Wed 19 Jul 2006
Dark Reading reports:
JULY 19, 2006 | 9:32 AM — For years, the “card key” has been considered a reliable means of securing the enterprise from unauthorized visitors. In some cases, these cards also serve as identification, and when combined with smartcard technology, a form of network authentication. But if these cards are misconfigured or managed, they can be rendered useless — as my penetration testing company recently proved.
About six months ago, a medical facility hired us to assess its information security as part of a HIPAA compliance effort. During a pre-assessment briefing, the customer indicated a concern about physical access to the building, which could lead to a compromise of the network.
The company asked us to attempt to circumvent the physical security system, gain access to the building, and retrieve as much information as we could. We agreed, pending the appropriate “get out of jail” arrangements in case we were caught and detained by the authorities.
This facility was a little different than our other HIPAA customers, which are usually insurance companies or hospitals. The target this time was a giant laboratory that performs tests on samples sent by physicians from all over the region. With the volume of healthcare data stored in the facility, we knew that getting inside and connecting to the network could yield a good deal of sensitive and valuable information.
Before we tried to get in, I scoped out the entry points, observed when people came and went, and looked for potential weaknesses in security. Although I couldn’t spot any video surveillance, the building security seemed pretty solid; the primary entrance was guarded by a receptionist behind glass. Other doorway access points were secured by a magnetic card swipe system.
On the day we planned to get into the building, I decided to try the magnetic swipe system. In a worst-case scenario, I figured I could fumble my way in, acting as if my card had malfunctioned and asking an employee to open the door from the inside.
Without having an “official” magnetic access card to duplicate, I pulled every card with a magnetic stripe from my wallet, including my bank ATM card, a credit card, and a shopping card from a major grocery store. To my surprise, the first swipe from the shopping card opened the door.
Once inside, we knew that blending into the environment was going to be a necessity. I needed to get my colleague to a conference room to jack into the network and start port scanning, while I started looking for logins and passwords by flipping keyboards and pulling yellow sticky notes from monitors. We located a men’s room that also served as a changing facility for employees. Conveniently, it also contained clean smocks and scrubs for us to use.
Now dressed in the appropriate attire, we started walking the facility. We located an empty conference room and commandeered it as our place to work. As my colleague jacked into the network and started scanning each address, I started moving through the facility looking for anything that could provide privileged network access.
Within minutes, I located workstations littered with sticky notes containing logins and passwords. Some even provided detailed information on which systems could be accessed. After collecting several logins and passwords, I made my way back to our conference room to use what I had found.
As soon as I walked into the room, my colleague indicated he was now a domain administrator with access to numerous systems as well. Our efforts led us to a significant find of HIPAA-rich information. After several hours, we had collected enough information for our report, and we casually exited the building through the same doorway we entered.
Back at our office, we immediately notified the customer of the security flaw in the magnetic card swipe system. We later learned that the door access system had been mistakenly set to use a feature called “man-trap,” which enables banks to secure their ATM machines while allowing access to customers of other banks. Most magnetic stripe systems have this capability.
After we gave our report, the customer asked whether anyone challenged us, but in fact, no one had given us a second thought. In fact, several individuals gave us directions or answered questions. After hearing this, the customer made an unusual request: Would we show the employees what happened?
We usually document quite a bit of our security assessment work with video and digital images, so our entire break-in was easy to recreate in a presentation. We kept our tone upbeat — we weren’t out to make anybody look bad. Most of the employees reacted with surprise and said, “I remember seeing you, but since you looked like you worked here, I didn’t bother questioning you.” We advised them to look for a badge and question individuals who appear to be out of place.
We performed a follow-up assessment six months later, attempting access through the same doorway we had used previously. None of our cards worked this time, so we waited for an employee to leave, then used the open door to gain building access. We were inside again.
As we started through the hallways, however, we were confronted by the woman who had previously exited, allowing us entry. We immediately surrendered and asked her to call our contact inside the company. While we waited, she told us that she had gotten in her car and driven away, then realized what she had done. Immediately, she gone back to the office to get security and find us.
Clearly, our presentation about network security and awareness had paid off for the customer. And we learned something as well: Building access security can be easily circumvented if improperly installed or configured. Now every security assessment we perform includes a social engineering component in which we test building access security. So far, we have not been able to recreate what happened at this customer’s location, but over time we’re pretty sure we’ll see something like this again.
— Steve Stasiukonis is VP and founder of Secure Network Technologies Inc. Special to Dark Reading