Homeland Security got pwn't

032_Mendicant_Bias · Post by **032_Mendicant_Bias** » 2008-03-23 11:16pm

http://www.upi.com/NewsTrack/Quirks/200 ... eces/9759/

"ST. PAUL, Minn., March 19 (UPI) -- Someone with an urge to purge took it out on the Minnesota Homeland Security and Emergency Management office in downtown St. Paul, police said.

An unknown man defecated in several rooms Friday afternoon and left on foot before an officer arrived, the St. Paul Pioneer Press reported Tuesday. Based on the suspect's description, he appeared to be homeless, a police spokesman said.

It turns out the Homeland office wasn't too secure -- a contractor working for the building's management failed to properly secure a door behind him, said Susan Lasley, spokeswoman for the Minnesota Department of Pubic Safety."
-------------------------------------------------------------------------------------

Damn straight its not secure. Reminds me of a bit of copy pasta about a guy shitting everywhere in his office, opening up a computer and sealing a shit in it, crab walking whilst leaving like a 30 foot long trail.

I think FEMA is still more worthless and dumb than Homeland Security though.

Kamakazie Sith · Post by **Kamakazie Sith** » 2008-03-23 11:49pm

Nah, the victim here is the contractor that will probably lose his job. All the homeland security guys did was call in another contractor to clean up the mess.

PS - I despise homeless like that.

032_Mendicant_Bias · Post by **032_Mendicant_Bias** » 2008-03-23 11:56pm

He shouldn't be fired. He fucked up. People do that. Noone is perfect.

Plus this is really, really funny.

Shinova · Post by **Shinova** » 2008-03-23 11:56pm

In several rooms? If it's one guy, how long does he save it up to let it all out like that?

I feel so sick.

Post by **Darth Wong** » 2008-03-24 12:01am

032_Mendicant_Bias wrote:He shouldn't be fired. He fucked up. People do that. Noone is perfect.

Plus this is really, really funny.

He fucked up, but he fucked up on a basic security issue and he needs to be made an example of.

I read an article a while ago about a guy who specializes in probing security systems in order to test those systems (the companies hire him to see if he can breach their security). Want to know his favourite avenue of breaching secure systems? It's not exactly high-tech: he uses smokers. Yup, that's right. He says he's has more success using cigarette smokers than any other method. They come down to the main floor, they open back doors which aren't supposed to be open, they hang around and smoke cigarettes for a while, and then they go back in.

All he has to do is hang around the outside smoking cigarettes, wait for someone to come out, share carcinogens and small talk for a few minutes, and then casually go back in with him. He's breached supposedly impenetrable security systems with this absurdly simple trick.

032_Mendicant_Bias · Post by **032_Mendicant_Bias** » 2008-03-24 12:03am

Shinova wrote:In several rooms? If it's one guy, how long does he save it up to let it all out like that?

I feel so sick.

Lots of Mexican food and White Castle?

That is a good point though Wong. Although in the event someone breaks in they need to have systems that can't be hacked. The fact that this guy did nothing other than shit everywhere either shows he just wanted to shit or he couldn't do anything else.

It's still funny.

Post by **Darth Wong** » 2008-03-24 12:06am

032_Mendicant_Bias wrote:
Shinova wrote:In several rooms? If it's one guy, how long does he save it up to let it all out like that?

I feel so sick.
Lots of Mexican food and White Castle?

That is a good point though Wong. Although in the event someone breaks in they need to have systems that can't be hacked. The fact that this guy did nothing other than shit everywhere either shows he just wanted to shit or he couldn't do anything else.

It's still funny.

Who says you need to hack a system? Once you're inside a secure building, you're in an area where people feel they can let their guard down a little bit. Just wait for someone to go to the bathroom and then just sneak into his office. His computer will still be logged in, and you can go to town.

Kamakazie Sith · Post by **Kamakazie Sith** » 2008-03-24 12:09am

032_Mendicant_Bias wrote:
Shinova wrote:In several rooms? If it's one guy, how long does he save it up to let it all out like that?

I feel so sick.

Lots of Mexican food and White Castle?

That is a good point though Wong. Although in the event someone breaks in they need to have systems that can't be hacked. The fact that this guy did nothing other than shit everywhere either shows he just wanted to shit or he couldn't do anything else.

Who gives a shit about the systems? Someone could have left a bomb for the homeland security employees.

It's still funny.

I don't see the humor...why is this funny? It's disgusting. Funny? Nah.

Burak Gazan · Post by **Burak Gazan** » 2008-03-24 12:26am

Darth Wong wrote:
032_Mendicant_Bias wrote:He shouldn't be fired. He fucked up. People do that. Noone is perfect.

Plus this is really, really funny.
He fucked up, but he fucked up on a basic security issue and he needs to be made an example of.

I read an article a while ago about a guy who specializes in probing security systems in order to test those systems (the companies hire him to see if he can breach their security). Want to know his favourite avenue of breaching secure systems? It's not exactly high-tech: he uses smokers. Yup, that's right. He says he's has more success using cigarette smokers than any other method. They come down to the main floor, they open back doors which aren't supposed to be open, they hang around and smoke cigarettes for a while, and then they go back in.

All he has to do is hang around the outside smoking cigarettes, wait for someone to come out, share carcinogens and small talk for a few minutes, and then casually go back in with him. He's breached supposedly impenetrable security systems with this absurdly simple trick.

Not only that Boss, but those secure doors that are not supposed to be opened, also sometimes get blocked open with a brick, or piece of wood so they can get back in without setting off any alarms or getting locked out. A million dollar security system has no chance against a human with a ten-cent head

Durandal · Post by **Durandal** » 2008-03-24 02:37am

Darth Wong wrote:
032_Mendicant_Bias wrote:He shouldn't be fired. He fucked up. People do that. Noone is perfect.

Plus this is really, really funny.
He fucked up, but he fucked up on a basic security issue and he needs to be made an example of.

I read an article a while ago about a guy who specializes in probing security systems in order to test those systems (the companies hire him to see if he can breach their security). Want to know his favourite avenue of breaching secure systems? It's not exactly high-tech: he uses smokers. Yup, that's right. He says he's has more success using cigarette smokers than any other method. They come down to the main floor, they open back doors which aren't supposed to be open, they hang around and smoke cigarettes for a while, and then they go back in.

All he has to do is hang around the outside smoking cigarettes, wait for someone to come out, share carcinogens and small talk for a few minutes, and then casually go back in with him. He's breached supposedly impenetrable security systems with this absurdly simple trick.

That's very interesting, actually. I always assumed that Apple's campus-wide smoking ban was because Steve Jobs didn't like cigarettes, but it would make a whole hell of a lot of sense if it was to prevent security incidents like this.

Post by **The Yosemite Bear** » 2008-03-24 03:50am

I remember Kevin Mitchnik was jelous because when he was in high school, his dumpster diving for codes didn't work as well as the female nerd's method of getting passwords (flirting), so the smoking ban may not be all that effective...

Post by **Darth Wong** » 2008-03-24 09:29am

Durandal wrote:That's very interesting, actually. I always assumed that Apple's campus-wide smoking ban was because Steve Jobs didn't like cigarettes, but it would make a whole hell of a lot of sense if it was to prevent security incidents like this.

It makes a lot of sense. Smokers don't like to hear this, but they are drug addicts, and their addiction makes them irrational. That's why they do stupid things like huddling in the rain for a smoke, or opening secure doors that aren't supposed to be open, so they can get their fix. That's why so many of them can't even go for the length of a single work day without a hit.

If someone said that drug addicts were a security risk, no one would bat an eyelash. Of course they are; an addict is a risk because his addiction might lead him to do things he shouldn't do. But if someone replaces the words "drug addicts" with "smokers", people think it's totally different. It isn't.

The Grim Squeaker · Post by **The Grim Squeaker** » 2008-03-24 10:21am

The Yosemite Bear wrote:I remember Kevin Mitchnik was jelous because when he was in high school, his dumpster diving for codes didn't work as well as the female nerd's method of getting passwords (flirting), so the smoking ban may not be all that effective...

Isn't that about the first thing they get taught in security, after not blabbing in public or over unsecure connections? Surely they can't be that stupid...Right, sorry for the mistake.

Still, indeed, most leaks are people blabbing on the train, not through super-secret spying flying fly cams hiding inside peoples bags or under their skin. Really.

.

Post by **The Yosemite Bear** » 2008-03-24 10:59am

actually the point of the mitchnik's counterpart who was the one who actually got into high level security computers as a red teamer after the group was arrested appeared to be possession of testicles can be a security risk. As it appeared that flirting and acting like she belonged there was often enough to get someone to give her access....

lukexcom · Post by **lukexcom** » 2008-03-24 11:17am

I worked for Mesaba Airlines as a "ramp agent" (i.e. parking and loading bags into planes) at the MSP airport in the summer of 2005.

The MAC (Metropolitan Airports Commission, owner of the airport) and the TSA had a very traditional approach to this problem: fear. Being caught causing a security risk was not only being fired, but you owing some thousands of dollars in fines and penalty to the TSA, and then some more to MAC. They reserved the right for prosecution in court.

Every new employee would attend mandatory security training that would last a few hours. On top of that, the airlines would have their own recurring programs just like them. But obviously, you can only do so much with that, as some people can be so stupid and ignorant that nothing will stop them from having things their way. So to try to reduce the chances of someone being an utter idiot and potentially screwing everything up for everyone, here's what they decided to do:

Every day, as we arrived to the airport itself, we usually passed through a security checkpoint like most passengers do to get into the "secure area" of the airport. As we went through the line with the other passengers, we would swipe our security badges on a little swipe pad and enter our PINs in.

This action was crucial. If you didn't swipe yourself at an entry location to the secure area, the system would throw up red flags if you would then try to swipe your way through some random door inside the secured area.

In other words, there was a logical structure in the system where in order to get through a door, you would have had to swiped in at a previous door that led to the one you're currently at. That way, in the system's eyes, your first swipe should not be somewhere in the middle of a secured zone with no swipes at the doors that would lead to your particular location.

Same thing with walking outside onto the ramp where the planes are parked: swipe in at the door leading outside, and go work. When going back into the terminal building, swipe in at the door. If you miss a swipe somewhere (i.e. follow someone outside, then try to swipe in yourself while going back in), then the system will throw up a flag somewhere.

Knife · Post by **Knife** » 2008-03-24 11:27am

Destructionator XIII wrote:At a company I used to work for, the front door was locked and would open by swiping an ID badge. The door would then quickly close itself if you left it. Security policy was to swipe your badge, go in, and then if there was anyone else there, pull the door shut without letting anyone follow you. Every person entering or leaving the building was supposed to swipe his or her own badge.

The problem is people think it is rude to pull the door shut on someone, so in a lot of cases, employees would hold the door, trying to be nice. You can see how easy it would be to get in: act like you belong and wait for someone hold the door. Then, when you walk past the security checkpoint, proper procedure was to show your badge to the guard, but in practice, they didn't take that close of a look at it, especially if you were with someone else. So, boom, stay just a step behind the other person who let you in and show a fake badge to the guard. If there is a group, all the better; the guards rarely stopped a group walking in to check each badge individually. With the high turnover rate of employees that company had, no one would think anything of an unfamiliar face. And with the large number of people going in and out through the door to have a smoke, you could do this at almost any time during the day and not be at all suspicious.

Then, once inside, it becomes very easy to do whatever you are there for. Get passwords off post-it notes and go nuts if the computers are what you're after. As long as you act like you are supposed to be there, no one would question anything. One thing to be careful for is to avoid looking directly into a security camera, but it wouldn't be hard to do that without looking out of place.

The main problem with security is people are just too trusting.

sounds less a people problem then your company wanting good security on the cheap. If they want one person per door opening, they'd better have a security person there making it so.

Knife · Post by **Knife** » 2008-03-24 11:34am

OT; how on earth is this incident the HSD being pwned? It's only owned if your definition of such is pretty fucking pathetic.

Spin Echo · Post by **Spin Echo** » 2008-03-24 11:42am

Destructionator XIII wrote:At a company I used to work for, the front door was locked and would open by swiping an ID badge. The door would then quickly close itself if you left it. Security policy was to swipe your badge, go in, and then if there was anyone else there, pull the door shut without letting anyone follow you. Every person entering or leaving the building was supposed to swipe his or her own badge.

The problem is people think it is rude to pull the door shut on someone, so in a lot of cases, employees would hold the door, trying to be nice. You can see how easy it would be to get in: act like you belong and wait for someone hold the door. Then, when you walk past the security checkpoint, proper procedure was to show your badge to the guard, but in practice, they didn't take that close of a look at it, especially if you were with someone else. So, boom, stay just a step behind the other person who let you in and show a fake badge to the guard. If there is a group, all the better; the guards rarely stopped a group walking in to check each badge individually. With the high turnover rate of employees that company had, no one would think anything of an unfamiliar face. And with the large number of people going in and out through the door to have a smoke, you could do this at almost any time during the day and not be at all suspicious.

The solution for this is to have an inner security check that forces each person to swipe through. One company I worked for had this. There was the outer door, and once inside there were a row of gates to get into the rest of the building. You would swipe you ID and the gate doors swing open for a few seconds, just long enough for one person to get through. It's sort of like I've seen on some subway and train stations.

Spin Echo · Post by **Spin Echo** » 2008-03-24 11:43am

Could a mod delete these extra posts?

Spin Echo · Post by **Spin Echo** » 2008-03-24 11:44am

Damn server.

Spin Echo · Post by **Spin Echo** » 2008-03-24 11:46am

En gang til.

Tiriol · Post by **Tiriol** » 2008-03-24 02:24pm

One problem with entrance security that often gets downplayed is the foolish pride and arrogance of especially the manager level, but to be found in all levels of staff. Meaning that even if the official security policy, also including who can enter and who can not, is strict, often the staff gets furious if the security workers maintain that policy. They act like it would be a personal insult when a security guard at the door asks for some ID or doesn't instantly open the door remotely when they have contacted the security center and told "hey, it's Mike here". I have had both things happen to me and every time it results in complaints and dirty looks. This can easily result in that the seucirty guards, especially if they get yelled at by some management level idiot for doing their jobs, are more willing to take those risks than to risk their jobs (especially if they aren't actually employees of the place, but are hired through some security firm, as in Finland).

Fortunately for me, the site's upper management and those responsible for site's employees' security training understood the situation and basically congratulated me and the other security guards. Unfortunately, such is not the case with all sites and apparently at least one security contract has been cancelled because the site's employees complained about the guards doing their jobs and asking for IDs and refusing entrance if one wasn't found. As you can imagine, that doesn't fill people with confidence,