Tinker 8 Jun 19
Replying to @TinkerSec
Two things here: One, that security guard did nothing wrong. She received a valid request and complied with it. She verified that the employee was legit & followed through with a normal ask. Two, the employee did not tell her *why* I needed in the server room, only that I did.
Tinker 8 Jun 19
Replying to @TinkerSec
After saying goodbye to the previous person, I walked with the security guard to the server room. She asked, in a conversational tone, what I was there to do. I took a risk. I told her I was there to update the servers.
Tinker 8 Jun 19
Replying to @TinkerSec
Every lie you tell has to be true. You have to remember what you've lied about & be prepared to constantly back it up. If two marks talk to each other and compare your stories, they had better match up, or you're caught. But... telling this new lie would get me a lot of access.
Tinker 8 Jun 19
Replying to @TinkerSec
We approached the server room and the security guard typed in a six digit PIN and used her palm print as a second authentication factor. She then held the door open for me.
Tinker 8 Jun 19
Replying to @TinkerSec
I walked in and saw the server room. I saw a terminal open and unlocked. Why should it be locked? The room has a solid door with a PIN pad and biometric scanner. Them leaving this open makes sense from a convenience tradeoff standpoint.
Tinker 8 Jun 19
Replying to @TinkerSec
I had options... I could sit down at the terminal and load a backdoor onto it. I could have walked out with an entire server rack, and the security guard would have let me. I had complete access to the server room. I could have done anything. What would you have done?
Tinker 8 Jun 19
Replying to @TinkerSec
I'll end it there... Thank you for reading.
Tinker 8 Jun 19
Replying to @TinkerSec
Key Takeaways - Attacker
- Don't need immediate access to goal. Get initial access, then Pivot/PrivEsc
- Play off Trust & Trust Transference. Be seen by authorized persons & have them get you access
- Take your time
- Keep your story straight, but change if opportunity arises
Tinker 8 Jun 19
Replying to @TinkerSec
Key Takeaways - Defender
- Did you call them? Or, did they call you?
- If you don't have the authority, ask those in authority (run it up the chain)
- Verify their story (use *your* contacts, not theirs)
- Say No. (Unless emergency, it can wait. Even then, is it really an emergency?)
Tinker 8 Jun 19
Replying to @TinkerSec
Lastly - Key Takeaway - Defender - When handing off issues or guests, fill in the next person on what you experienced, how you know the person, and what your expectations are with the guest. This prevents con artists from changing up the story.
Tinker
No one person really failed here. 1) I was escorted through always 2) I was challenged when I had no badge 3) Supervisor knew I needed a badge & fixed the problem 4) Subordinate followed Supervisor's request, & got me a badge 5) Security guard followed request, & got me access
Tinker 8 Jun 19
Replying to @TinkerSec
With that... Attackers, what would you have done? Anything different? Have any ideas on what may work next time? Or what I should have tried? Defenders, what would you have done to stop me? Any policies/procedures or any security solutions that would have prevented this attack?
Sylph 8 Jun 19
Replying to @TinkerSec
Supervisor knew you needed a badge but didn't check why you deserved one, right?
Tinker 8 Jun 19
Replying to @Shisyli
Yeah. Got the feeling he meant to tell his subordinate to go check me out. The supervisor assumed the subordinate did it and the subordinate thought they were doing what the supervisor wanted, etc etc.
Jesse 💬 8 Jun 19
Replying to @TinkerSec
The supervisor failed at step three. The authentication procedure wasn't followed. Tinker escalated to authenticated user.