Walk through a CBD anywhere and you’ll find hundreds of office workers with ID cards swinging from their hips. To the employee, it’s a convenience, but to an attacker, it’s one of the easiest ways to break into a data centre.
Wayne, a security engineer at Securus Global, loves them, and it's not hard to see why. He asked that his surname not be revealed.
The cards contain access control information that dictates which staff may enter which door, and at what time. More often than not, that means all staff may access all doors, whenever they like.
And that RFID (Radio Frequency Identification) information can be stolen in the blink of an eye, and cloned using basic hardware.
He demonstrates to a small audience at the Securus Global offices how easily the data can be stolen from cards in a video shot in Melbourne.
In it, Wayne walks past a man with a typical RFID card swinging from his hip, and quickly swings a reader over it. The victim doesn’t bat an eyelid.
Wayne then clones the card and successfully uses it to operate a lift to a restricted floor. He used $300 worth of hardware from a Melbourne supplier, who since last year has sold 1500 of the devices.
“Not all of those buyers are going to be good guy pen-testers,” he says.
Wayne hasn’t seen a major breach relating to cloned RFID cards, but one infosec professional in attendance had. And the breach cost the company hundreds of thousands of dollars. In another, visitor cards were given unfettered access, over and above rights handed to staff.
But the most significant problem with the ID cards is slack access control rights. Wayne regularly sees controls that allow staff 24/7 access, often to areas that they have no need to enter.
Cards with restricted access are more secure, but not invulnerable to exploitation. Stumped by limited access, Wayne located an IT administrator for a target company on LinkedIn and skimmed that user’s card.
Controls that prevent 24/7 access to restricted areas are difficult to crack, Wayne said, because attackers will often be forced to operate during business hours.
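As an added illustration (not code from the article, from Wayne, or from Securus Global), the comparison below encodes the two situations described above: a permissive "every door, around the clock" policy beside a least-privilege one with business-hours windows, plus an audit check that flags roles holding the permissive pattern. The role names, card serials and door names are constructed for the example.

```python
from datetime import datetime, time

ALL_DOORS = {"lobby", "office", "server_room"}
ALWAYS = {"days": set(range(7)), "start": time(0, 0), "end": time(23, 59, 59)}
BUSINESS_HOURS = {"days": set(range(5)), "start": time(7, 0), "end": time(19, 0)}

# Constructed sample policies, not any real site's configuration.
# The permissive one mirrors the article: every door, for everyone, at any hour.
PERMISSIVE_POLICY = {
    "staff":   {"doors": set(ALL_DOORS), **ALWAYS},
    "visitor": {"doors": set(ALL_DOORS), **ALWAYS},
}

# Least-privilege policy: each role opens only the doors it needs, only in business hours.
RESTRICTED_POLICY = {
    "staff":    {"doors": {"lobby", "office"}, **BUSINESS_HOURS},
    "it_admin": {"doors": {"lobby", "office", "server_room"}, **BUSINESS_HOURS},
    "visitor":  {"doors": {"lobby"}, "days": set(range(5)), "start": time(8, 0), "end": time(18, 0)},
}

# Constructed card register (card serial -> role); the serials are placeholders.
CARDS = {"C-1001": "staff", "C-2002": "it_admin", "C-3003": "visitor"}


def decide(policy, card_id, door, when):
    """Return (granted, reason) for a card presented at a door at local time `when`."""
    role = CARDS.get(card_id)
    if role is None:
        return False, "unknown card"
    rule = policy.get(role)
    if rule is None:
        return False, f"no rule for role {role}"
    if door not in rule["doors"]:
        return False, f"{role} is not permitted at {door}"
    if when.weekday() not in rule["days"] or not (rule["start"] <= when.time() <= rule["end"]):
        return False, f"{role} is outside its access window at {when:%a %H:%M}"
    return True, "granted"


def overprivileged_roles(policy, all_doors=ALL_DOORS):
    """Roles that can open every door at any time: the pattern the article warns about."""
    return sorted(
        role for role, rule in policy.items()
        if rule["doors"] >= all_doors and rule["days"] == set(range(7))
        and rule["start"] == time(0, 0) and rule["end"] == time(23, 59, 59)
    )
```

Under the restricted policy a card presented at the server room at 2am on a Saturday is refused regardless of whose card it is, which is the point made above about forcing activity into business hours.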
But a better strategy still is to use card sleeves that protect against scanners, yet virtually no organisations use them because the card must be removed to open a door.
“You’re crazy to allow your staff to walk around with these cards without a protector,” Wayne says. “If they don’t like the inconvenience, then take the card away.”
Wayne is obsessed with this practical social engineering approach to security. Off the job and travelling home on Melbourne’s train network, his ears are tuned to passwords spoken loudly over mobile phones and access details scribbled on books. He says he has collected more than 15 Facebook usernames and passwords and access details for a bank account in those trips.
In competition, Wayne bested dozens of skilled hackers from around the world and tied in a Defcon social engineering competition, where he convinced a staffer at one of the world’s largest beverage companies to hand over information about its anti-virus, gateways, document disposal process, and even where it orders its food.
This type of attack is not science fiction. A phishing attack, a type of social engineering, brought down security giant RSA and its defence contractor customers this year. McAfee is under constant attack. Its security chief told SC that one staffer was approached by an attacker at church mass who had posed as a McAfee employee.
And the attackers are persistent. Experts say they can last for six months or more, noting that attackers may often be unemployed because they devote their time to the attack in hopes of stealing many thousands of dollars from their victims.
The attack vector is effective because it bypasses many technical security controls and exploits the urge for staff to oblige the demands of an attacker.
And because attackers are prepared to target your staff, so should you.
“Some businesses don’t like us to do social engineering on their staff because it upsets them,” he says. “But the one who fails then becomes the most alert to social engineering attacks, so it makes no sense to punish them.”
He says infosec professionals should call their offices and attempt to glean as much information about a company’s controls as possible. Wayne called the IT department and posed as an auditor since such demands for information would be expected in the role.
Other tests that infosec professionals should conduct include dropping USBs around offices and carparks; leaving fliers with a mock malicious web address on staff car windscreens; and attempting unauthorised access to areas monitored by CCTV cameras or security guards, both of which often fail at physical security.