abc-1 a day ago

Unless you’re a valuable or high clearance entity, all of this stuff seems like adults having a fun pretend make believe time. Like that neighbor in a nice part of town who owns multiple guns and has a security system set up to protect his maybe… $2k worth of jewelry. And if you say stuff like this, there’s always that one guy who chimes in about that one time when it actually happened for realsies and they were so glad they had their twenty layers of protection and boobytraps set up.

  • Puts a day ago

    The thing is though that it takes so little to just avoid things like this. If the security guard actually did his/her work and checked on unknown persons coming into the building. If the company used a password manager to share WiFi passwords (or maybe even Enterprise WPA with certificates), and made sure unused public Ethernet ports are not patched. Then these two very simple things would have made this much harder.

    I think the sad part is that they had probably had some security guy tell them this already but people were just making fun of him because people don't believe things they cannot see - so it takes a "pretend to be SPYs charade" to make people actually care.

    • lukan a day ago

      "The thing is though that it takes so little to just avoid things like this. If the security guard actually did his/her work and checked on unknown persons coming into the building"

      But the lowly security guard also does not want to piss off a higher class being, which is so high, it is above all that. "How dare you question me! Don't you know who I am?"

      This attitude for example is what makes it hard for that low guard.

      Generally, if you act like you belong somewhere and have the right to do so, you are seldom stopped.

      The counter defence would be indeed, just follow security protocol strictly for everyone with no exceptions.

      And well, hire professional security. I briefly worked in security, in a company supposedly with higher standards. Well, I would not hire them, for anything serious. General staff morale is very low, in that low-paid sector.

      • Aeolun a day ago

        > Generally, if you act like you belong somewhere and have the right to do so, you are seldom stopped.

        Maybe, but you better believe everyone has to scan a valid badge if they want to get into the office in the first place. And through every door.

        • camtarn a day ago

          Holding the door for people is so ingrained as a polite thing to do. You really have to tell people not to allow others to tailgate - or install turnstiles/gates that make it impossible. I suspect this would be particularly bad in an office with a hundred people or so - small enough that you're at least slightly familiar with most of the faces, but large enough that you wouldn't necessarily know if somebody got fired. If they're wearing their no-longer-valid badge and acting like they're meant to be there, I can't see many people stopping them.

          • buggy6257 a day ago

            I don’t want to sound like I’m disagreeing with you because you’re right; just an amusing anecdote from my past:

            I worked at a place that stressed this at company meetings - “no holding doors, if someone says they forgot their badge don’t let them in etc”

            At one meeting the CEO got up and talked and praised one of the employees because they actually did this to him, the CEO; shut the door in his face and made him walk back to his car to get his badge. Was very funny to see a place actually walk the talk on this.

            Overall though of course you’re right. People are going to be nice and you can’t stop it.

          • dopylitty a day ago

            It’s not realistic to expect individual workers to slam the door in the face of someone walking behind them.

            Companies that want to prevent tailgating need to spend the money on mantraps or other infrastructure that is clearly designed to allow one person through at a time.

      • ok_dad a day ago

        > General staff morale is very low, in that low-paid sector.

        So pay a reasonable wage that actually boosts the morale of the security staff to ensure they do their best and not just act like a velvet rope?

    • bbarnett a day ago

      And yet they still won't care, because most people have zero interest in their job. For those that do? They're lucky, work is fun, and they often love doing the best they can at their job.

      So sadly for many only the threat of dismissal forces those unhappy ranks to do their job. Others have a strong work/duty ethic, and will do their best. One thing that can help overall is an entire corporate culture, where everyone is lambasted for such failures.

      "You saw that <security guard> wasn't doing his job, and you didn't tell anyone? You're in trouble too!", and so on.

      • eddyg a day ago

        > because most people have zero interest in their job

        So. Much. This.

        The number of people who do “just enough” to not get fired is staggering.

        There is no “work ethic”.

        At least in the military when somebody fucks up during training the entire $GROUP gets punished. It doesn’t take long before people start taking “rules” seriously.

        There need to be more consequences and accountability.

        • ok_dad a day ago

          The military isn’t some place you send miscreants who always misbehave, most of us wanted to do our best and your description of it is pretty insulting and inaccurate. We worked together to attain a goal and fight alongside each other, not because we were beaten trained dogs.

          • Aeolun a day ago

            I think the implication was more that there was a lot of social pressure in the military that is absent in megacorp X

            • bravetraveler a day ago

              For the better, I don't live with my coworkers and I don't want to

          • eddyg 7 hours ago

            Absolutely no disrespect intended at all. Thank you for your service. Perhaps I should have said “basic training” instead of “the military” because that’s the context I was thinking of.

          • none4methx 19 hours ago

            But those engagements would go so much differently and churn would be so much higher if the threat of prison didn’t disallow going AWOL.

            It’s a threat of violent coercion, even though daddy never personally hit you or anyone you served with.

            It’s how all abusive relationships work, they just operationalized and scaled it to an unprecedented degree.

            And then you come out of that abusive relationship with a quick reintegration course and track your duty, but no honor, back to the private sector. If vets weren’t a protected category, they’d be subject to more discrimination due to the warped psyche basic training is designed to produce.

      • mschuster91 a day ago

        > One thing that can help overall is an entire corporate culture, where everyone is lambasted for such failures.

        That is precisely what you do not want to do, all that breeds is a culture of hyper-paranoid ass-covering and blame deflection.

      • m1n7 a day ago

        > only the threat of dismissal forces those unhappy ranks to do their job

        or, you know, just pay them properly

        • bbarnett a day ago

          Pay has nothing to do with it. Nothing.

          Here's an example. Your salary is $1M per year, or $10k. In both cases, you hate work, hate your job, don't want to do it, and...

          can never be fired.

          How does better pay help?

          Better pay may help, but only conjoined with the threat of it being taken away if you don't do your job.

          And amusingly, you throw out the "better pay" line without even knowing the salary.

          • BizarroLand 16 hours ago

            I get what you're saying but it is a known fact that most corporate security personnel make not a lot of money. I work in a nice high rise and our front desk security people make $23-$25/hr.

            That's probably higher than average.

  • Closi a day ago

    I think it fits the idiom of "aim for the stars and you'll land on the moon".

    If you are the kind of company that has a focus on all aspects of security, and assumes a sophisticated actor is attacking, you will have a better chance at defending against unsophisticated actors.

    If you plan your security around only defending 'less-sophisticated' actors then you might quickly find one slips through the cracks.

  • vasco a day ago

    Value is in the eye of the beholder. All that security does is buy peace of mind, how much you have to spend for that peace of mind is very personal.

    Same thing with attitudes to security of leadership teams. And if past events are indicative, there's way more leadership teams that don't give a rat's ass about security than ones that do. Particularly when you're holding other people's valuables (data).

    • BLKNSLVR a day ago

      I initially read your first sentence as "Value is in the eye of the shareholder" and thought to myself: Hah, yeah, clever.

      I've now coined the phrase, accidentally.

      Along those lines, however, it's peace of mind against an actual intrusion, but it's also peace of mind against lawsuits for dereliction of duty, etc.

  • bsmartt a day ago

    I don't think anyone who is well versed in today's threats is saying to the company board members "i mean, really guys, this whole security/risk thing.. all smoke and mirrors... wasting our money on fun and games". BF as a consulting company is pretty fucking on point in my perspective, but if I were going to throw shade at a more broad swath such as the whole infosec industry from <insert stealth / yc funded AI based cyber startup> to <DARPA / Giant AntiVirus corp> I would probably diverge slightly with something more like 'there is so much snake oil, lack of proven and holistic solutions, freemium consumer products shamelessly bait-and-switching everyday people who caught an infected flash installer online, etc., hiding amongst however many legitimate value propositions on offer that it's like ... when disaster does come, I'd reckon it is more or less a coin toss as to whether our investment into CYBERHaxPreventor56000 will have delivered some portion of the price tag in returns to us.' Seem like a fair response to your points?

BLKNSLVR 21 hours ago

"I try to leverage them together," Denis said. "I will call and say, 'Hey, I sent you an email last week, did you receive that email?' People will typically say, 'No, I never got it.' Of course they didn't because I never sent one."

But at that point, the victim already feels like they screwed up by missing an email last week, and now they feel indebted to the attacker. "They feel like they owe me. Then I can say, 'while we are on the phone right now, is it OK if I resend it to you? Can you go ahead and just do this one thing?"

I'm immune to this one. Don't send me a fucking email if it's something important. Email can wait. Email can always wait. Email is a filing system for details that are only ever useful when someone says "did you get that email?"

I don't feel indebted, I feel annoyed that you expect me to have read your email and have it memorised for whenever it is you may show up to test me on the hyper-contextual trivialities it contained.

Always say you didn't get the email when someone asks, and do it with an unrepentant attitude; put them on the back foot. If you've got the time and mental space to recall random emails from x minutes, hours, days in the past, then you probably need to re-evaluate how you prioritise your time and tasks.

(This has been true for me for at least a decade. People still get horrified at my number of unread emails. I pity them and the time they spend curating their inbox - I'd rather get shit done or use my free time on literally anything else)

  • sheepdestroyer 21 hours ago

    For me email is the best, and only, solution for anything important. What would be better, a text message? a phone call? smoke signals?

    If you send me a physical letter and require that I'm home to receive it, not lose it in my piles of unopened mail, and reply eventually (with a physical mail? lol) it's already a lost cause.

    Most likely I won't be able to take any note during a phone call, if by the most unbelievable chance I am able to pick up when you decide to call impromptu.

    Text message, seriously? It's just for spam at this point. It's just the worst 'technical' solution. Insecure, not travel-proof, etc...

    An email leaves precise traces (when, who), can be archived, searched, muted or prioritized as I see fit. You can put text, pictures & URLs inside & whatever else, that I can look up on my own time.

    If it's at all important : Send an email, then send follow-ups when it looks like the matter's urgency needs it (because as you said, obviously you can't assume I'll read it immediately and then remember it).

    If it's important -to you- the onus is on you to pick the best technical way to deliver information, and then insist until you get your answer.

VMG a day ago

Company name is "Bishop Fox"

One of their products is called "Cosmos" https://bishopfox.com/cosmos

Too many secrets?

  • INTPenis a day ago

    >Too many secrets?

    What is that supposed to mean? Sneakers reference?

    I feel like this is a repeating pattern for security companies these days. Trying to sell a holistic solution with fancy dashboards but essentially they're doing the same thing any script kiddie can do.

    It's the active red team that impresses me more than these products like cosmos. And they surely don't have the resources to offer active pen testing to all their clients.

justinclift a day ago

> In this case, the command-and-control server happened to be controlled by a security firm's red team that had been hired by the multi-tenant building owner ...

Wow. They must have some amazing commercial tenancy agreement in place to allow them to send unknown-to-the-tenant people into the premises to literally compromise the tenant's network.

To me, that sounds like extraordinary grounds for legal action by the tenant.

  • Freak_NL a day ago

    This was likely squared with the tenants' leadership beforehand. These folk don't just barge into something without having a solid contract backing their actions from all parties involved.

fshafique a day ago

If they made this into a reality show, that's one show I'd watch.

F%#& Undercover Boss! Give me Undercover Boss gets hacked!

  • hughdbrown 18 hours ago

    There's a show that plays on my Samsung's TV channels that has a camera crew that follows a bunch of car repo guys in a tow truck. My suspicion is that it's scripted and fake (from the times I have flipped past it), but you could still get your secret agent / red team / repo dude jones on if you kinda squinted at it.

  • torlok a day ago

    Unless you cut it like Ocean's 11, it would probably get cancelled for being too boring to the general public.

    • FearNotDaniel a day ago

      Nah just do what all the other "reality" shows do: find real people willing to portray caricatures of themselves and put them in completely made up but plausible sounding situations then encourage them to go full drama queen... As they say at the beginning of Made in Chelsea: "some" situations "may" have been staged for your entertainment...

  • ratg13 a day ago

    At a previous job I worked with a really good contract pen-tester.

    He would literally just walk into facilities and ask people to give him their passwords and they would give them.

    The people working would also help him open wiring cabinets so he could do whatever he wanted.

    • lostlogin a day ago

      You aren’t wrong.

      I called a vendor once, wanting a server setting tweaked. I asked for the present state and when it came back completely different to what I was expecting I backtracked.

      I’d queued changes on a competitor's live environment. I don’t think you need an elaborate charade, just blaze in with confidence.

    • FearNotDaniel a day ago

      Or walk past the boss's PA's desk, note if s/he has a photo of a cat/dog/boyfriend/girlfriend, ask someone the name of that companion and boom, there's your password.

butz 19 hours ago

Get a stepladder, dress like a maintenance worker and you'll be able to enter any building you like. I'd suggest starting with museums and art galleries.

nikanj a day ago

Good guy, pretending to be a bad guy, pretending to be a maintenance guy. Very Tropic Thunder.

sandworm101 a day ago

She is blonde and pretty, irrelevant to 99% of attacks but when it comes to walking into buildings uninvited, pretty is like a gate pass. This is why one needs a diverse security team so that at least one member is less likely to tolerate the attractive person just walking in like they own the place.

  • akimbostrawman a day ago

    In typical DEI fashion, instead of finding an actual solution to problems it is being used to further someone's political agenda.

    How about not relying solely on error-prone humans to grant access to places. Locks have been a thing for millennia, or do you also use a diverse team of login guards to decide who can use what systems?

    • sandworm101 a day ago

      >> error-prone humans to grant access to places. Locks have been a thing for millennia

      Except that a friendly smile and bit of eye contact can often prove enough to slip in behind after someone else opens a door. I know of buildings with claustrophobically small turnstile doors specifically to address this problem.

  • louwrentius a day ago

    Why do you assume adversaries would not - exactly for this reason (men dismissing women as an attack vector) - ask a woman to plant a device? It's prejudice all the way down.

    This has nothing to do with DEI hiring. I mean: why is it up to women or people of different ethnicity to spot people who should not be in a building?

    Why can't men dump this perceived bias and not be so - allegedly - vulnerable?

    To me this really reads as an excuse to be dismissive of the accomplishment of a woman who was successful at her job.

    • sandworm101 a day ago

      >> Why can't men dump this perceived bias and not be so - allegedly - vulnerable?

      They certainly can, but the average minimum-wage front desk security guard tends not to. Doing so takes training. There are security guards specifically tipped to counter this sort of thing. It is taught in areas such as national security and, ironically, the entertainment industry.

      And why would this diminish one's accomplishments? For a physical pen tester, getting through is all that matters. Putting the effort into being more physically attractive, as a tool, should not be diminished. Have a look at some of the spies that Russia has sent to penetrate US systems. Nobody thinks any less of them for being attractive. It is a very powerful weapon that certainly takes more effort than learning to metasploit.

      https://en.wikipedia.org/wiki/Anna_Chapman

      • Freak_NL a day ago

        True, but it doesn't have anything to do with diversity in hiring. Attractive people have an effect on everyone regardless of gender or skin colour.

        It's the combination of being attractive (but not overtly so), looking professional, looking as if you know exactly what you are doing, and being able to shrug off any questions in a plausible manner. You have to be likeable and trustworthy, and being attractive, apparently, helps to achieve that.

        Besides, a red team could just as easily send in the buff handsome black vending machine repairman if they figured that would get them past the security detail staffing the front entrance that day more easily, or team up and send in both; whoever gets the most questions asked just falls into the stalling routine whilst the other is waved through.

        It all comes down to training and giving a fuck about the job (i.e., being paid decently and made to feel appreciated).

        • orwin a day ago

          It really depends on what you think diversity hiring ought to be. If it's about gender and skin colors, yeah, you're right. If it's about different experiences and point of view, diversity hiring might help in this case. Or good, regular training.

dzhiurgis a day ago

> connect to the corporate network

is this trope still true? do companies still have open and unprotected smb drives as soon as you plug any device into network?

  • madaxe_again a day ago

    Often - but even easier is just to physically connect to an Ethernet network, which you’ll frequently find patched in, unswitched, and unencrypted, and just capture traffic.

    • camtarn a day ago

      Does anything run on an un-switched network these days? I guess you can see broadcast traffic, but I thought dumb hubs went out of fashion a decade ago. Although there are probably plenty of offices which haven't updated their networking setup in that decade, perhaps.

    • dzhiurgis a day ago

      What is unencrypted nowadays?
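The two questions above (what a passive listener sees on a switched segment, and what is still unencrypted) have a concrete answer: a switch only floods broadcast and multicast frames to every port, but that is exactly the traffic name-resolution and bootstrap protocols such as ARP, DHCP, NBNS, LLMNR and mDNS use, and those carry hostnames in plaintext. The following is an added example, not code from the article, the red team it describes or any commenter; it parses a handful of hand-constructed Ethernet frames (the sample frames, the MAC and IP addresses, and the port-to-protocol table are all assumptions made for the demonstration) and reports which ones a rogue device plugged into a spare port would still receive.

```python
"""Classify which link-layer frames a passive, unauthenticated host would still
see on a *switched* LAN. Switches flood broadcast and multicast frames to every
port, so ARP, DHCP, NBNS, LLMNR and mDNS leak hostnames and name lookups even
though unicast traffic between other hosts is not forwarded to the listener.
All sample frames below are constructed by hand; nothing is captured live.
"""
import struct
from collections import Counter
from typing import Iterable, Optional

ETH_IPV4 = 0x0800
ETH_ARP = 0x0806
PROTO_UDP = 17

# UDP ports of broadcast/multicast protocols that commonly carry plaintext
# hostnames. This table is an assumption for the example, not an exhaustive list.
NOISY_UDP_PORTS = {67: "DHCP", 68: "DHCP", 137: "NBNS", 5353: "mDNS", 5355: "LLMNR"}


def is_broadcast_or_multicast(mac: bytes) -> bool:
    # The least significant bit of the first octet marks a group (multicast)
    # address; ff:ff:ff:ff:ff:ff (broadcast) has that bit set as well.
    return bool(mac[0] & 0x01)


def classify_frame(frame: bytes) -> Optional[str]:
    """Return a protocol label if the frame would be flooded to all ports on a
    switched segment, or None for unicast traffic the switch keeps away from a
    passive listener."""
    if len(frame) < 14:
        return None
    dst, _src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if not is_broadcast_or_multicast(dst):
        return None
    if ethertype == ETH_ARP:
        return "ARP"
    if ethertype != ETH_IPV4 or len(frame) < 34:
        return "other-bcast"
    ihl = (frame[14] & 0x0F) * 4          # IPv4 header length in bytes
    proto = frame[23]                     # IPv4 protocol field
    if proto != PROTO_UDP or len(frame) < 14 + ihl + 8:
        return "other-bcast"
    _sport, dport = struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])
    return NOISY_UDP_PORTS.get(dport, "other-bcast")


def summarize(frames: Iterable[bytes]) -> Counter:
    """Count flooded frames per protocol; unicast frames are ignored."""
    return Counter(label for f in frames if (label := classify_frame(f)) is not None)


# --- Constructed sample frames (assumed addresses, not a real capture) ----------

def udp_frame(dst_mac: bytes, dst_ip: bytes, dport: int, payload: bytes = b"") -> bytes:
    """Build Ethernet + IPv4 + UDP with zeroed checksums (enough for parsing)."""
    src_mac = bytes.fromhex("001122334455")
    src_ip = bytes([10, 0, 0, 23])
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", 49152, dport, udp_len, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64,
                     PROTO_UDP, 0, src_ip, dst_ip)
    return dst_mac + src_mac + struct.pack("!H", ETH_IPV4) + ip + udp


BCAST_MAC = b"\xff" * 6
MDNS_MAC = bytes.fromhex("01005e0000fb")   # 224.0.0.251 mapped to Ethernet
LLMNR_MAC = bytes.fromhex("01005e0000fc")  # 224.0.0.252 mapped to Ethernet

SAMPLE_FRAMES = [
    udp_frame(BCAST_MAC, bytes([255, 255, 255, 255]), 67, b"dhcp-discover"),
    udp_frame(BCAST_MAC, bytes([10, 0, 0, 255]), 137, b"nbns-query"),
    udp_frame(LLMNR_MAC, bytes([224, 0, 0, 252]), 5355, b"llmnr-query"),
    udp_frame(MDNS_MAC, bytes([224, 0, 0, 251]), 5353, b"mdns-query"),
    # ARP request: broadcast destination, 28-byte ARP body (zeroed for brevity)
    BCAST_MAC + bytes.fromhex("001122334455") + struct.pack("!H", ETH_ARP) + b"\x00" * 28,
    # Unicast DNS query to the resolver: a switch would not flood this to us
    udp_frame(bytes.fromhex("66778899aabb"), bytes([10, 0, 0, 5]), 53, b"dns-query"),
]

if __name__ == "__main__":
    for proto, n in summarize(SAMPLE_FRAMES).most_common():
        print(f"{proto:<12} {n}")
```

Run as a script it lists one DHCP, NBNS, LLMNR, mDNS and ARP frame each and silently drops the unicast DNS query, which is the practical split: the "hub era" is over, but the flooded protocols are the ones name-poisoning attacks feed on, and turning off LLMNR and NBNS and restricting multicast on access ports removes most of that leak without touching the unicast traffic that is, as the last comment says, largely encrypted now.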

stonethrowaway 18 hours ago

> But "my most favorite type of social engineering is face-to-face," she admitted. In part, this is because it allows her to live out her dream of becoming an actor. "But also it allows me to create really compelling characters, interact with people, and create these more elaborate pretexts."

Her therapist must have a fun time.