Sign up to save your podcasts
Or
Share Donut breach: Lessons from pen-tester Mike Miller
Share to email
Share to Facebook
Share to X
Share to email
Share to Facebook
Share to X
Or
Donut breach: Lessons from pen-tester Mike Miller
When Mike Miller was hired by a client to run a penetration test on one of their offices, he knew exactly where to start: Krispy Kreme. Equipped with five dozen donuts (the boxes stacked just high enough to partially obscure his face, Miller said), Miller walked briskly into a side-door of his client's offices, tailing another employee and asking them to hold the door open. Once inside, he cheerfully asked where the break room was located, dropped off the donuts, and made small talk.
Then he went to work.
By hard-wiring his laptop into the company's Internet, Miller's machine received an IP address and, immediately after, he got online. Once connected, Miller ran a few scanners that helped him take a rough inventory of the company's online devices. He could see the systems, ports, and services running on the network, and gained visibility into the servers, the work stations, even the printers. Miller also ran a vulnerability scanner to see what vulnerabilities the network contained, and, after a little probing, he learned of an easy way to access the physical printers, even peering into print histories.
Miller's work as a penetration tester means he is routinely hired by clients to do this exact type of work—to test the security of their own systems, from their physical offices to their online networks. And while his covert work doesn't always go like this, he said that it isn't uncommon for companies to allow basic flaws. Even when he shared his story on LinkedIn, several people doubted his story.
"It’s crazy because so many people say ‘Well, there’s no way you could’ve just plugged in.’ Well, you’re right, I should not have been able to do that,” Miller said.
Today, on Lock and Code with host David Ruiz, we speak with Miller about common problems he's seen in his work as a pen-tester, how companies can empower their employees to provide better security, and what the relationship is between physical security and cybersecurity.
Show notes and credits:
Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)
View all episodes
By Malwarebytes
4.8
4848 ratings
When Mike Miller was hired by a client to run a penetration test on one of their offices, he knew exactly where to start: Krispy Kreme. Equipped with five dozen donuts (the boxes stacked just high enough to partially obscure his face, Miller said), Miller walked briskly into a side-door of his client's offices, tailing another employee and asking them to hold the door open. Once inside, he cheerfully asked where the break room was located, dropped off the donuts, and made small talk.
Then he went to work.
By hard-wiring his laptop into the company's Internet, Miller's machine received an IP address and, immediately after, he got online. Once connected, Miller ran a few scanners that helped him take a rough inventory of the company's online devices. He could see the systems, ports, and services running on the network, and gained visibility into the servers, the work stations, even the printers. Miller also ran a vulnerability scanner to see what vulnerabilities the network contained, and, after a little probing, he learned of an easy way to access the physical printers, even peering into print histories.
Miller's work as a penetration tester means he is routinely hired by clients to do this exact type of work—to test the security of their own systems, from their physical offices to their online networks. And while his covert work doesn't always go like this, he said that it isn't uncommon for companies to allow basic flaws. Even when he shared his story on LinkedIn, several people doubted his story.
"It’s crazy because so many people say ‘Well, there’s no way you could’ve just plugged in.’ Well, you’re right, I should not have been able to do that,” Miller said.
Today, on Lock and Code with host David Ruiz, we speak with Miller about common problems he's seen in his work as a pen-tester, how companies can empower their employees to provide better security, and what the relationship is between physical security and cybersecurity.
Show notes and credits:
Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)
More shows like Lock and Code
View all
Freakonomics Radio
32,110 Listeners
Fresh Air
38,232 Listeners
Marketplace
8,773 Listeners
On Point with Meghna Chakrabarti
4,031 Listeners
WSJ Tech News Briefing
1,655 Listeners
Science Friday
6,456 Listeners
Click Here
421 Listeners
Stay Tuned with Preet
32,338 Listeners
Darknet Diaries
8,049 Listeners
Sean Carroll's Mindscape: Science, Society, Philosophy, Culture, Arts, and Ideas
4,176 Listeners
Unpacking Israeli History
1,225 Listeners
Call Me Back - with Dan Senor
3,231 Listeners
On with Kara Swisher
3,519 Listeners
Main Justice
7,015 Listeners
Ask Haviv Anything
926 Listeners