
6/18/2007

Server Room Follies

In which pizza and soda are shown to be more powerful than a crowbar for breaking and entering

In most companies, the server room is considered the heart of the network. When a customer asks us to penetrate this room, we know the challenge is going to be considerable. The server room is usually guarded by access control, cameras, and a staff person or two. We're not always successful, but when we do manage to get in, we remind ourselves that relying on the kindness of strangers opens almost as many doors as a master key.

One of the most memorable server rooms we compromised belonged to an organization that had remote locations across a large geographic area. Each office served as a critical junction of network and switch equipment, and each facility also served as a service location that deployed people in trucks to provide customer support and service infrastructure. The customer asked us to visit certain locations and attempt to gain access.

We visited our first facility and combed the exterior as if we were locked out of our homes. The building was entirely constructed of concrete block, with no windows and one steel door guarded with a proximity access key-card system. We were about to get back into the car and leave when we spotted an unlocked company truck. I opened the door and noticed an employee badge and a proximity card hanging from the visor. I grabbed the badge and put it on to see if I could get in the building.

Just as I placed the card in front of the reader, the door opened. An employee was as startled as I was, probably because we almost walked into each other. He looked right at me and asked if I needed any help. That's about the time I realized I was wearing his badge, yet he did not notice.

I told him I was a building appraiser hired by the company to inspect the properties. Figuring I was caught and about to have to deal with the local authorities, I was instead invited into the building. Asked why the property and technology were being appraised, I responded that the company was probably being sold and they needed a fair estimate. He sighed and told me to do what I had to do. He then reached for his phone – I was sure he was calling the cops. But in the meantime, I sat down among rack after rack of equipment, opened my laptop, and connected to an available network connection.

While I sat and worked, I listened to his phone conversation. It was his wife – he was telling her the company was being appraised because it was being sold, and that he might be looking for work. After a few more minutes on their network (and eavesdropping), I decided to get out while I still had the opportunity. I motioned I was leaving and letting myself out. He waved back, still on the phone. I was still wearing his photo ID.

Let 'em eat cake
Another scenario didn't quite turn out the same, but fortunately our effort wasn't a complete failure. We were hired by an organization that wanted us to compromise its server room as part of a social engineering effort. Our client indicated that only a few key people were clued in to what was planned. Unfortunately, word spread fast that the IT group was being tested, so everyone was on high alert.

The day of our attempt, my colleague, Robert Clary, and I posed as consultants needing access to the server room. We approached the door and attempted to see if it was open. As we tried the door, a man who was working in the server room opened it and asked what we were doing. Between his tone of voice and body language, it was obvious he knew who we were and what we were doing.

Feeling cheated, we decided to retaliate. Clary and I retreated to my car to have a cup of coffee and devise our Plan B. From my car, we noticed the organization's security building directly in front of us. This customer had its own mini police force to guard the facility. We decided to social engineer our way into the security building and use their network connection to penetrate the internal network.

Armed with no more than laptop bags, we entered the police force building, indicating we were consultants hired to work on their network connection. The department's director provided us with private offices in which to work. We cracked the network and were scouring it as thoroughly as we could when one of the private security officers popped his head in. Clary and I had the identical simultaneous thought: Busted. To our surprise, the officer asked us if we wanted to participate in a birthday party for one of his co-workers. We agreed, left our private office, sang Happy Birthday, enjoyed some cake and coffee, and then got back to scanning the network.

Fast food security
Another recent server room caper also involved food, specifically leveraging the power of pizza and Buffalo-style chicken wings. The customer's server room was in a hallway in an office building shared by several tenants. Although the building was guarded by proximity access, the server room itself was secured by a regular door lock. After some surveillance, we noticed that a few tenants still had employees and visitors coming and going after 5:00 p.m., so the building remained unlocked.

We also noticed that the cleaning crew started around 6:30 p.m. We made a note and paid particular attention to the guy who was responsible for cleaning the main hallways. He appeared friendly as we walked by and said hello, and his response indicated his English was limited.

On the day of our attempt we rounded up the normal stash of stuff we take, with the addition of a large Neapolitan cheese pizza, a couple dozen Buffalo wings (hot), and a six-pack of soda (diet). When we picked up the food, I asked for an additional empty pizza box. In that one, I stashed a laptop, power brick, and Ethernet cable.

I parked in front of the facility and then watched through the glass doors for our cleaning guy. As he started cleaning I made my way into the building, heading for the door that led into the server room, carrying my two pizzas, wings, and soda. He noticed I was struggling to balance the two pies and Styrofoam container of wings on top of the boxes, while in my other hand I held the soda in a plastic shopping bag.

When I stopped in front of the server room door, I started the one-hand-holding-the-soda-trying-to-get-in-my-front-pocket-for-a-key routine. Without hesitation he immediately came over and reached for his wad of keys and opened the door. Success! I was in. After thanking him numerous times, offering a slice and drink, I slid into the air-conditioned server room to plug in.

It almost seemed too easy. But if you think about it: Why would he question a guy trying to get into a locked room to steal something, while carrying a couple of pizzas? Most hackers probably do not pack a lunch when they intend to break into a place. [Ed. note: Perhaps they will now.]

So forget deep-packet inspection, the latest malware updates, and other technical must-haves for a second. People remain the weakest link in any enterprise security strategy. Most people want to be helpful and are conflict-averse, especially if you look even remotely as if you might belong in a given place. Employees and any ancillary service personnel must be trained to ask questions, verify identities, and know whom to call when something smells wrong. And those skills and processes must be continually reinforced. Otherwise, what they perceive as a kindness may be little more than unlocking the safe for some nice, friendly stranger.

— Steve Stasiukonis is VP and founder of Secure Network Technologies Inc. Special to Dark Reading
