Tuesday, June 24, 2008

Physical Security: The Lost Art

I had to visit my local bank today to take care of some papers. As I was sitting across the table talking about how they spelled something wrong on of my documents; I notice that right next to the Manager's office is a small but well packed Server Room.

I immediately started assessing the physical security of that server room and was disappointed by the fact that there was absolutely no access control mechanism; Just a door with a shoe rack outside. A few minutes later and a bit scared about my money, I walked out of the bank and headed back.

As I walked away from the bank, I noticed a LAN wire coming out of a window. This window was positioned exactly where the Server Room had been. Imagine my surprise, a Bank's Server Room has its information transmitted through a exposed LAN wire that is lying on public property?!

This sounds like a bad combination and a easy opportunity to cut, crimp and sniff. I decided to explore this further and see where the LAN wire led me. I walked around the bank and found an Enclosure that the wire was entering. This was of course exposed behind the bank and not monitored by anyone at anytime. Inside this unlocked box were routers, switches, and other devices up for grabs and sniffing.

As a security professional, I am not only appalled by this but might be forced to give them a complimentary penetration testing service for the safety of my own money.


Ragib Hasan said...

May be it's high time you moved your money from that bank!! :)

Yash Kadakia said...

If you can find a bank in India without an SQL Injection on its front page, let me know :(

Security in banks here, is limited to an old guard at the gate who is asleep most of the time.