Chris,
Thanks much for your reply. I feel properly chastised. So I followed
up by phoning IPF and reporting this. They confirmed that a student
named Andy Pung had been to Giltner. He has an IPF ID but usually stays
within the building so does not carry it with him, so when he suddenly
got called to Giltner he did not have his IPF ID. They will talk to him
about that. Nevertheless, I should have refused him access, and my
contact at IPF said that would have been acceptable.
Best,
-- dkm

On 2017-06-01 11:00 AM, Doerr, Chris wrote:
> Hi David
>
> As far as I know, no one should be plugging anything into phone jacks to
> check things unless it is assigned by the IPF Telecom department. If this
> is about a data port instead, it could also be IT Services, or the local
> building IT. But in any case, it seems to me that you should've refused to
> let him plug in until he could prove he was there on official business. All
> IPF employees are issued a separate ID card from their main MSU ID and are
> expected to have it visible at all times. I would think that all IT
> Services employees would be able to prove who they are, and if your building
> has any local IT, that should've been his answer. Anything short of that is
> just you doing that thing you are pointing out in your second paragraph as a
> problem. Personally, I wouldn't have let it pass.
>
> Chris Doerr
> Information Technologist I
> Support Services
> Infrastructure Planning and Facilities
> Michigan State University
> Phone: 517.432.0225 | Fax: 517.353.5001
> [log in to unmask] | ipf.msu.edu
>
>
>
>
> -----Original Message-----
> From: David McFarlane [mailto:[log in to unmask]]
> Sent: Thursday, June 01, 2017 10:49 AM
> To: [log in to unmask]
> Subject: [MSUNAG] Someone checking telephone lines
>
> So a young fellow just showed up unannounced at my office and asked to plug
> some equipment into my telephone jack. He looked all official, with various
> pieces of equipment hanging off his belt and carrying a clipboard. It
> occurred to me that if someone wanted to do some social engineering to get
> me to allow them to plug in some equipment for an attack through my phone
> line, that would do it. Just for kicks, I asked if he had any ID, and he
> said all he could show me was his student ID.
> So I let it pass.
>
> It seems to me that we give a lot of lip service asking people to be
> vigilant about security, and then in practice ask them to drop their guard.
> I myself often go into labs unannounced and start fiddling with equipment
> with no one questioning me -- often I bring to their attention that they
> should not just let me do that (which itself could be a good social
> engineering move). I don't recall getting a memo ahead of time about this
> telephone line check; that would help.
>
> Just passing on some info here.
>
> -- dkm