Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


01:32 AM

Social Engineering, the Shoppers' Way

Even with magnetic card readers at its doors, your company could be vulnerable to a break-in

9:32 AM -- For years, the "card key" has been considered a reliable means of securing the enterprise from unauthorized visitors. In some cases, these cards also serve as identification, and when combined with smartcard technology, a form of network authentication. But if these cards are misconfigured or managed, they can be rendered useless -- as my penetration testing company recently proved.

About six months ago, a medical facility hired us to assess its information security as part of a HIPAA compliance effort. During a pre-assessment briefing, the customer indicated a concern about physical access to the building, which could lead to a compromise of the network.

The company asked us to attempt to circumvent the physical security system, gain access to the building, and retrieve as much information as we could. We agreed, pending the appropriate “get out of jail” arrangements in case we were caught and detained by the authorities.

This facility was a little different than our other HIPAA customers, which are usually insurance companies or hospitals. The target this time was a giant laboratory that performs tests on samples sent by physicians from all over the region. With the volume of healthcare data stored in the facility, we knew that getting inside and connecting to the network could yield a good deal of sensitive and valuable information.

Before we tried to get in, I scoped out the entry points, observed when people came and went, and looked for potential weaknesses in security. Although I couldn't spot any video surveillance, the building security seemed pretty solid; the primary entrance was guarded by a receptionist behind glass. Other doorway access points were secured by a magnetic card swipe system.

On the day we planned to get into the building, I decided to try the magnetic swipe system. In a worst-case scenario, I figured I could fumble my way in, acting as if my card had malfunctioned and asking an employee to open the door from the inside.

Without having an "official" magnetic access card to duplicate, I pulled every card with a magnetic stripe from my wallet, including my bank ATM card, a credit card, and a shopping card from a major grocery store. To my surprise, the first swipe from the shopping card opened the door.

Once inside, we knew that blending into the environment was going to be a necessity. I needed to get my colleague to a conference room to jack into the network and start port scanning, while I started looking for logins and passwords by flipping keyboards and pulling yellow sticky notes from monitors. We located a men's room that also served as a changing facility for employees. Conveniently, it also contained clean smocks and scrubs for us to use.

Now dressed in the appropriate attire, we started walking the facility. We located an empty conference room and commandeered it as our place to work. As my colleague jacked into the network and started scanning each address, I started moving through the facility looking for anything that could provide privileged network access.

Within minutes, I located workstations littered with sticky notes containing logins and passwords. Some even provided detailed information on which systems could be accessed. After collecting several logins and passwords, I made my way back to our conference room to use what I had found.

As soon as I walked into the room, my colleague indicated he was now a domain administrator with access to numerous systems as well. Our efforts led us to a significant find of HIPAA-rich information. After several hours, we had collected enough information for our report, and we casually exited the building through the same doorway we entered.

Back at our office, we immediately notified the customer of the security flaw in the magnetic card swipe system. We later learned that the door access system had been mistakenly set to use a feature called "man-trap," which enables banks to secure their ATM machines while allowing access to customers of other banks. Most magnetic stripe systems have this capability.

After we gave our report, the customer asked whether anyone challenged us, but in fact, no one had given us a second thought. In fact, several individuals gave us directions or answered questions. After hearing this, the customer made an unusual request: Would we show the employees what happened?

We usually document quite a bit of our security assessment work with video and digital images, so our entire break-in was easy to recreate in a presentation. We kept our tone upbeat -- we weren't out to make anybody look bad. Most of the employees reacted with surprise and said, "I remember seeing you, but since you looked like you worked here, I didn’t bother questioning you." We advised them to look for a badge and question individuals who appear to be out of place.

We performed a follow-up assessment six months later, attempting access through the same doorway we had used previously. None of our cards worked this time, so we waited for an employee to leave, then used the open door to gain building access. We were inside again.

As we started through the hallways, however, we were confronted by the woman who had previously exited, allowing us entry. We immediately surrendered and asked her to call our contact inside the company. While we waited, she told us that she had gotten in her car and driven away, then realized what she had done. Immediately, she gone back to the office to get security and find us.

Clearly, our presentation about network security and awareness had paid off for the customer. And we learned something as well: Building access security can be easily circumvented if improperly installed or configured. Now every security assessment we perform includes a social engineering component in which we test building access security. So far, we have not been able to recreate what happened at this customer’s location, but over time we're pretty sure we'll see something like this again.

— Steve Stasiukonis is VP and founder of Secure Network Technologies Inc. Special to Dark Reading

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 5/27/2020
10 iOS Security Tips to Lock Down Your iPhone
Kelly Sheridan, Staff Editor, Dark Reading,  5/22/2020
How an Industry Consortium Can Reinvent Security Solution Testing
Henry Harrison, Co-founder & Chief Technology Officer, Garrison,  5/21/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-05-27
In SmartDraw 2020, the installer gives inherited write permissions to the Authenticated Users group on the SmartDraw 2020 installation folder. Additionally, when the product is installed, two scheduled tasks are created on the machine, SDMsgUpdate (Local) and SDMsgUpdate (TE). The scheduled...
PUBLISHED: 2020-05-27
An issue was discovered in the Linux kernel before 5.2. There is a NULL pointer dereference in tw5864_handle_frame() in drivers/media/pci/tw5864/tw5864-video.c, which may cause denial of service, aka CID-2e7682ebfc75.
PUBLISHED: 2020-05-27
A race condition was found in the mkhomedir tool shipped with the oddjob package in versions before 0.34.5 and 0.34.6 wherein, during the home creation, mkhomedir copies the /etc/skel directory into the newly created home and changes its ownership to the home's user without properly checking the hom...
PUBLISHED: 2020-05-27
JerryScript 2.2.0 allows attackers to cause a denial of service (assertion failure) because a property key query for a Proxy object returns unintended data.
PUBLISHED: 2020-05-27
JerryScript 2.2.0 allows attackers to cause a denial of service (stack consumption) via a proxy operation.