Admin
Have you tried testing yourself? Because my camera can be configured to look like a disk drive and every time I plug it into my girlfriend's XP machine it asks if I want to auto-run the drive - and this is with only images on the camera/drive.
On the other hand, the 2.5" hard drive that I have on a USB adapter tries to auto-run without even putting up a dialog box if I have valid Windows/DOS software on it with that auto-run file in the root.
I can't give more details without experimenting on her machine as I don't use Windows myself. But I do know auto-run over USB can happen with just standard Windows files in the root.
Admin
My badge for one contract says "The Unknown Technician" in the name field; guess how few people notice?
Admin
Hey Pap, let me know where you work as a security officer. I'll call ahead of time and let you know that I'll be coming to take your server down for some offsite maintenance, and give you the procedure to shut it down and my description.
Admin
Several jobs ago, in an allegedly secure building, my manager spotted someone he didn't recognize, so he asked, "Can I help you?"
The fellow said "I'm here to interview for a job", so my manager sat him down and talked to him. He quickly decided the guy knew nothing about software and sent him on his way.
A half-hour later, they were paging everyone to check their valuables: several wallets were missing from purses.
For the rest of my time there, it was a running joke -- "If anyone gets in the building, Tim will interview him for a job!"
And 25 years ago, when a dialup terminal was A Big Deal, my father was taking one such home. He parked by the loading dock and went in to get the machine. When he came out, a University security guard was standing there. "You can't park here, sir." "I know, I'm just taking this machine home." "Oh, here, let me help you with that."
I know, he looked like he belonged, etc., etc. But it was still funny.
Admin
Yeah, I couldn't get him either; no worries though, the cat let me in and pointed me directly to the OMFGWTFBBQB00B5 server... He meowed something about me looking trustworthy in my 3-piece suit.
Admin
Sometimes security works.
My uncle works in something top secret and relates this story (as it is one of the few things about his job he can talk about). He was working on some multi-day project, and at the end of the day wanted to go out. But the rules were strict: the project must be guarded at all times. Handcuffing a briefcase to his arm in a bar didn't sound good, so he took it to the 24-hour guarded room upstairs and asked the guard if he could leave it there overnight. No problems...
Next morning he arrived, and everyone is standing outside, while the bomb squad is maneuvering their robot into the building. "What's going on?" "Suspicious package." "Umm.. is it a black briefcase about..." "You know something about that?"
He didn't know there was paperwork to fill out before leaving anything in the room, and the guard didn't inform him. Next guard did an inspection, found something not on the list of things that should be there.
One of my favorite stories.
Admin
Where I work, part of my contract says that I have to waive my moral rights. No joke.
I don't think they thought through the implications of having a work-force with no morals though...
Admin
They quickly got off this silliness after a chemistry professor got through the check with a real bomb in his boot given to him by the police to do some forensics...
Captcha: craaazy (Yeh, it can certainly look that way)
Admin
Hmmmm. Me too. Florian? Check. Need a haircut? Check. Unshaved? For 4 days, check. Mid-twenties? Check.
Weird.
Admin
Okay... so I guess the CAPTCHA isn't checked. I didn't enter it in the post by "n" or in this one.
Admin
Social engineering FTW!
Admin
Taking instructions from your boss that someone will be coming by to pick up PRDSEC08 this morning: Logical.
Taking instructions from an unconfirmed source over the telephone that someone will be coming by to pick up a server: Illogical.
Admin
This confuses me: Why do so many supposedly professional critical thinkers automatically assume the guard has any idea what the 'PRDSEC08 server' is? For all anyone knows, no such server has to exist, the guard just has to hear 'server' to make the connection, open the room, and point the guy in the general direction. (Nothing in the story supports the idea that the guard directed him to the exact box.)
Maybe some people are just a little too literal.
Admin
When I was in college, I did a brief stint in ROTC. As a result, 2 days a week I had to be in uniform around campus, which unfortunately included the work-study job I had on campus.
One month, I had the glorious job of tracking down all of the network ports in the building (when they built it, no one ever mapped which ports went to which room). This involved a lot of peeking behind cabinets and desks and such. On days when I did this in normal clothes, I could guarantee that at least one person would call my supervisor on the phone while I was poking around asking if I was supposed to be there. Any day that I was in uniform however, no one even so much as asked me who my supervisor was.
If you look like you know what you're doing, you can do anything.
Admin
Anyway, the greatest thieves wear suits - see WorldCom, Enron ...
Admin
Well, maybe this little piece of info led us to thinking that?!
Admin
If autorun is disabled, the users will click on any exe inside the USB anyway. It's only one more click.
Admin
That reminds me of another nice WTF.
Q: Do you know a good way to make sure your checked-in luggage is handled with great care and will not get lost (especially within the EU)?
A: Put a (licensed!!) weapon in your luggage and make sure this is known at check-in time (which is probably required anyway).
Your luggage will now be handled with great care. Why? Gun ownership is heavily regulated in EU countries, so you can imagine the conversation the airline personnel will have when they lose that gun: "Yes officer, our ground personnel must have, uhhh, 'misplaced' that piece of luggage".
Admin
Which woman? Florian is a guy's name and the guard was referred to as "he"...
That's why Social Engineering scams work - if a stranger can somehow gain information they would be unlikely to have, they're immediately assumed to be authorized.
Admin
Exercise for the reader: get yourself and your best pal some blue overalls, go to some electronics outlet, point at the largest flatscreen and say: "we came to pick this up. It goes back to the manufacturer."
Well, OK, I never tried it, but from what I heard, it will work in 9 of 10 tries.
Best wait until the place is guarded by some intern only.
captcha: digdug
Admin
Yes, they'll have you open your suitcase and check your official gun and ammunition to make sure nothing will go BANG! in the middle of a flight, and then they'll check the rest of your suitcase for drugs or unofficial things that might go BOOM! in the middle of a flight, and then you can lock up the suitcase. No more bored, underpaid security drones rifling your stuff for [pr0n|iPods|easily resellable goodies], leaving your belongings in a wild mess.
Apparently, some photographer with several thousand euros worth of equipment has taken to locking guns in his flight cases as an anti-thieving measure.
Admin
I was in corporate security for a while during and after college, so let me offer up a few things I know about security.
Just like many other businesses, the quality of what you get varies by a huge degree; and you do get what you pay for.
It is difficult to get quality security by paying Joe Tool $8 an hour to sit around and gawp at shit for 8 hours. If Joe Tool is in his 30's and working security for $8 an hour, then you have someone who perhaps has a host of other problems. Credit problems, substance abuse problems...problems that someone working in a job in which security is a foundation of its description ought not really be working in.
These are the shitty guards we are all familiar with. Mall guards, etc. These folks are professional door rattlers and that's all they can handle and that's all they will ever be able to handle.
A bit further up the pay scale are guards hired by companies that do actual background and credit checks and don't hire anyone with black marks; they typically pay almost twice the base of bottom bracket outfits, and their staff are usually of decent quality.
Another notch up are companies that cater to companies that understand the value of security, and pay for it. Background, credit and drug checks are held at regular employment intervals and applicants are culled from the fields of military and public law enforcement and are of a uniform quality. Management usually consists of ex-military/public/national law enforcement, usually people from high in the management chain before they retired. The president of the company I worked for was SAIC of xx State for the FBI, for example.
Still, any company can get warts. Look at all the moles in the CIA and FBI, for example. But let's back things down a notch, we aren't talking about security guards that pull down 65k-100k a year for swiping badges.
Let's talk about guards that make maybe 30k a year for swiping badges.
I started out in this company filling in odd slots during the summer college breaks. I made, depending on the post, $12.75 an hour to $15 an hour, not including overtime.
I worked for a while at a large international company and made some decent cash for a security guard, something like $16 an hour back in the early nineties, certainly no gravy train, but I could live a long time off of 3-4 months work, and it made paying for college a lot easier.
I graduated college, and worked for 6 months in my chosen profession before going broke. Working at the city desk and digging up scoops and seeing my name in print sounded cool until I realized that macaroni and cheese wasn't a workable diet, and using my own newspaper for toilet paper because I couldn't afford real toilet paper was what really poor people do, so back I went to squinting at badges.
After a few months, they offered me my own post, which is like being in command of your own submarine, but without the submarine, the water, or the dignity of being in command of such, but hey! It was life money, so I took it.
At any one time, there were two guards working; the inside guy and the gate guy. The gate guy would have all the info on who was supposed to be where when, he did all the checking and security stuff. I sat inside because I knew everyone and would spot any fucker that tried to sneak in.
But really, this security only worked because managers from all departments took part in it. If there was a scheduled visit from a tech, we had their picture and that pic and info was posted in the guard station, and that info was mirrored in the Network Operations Center in the event a guard didn't have that info. So when a tech from another company came in, he'd be checked out by gate security beforehand, and once he got to me, all I had to do was give him a badge and pat him on the ass and send him on his way.
For unscheduled visits, both the NOC and security had to verify, so at any one time, there was always double checking of who gets where, when. Also, we had phone numbers and lists of other managers from other companies from the On Call list. There were no incidents of someone pretending to be from somewhere they really weren't from and getting access to where they shouldn't have been.
Physical security isn't some mystic thing. For starters, you get what you pay for. If you are going to pay $15 an hour to have a guard posted, don't bother. Give a bonus to workers in your company willing to man the front desk and skip the Rent A Cop thing.
If you want or need a good security service, be prepared to plop down 70K+ a year per guard, then apply resources to train them in other areas as well. The last company I worked for sent me to HQ for a week-long corporate security seminar. While everything they taught had zero bearing on what I did, it did make me aware of internal and external frauds this company dealt with. I wrote a small manual which did exactly nothing for anyone, but I got to wear a small pin fashioned after the corporate logo, which had no bearing on anything.
I did get my small break when an engineer in the corporation quit and formed his own company along with a guy in sales, they offered me a position... I did some sales shit and some admin shit, and the engineer taught me everything he knew about security, and he was a real asshole about it to make sure I learned it.
Many years down the line I am some IT security shit head versus some badge checking shit head, the pay is better but the job is the same.
Hello Mr. Port...may I see your ID?
At least when I did physical security, I'd get to sometimes see employees fucking each other's brains out*.
Admin
Really? I just worked at a conference where doctors turn up with their hideous powerpoint presentations on USB keys to be copied onto the presentation machine. Quite a few of the keys tried to run some kind of installer when inserted... is that something other than autorun causing that to happen?
Admin
This is just for the UK. http://www.ukgundealer.com/import.htm
Pretty much says that your luggage can disappear for three months if the Customs and Excise people feel like it.
We REALLY don't like random citizens owning guns. Let alone foreigners. Especially those who think their guns will get lonely without them. Apart from flights to/from the USoA, most countries still allow you to lock your case; X-rays are used for checking for bombs, drugs, etc...
PS: That is for shotguns; handguns --- not a chance in the UK, unless you are some form of policeman.
Admin
Nice post, Mr Silver.
Admin
My university had such a problem; two guys in jumpsuits went and unmounted 34 ceiling-mounted video projectors (each, back then, worth about 7500 EUR) and carried them away. We got them at number 35, as the whole university got an email with a warning and next time they entered yet another lecture room we students worked swift and deadly, locked them up and handed them over to police. But still... stealing 34 projectors unquestioned should be awarded somehow, even if only with awe.
Admin
Long ago, and far away, I was involved in porting an international funds transfer application from a PDP-11 to a VAX, for A Large Bank in London. The switchover took place on a Saturday, and it overran, naturally.
So I arrived at the data centre in a taxi, with the switchover data on a couple of CDC disk packs, at about 10pm. Once the transfer was done, I was leaving the building at about 1 am, with the disk packs. The guard was obviously prepared for data theft....
"Are those tapes?" "No."
"Let me get the door for you....."
Admin
We didn't have a problem with off-siters carrying off shit, because they were all checked in, photographed, what have you.
We did have a huge problem once with stuff going missing from the IT department, back when EDO RAM just came out and was huge bucks per meg, the stuff was flying out of IT in back and suit pockets until someone wised up and put doors up, but that was after LOTS of money grew legs and flew away...employee bonus I guess.
I was doing rounds one night and looked at all the new EDO sticks...32 MB at the time I think, all slated to go into the 750 machines in the company...there were lots and lots of these sticks, in boxes and on shelves. The warehouse had better stuff, bits of electronics easily worth 50k plus per unit with horrible accounting to boot. I could have made a lifetime's worth of sales in theft in that place and no one would be wiser for it.
Kinda funny when a company will pinch off 250k worth of Pentium Pro chips that are probably still sitting on shelves, yet balk at a $5k a year raise for some of their key people.
And no, I didn't even think about swiping RAM or anything else. :)
Admin
Ah, it must be an inside job. The real guard is probably in a cupboard tied up with a bucket on his head...
Admin
It's not even social engineering... how about calling it social LEGO?
Admin
Bruce Schneier (a well-known security personage) has dealt with this issue extensively on his web site. Look at the comments - very interesting (link)
I'd rather not do that when on international flights ...
Admin
Yes, I did just before posting that. I put an autorun.inf file on a usb drive and plugged it in. Standard "what would you like to do with this" dialog.
What do you mean ask to autorun? Bring up the dialog that says transfer pictures, open the folder, no action etc?
That's different than autorun really, because the media can't tell it what to run.
The hard drive probably doesn't show up as a removable device to Windows, so autorun. Standard USB devices show up as removable and don't.
This is why you can get USB flash drives that will autorun, but making standard ones do it I think requires hardware modification.
Admin
Actually, Windows autoruns USB devices as long as they report themselves as non-removable media devices. Even Microsoft says that. Since in the bank case, the attacker could choose the hardware, and it's easy to find flash sticks that don't set the removable bit, this is a very real danger brought to you by Microsoft.
There is no FUD involved here but verifiable facts.
If you want to know what FUD is, go to the source. IBM may have invented it, but Microsoft really took it to perfection.
Thus quoth Mr. Bill "virus king" Gates: "Nowadays, security guys break the Mac every single day. Every single day, they come out with a total exploit, your machine can be taken over totally."
I challenge Mr. Gates or any MS fanboy to come up with the evidence. I want at least 60 total exploits for the last 60 days.
Thus he continued in his slanderous FUD about the Mac: "Let’s be realistic, who came up with [the] file, edit, view, help [menu bar]?"
The answer, Mr. Gates, is that the first menu bar seen on an Apple Computer was that of the Apple Lisa in 1983. Now the interesting part is that even Windows computers think that 1983 came two years before 1985, the year in which Windows 1.0 was released. I'm sure Windows Update can fix that problem. (For the curious, the fullscreen DOS editor which sported the menu bar Gates is talking about, came much later, in DOS 5.0, 1991.)
Admin
I'll agree that it's easier than I said, and I probably jumped the gun a bit. However, in my defense, you still have to look for USB drives that are specifically set up to do that. Your standard Best Buy/Circuit City fare won't autorun.
Oh, I agree, Gates is delusional. I thought "wow, I'm surprised he's going that far" when I saw that.
Admin
Don't confuse Autoplay with Autorun. Autoplay is far less dangerous, although I prefer to disable it. It merely opens an image viewer if you insert a digicam, or starts audio playback if you insert an audio CD, for example. Some people love this feature, some find it annoying, but it's not a major security problem unless your image viewer or music player is exploitable (this has happened in the past, of course). Also, by default, Autoplay asks for confirmation before doing anything.
This is Autoplay.
This is Autorun and it's much more dangerous. It will execute any program and not even ask for confirmation.
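An added example, not from any commenter on this thread: a small Python triage script that parses an autorun.inf from a removable drive and reports the directives (open, shellexecute, and shell\verb\command entries) that Autorun, as opposed to Autoplay, would execute without confirmation. The sample autorun.inf is constructed for the demonstration.

```python
"""Flag autorun.inf directives that would launch a program on insertion."""
import configparser
import sys

# Top-level keys that make Autorun launch a program (Autoplay only reads
# label/icon/action to build its prompt).
EXECUTING_KEYS = {"open", "shellexecute"}


def parse_autorun(text):
    """Return the [autorun] section as a dict of lowercase key -> value.

    Keys are lowercased because Windows treats them case-insensitively.
    A file with no [autorun] section (or that is not INI at all) yields {}.
    """
    parser = configparser.ConfigParser(
        strict=False,          # tolerate duplicate keys seen in real files
        interpolation=None,    # '%' in values is not special here
        delimiters=("=",),
    )
    try:
        parser.read_string(text)
    except configparser.Error:
        return {}
    for name in parser.sections():
        if name.lower() == "autorun":
            return dict(parser.items(name))
    return {}


def risky_directives(text):
    r"""Return sorted (key, value) pairs that would execute something.

    Covers open=, shellexecute= and any shell\<verb>\command= entry, since a
    shell= line can make such a verb the default action.
    """
    found = []
    for key, value in parse_autorun(text).items():
        executes = key in EXECUTING_KEYS or (
            key.startswith("shell\\") and key.endswith("\\command")
        )
        if executes:
            found.append((key, value.strip()))
    return sorted(found)


# Constructed sample: what a "photo" stick carrying an installer might contain.
SAMPLE_INF = (
    "[autorun]\r\n"
    "open=setup.exe\r\n"
    "icon=setup.exe,0\r\n"
    "label=Holiday Photos\r\n"
    "shell\\install\\command=setup.exe /s\r\n"
    "shell=install\r\n"
)


def main(argv):
    # Usage: python check_autorun.py [path-to-autorun.inf]; defaults to the sample.
    if len(argv) > 1:
        with open(argv[1], "r", encoding="utf-8-sig", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_INF
    hits = risky_directives(text)
    if not hits:
        print("no executing directives found")
    for key, value in hits:
        print(f"would execute: {key} = {value}")
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A non-zero exit status when any executing directive is present makes the script usable as a gate before copying a visitor's stick onto a presentation machine.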
Admin
And the greatest security problem is still the user who plugs random stuff into his/her computer. :-(
He first complained about Apple's "lies" in their TV/Internet advertisements ("I'm a Mac ... And I'm a PC."). I find most of them only mildly funny anyway (and I'm a 90% content Mac user at home) and I'm surprised that Gates even bothers to comment on them. Much less fight FUD with counter-FUD.
Admin
That's because they UNDERSTAND the term "server thingy" whereas they would not understand "Win2k server named MXCHANGE". Sad.
Admin
I did a consulting job for a large insurance company. I showed up day 1 at the front desk. They made me fill in an asset form and told me I could not take my laptop away without the form. At lunch time we left the elevator at the second floor and walked out into the shopping mall. No security guard. I commented on this to the manager I was with. They had some budget cutbacks, so the shopping mall security guard had been cut. When I leave with the laptop, could I please go past the security guard on the main floor because it screws up accounting if the asset card is not returned. Of course, if I wanted to leave without checking out my laptop all I had to do was get off the elevator at the second floor and take the escalator to the main floor. For the week I was there I left and returned from the mall elevator, then on the last day checked my laptop out.
It is true, you only get the security you are willing to pay for.
Admin
Third hand legend ... My company did a huge special initiative a decade ago that required issuing laptops to dozens of people. They stacked them all up in a conference room for a few days. One day, during a big meeting, a guy in a blue jumpsuit came in with a hand truck and said "I'm here for these laptops..." and carted a bunch away ... apparently to his car. He wasn't lying or anything. He just didn't work there.
Admin
I once had to get a password generator card reset.
With the number on the card it was possible to access the company bank account and transfer up to $500,000 electronically to any other bank account.
So I called up the Help Desk, and said I need to get my card reset, it seems to be out of sync.
Sure, do this ... and this and this ... OK, done.
Note I had no authority to transact on the bank account in question, and was not a company office holder. Regardless, the card was happily reset for me with no questions asked (they didn't even get my name).
Sadly this kind of thing does happen all the time. People higher up invent ever more convoluted security precautions ... and they don't work because the procedure is not followed most of the time.
Admin
Well, no, the guard did not know someone was coming.
Admin
If a guard knows where PRDSEC08 is, that is the primary threat. Why on earth do you need the guards to know where PRDSEC08 is, etc.?
Admin
A few years ago, my parents went to India on vacation, and on the way back they were escorting a friend's elderly mother, and they had a connection in the UK. This was shortly after the foot-and-mouth scare, so the airports were (supposedly) pretty strict about people wiping their feet on those disinfecting mats to prevent the disease from spreading. But my parents ran into a customs officer that didn't quite grasp the purpose of those regulations:
Officer: What is your citizenship? Dad: Canadian. Officer: And you? Mom: Also Canadian. Officer: OK, what about her? (referring to old lady) Dad: She's an Indian citizen. Officer: She's going to have to wipe her feet on the mat.
The real WTF is that she was in a wheelchair.
Admin
Just goes to show you.
The best way to gain access is not through the front line security, but "through the back door" (i.e., the bored "security" guard at the front desk).
Admin
I once was given free run of a Military Entrance Processing Center while looking for one of my buddies, a recruiter there, because my ID badge from my office building (which happened to be next door) looked similar to all of the ID badges that the staff in the MEPS were wearing. The big difference, of course, is that I wasn't in a military uniform.
No one questioned me as I walked from the front desk through five examination rooms looking for him so we could go to lunch.
Captcha: Dreadlocks