it was righteous anger.
> My experience as a guard was that the employees of the companies within the building treated me with contemptuous distain until something happened at which point it was righteous anger.
:(
It's good to see (from the existence of these new articles) that companies are slowly starting to realize that security isn't something to sweep under the carpet and hold in distain.
What do you mean by "righteous anger" though? It sounds like there's a potentially interesting story (or three) hiding in there...
I once worked on a building that was essentially ruled by the office manager (henceforward to be referred to a the wicked witch, WW for short) of one of the buildings companies. The building manager would physically shake everytime she was near.
Anyway to cut a long story short I went to the toilet without asking (yes you heard that right) and came back to find this WW at my desk basically vibrating with righteous rage. An argument ensues which ends up with WW storming off to make a complaint about me going to the toilet and my "bad" attitude which according to WW left to whole building insecure.
Up comes the building manager. I had to call him when I needed the toilet from now on.
Anyway I had noticed that the vast majority of the employees of the office WW managed had invalid passes, they were meant to have photos and employee numbers, but practically all had worn away. So I started to do my job "properly" as per the instructions set forth by WW. Every one with an invalid pass had it removed and they could not get back to work, WW was called to verify identity and she would just give them their pass back and allow them in. WW was not impressed. This lasted until lunch when no one got back into the office. They were queuing out into the street. WW was livid and tried to publicly ridicule me, just a lowly security guard messing thing up.
By the end of our second argument during which I was overly polite in tesponse to the screaming banshee the WW had turned into it was obvious she had lost.
End result. All employees allowed back into work after reissue of invalid I'd cards, I was allowed to go to the toilet when I wanted, I was sacked from that building that evening.
Have you considered (or do you) post(ing) this sort of thing to https://reddit.com/r/talesfromsecurity? This kind of thing would definitely be very well received.
This also sounds like IT. It seems that security and tech are considered to be nothing but cost centers. And then the world can't stop laughing at the string of things that happened to Equifax in a row....
I wonder if the security guards probably notice but are more interested in avoiding confrontation. I'd hate harassing someone who probably won't cause any trouble, and having to potentially get into an argument, where they'll likely belittle my position and make me feel like a shitty person for doing my job.
I was a bank teller during college, and would be occasionally berated by people when I'd ask to check their ID when they were withdrawing money. I always asked if they'd prefer I let anyone trying to take money out of their account do so w/o checking photo ID. One guy swore he was going to get me fired for not letting him take money out of his account because he forgot his wallet at his desk.
The point was that it's not the entire purpose of having the security guard. The building management wants to "provide security" to its tenants as a feature they are willing to pay for. The tenants, for their part, want "security" but not the inconvenience of being "harrassed" by the guards when they forget their purse or whatever.
Guards know this too, and given the choice between letting someone through who you are pretty sure is legitimate and potentially starting a fight which will generate a complaint, they'll "do the best they can" and just wave people through.
Motivations interact in funny ways, and the parameters aren't like software: they're hidden and surprising.
Not for a shared building guard who works for a property company. They are there to keep rifraff and salesmen out.
Look at government and large corporate entities for how to address this. Visitor conference rooms are on the ground floor or away from the office environment. There’s a receptionist who controls access to the employee area, and identification is captured and associated with a staffer for both signin and signout.
Devils advocate, they might simply know your face.
I worked in a 5000 person building for a year, left, and went back a year later for a christmas party. The shared reception still remembered who I was without being told and were able to guess who I was visiting.
I work at a place in the centre of a large city in the UK. Security is hot on badges. I especially know this as I smoke, so going downstairs every couple of hours needed a signing in/out session. To be fair it reduced my habit quite a bit.
Now i've got a proper badge - I can flash anything I like, including my drivers license, or my debit card. The mere act of coyly moving something on a lanyard to them is sufficient, especially now i've explained that i've got noise cancelling headphones so I sometimes cannot hear.
The best bit? There are government departments in the building on a floor below us.
Even better - I used to work at a company that used to be part of the security services in the UK but were spun-out. They still work with the doughnut down the road.
In heightened security times they do random checks of cars - mirrors underneath, etc. All I had to do was say "you checked me yesterday" and they'd not bother.
This is a case where the Nuremberg defence is very useful. If you have explicit policies that are consistently followed, you take away most of the social cost and can even make breaking policy the more difficult choice.
The problems occur in dysfunctional organisations where senior management expect to be exempt from their own rules. Expecting the rules to be bent for your own convenience gives your subordinates tacit permission to bend the rules. Someone who has bent the rules for their boss is far more likely to bend the rules for their buddy. If you're asking people to do inconvenient things, you have to lead by example.
Yes, just look at the example provided by OP. He noticed a security flaw and instead of trying to do something about it he and his companions made a game of exploiting this flaw as much as possible. The employees don't want the inconvenience of actual security.
If I saw that behavior in a manager who was not in my direct reporting chain I would probably let hr know. but having worked mostly govt contract, pharma, and finance I'm used to rfid badges-- not exactly top security tech-- but it, and photos of employees stored in the system, solve the enployee badge issue.
But the security guard is being paid to challenge you, the social cost is off-set by their wages and you'd have to be an ass to take umbrage at a security guard asking for your pass at the entrance to a secure facility.
My pass used to be checked every day for years, in an office of only 1k people, and a line-manager was the only person who could sign you in without it.
Living in a parliamentary democracy and not being an American citizen, “our President” is literally not my president. Are you referring to the American President, Mr. Donald Trump?
I made a little experiment like that myself when I was studying for my Masters. In the town where I live there is a bus card system that uses scratch cards. You get a card with dates (1-31), months and four years (say 2012 to 2016) and you're responsible yourself for scratching off the seven days, month and year when you intend to use the card. So, if you want to use the card starting next Monday, you'd scratch off dates 23 to 29, October and 2017. Then you show it to the bus driver when you board the bus. The understanding is that if you scratch off the wrong days, you can't use the card.
Obviously, mistakes can and do happen. A couple of times I noticed I had scratched off the wrong days or month, or even year. Once I scratched off eight days. One of those mistakes (can't remember which) was noticed by a driver, but most seemed oblivious to the fact my card was irregular, at least (if not totally invalid).
So I decided to make my little experiment: I kept buying and scratching (correctly) a new card each week, but I also kept on me the previous week's card and showed this one to the driver. Then I marked a tick on the card for each time I was waved through without a batting of an eylid. I got about a dozen cards like that, each with a week's worth of ticks or so. I got caught exactly once (at which point I just said "oops, mistake" and took out the right card).
Outcome: we have refuted the null hypothesis that people see what they're looking at.
> we have refuted the null hypothesis that people see what they're looking at.
I remember a police officer pulling over my parents car, asking for the vehicle papers, checking them for 2 good minutes, and saying everything was fine, we were free to go.
After a few kilometres, my father suddenly noticed that he had given the copper the papers of a totally different car than the one in which we were...
It is like at the border, when customs officers flip the pages of your passport while looking at you. They spend as much time on white pages than on the ones that matter; in fact they just watch you and extend the time they watch you by pretending to check something, hoping their magical skills will allow them to detect if you get nervous because you are guilty of something.
When my friends and I all first turned 21 we would swap around our drivers licenses amongst ourselves before entering a bar and showing them to the bouncer. We didn't all look alike, and we have a variety of weights, hair colors, and skin colors. We'd always get in without a problem then all high five each other and give the licenses back to the proper owner. I'm not sure when exactly we stopped doing it but it was amusing for us for a while to "fool" bouncers.
There was a guy on Pawn Stars who was trying to sell Slash's drivers license. He claimed Slash gave it to his ex girlfriend in return for flashing him her breast. He also claimed to use it as ID to drink from 18-21, apparently being successful despite it not being his ID.
Why would you have someone manually looking at badges? That’s what HID readers are for. I have occasionally seen a security guard in addition to a badge reader to make sure that your face matches the badge photo as you pass through a turnstile, but it doesn’t matter what’s on your badge - the “source of truth” photo is loaded from the database onto the guard’s screen.
I once went to a building I had been in before years earlier, but had installed proxycard activated turnstiles. I told the receptionist I didn't have a card but I knew the building well and she walked me to the ID card office where they made me one on the spot with no verification other than to see if I had a driver's license. The card they made me was good for 5 years and got me right through the turnstiles.
The problem of security guards being too relaxed is a consequence of people being too easily inconvinienced. People don't want to wait while security verifies them, and the security doesn't want to waste time verifying people as they don't have enough incentive and receive pushback if they inconvinience anybody.
The solution would be to give incentive to both sides of the interaction; guards should give positive feedback and e.g. a popsicle to the person being verified if the interaction takes too long and the guard should receive a monetary reward when finding false ID:s (there should be a way to limit the abuse of the proposed system).
Just my 2 cents, feedback and ideas appriciated.
Thank god the TSA is not so lax! All that money going into high-tech state of the art security equipment and advanced training really does the difference.
In my personal experience the TSA security critique stems from them super ultra checking middle eastern looking people and doing security theater for everyone else.
Not sure if people are aware of this. I'm not condoning this behavior, just pointing it out.
"Software without tests should be assumed to not work" is true in real life as well. If an external company tried to enter the building periodically and the security guards review included these tests, it would change.
I've always thought this had more to do with change or attention blindess. The guard looks at identical cards so much that they just can't see that something isn't a card.
I think it's also a convenience thing. One of the most common ways for border agents to go on strike (in Europe at least) is to say "We are going to follow the law to the letter on day so and so"
People end up waiting to cross the border for hours on end.
I imagine security guards at a high traffic building have similar leverage and reasons to be lax. When a few hundred or thousand people have to get in through the lobby every morning in the span of 1 hour ... well I think most people would say "You know what, the probability of something bad happening and the consequence if it does is so low that we'd prefer convenience than standing in line for 3 hours to get to work"
I recall Bruce Schneier writing [1] about a friend of his who had a custom ID card made identifying himself as an ambassador from Mars. It supposedly works way more often than it should.
[1] I don't have the citation and search engines aren't helping. I suspect it was in Beyond Fear.
Woz had a Department of Defiance ID that he used to get into all kinds of places. Apparently it's not illegal because it doesn't actually say 'Department of Defense' so it's not a counterfeit ID card.
IANAL, but I think the legal definition of fraud would make that illegal. You're getting something by deception, since you know the person thinks it says Department of Defence.
There is an adage I came up with when working in the IT security consultancy field: 99% of IT security flaws are people, and 99% of that is complacency.
This something that the speaker in the famous "steal everything, kill everyone..." [1] defcon talk refers to as the "jedi wave" and makes similar remarks about. I think it's a great name.
The guards are probably just doing what they’ve been trained and paid to do.
In the US, security guards are paid somewhere between $20,000 and $40,000, annually. I imagine at that pay rate, a typical guard doesn’t have much motivation to do anything more than follow policy and procedure. That is if they even have policy and procedure.
Most of security instruments (guards or metal detectors) are made for shows and to make people feel secure. If you want to break into the building, just bring your friend and arm yourself with an AK-47 and kill the motherfuckers~.
The most secure building I've ever been was one of the Giro buildings in Budapest. All visitors must show id and it is checked by professional guards, doesn't matter who you are are. They will call whoever you claim to be visiting and verify. Next you get your visitors badge. You can't get anywhere with it but the given office. Where corridors cross, you have man traps and your badge will only open the one direction you are allowed to go. This was a converted building so they added sliding glass doors to the existing doors and guess what, you need a badge to open any of those. To enter from the elevator to a corridor again you have a man trap. Tailgate that. Visitor's bathroom is outside of the secure area.
This sounds quite a lot like the setup at Bank of Finland.
It's been nearly 20 years since I visited, but they had access pass only doors everywhere, and all visitors needed an escort at all time. (Helps that they can't get anywhere without badges.)
In addition to all of the above, they had one final gem. Everywhere throughout the offices, there is always one route that gets you through one-way doors. Open them from the inside, get through. Try going back, you need the badge. All of these one-way routes eventually led to a single room. No furniture. Always lit. And every square centimeter monitored with CCTV.
Essentially, if you ever found yourself inside the bank's office, all open paths led to what was essentially a holding cell.
Is a setup like that legal in Finland? Although highly effective from a security standpoint, I can't see a setup like that ever being allowed under US fire codes.
I found following note in document titled "Turvalliset oven avausratkaisut poistumisreiteillä" (roughly translates to "Safe door opening solutions in exit routes"):
> Tiloja, joiden toiminnan luonne edellyttää henkilöiden eristämistä, ei käsitellä tässä. Nämä kohteet käsitellään tapauskohtaisesti pelastusviranomaisten kanssa.
Roughly that means that the document doesn't cover areas which require isolating people and their safety should be discussed case-by-case with safety officials, so it's likely they would require some similar measurements as there are in places like prisons.
Typically activation of the fire alarm will release exit doors, unlock turnstiles, and etc. to facilitate a fast exit. Latches will be arranged so that the doors only open outwards in this case.
The fire alarm system can then be manually supervised to deter false activations. Ultimately, though, human safety always trumps asset protection or information security.
Fire codes can be assuaged in a variety of ways. For example, a Knox box is supposed to hold the master key to your building, but a front door key can sometimes get you to squeak by, depending upon the staffing level of your building (do you always have security up front, for example, 24/7?).
My first or second business trip was to a top secret facility. You had an escort at all times, and when you entered a room a revolving light lit up to let everyone know there was an unsecure person nearby.
This was quite some years ago, I wonder how much has changed:
As an employee of a private company, I was asked to do some work at one of the major data facilities of the Danish state. The place was - and still is - a huge, sprawling mass of concrete, steel and glass, and was internally partitioned into four concentric zones of supposedly escalating security, all fancy with locked doors and card readers. I was expected to present myself at the front desk in the reception area, but somehow, with my equipment on a trolley, and sort of looking for directions, I slipped in behind someone back at a delivery bay. And then just followed signs and color codes and various people through various doorways. In no time at all my trolley and I were at our destination: The holiest of holies, the central tape archive room (yes, it's that many years ago). Got to work for probably about half an hour, not another soul in sight, but in the end was interrupted by the chief of security himself, bursting in with the grimmest of looks and the strangest of colors on his face. Now, this fellow knew me, so no alarm sounded, but I was urgently desired to shut the fuck up and follow him out to reception, where I was registered, issued my proper guest card and authorization, and solemnly escorted back to the archive vault, deepest security, zone four.
When I read Kevin Mitnick's Ghost in the Wires, what impressed me was how he'd combine social engineering with technical hacks. For example even if people did call their boss or Kevin's alleged employer (the utility company, a partner company, whatever), he would have set up their phone system to send the call to himself. I'm sure that social engineering alone gets you a long way, and I'm sure that Kevin was good at it, but when your electronic communications aren't trustworthy you can really do a number on people! How are you even supposed to defend against that?
This is exactly why penetration testers and red teams do these types of engagements. We like to emphasize that organizations need to assume they've been compromised by someone, and they need to constantly keep that in mind when they build security policies and technical controls. You can never keep a determined attacker out, but you can limit the damage that they can do, and make them spend more time getting in.
Social engineering is easier as a woman than a man, at least that is what I believe.
I know companies that perform social engineering tests like this and they try to use their female colleagues for voice-based attacks as much as possible.
From my personal experienced I agree with this -- generally people are not as threatened from how I look/sound and are not as quick to be suspicious. Same goes for children, people think they are innocent, but in many places they are used as part of scams for exactly that reason.
Yep, I've seen this happen before when an old boss let a formally dressed, very attractive pen tester through the front door. It became somewhat of a joke afterwards, but at the time, the auditors involved took it very seriously.
I wonder how much different the whole thing is just because pen-testers get paid to do this by the same company, from somebody actually trying to do this for real.
Getting caught for pen-testers means something completely different, I wonder how that affects tactics.
Yeah, I was surprised by the picking locks part. That tends to be either loud or slow, and either way nearly as incriminating if caught as it is possible to be.
Picking locks isn't like on TV. They aren't talking about bumping locks. Those of use that do it as a hobby do it during meetings and barely anyone notices. If you're making a lot of noise or voiding locks, you're almost certainly doing it wrong. You're supposed to be gentle, with very little pressure, you don't force it.
Most standard door and office locks, I've been able to pop in under 2 minutes. they generally only have 4-5 pins, sometimes less, especially on the interior office locks (maybe 3 in some cases). The whole reason my lock pick group does tables at security conferences is to make people aware the locks are generally not great and you want a lock that will slow someone down long enough that even if they can pick it or bypass it, doing so would get someone's attention or take so long that even after hours a security guard on routine scheduled patrols would notice.
Bumping is the most common attack as it requires relatively little skill and the least amount of time (short of dynamic entry). And most common locks are vulnerable to it, so that would include many office locks since they cheap out on them.
Picking takes time, but if I can loid the latch or otherwise bypass the lock, I can get through the door a lot faster than picking it. An Abloy or S&G lock does you no good if your lock fitment is shit with your dead latch not engaging.
It's probably easier to get an entry-level job with the company, or the facilities contractor, a vendor etc. The turn-around is longer though and you have to supply an id and SSN that could be bought, but you'll have more access and potentially be undetected.
A very good lesson for the company, via a red-faced Mary. She'll share the lessons from this experience widely I'm sure. Excellent that she wasn't fired.
Not to say that this is anything less than completely believable, but I wonder why Mary's boss didn't check up on the cover story? I get that Sophie was able to hack the usual social proof with Mary with her pregnancy sob-story, but wouldn't her boss have asked who sent her?
A lot of large orgs have a very distributed decision making process where decisions are made far outside of a specific chain of command. Frequently it's unclear who you are even supposed to call to verify the identity of someone that just shows up. It may take awhile to even reach the right person and while you are making those calls you aren't doing your work and you are delaying the service this unknown person is theoretically there to provide. What if this person is there legitimately, you piss them off or deny them access, and then you get an angry call from someone several levels of hierarchy above you blaming you for slowing down their project? No bueno
You also can easily end up with a version of the bystander effect; if someone is here than SOMEONE in the company must have validated them etc. In orgs I have worked for in the past it would have been trivial for me to show up with tools, claim to be from IT, and be given access to whatever I wanted immediately.
Generally, the person whose been fooled once and made aware so they know what to look out for is better to have than firing them and replacing them with someone new whose just as likely to fall for the same thing.
The most fun I've had using social engineering was to get access to a database that the pukes in the home office had locked up. Our boss' boss wanted access to the raw data, but they wouldn't give it to us. My colleague and I tag teamed them to figure out which server it was on and the names of the files, then he was able to break into it. The boss was very pleased to be able to provide the data as real-time on his boss' dashboard. Christmas bonuses all around.
Good article about physical security and a intro to social engineering.
As an aside I think the easiest way to get into buildings which are associated with a technology company like this would be to apply for a job there. At worst you will be there for an hour. At best it would be eight hours. Also, there is a lot of downtime in between interview(s) or even just plain waiting on someone. You can get "lost" and if you get caught you could say "where is the bathroom".
We worked with other people's data and were contractually obligated to keep it reasonably secure. You could get inside a building, but probably not one with anything good in it.
To get into the server room you had to badge and code in and be visually verified before exiting the man trap. Computers that were able to access any of that were locked down and had no Internet. The network itself was locked down, with multiple separate networks.
Entry into the building itself required badging and visual verification.
Notably, this was only one facility. You could walk right into the other offices. I doubt anyone would have noticed. But, the secure office was pretty secure. You could get in, but not by social engineering. That office was pretty strict. Not even I could get in without my badge and visual verification.
Well, you could but it would take a lot of work and money. You'd have had to set yourself up as a potential client and we vetted client contacts and it required approval for each guest. We'd call headquarters and verify you were supposed to be coming, who you were, and things like that. We took no unscheduled, unvetted, unknown guests. Not even my kids.
I once worked for a hosting company. Getting in through the front of the data center felt like going through an airlock on a spaceship with someone having to verify your identity with 100% certainty at each gate. Going in the backdoor just required waving an electronic key in front of a sensor with no verification you were key's assigned user, and tailgating was definitely a possibility. Needless to say, a break in would likely have targeted the backdoor. I think the front door was a performance put on for customers getting a tour.
You can physically break into any facility, if you have enough force. Social engineering is a different problem.
In your case, no exiting the alarmed back doors for break. Breaks are taken by exiting the front doors or in designated break areas.
There were no security doors that weren't manned. Positive identification was required, as was approval. No exceptions.
We worked with proprietary data at that facility. Sometimes, we'd even have to put a team at the customer's site. Once, I had to personally do all of it as there were only two of us with government security clearances. For that, I had to be on a military facility.
The latter being really, really silly. I can't be specific but it is fairly well known that I modeled traffic. Yup... That's what I did and the USG determined the data was marked at a higher level that FOUO.
I worked at a place like that had all sorts of crazy protocols for data center access, including an armed policeman in the entry area, which was on a different floor, and rfid/pin access to various areas, including vendor areas.
...except for the cleaning crew, who inexplicably had elevator key codes and physical keys and nearly unfettered access. They used to smoke and play cards in the ladies room, which was huge, had a locker area and small table and was nearly unused otherwise.
Layered and strict policies help prevent that. When I say strict, I mean the policies. If there is a security incident, you study it but not to blame someone. You study it to see where you can improve it.
My initial security training came from your tax dollars by way of the Marines. With the help of consultants, I designated much of our policy. Some of my employees spoke at Defcon, for example.
It's still possible for failure, but the chances are low. Each person entering is on a list - no exceptions. People who enter are NOT people who called us. We call you, at your HQ, and then do our vetting. Things like that. I am not going to go over all the methods, but we knew who was going into the facility beyond reasonable doubt.
Well, past tense. I'm retired.
You could still get in, but it's going to be difficult and expensive. Nothing is completely secure, nothing.
Not in a "high" security building you wont I remember going for an interview at huntings (an arms manufacturer) and I never got inside the main site the interview was in a room of the gate house.
I work for a company that has relatively high security and there are specially designated rooms that are located in the lobby area only for interviewing. YMMV
I went for a job interview with the UK Ministry of Defence, at a naval base. Once passed the gate house (with only an invite letter) I was free to roam the base. This was pre-9/11.
Only works for smaller companies/facilities. With larger ones the area interviews are done in is a separate security area. Same with the area where meetings with outside contractors are done.
My goodness, how does someone get into a job like this in the first place? Start breaking into secure facilities until somebody notices you and gives you a job?
This is conjecture, but I imagine you need to be good at other skills in order to gain attention from that kind of employer. The social engineering training may come after.
I find that casually yawning while walking by security guards has a great effect. It communicates comfort and at the same time increases the cost of interrupting your yawn. Having a card that looks like the badge they're looking for casually in your hand helps also.
For getting into expensive clubs, I used a technique similar to this article. I say that I want to check out the club for a birthday party, then the red carpet gets rolled out.
Another way is to say that you left your credit card in there by the bartender an hour ago, and if they can call someone... or you can just go and get it yourself. And you are flying out or something. Never did this one though :)
Did she bother changing her voice on the phone vs. when she met Mary in person? For familiar voices, it's often pretty easy to know who's speaking even when they change their pitch or accent, but maybe it was practical to assume that Mary wouldn't be able to notice a voice she'd only heard once on the phone. Obviously this isn't a key part of the exploit since she could've always gotten someone else to do the phone conversation, just wondering how careful she needs to be with those sorts of details to avoid something going wrong.
So I do a similar kind of work, and I have a bit of an advantage since I am a transgender woman. You would never know from looking at me and I did extensive vocal therapy to reach a feminine speaking voice (but I can still use my deep voice as well). I can be John, Lisa, Mike, Amanda; whoever I want by doing just what you say here. I have a few accents I do; but thats more just for fun (it’s a job like any other). You could definitely get by without it though; everyone who does this kind of work has a slightly different methodology they like to use.
Generally this type of on-premise pen testing is a solo enterprise. People working together look suspicious and many of these secure environments require you to lock up your cell phone — so using a phone to communicate with a partner would raise red flags.
I mean, I work with other people on the overall assessment, but the site entry part is necessarily pretty sensitive so usually only the head of security at the client is in the know (that way if I get caught, I don’t get shot — though that is less of an issue now as a woman).
People can barely tell the difference between two pictures if you pause for a second between showing each one. Being able to tell that two voices are the same after hearing them days apart, once on a phone? I doubt she has to worry, unless she has a distinct accent.
Finding minute differences between pictures is a much harder problem than matching voices to those you've heard before. In the second one there are lots of possible heuristics you could use, and the attacker would have to prevent all the most common ones at least.
They're not even minute differences. One example toggles between two pictures of an airplane, with the second having the engines photoshopped out. Just a one-second delay is enough to make it difficult to notice what changed.
Now of course it's easy if the two pictures (or voices) are completely different. But who would be suspicious if the two voices sounded similar?
This story reads like a social engineering attempt itself.
As in, fully made up, never happened.
I realize the person is a pentest consultant. And before that they were a journalist. As the story says, "trust but verify"? Which in this case I guess it doesn't make enough difference to verify and the events "could" have happened which is enough for the story. It just feels made up to me though.
Sorry, but this story didn't convince me. It was too straight forward and too much focused on professional sounding keywords and representing stuff as serious security risk that actually isn't.
What I can agree with is that in most companies you probably get in without having files/id cards checked and that this may become a problem to that company at some point.
She doesn't say who the target was but high security with armed guards sounds like its what I would call a List X company in the UK. That is one that has dealings with sensitive info.
It often seems like the biggest con that physical pen testers pull on their clients is convincing them to hire them in the first place. What's the threat, exactly?
Let's say you do something like BeyondCorp. Gaining "network access" doesn't mean anything any more, because you can "gain" "network access" from anywhere in the world since it's all on the internet. Physical access shouldn't be the perimeter, identity should be.
Is that a tall bar? Sure, but it's basically the bar. Instead of wasting money on fancy pen-tests, put that money into the IT budget to get identity management up to that point.
Next, is the risk really that someone will gamble a physical snoop into a secure compound, where the possible negative outcomes are police custody and prison time, for a score of a few thousand dollars, as Sophie mentions in the article? Sure, that's a risk, hobos would cruise in and swipe a laptop off someones desk to sell it on ebay for booze money. Do you need to pay a pentesting shop $80k to know that? No. And, the risk is basically the same as if an employee takes home a laptop and their car is broken into. The fix is the same too: encrypt everything at rest.
These are all basic lessons that you can learn by downloading a CISSP study guide.
However, I think that there will always be failure points because what you want to defend against this is a culture of security, and it's difficult to instill that even when you work in an environment that is rightfully charged with maintaining high security. It's boring and generates friction. If someone shows up for an important meeting at a high security building and they forgot their ID, the guards will not accept any amount of "do you know who I am" because they know that when their supervisor is called in, they'll be backed up. Everyone else knows this too, on some level, so there's much more of a culture of "why didn't X happen?" "oh, there was a paperwork SNAFU somewhere and security stopped us at the front door" "lol! typical! we'll try again next week." That just wouldn't fly in the private sector: because the risk doesn't weigh anywhere near as much as the reward for just cutting the corner and doing it without the I's dotted and T's crossed.
So, sure. You can fast-talk your way past the rent-a-cop at the front desk of the offices of an aluminum siding manufacturing plant and swipe some coffee cups and staplers out of the supply closet, and you'll always be able to do this...
You’re testing a process end-to-end and identifying places where the policy is either too cumbersome or ineffective. Sometimes it’s a training issue, sometimes their processes just suck and need to be changed.
Physical access is enough to do a lot of damage. You could drop a 4G wireless sniffer hidden in a wall wart. You can grab someone’s password off a post-it note and then fish the RSA token out of their purse when they go to the bathroom. Now you’ve defeated 2FA and have network access from the outside. Just metasploit/nmap scan, find a vulnerable system and you’re in business.
Check out the Bash Bunny — it’s a quad core attack platform running Linux. It looks like a USB drive, but emulates a whole bunch of different USB devices (keyboards, cameras, displays, etc) paired with attack tools to break into the system.
Basically, if you get network access, there are almost certainly vulnerabilities somewhere. Imagine someone like the CIA who buys 0-day exploits by the hundreds — physical access makes total pwnage inevitable.
I got asked to do this for a FTSE 100 client (Rank) of ours and I managed to from a standing start with physical access and to extract the secrets and crack them.
Physical access to a device usually allows you to get full control, or at least be able to 'wiretap' its network packets.
Lots of fun little devices to screen capture or keylog allow an attacker to get credentials and harvest secure information. Many of these devices have wireless capabilities now, so you only need to enter facility once to plant it, and then you can download the capture from outside the building. Very few companies can prevent attacks when the attacker has valid credentials.
Once you're inside a network, you're past all of the perimeter defenses, and most companies have tons of secure information flying around. Mimikatz and responder are devastating for most Windows networks: grab the credentials, use them to pivot or get more info to grab more credentials, repeat until you get an it admin account, and you've got the keys to the castle.
> Security in this office park is a joke. Last year I came to work with my spud-gun in a duffel bag. I sat at my desk all day with a rifle that shoots potatoes at 60 pounds per square inch. Can you imagine if I was deranged?
Ah yes you're right of course. For some reason my mind immediately jumped to assuming that two separate stories would follow.. should have re-read, thanks.
I worked as a late-night valet in downtown Austin when I was in college. We would go into the bars to get water even though we were underage and eventually we got the idea to go in with our valet uniform on, take it off and order drinks.
Probably it should be dealt with structurally, a very small anteroom that only allows access to one person and can't be entered (without obvious force/misbehaviour) until the security door is locked again, like a turnstile before the door. That makes it far more uncomfortable not to challenge someone as they'd have to severely encroach your personal space to gain access.
When we use this technique (known as "tailgating") to break into client sites, we always recommend that the organization try to foster a culture of "trust, but verify". This means employees stopping people if they don't have their badges displayed, or showing unrecognized people to the reception desk, or closing the door behind you to make sure the next person has to badge in, even if they have a badge that looks plausible.
It's not an easy thing to learn to challenge people, but it's vital to maintain a good physical security posture. Employees need to feel comfortable challenging those who they don't recognize, and making sure that employees are part of an organization's security team is important.
PLEASE let this godforsaken phase of gifs after every other paragraph come to an end already. It makes yet another fascinating article basically unreadable.
Seriously, I was debating opening my dev console and just selecting them all deleting. Then I started thinking, how long would this article look without all this shit in it?
Lucky for them it was interesting enough of a read or I would have closed it outright.
I just right click and select the images with uBlock as they come on screen - maybe not the most programmatic way of dealing with them (blocking all of their host, assuming they were all hosted by the same platform, might have been quicker) but it saved some gif aggravation.
Agreed, I even went into this article after reading your comment thinking "Hmm, I'll just scroll through quickly and block all of the images then take my time reading without the distractions"...I had to give up after 5 or 6, didn't even bother reading the article.
EDIT: Saw the Safari reader view comment below and ended up using Edge's reading view for this. That makes it tolerable but I really shouldn't have to do this.
Block out all the images and replace them with whitespace. Now, fully remove the images. Which is easier to read?
Well-designed use of whitespace is necessary to make text easy to read. However, this is neither well-designed, nor whitespace. I constantly have to scroll down, reposition the next couple of paragraphs on my screen, and reacquire the text. That is not easy to read.
I have NoScript running in default deny mode, I saw blank white boxes where these animated gifs should have been. The rest of the article was fully readable, with no animation distractions.
There's quite a lot of news sites whose in-line static JPGs all vanish with NoScript. I really have no idea what people think they're doing these days.
Totally agree. Cannot express how much I hate them, it annoys me so much I basically cannot read otherwise interesting text while being hungry or irritated for some reason. Probably should consider this a chance to practice staying calm... But God, I hate it.
Hello! My name is Sophie and I break into buildings. I get paid to think like a criminal.
Organizations hire me to evaluate their security, which I do by seeing if I can bypass it. During tests I get to do some lockpicking, climb over walls or hop barbed wire fences. I get to go dumpster diving and play with all sorts of cool gadgets that Q would be proud of.
But usually, I use what is called social engineering to convince the employees to let me in. Sometimes I use email or phone calls to pretend to be someone I am not. Most often I get to approach people in-person and give them the confidence to let me in.
My frequently asked questions include:
What break-in are you most proud of?
What have you done for a test that you were the most ashamed of?
What follows is the answer to both of these questions.
A few months ago, a client had hired me to test two of their facilities. A manufacturing plant, plus data center and office building nearby.
First step: open source intelligence, or OSINT. I look at maps, satellite images, study what I can of their delivery and supply schedules, and so on.
The manufacturing facility looked like a prison. No windows, heavy iron gates, no landscaping. Generally a monstrosity of architecture.
This facility had armed guards, badge readers, biometric security controls and turnstiles at every entrance.
I remember thinking, "It's got to be hell to work in there. I wonder if I can use that…"
One thing was for sure… The chances of tailgating (following behind an employee with valid credentials) into this building were next to non-existent.
I was going to have to get down and dirty with my social engineering.
First stop: LinkedIn. Your LinkedIn is my best friend. The more information you have on your LinkedIn, the more options I have.
I have several fake LinkedIn profiles that you are probably connected to.
I scour profiles of employees who work at these facilities, and cross-reference them to other social media sites. And I find a lovely young woman who I'm going to call Mary.
Mary was a brand-new hire working as an assistant at the manufacturing facility. Mary had a public Facebook account too.
On Mary's public Facebook account, she documented all of her family's adventures.
Side note: Now I know where Mary went to high school, her mother's maiden name, the names of her pets, etc.
Answers to those "security questions" you use to reset your passwords are very easy to find if you aren't careful with that information.
Not to mention that now I know where Mary works, where her kids go to school, where they vacation…I could go on. Scary stuff.
This is not an advanced investigation. I'm not a private investigator and I don't have the resources of the NSA. But I can do a lot of damage with simple methods.
Most notably to me, there were photos Mary posted of her time volunteering with a certain maternity support center.
Her passion for children and caring new moms was very plain. So of course, I took advantage of it.
For this assessment I played two roles. For the first, I spoofed my phone number to make it look like it was coming from the company's headquarters.
I called the front desk of the manufacturing facility and was transferred to Mary. "Hi Mary!" I said, "My name is Barbara."
"I am a project coordinator with facilities management. We are renovating a few of our facilities. We are sending an interior designer out to you tomorrow so she can put together proposals to update your space!"
Mary replied, "Well that's great! But why the short notice?" I could feel her getting suspicious, so I pulled out my trump card…
Sigh "Well Mary… You really should have heard from me sooner. I've just been so overloaded at work…I feel like I can't catch up, and to top it off the baby is due in 6 weeks. If my boss finds out I messed this up he's going to flip."
I was really getting into this, voice shaking. (Yes, I know, I'm a terrible human being.)
She cut me off, "Oh hunny, hunny it's ok. We will work this out! Tell me about the baby! Is it your first? Boy or girl?!"
Our Mary was committed at this point. Not because she is stupid, but because she is a good person. She wanted to help me.
We talked babies and birth plans for a while (never pick a pretext you can't speak about at length.)
Mary took down the name of the "designer" who was coming by the next day and we said our goodbyes. Mary could have saved her company a lot of heartache by simply verifying that I was who I claimed to be. (Just to be clear here, I would never give out Mary's real identity. I'm not totally heartless. This could have happened to anyone. She has not been fired.)
I showed up the next day as "Claire" with a fictional architecture firm that I had made business cards and a website for. My alter-ego Barb had done most of the leg work for me. When I arrived, Mary and her boss were waiting for me with smiles. I shook hands all around and handed them the business card I printed out the night before. I was given a visitor badge and the red carpet was rolled out.
I gained rapport with the staff there by asking them to tell me what they wanted in an office space. They were so excited. I might have claimed to be on the team that put together the Google offices…(Yes, I am HORRIBLE. This is my inner demon child.)
"You want a standing desk? New chairs over here?! Ergonomic keyboards for everyone! Let's look at swatches!"
We became best buds. I was given complete and unaccompanied access to the facility where I stayed for several hours.
I gained network access and stole several thousands of dollars in physical primitives by picking my way through cheap locks (credit to Deviant Ollam for the rad lockpicking animations.)
This client had been pretty confident that I wouldn't get into either facility, much less be able to hit both in a short time span. So the timeline was left to my discretion, but it was assumed that I would need to fly to the area twice.
I didn't see the need in burdening them with two round-trip expenses.
I went back to Mary's office and said, "Well I think I have what I need from here. How do I get to the office center?"
She looked at her watch and said, "It's almost lunch time. I'll take you there!" A whole group of us piled into the parking lot, and they took me to a nearby taco shop. That's right. My Marks took me to get tacos… I love my job.
After lunch they drove me to the offices and a few of them came in with me to show me around.
I took FOREVER looking around this office space, and eventually they said their goodbyes because they had to go back to work. They had a strict policy of escorting visitors. But I had been seen walking around with trusted insiders so no one questioned me.
I was free to take my time. I made myself at home. My main objective at this site was to weasel my way into private corner offices.
When I accomplished my goals, I tracked down my point of contact's office. This is the man who hired me in the first place. This is the best part of every job.
Steve was there, hard at work when I disturbed his groove by knocking on the door. He glanced up, "Hi there, can I help you?"
I smiled. "Hi Steve! I'm Sophie from Sincerely Security. It's nice to meet you in-person!"
I will never forget the look on his face… Pure gold. "Who?.... Wait, what? How? How did you get in here?!"
We stayed in his office and talked for a long time. I went over exactly the steps that could have prevented my success. First of all, the desire to help others is human and natural. We don't want to discourage that.
Second, I'm sure they did have some sort of policy that required visitors to check in showing government issued identification, but they weren't following it.
We also need to post by every computer, phone and door: "TRUST, BUT VERIFY."
An employee who does their homework can ruin my day.
Third, if it seems too good to be true, it probably is.
Is your company going to hire the team who designed Google's offices? Magic 8 ball says no.
Lastly, the team who took me to the second location should have found someone else to escort me through the building.
I've been doing this job for a couple years now, and almost every job is a variant of this story. Very rarely do I go through an entire assessment without some sort of social engineering.
There are ways to protect yourself and your company from attacks like this. I think it starts by sharing stories like these, and educating and empowering each other to be vigilant.
Do people enjoy reading in this format? Beyond being a bit passé at this point, are these things ever even amusing. I know they interrupted the flow of an interesting story here, but why are people still doing this?
Complainers always make more noise. I personally find it cute, a bit like listening in person to a very expressive story teller.
I sympathize with the critics, by the way - I have gripes with plenty of online content, even if not with this one. A button to enable the GIFs would probably be best for everyone.
I don't find them super distracting, but I do miss the days when you could hit the ESC key and stop the animation loop.
That ability seems to have disappeared from browsers sometime between when the spinning skulls and under-construction gifs stopped being popular and these 12-frame silent movies appeared.
Not to add to the complaints but can somebody extract the text and post it vanilla elsewhere without the gifs? Seems like a very interesting article otherwise.
With NoScript installed in default deny JS mode, the gifs do not appear at all, only blank white boxes where they would have been. In this case NoScript made for a distraction free reading experience.
You're literally engaging in Schadenfreude here, specifically in a context where the Schaden is not self-inflicted by the person experiencing it. This means in the country of origin of the word your reaction would be seen as that of an unhealthy mind. So do you think you should be throwing rocks out of your glass house?
> you might have some bigger issues
Of course there's also the bigger question of whether "having bigger issues" invalidates the complaint a person makes, or maybe even the person, as you appear to think happens.
The fact that you take someone's honest admission that they have a problem with something, and decide the correct reaction is to point at them and make fun of them, means at the very least that you're severely lacking in empathy.
Still there are IMHO limits, this story appears to me "too easy".
From the article:
>The manufacturing facility looked like a prison. No windows, heavy iron gates, no landscaping. Generally a monstrosity of architecture.
>This facility had armed guards, badge readers, biometric security controls and turnstiles at every entrance.
The above implies that the firm is attempting to have a higher level of security than most offices/factories.
I would have expected that the pentester had to do something more than what she wrote.
I mean, you first put up some basic security/access policies, and later you hire someone to test them.
And I cannot believe that:
>I gained network access and stole several thousands of dollars in physical primitives by picking my way through cheap locks.
One thing is getting access to the premises, another one is managing to be left alone and allowed to have network access, start lockpicking locks, etc.
>Someone leaves their computer unlocked when they walk away -> network access.
Sure, and how much time do you have, alone in someone else's office, sitting down at their desk to steal info?
First part of the article is about having been shown around by "Mary" and her boss, and then being with other employees, when did the pentester have the time to access network, lockpick doors, etc.?
I need about fifteen seconds of quality time with an unlocked computer before it belongs to me. Devices like the USB Rubber Ducky ( https://hakshop.com/products/usb-rubber-ducky-deluxe ) make it trivial to compromise unlocked systems within seconds. Stealing info can then be done at your leisure, from anywhere you have internet access.
Just because she skipped over some unimportant parts of the story doesn't mean she didn't have plenty of time after being shown around the building to accomplish her objectives. She does address this, too:
> I took FOREVER looking around this office space, and eventually they said their goodbyes because they had to go back to work. They had a strict policy of escorting visitors. But I had been seen walking around with trusted insiders so no one questioned me.
> I was free to take my time. I made myself at home. My main objective at this site was to weasel my way into private corner offices.
>Just because she skipped over some unimportant parts of the story doesn't mean she didn't have plenty of time after being shown around the building to accomplish her objectives.
She didn't skip anything, the quote is this one, however (earlier in the article):
>I was given complete and unaccompanied access to the facility where I stayed for several hours.
That is "building #1", the parts you quoted are related to "building #2".
If you did this job, you would not be surprised by the ease with which you can pull off these sorts of things. I've been doing this for a couple years now, and it's terrifyingly easy to compromise data or physical security for organizations that really should know better.
You can pick office furniture locks with a binder clip and a paper clip, which you can often find in the unlocked portions of the office furniture. The paper clip is permanently disfigured in the process, but the binder clip can be put back unharmed.
I know, because I have actually done this occasionally, to remind myself to never leave anything valuable at the office. It can take less than 60 seconds to go from empty-handed to an opened lock. A few more seconds to re-lock it with your makeshift pick.
Cheap locks might as well not exist to a professional attacker. They barely exist for an amateur motivated by curiosity or boredom.
Door locks are a bit more difficult, and may require more sophisticated tools, but those are left unlocked more often, for the extremely ironic reason that the employees that have greatest use for them typically don't have the keys. The only keyed doors that ever get locked are upper management offices, the office supply closet, and wherever it is they keep the sodas and snacks for visiting customers.
As with online security, companies are only willing to pay for the illusion of security. Genuine physical security is difficult, expensive, and wears heavily on employee morale.
That's very true. In many cases, that's even _perfectly fine_. Not every organization needs enough physical security to deter a determined attacker. The ones that do hire people like Sophie (or me), and take the lessons to heart. Even if the organization doesn't make changes to their physical security posture as a result, they know what to be aware of, and they know where their weaknesses are.
A lot of our security--both network and physical--is based on the illusion of security. One of the most important things that penetration testing does is to make organizations aware of the issues, to put the bug in their ear to remind them that security is important, and shouldn't be an afterthought. We see lots of organizations make material improvements to their security as a result of red team exercises. We also see a lot of organizations that don't. It's disheartening when that happens, but I like to think I help make a difference. The next data breach might be mitigated by our recommendations, or even prevented entirely.
Heard a story recently of a major MSP forgetting to disable the Ethernet port on the back of a set top box, and it provided access to a VLAN with direct access to the company’s back-end systems. They didn’t have passwords on many of their databases because they assumed the firewall would protect them. Pwnage ensued.
This is a big company you have definitely heard of. You didn’t hear about the data breach because they basically paid the hacker off with a security consulting contract, then said he was a pen tester. This happens all the time.
Most companies are really bad at security. The bigger they are, the worse they are.
I think the term "Social Engineering" is making this seem so fun and technical, if we started using the words "fraud" or "identity theft", or "impersonation", maybe companies and lawmakers can give it the legal and enforcement attention this issue desperately needs.
Not a judgement of the article or Sophie, more just terminology which makes it difficult for non-technical people to understand the gravity of these attacks
> if we started using the words "fraud" or "identity theft", or "impersonation", maybe companies and lawmakers can give it the legal and enforcement attention this issue desperately needs.
There are already laws on the books for "fraud", "identity theft", and "impersonation." Also, trespassing, theft, cybercrime, etc.
She was hired to do this. As explained in the article, the company wanted to test their own security. She is able to revel in her deception because it's exactly what the company wanted from her.
>If you don't believe her that she was hired, why believe the rest of her story?
As a matter of fact I don't believe most of the rest of the story, and - for some reasons - I have been downvoted for expressing my doubt of it sounding "too good/easy to be true":
Maybe I should have called it "not very plausible overall", as there is IMHO too much contrast between the described "high security" context and the extents of what the pentester has reportedly been allowed to do once gained access.
A couple months ago, I forgot my badge at home, but didn't want to go through the hassle of getting a temp badge, so I flashed my driver's license at the guard (which is roughly the same size as my ID badge) and he simply waved me through.
I told my colleagues this, and since then we have a silly game where we try to get in using ridiculous cards. Most recently, we have people who have flashed blood donation cards (a card that acknowledges that you donated blood on so and so date), a credit card and a folded bookmark and successfully gotten into the complex.
While this is a running joke, really goes to show how lax manual security can be (Especially because once you are on my floor, you can easily tailgate your way into my office).
TL;DR Most of our security systems work on implicit trust more than anything else.