Tinker Jun 8
Replying to @TinkerSec
Two things here: One, that security guard did nothing wrong. She received a valid request and complied with it. She verified that the employee was legit & followed through with a normal ask. Two, the employee did not tell her *why* I needed in the server room, only that I did.
Tinker Jun 8
Replying to @TinkerSec
After saying goodbye to the previous person, I walked with the security guard to the server room. She asked, in a conversational tone, what I was there to do. I took a risk. I told her I was there to update the servers.
Tinker Jun 8
Replying to @TinkerSec
Every lie you tell has to be true. You have to remember what you've lied about & be prepared to constantly back it up. If two marks talk to each other and compare your stories, they had better match up, or you're caught. But... telling this new lie would get me a lot of access.
Tinker Jun 8
Replying to @TinkerSec
We approached the server room and the security guard typed in a six digit PIN and used her palm print as a second authentication factor. She then held the door open for me.
Tinker Jun 8
Replying to @TinkerSec
I walked in and saw the server room. I saw a terminal open and unlocked. Why should it be locked? The room has a solid door with a PIN pad and biometric scanner. Them leaving this open makes sense from a convenience tradeoff standpoint.
Tinker Jun 8
Replying to @TinkerSec
I had options... I could sit down at the terminal and load a backdoor onto it. I could have walked out with an entire server rack, and the security guard would have let me. I had complete access to the server room. I could have done anything. What would you have done?
Tinker Jun 8
Replying to @TinkerSec
I'll end it there... Thank you for reading.
Tinker Jun 8
Replying to @TinkerSec
Key Takeaways - Attacker
- Don't need immediate access to goal. Get initial access then Pivot/PrivEsc
- Play off Trust & Trust Transference. Be seen by authorized persons & have them get you access
- Take your time
- Keep your story straight, but change if opportunity arises
Tinker Jun 8
Replying to @TinkerSec
Key Takeaways - Defender
- Did you call them? Or, did they call you?
- If you don't have the authority, ask those in authority (run it up chain)
- Verify their story (use *your* contacts, not theirs)
- Say No. (Unless emergency, it can wait. Even then, is it really an emergency?)
Tinker Jun 8
Replying to @TinkerSec
Lastly - Key Takeaway - Defender - When handing off issues or guests, fill in the next person on what you experienced, how you know the person, and what your expectations are with the guest. This prevents con artists from changing up the story.
Tinker
No one person really failed here.
1) I was escorted through always
2) I was challenged when I had no badge
3) Supervisor knew I needed a badge & fixed the problem
4) Subordinate followed Supervisor's request, & got me a badge
5) Security guard followed request, & got me access
Tinker Jun 8
Replying to @TinkerSec
With that... Attackers, what would you have done? Anything different? Have any ideas on what may work next time? Or what I should have tried? Defenders, what would you have done to stop me? Any policies/procedures or any security solutions that would have prevented this attack?
Azoh Jun 8
Replying to @TinkerSec
Your stories are fantastic for both learning and entertainment! :D
Rajhiim Jun 8
Replying to @TinkerSec
Your CFA and CFS were never challenged, that would have prevented the awesome adventure you were able to share today. Employees should understand why security exists and not that it just does. And nice play on the MGR, you Kenobi’d him ;)
Sylph Jun 8
Replying to @TinkerSec
Supervisor knew you needed a badge but didn't check why you deserved one, right?
Tindra Jun 8
Replying to @daoist @TinkerSec
Concur. Such a headache, but how you need to handle things if you care about physical security. Though I have to say: guards having access to the server room is a new one for me. I’m used to it being only the people that own equipment in there.
Shatter Jun 8
Replying to @TinkerSec
I know this works because I used it legitimately many times as a dry run. I was never asked for ID. People assume. Also, a high vis vest will make you invisible just about everywhere except a construction yard. Also: a hard hat.
Tinker Jun 8
Replying to @Shatter242
That’s a great point! My original goal wasn’t the server room, it was network access. But as the situation changed and I adapted, the server room became a great target. But you’re right. I’ll try to get to it directly next time!
Tinker Jun 8
Replying to @TindrasGrove @daoist
I didn’t get that either... but that’s how they had it set up. The employee not having access made sense. Me conning them to hand me off to someone who did have access was a specific goal. That person being the security guard was weird. 🤷🏼‍♀️
Tinker Jun 8
Replying to @Shisyli
Yeah. Got the feeling he meant to tell his subordinate to go check me out. The supervisor assumed the subordinate did it and the subordinate thought they were doing what the supervisor wanted, etc etc.