- Feature Articles
- CodeSOD
- Error'd
-
Forums
-
Other Articles
- Random Article
- Alex's Soapbox
- Announcements
- Best of…
- Best of Email
- Best of the Sidebar
- Bring Your Own Code
- Coded Smorgasbord
- Mandatory Fun Day
- Off Topic
- Representative Line
- News Roundup
- Editor's Soapbox
- Software on the Rocks
- Souvenir Potpourri
- Sponsor Post
- Tales from the Interview
- The Daily WTF: Live
- Virtudyne
Admin
Harrow, That story is ridiculously awesome. I am going to shamelessly steal it, modify it a little bit, and retell it for my own personal gain. I hope you do not mind.
Admin
Ones who are former employees?
Ones who are current employees desiring to make a bit of illicit extra money?
Ones who've never been employed there but managed to snag that one piece of information to make themselves sound more legit?
Don't assume that just because somebody knows one piece of information that they are authorized to be there. Social engineering works precisely because people assume that "oh, he wouldn't know to ask about that if he wasn't supposed to be here."
As far as security goes, it's quite possible that the company providing security is run by dorks. My brother-in-law got fired from one security job (at a hospital, no less) for upholding policy and verifying an unbadged person's identity before letting them in. (He did win the wrongful termination lawsuit.)
Admin
On the bright side, you'll never have to pay for hardware again!
Admin
Admin
I work in a secure facility (you need at least a Reliability clearance to even enter the working areas). The president of the company was doing an address and told us the story about how a new security guard/receptionist stopped him as he tried to enter the building without his badge showing. She wouldn't let him by. "Do you know who I am?", he said. She didn't recognize him, or his executive status -- no entry without a badge.
The president commended her in his speech for doing her job properly. What was left unsaid is that, likely, if she had bowed to the "social engineering" factor, said "Oh, sorry Mr. President" and let him in -- she would probably have been fired.
Captcha: craaazy (yup!)
Admin
asd
Admin
Gotta love social engineering. Yep, done stuff similar to this before. As long as you act like you know where you're going and what you're doing a lot of security guards won't even bother, assuming they are awake. I don't know how many times I've seen the security guards snoozing at the desk.
My favorite was when all I had to do was drop the name of the project I worked on, and mysteriously I never needed to show id for anything, I could get anybody's password reset for them, and what not. Of course, the project had a $250 million budget so we usually got what we wanted.
Admin
The military is good for these.
I worked in a classified data center. We had duress words to use to signal whomever we talked to that we were under duress. One of them was Scrabble.
We then had our security police come in through the building and see how many offices they could get into. They faked a pass (had a picture of a bunny on it), and then went to each workcenter.
"Hello, my name is Mr. Scrabble. I have a new employee, and we're going around to each office for the newcomer's tour."
3/4 of the offices let him in, gave him the tour (which was probably classified as well). At our shop, we actually called the security police and then was given kudos for actually following the rules.
Captcha: gygax. Why do I always get the words that aren't real words?
Admin
but seriously, they could be encrypting the swap partition as well, if that's what you're thinking
Admin
Guard: OK, so you just want me to stand here and guard it, until you, or anyone else, comes and asks for it.
Admin
When I was working in the UK, my company shared its office building with a department of the Home Office. Therefore, we had very strict security measures - in theory. I think what a lot of the experts designing security guidelines miss is the fact that the stricter and more impractical your guidelines get, the bigger the chance that people will simply ignore them. For example, we had electronic badges and we're supposed not to let anyone in - however, good manners are stronger than security concerns, at least in England, and EVERYONE would hold the door open for the guy behind him or her without checking his or her badge - I hardly ever had to use my badge when coming in in the morning. Following the terrorist attacks on the London underground, the guidelines became even stricter - and, therefore more widely ignored. In theory, people who forgot their cards had to be sent home, every bag or box or parcel had to be scanned and/or searched and you were supposed not to bring non-work-related objects to work to watch our for suspicious individuals. In reality, in the morning, when coming in with a big Amazon parcel that I just collected at the post office, I would be cheerfully greeted by the security guys who would hurry to open the door for me so that I did not have to put the parcel down to get my badge, and they would wish me a nice day. Admittedly, they might have recognized me, but there were several hundreds of people working in that office building. According to procedure, they should have denied entry to me for bringing a non-work-related parcel to work. Whenever there was a new e-mail regarding stricter security measures, annoyed, people would just ignore them even more blatantly...
Admin
To help check your false sense of security... autorun is an easy way, but hardly the only way to accomplish a USB hack like this one, Google "USB DMA hack" http://www.google.com/search?q=USB+DMA+hack, also the even easier "really cool app.exe", or "brittney shaved.jpg .bat"
The sad thing is that most people either just wanted to use a free device, or find enough information to return it to the owner, but they are oblivious to the risk involved.
Admin
http://en.wikipedia.org/wiki/Gary_Gygax
For the crime of not knowing who Gary Gygax is, turn in your I.T. credentials.
In 1999 my company was hired by other companies to test their security. I once loaded 25 brand new laptops into the camper shell on my pickup and drove away from secure nuclear site.
Admin
Yes, but I just don't think any of these are issues if the front desk was notified that someone would be coming to pick up the server that morning. Maybe even a description of the person, perhaps? The original submitter surely didn't ask the security guard "So, were you notified that I was coming, or do you just let anybody take servers?" so we don't have to assume it was an unexpected visit.
Someone probably told the guard how to power the server down, too.
Admin
The real WTF is that the "hippy" didn't ask the "security guard" for some ID.
Captca: SevereAnalBleeding
Admin
I was once Loss Prevention at a big box retail store. We had two simple rules when it came to after-hours entry/exits.
I was doing my LP thing one night when a guy manually opened the outer doors, then came up to the inner door. I opened it, and asked him if I could help him. He said he was XYZ, the GM from the store 80 miles away, and was here to see [sales manager]. He looked like he was going to walk right in, but I said, "Okay, hold on a minute," and closed and locked the door in his face. We paged the sales manager over and over, but she wouldn't respond. After about 15 mins, I asked him to call her to come up to verify him, but he said he didn't have his cell on him (a GM without a cell phone?). A line-level employee came up and told me, "that's XYZ, he's [sales manager's] girlfriend, and [our GM's] brother." I said, "that's nice, but I don't know him, and I'm not getting fired for letting him in." The employee then made a page saying, "xyz is at the front door." The sales manager was at the door in 1 minute to let him in. (stupid bitch)
I noticed him glaring at me while he mumbled at her as they made their hello's, and then he walked off to the back. Later, she asked me what I said to him, and I told her. She kind of grimmaced, and shrugged, and said I had done the right thing. That was the only time I ever saw the ice bitch give an inch.
My only thought during the whole thing was, if he's the GM, and he expects HIS loss prevention people to admit anyone who claims to be a GM from another store, I'm surprised he doesn't have a theft problem out of this world!
Of course, now I've got a better job. I break into banks for a living. The OP's situation is a daily occurrance in small to mid-size banks and credit unions across the country. The ones that try to do it right ("you must be escorted beyond this door") typically mess it up ("you were here yesterday, so buzz just go on through").
Admin
In our building, you have to sign out empty boxes.
But you can walk out with anything in a bag, no matter how big the bag.
If you are expecting a personal package to arrive at work, make sure you have your bag handy.
Admin
I hardly see why my IT credentials are in question because I had no idea that Gary Gygax was the guy that invented Dungeons and Dragons. There -are- people in the IT industry who do not enjoy D&D. shock ...
Admin
Years ago I worked for a Giant Entity. They had a facility in Puerto Rico, and that facility used a local and trusted computer supplier to support their office PCs. That worked fine, for a while....
This was during the time when RAM was very expensive. Someone wearing the support company's polo shirt (this guy had worked onsite before) walked in at 5 PM and told Security and any workers still in the office that he was doing updates. He then went and cracked open the cases of a dozen PCs. He did this for 2 or 3 weeks. Only after a PC savvy accountant noticed that his PC had slowed down considerably did anybody question what the guy was doing.
Seems that the guy had been canned a month prior from the support company, and his "update" consisted of stealing half the RAM in each PC for later resale.
Admin
This wtf is only slightly related. I went into an ATM just after someone else left, to find his card sticking out of the machine. I tried to return it, but he drove off before I could show it to him.
So I figured I'd put in the wrong PIN until it took the card and shredded it. I tried 0000. The machine logged me in. I cancelled and waited the minute or so until it ate the card.
And I thought the King of Druidia and the Spaceball were bad with 1-2-3-4-5
Admin
So very naive...
Admin
LOL.. nice one.
King: No, not anyone else. Just me.
Admin
My brother-in-law, a coroner, has done exactly the same thing with dead bodies. Though he does have a jacket that reads "Medical Examiner".
Perhaps Florian had one that said "Server Dude"?
http://www.coronerstories.com/
Admin
100% in agreement. If employers or fellow employees think dresscode matters in determining someone's morals, then perhaps they need to get to know their personnel/fellow workers better.
Admin
I agree, these privacy violations are consistently freaky. And I'm not so trusting of the government's understanding of the situation. I just read this book by David Holtzman, Privacy Lost, and it had a lot to say about this topic. It's really important that this issue gets brought out into the mainstream. I also read his blog to keep up on the constant stream of privacy violations... I think the next ten years are gonna be a weird time.
Admin
Objection! Assuming facts not in evidence.
Admin
I used to work for a large research facility. The building I worked in had two sets of doors at the main entrance, an inner door and an outer door. The inner door was locked at all times, and employees had to enter a code into a keypad to gain entry. The outer door was left unlocked during the week. Between the two doors was a window looking into the receptionist's office and a telephone, so any guests arriving could either ask the receptionist to open the inner door, or phone someone to come and let them in.
About a month after I started working there, it was decided that the keypad system wasn't secure enough and that it should be replaced with a badge reader instead. We were all issued new access badges, and the reader was installed. On the outer door. Now that it was no longer needed, the keypad on the inner door was removed, so it remained unlocked at all times.
However, we had a problem. Guests still needed to be able to gain entry to the building, so to accommodate them the outer door was left unlocked during the week. To sum up, we went from an unlocked outer door and a locked inner door to two sets of unlocked doors, because the old system was not secure enough.
Admin
the real WTF here is that many of you (us?) are acting surprised by this. Until the security zealots came along, and made us all afraid of everybody and everything, people trusted people almost implicitly. Now we're all acting like scared rabbits of having offended the security gods.
Security is important. But it is NOT the most important. And never ever try to explain that to a security guard/nutjob.
/climbs off soapbox
Admin
sex = FILE_NOT_FOUND; //??
Admin
This was another BS what the fuck.
As always, "the names are changed to protected the innocent" means that "there's no way anyone can check the veracity of this, so let's come up with any ol' crap". So why such poor articles lately? If you're gonna come up with bullshit, might as well make it truly wtf-able.
The security guard knew the guy, and was told he was coming, whatever. Who cares?
Just stick to showing bad code from the professionals (leave the students to their mistakes).
Admin
Hooray for dynamic gender!
Captcha: smile
Admin
Admin
If only all my shadowruns went this easy.
Admin
Similar thing happened to me too. We were orginizing a Linux Installation Party and had to take all PC screens from a public classroom and load them to a van. We passed several security guards along the way, none of them notified of the fact screens are to be taken, and with no questions asked.
Admin
Well I was working for a company that was a large customer of a data center co-locating servers. They had an RFID door which turned on the biometric thumb reader to get in. (Though the door 2 ft from it didn't have a biometric reader and the keycard opened the door regardless).
Anyhoo, I was told to unplug a server by a certain name. They were all in cabinets, so say it was in Rack-5 which I went to, and found said server. I unplugged it. Apparently it was a critical server bc when i get back my boss was beet red. I guess the server they wanted me to get rid of, which had the same moniker was in a different location.
Admin
Windows doesn't autorun USB devices. There are dangers of just plugging stuff in, but it's not something that your autorun disabler will fix.
Another True FUD(tm) brought to the world at large by Microsoft Haters.
(Actually this isn't entirely true; I think there is a way to get it to work, but your standard flash drive won't have it.)
Same with my college dorm.
Admin
You are also assuming facts. How do you know that the guard didn't know somebody was comming to get the server? The guard even scouted him trough the server room, and didn't let he touch anything, not even for turnning the server off and unpluging it.
I see no evidence of bad security.It could be improved not letting him into the server room, but getting the server out, but there is no reason to belive something is wrong.
Admin
Oh no, I just broke into a cold sweat. I understand the security guards don't have to be mensa members, but geez, their sole function is to ensure security. I would have thought an identity check was appropriate, even if management phoned down and told him someone would be here to pickup up the server in question (big assumption there!)
Admin
In the mid 1980s, I was a fairly junior programmer at a big-name computer manufacturer and software provider. Once I'd gone into the computer room to pick up a printout and there were two guys in there who I didn't know, poking about with the machines, so I asked them "Can I help you?" which is what we're all supposed to do when we see something suspicious. They told me they were from the company's Estates department, doing a fixed asset audit, and when I asked, they showed me convincing company ID. Just as I turned to go, one of them told me that he had been up and down the country, doing these fixed asset audits for the past two years, and I was the first person who had ever challenged him. That's what the other people have been saying: if you walk in and look like you know what you're doing, you'll get away with it.
Admin
Admin
Admin
Yes, apparently robbing a bank isn't nearly as complicated as the movies make it appear... just walk in, act like you know what you're doing and claim that you need to repair a server. Stick in a USB drive with a Superman III trojan that moves the .5 pennies to a swiss bank account, then sit back and let the money roll in. Too bad I'm too honest to try it.
Admin
I'm getting really tired of this all-too-common BS about basing trustworthyness on clothing and physical appearance.
People, people, people, it's every bit as easy for a con to put on a suit as it is for them to put on T-shirt, jeans, or anything else. Do you really beleive someone in a suit is actually less likely to be dishonest? If so, you're security problems go far beyond a guard who doesn't check IDs.
"The real WTF": Pretending that clothing is relevent when security isn't bothering to check for proper clearance in the first place.
Admin
(more to say...)
Seriously, between this, and the BS about games not needing quality code, this very site is starting to turn into a WTF itself.
Admin
I agree.
I worked as a computer tech for a local repair shop and did daily on-site repairs for many subscription based customers.
I would just walk to their workplace, tell them that I was the computer guy, and walk away with their computers. No questions asked.
This happens all the time.
Admin
Just today I was left alone in our schools main computer lab. The teacher told me "Im going to conferences, the door is locked, just turn off the lights when you leave." I spent a good half an hour peeking around the connected server closet (unlocked of course) and looking at the brand new $8000 servers. I could have made the entire student body unbeliveably happy by bypassing the SonicWall web filter while I was there.
Admin
"In 1999 my company was hired by other companies to test their security. I once loaded 25 brand new laptops into the camper shell on my pickup and drove away from secure nuclear site."
How many were returned?
Admin
Admin
Seen something like that. The computer store I used to work at installed something like 150 new computers at a school during summer break. All tested fine, then about three weeks after school started up we got a call that none of the computer would run the more advance software.
We checked and someone over the summer had stolen one of the two Dimms that were every new machine. With half the memory the computers still booted fine and ran the basic software needed to get the kids going, but once they tried Auto-Cad, Illustrator, Video Editing, etc the machines failed big time. Since the machines had been in the school for more than a month before school started, and weeks afterwards there was no clue to when the memory was removed.
Admin
Sorry for the OT question, but why does everyone post their captcha word in so many comments? Is it some kind of in-joke?