When Mike Miller was hired by a client to run a penetration test on one of their offices, he knew exactly where to start: Krispy Kreme. Equipped with five dozen donuts (the boxes stacked just high enough to partially obscure his face, Miller said), Miller walked briskly into a side door of his client's offices, tailgating another employee and asking them to hold the door open. Once inside, he cheerfully asked where the break room was, dropped off the donuts, and made small talk.
Then he went to work.
By plugging his laptop into a wired port on the company's network, Miller's machine received an IP address and, immediately after, he was online. Once connected, Miller ran a few scanners that gave him a rough inventory of the company's networked devices. He could see the systems, ports, and services running on the network, and gained visibility into the servers, the workstations, even the printers. Miller also ran a vulnerability scanner to see what weaknesses the network contained, and, after a little probing, he found an easy way to access the physical printers, even peering into their print histories.
Miller's work as a penetration tester means he is routinely hired by clients to do exactly this: to test the security of their own systems, from their physical offices to their networks. And while his covert work doesn't always go like this, he said it isn't uncommon for companies to leave basic flaws in place. When he shared the story on LinkedIn, several people doubted it.
"It's crazy because so many people say 'Well, there's no way you could've just plugged in.' Well, you're right, I should not have been able to do that," Miller said.
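The "just plugged in" moment above leaves a trace a defender can look for: the DHCP server hands out a lease to a MAC address nobody registered. As an added illustration (not code from the episode or from Malwarebytes), the Python below audits a constructed ISC dhcpd syslog excerpt against a hypothetical asset inventory and flags leases for unknown MACs, as well as known MACs whose hostname no longer matches the inventory.

```python
import re
from typing import Dict, List

# Constructed ISC dhcpd syslog excerpt (sample data, not a real capture).
SAMPLE_LOG = """\
Mar  3 08:41:02 dhcp1 dhcpd[911]: DHCPDISCOVER from 00:1a:2b:3c:4d:5e via eth0
Mar  3 08:41:03 dhcp1 dhcpd[911]: DHCPACK on 10.20.4.51 to 00:1a:2b:3c:4d:5e (WS-FINANCE-07) via eth0
Mar  3 09:12:44 dhcp1 dhcpd[911]: DHCPACK on 10.20.4.88 to 3c:22:fb:aa:bb:cc (visitor-laptop) via eth0
Mar  3 09:15:10 dhcp1 dhcpd[911]: DHCPACK on 10.20.4.12 to 00:1a:2b:3c:4d:60 (PRN-BREAKROOM) via eth0
Mar  3 09:20:31 dhcp1 dhcpd[911]: DHCPACK on 10.20.4.51 to 00:1a:2b:3c:4d:5e (unmanaged-pc) via eth0
"""

# Hypothetical asset inventory: MAC address -> hostname registered for that device.
KNOWN_ASSETS: Dict[str, str] = {
    "00:1a:2b:3c:4d:5e": "WS-FINANCE-07",
    "00:1a:2b:3c:4d:60": "PRN-BREAKROOM",
}

# Only completed leases (DHCPACK) matter; the hostname field is optional in dhcpd logs.
ACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)"
)


def audit_leases(log_text: str, inventory: Dict[str, str]) -> List[dict]:
    """Return one finding per DHCPACK whose MAC is not in the inventory, or whose
    hostname differs from the inventoried one (a hint that a known MAC is being
    reused by a different machine)."""
    findings = []
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if not m:
            continue  # DISCOVER/OFFER/REQUEST lines are not leases
        mac, host = m["mac"].lower(), m["host"] or ""
        if mac not in inventory:
            reason = "unknown-mac"
        elif host and host != inventory[mac]:
            reason = "hostname-mismatch"
        else:
            continue
        findings.append({"ip": m["ip"], "mac": mac, "hostname": host,
                         "iface": m["iface"], "reason": reason})
    return findings


if __name__ == "__main__":
    for f in audit_leases(SAMPLE_LOG, KNOWN_ASSETS):
        print(f"{f['reason']:18} {f['ip']:<14} {f['mac']}  {f['hostname']}")
```

On the sample data this reports the visitor laptop as an unknown MAC and the second lease for the finance workstation's MAC as a hostname mismatch; a lease to an unregistered MAC on a wired segment is exactly what port-based access control (802.1X or NAC) is meant to prevent in the first place.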
Today, on Lock and Code with host David Ruiz, we speak with Miller about common problems he's seen in his work as a pen tester, how companies can empower their employees to provide better security, and what the relationship is between physical security and cybersecurity.
Show notes and credits:
Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)