Sign up to save your podcasts
Or
Share Donut breach: Lessons from pen-tester Mike Miller
Share to email
Share to Facebook
Share to X
Share to email
Share to Facebook
Share to X
Or
Donut breach: Lessons from pen-tester Mike Miller
When Mike Miller was hired by a client to run a penetration test on one of their offices, he knew exactly where to start: Krispy Kreme. Equipped with five dozen donuts (the boxes stacked just high enough to partially obscure his face, Miller said), Miller walked briskly into a side-door of his client's offices, tailing another employee and asking them to hold the door open. Once inside, he cheerfully asked where the break room was located, dropped off the donuts, and made small talk.
Then he went to work.
By hard-wiring his laptop into the company's Internet, Miller's machine received an IP address and, immediately after, he got online. Once connected, Miller ran a few scanners that helped him take a rough inventory of the company's online devices. He could see the systems, ports, and services running on the network, and gained visibility into the servers, the work stations, even the printers. Miller also ran a vulnerability scanner to see what vulnerabilities the network contained, and, after a little probing, he learned of an easy way to access the physical printers, even peering into print histories.
Miller's work as a penetration tester means he is routinely hired by clients to do this exact type of work—to test the security of their own systems, from their physical offices to their online networks. And while his covert work doesn't always go like this, he said that it isn't uncommon for companies to allow basic flaws. Even when he shared his story on LinkedIn, several people doubted his story.
"It’s crazy because so many people say ‘Well, there’s no way you could’ve just plugged in.’ Well, you’re right, I should not have been able to do that,” Miller said.
Today, on Lock and Code with host David Ruiz, we speak with Miller about common problems he's seen in his work as a pen-tester, how companies can empower their employees to provide better security, and what the relationship is between physical security and cybersecurity.
Show notes and credits:
Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)
View all episodes
By Malwarebytes
4.7
3939 ratings
When Mike Miller was hired by a client to run a penetration test on one of their offices, he knew exactly where to start: Krispy Kreme. Equipped with five dozen donuts (the boxes stacked just high enough to partially obscure his face, Miller said), Miller walked briskly into a side-door of his client's offices, tailing another employee and asking them to hold the door open. Once inside, he cheerfully asked where the break room was located, dropped off the donuts, and made small talk.
Then he went to work.
By hard-wiring his laptop into the company's Internet, Miller's machine received an IP address and, immediately after, he got online. Once connected, Miller ran a few scanners that helped him take a rough inventory of the company's online devices. He could see the systems, ports, and services running on the network, and gained visibility into the servers, the work stations, even the printers. Miller also ran a vulnerability scanner to see what vulnerabilities the network contained, and, after a little probing, he learned of an easy way to access the physical printers, even peering into print histories.
Miller's work as a penetration tester means he is routinely hired by clients to do this exact type of work—to test the security of their own systems, from their physical offices to their online networks. And while his covert work doesn't always go like this, he said that it isn't uncommon for companies to allow basic flaws. Even when he shared his story on LinkedIn, several people doubted his story.
"It’s crazy because so many people say ‘Well, there’s no way you could’ve just plugged in.’ Well, you’re right, I should not have been able to do that,” Miller said.
Today, on Lock and Code with host David Ruiz, we speak with Miller about common problems he's seen in his work as a pen-tester, how companies can empower their employees to provide better security, and what the relationship is between physical security and cybersecurity.
Show notes and credits:
Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)
More shows like Lock and Code
View all
Science Friday
6,185 Listeners
Security Now (Audio)
1,981 Listeners
Marketplace
8,622 Listeners
Risky Business
364 Listeners
Planet Money
30,734 Listeners
Hacked
182 Listeners
CyberWire Daily
1,013 Listeners
Click Here
408 Listeners
Darknet Diaries
7,921 Listeners
Hacking Humans
311 Listeners
Your Undivided Attention
1,469 Listeners
Cyber Security Headlines
128 Listeners
Risky Bulletin
43 Listeners
Hacker And The Fed
168 Listeners
The 404 Media Podcast
314 Listeners