
One More Reason not to Trust Bank Security

December 1, 2006 By John P.

I hate to be the one to continually complain about security, but that doesn’t mean I won’t keep doing it. I would estimate that 95% of people are FAR too lax when it comes to security measures, and that another 4% are just plain old lax.

This latest story focuses on a concept called social engineering as a weak link in the chain (among other issues). Social engineering is the process of causing a security breach through subversive human interaction – in this case, fooling bank personnel into believing you are someone you are not.

The full story can be found here. These are the pertinent excerpts:

Banking on Security

NOVEMBER 29, 2006 | We were recently hired by a regional bank to assess its security. When negotiating the services agreement with the bank president we agreed to perform the standard network security penetration testing, but he insisted we also test the security awareness of the bank staff.
…
After signing some legal boilerplate and “get out of jail free” paperwork, here’s what we agreed to: Pose as a vendor, enter the facility, plug into the network, sniff traffic, look for login and passwords, then try to become domain administrator of the network.

Our first step was to select a vendor to impersonate. To keep the suspicion level down, it needed to be someone who’d use a computer or laptop once inside. To find out more, I sent a colleague into the bank to inquire about a checking account. While in the bank she took notice of the various pieces of office equipment, specifically the printers, faxes, and copiers.
…
After reviewing the list of office equipment she retrieved, we decided the best person to enter the facility was a copier technician.
…
On the day we planned to go in, I called the bank and indicated I was new to the copier company and wanted to get familiar with the machine to properly service the equipment. I indicated we could perform a preventive maintenance call at no charge to ensure the quality of the prints and copies. The person at the bank agreed and thought it was a good idea.
…
I entered the bank lobby and was immediately greeted by a woman in a small glass-paneled workspace. I mentioned we called earlier, dropped the contact’s name, and indicated I was here to service the copier/printer. Without hesitation I was escorted to the machine and left unattended. To make it appear as if I were working on the device, I opened every panel on the machine, pulled all the trays out, and placed my laptop on the glass surface of the copier/printer.

I was approached by a few people who needed to make copies. I apologized for the inconvenience and said the machine might be down for 30-40 minutes. I then disconnected the network cable from the copier/printer and attached my laptop. As soon as my laptop booted up, DHCP provided a network address and I was on the internal network. I started a few of our utilities and started sniffing the traffic on the network.

Within seconds I had a variety of logins and passwords, access to numerous shared folders, data, and administrative accounts.
…
When I returned to my office I immediately called my contact and explained what we did and that we were successful. After retrieving the ream of paper with his password, I could hear the concern in his voice since our job confirmed his worst fears. I explained to him this type of problem can be fixed by sharing the results with his employees, and that no one person should be targeted as a single point of failure.

The good news is that the bank in this story actually hired these pros to come in and do this testing for them. That gives them the opportunity to try to plug these security holes. The bad news is that the security breach in this case is so simple that I could grab my laptop and go duplicate the attack tomorrow without any special tools or additional software.
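Two things made the excerpt's attack trivial: any device plugged into the copier's cable was handed an address by DHCP, and credentials then crossed the wire in the clear. The first of those leaves a footprint a defender can watch for. The script below is an added example, written for this post and not taken from it or from the Dark Reading article: it reads DHCP lease records and flags a lease granted on a network drop to a device other than the one registered for that drop. The inventory, the log line format (`<timestamp> DHCPACK on <ip> to <mac> via <drop>`) and every MAC address and drop name are constructed for illustration.

```python
"""Added example: flag DHCP leases granted on a network drop to a device
other than the one registered for that drop (constructed data throughout)."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Hypothetical asset inventory: the one MAC expected behind each wall drop.
REGISTERED_DEVICES: Dict[str, Dict[str, str]] = {
    "lobby-copier": {"mac": "00:1b:a9:11:22:33", "description": "lobby copier/printer"},
    "teller-2-pc": {"mac": "3c:52:82:aa:bb:cc", "description": "teller workstation 2"},
}

# Assumed log format: "<timestamp> DHCPACK on <ip> to <mac> via <drop>".
# Real DHCP servers log the relay or interface rather than a drop name;
# mapping that to a physical port is what the inventory has to supply.
LEASE_RE = re.compile(
    r"^(?P<ts>\S+) DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"to (?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}) via (?P<drop>\S+)$"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    drop: str
    reason: str  # "mac-mismatch" or "unregistered-drop"
    seen_mac: str
    ip: str
    expected_mac: Optional[str]


def parse_lease(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one DHCPACK line, or None if the line is not a lease."""
    m = LEASE_RE.match(line.strip())
    if m is None:
        return None
    fields = m.groupdict()
    fields["mac"] = fields["mac"].lower()  # normalise case before comparing
    return fields


def find_rogue_leases(lines: Iterable[str],
                      inventory: Dict[str, Dict[str, str]] = REGISTERED_DEVICES) -> List[Alert]:
    """Flag every lease whose MAC is not the device registered for its drop,
    and every lease on a drop with no registered device at all."""
    alerts: List[Alert] = []
    for line in lines:
        lease = parse_lease(line)
        if lease is None:
            continue  # not a lease record; skip it
        registered = inventory.get(lease["drop"])
        if registered is None:
            alerts.append(Alert(lease["ts"], lease["drop"], "unregistered-drop",
                                lease["mac"], lease["ip"], None))
            continue
        expected = registered["mac"].lower()
        if lease["mac"] != expected:
            alerts.append(Alert(lease["ts"], lease["drop"], "mac-mismatch",
                                lease["mac"], lease["ip"], expected))
    return alerts


# Constructed sample log: the copier takes its usual lease in the morning,
# then a different device appears on the copier's drop an hour later.
SAMPLE_LOG = """\
2006-11-29T09:02:11 DHCPACK on 10.10.5.20 to 00:1b:a9:11:22:33 via lobby-copier
2006-11-29T09:03:40 DHCPACK on 10.10.5.31 to 3c:52:82:aa:bb:cc via teller-2-pc
2006-11-29T10:17:05 DHCPACK on 10.10.5.77 to 00:16:D3:DE:AD:00 via lobby-copier
2006-11-29T10:17:06 DHCPACK on 10.10.5.78 to 00:16:d3:de:ad:01 via lobby-spare
2006-11-29T10:17:07 this line is not a lease record and is skipped
"""

if __name__ == "__main__":
    for a in find_rogue_leases(SAMPLE_LOG.splitlines()):
        print(f"{a.ts} {a.reason}: {a.seen_mac} got {a.ip} on {a.drop} "
              f"(expected {a.expected_mac})")
```

Run against the sample it raises two alerts: a MAC mismatch on `lobby-copier` and a lease on the unregistered `lobby-spare` drop. Treat a check like this as a tripwire rather than a lock: it tells you something unexpected got an address, which is exactly the moment in the story where the laptop went live. The controls that actually close the hole are port-based network authentication, so an unregistered device is not admitted in the first place, and removing cleartext logins from the wire, so a device that does get in has nothing to sniff.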

The moral of this story is that in your business you need to be constantly vigilant, and in your private life you need to be paranoid about what kinds of information you allow people access to.

Filed Under: Computing, Security Tagged With: Bank-of-America, Computing, Crime, Finance, Hacking, Security

About John P.

John P. is a former CEO, former TV Show Host, and the Founder and Wizard behind Texas Metal Works. You can find him on Twitter, Facebook and LinkedIn. Feel free to send shoutouts, insults, and praise. Or Money. Money is good.

Comments

  1. Terry says

    December 1, 2006 at 10:38 pm

    Check out this article…

    http://www.darkreading.com/document.asp?doc_id=95556&WT.svl=column1_1

    even scarier. No posing as a repair man. No scouting the bank. Just drop a few around and let curiosity do the rest.
