Penetration Testing mailing list archives
Re: [PEN-TEST] Two cents on Phys-Testing
From: John <tjm3 () EARTHLINK NET>
Date: Wed, 23 Aug 2000 21:37:16 -0400
In the Washington D.C. area almost every building has security guards or receptionists that will assign badges to you. Workers have building badges. This goes for virtually every agency, small and tiny company, Fortune 500 company, etc. I am not sure how it is in the rest of the world, but just FYI, in D.C., Northern Virginia and Maryland it's no longer that easy. This has gotten so commonplace as to be done by the most brain dead. We could all learn from that!

-john

-----Original Message-----
From: Penetration Testers [mailto:PEN-TEST () SECURITYFOCUS COM] On Behalf Of Missy, E
Sent: Tuesday, August 22, 2000 11:34 PM
To: PEN-TEST () SECURITYFOCUS COM
Subject: Re: [PEN-TEST] Two cents on Phys-Testing

The easiest penetrations I've ever done were also the most embarrassingly obvious low-tech kind - the ones people think they'll *never* fall for - they're too smart, too security-conscious, too savvy, too many emplacements, too many techgates. IMO, simple human manipulation presents nearly as equal potential for security compromise as default settings et al. do.

The majority of companies with complex DMZs, VPNs, cryptocards, 'rottweiler firewalls' and other suite fantasies usually have at least one great, gaping hole... the receptionist, the 'security guard', the smoking entrance (join the group, then walk in through the locked door with the group) - once in, the 'all-hands staff meeting' where offices are deserted and workstations left on, the communal printer, sticky notes w/ passwords/file notes, the trashcan in the (empty) copy room, the helpful and courteous 'phone call from tech support' - multiple opportunities presented, and sysadmins can do little or nothing about them, because these attacks are not detected.

Fundamentally, most people are very trusting. They claim to be 'worried about security/privacy', yet continue to give out personal information freely (online as well as elsewhere). A pleasant smile, comfortably appropriate attire, and a friendly, relaxed demeanor play on basic doubt and insecurity - 'I'm not going to make a scene/make a fool out of myself and ask this person what he/she is doing here' feelings. It's not glamorous or exciting, it doesn't attract IT/infosec VP attention, it's not nearly as much fun as a pricey suite of software, but it still has a stunningly high frequency of success.

Sysadmins get to deal with the results of lax/unimplemented/nonexistent security policies. IMO a cultural shift (not just corporate) may be required in order to accept the restrictions and discipline of living in a world where 'centralized database' is a (scarily close) reality. An active security policy/security consciousness/security culture is part of the chain of implementation.

Just my 2 pennies...

++++++++++++++++++++++++
"I'm not going to discuss what I bring up. Even if I don't discuss it, I'm not going to discuss it." Pres. George Bush, talking about his relationship with the press.
Current thread:
- Re: [PEN-TEST] Two cents on Phys-Testing Drew Simonis (Aug 21)
- Re: [PEN-TEST] Two cents on Phys-Testing andy lowton (Aug 22)
- Re: [PEN-TEST] Two cents on Phys-Testing Missy, E (Aug 23)
- Re: [PEN-TEST] Two cents on Phys-Testing John (Aug 24)
- Re: [PEN-TEST] Two cents on Phys-Testing Missy, E (Aug 23)
- <Possible follow-ups>
- Re: [PEN-TEST] Two cents on Phys-Testing Meritt, Jim (Aug 21)
- Re: [PEN-TEST] Two cents on Phys-Testing andy lowton (Aug 22)