
"The lock that Pete's company bought used two-factor authentication. First, the entrant would have to swipe an ID card. Then, they'd have to enter a four-digit PIN."
"If you entered more than 10 or 11 digits, the lock would become overloaded and open. If you entered the expected four digits and they were wrong or you didn't swipe a card, the lock would stay closed."
"When the auditor arrived, the senior sysop demonstrated the lock by only entering the expected four digits, avoiding any mention of the vulnerability."
A company seeking ISO 27001 certification faced a significant security vulnerability when its server room lock could be bypassed. The lock required two-factor authentication (an ID card swipe followed by a four-digit PIN), but a junior sysop discovered that entering more than 10 digits would unlock the door without swiping an ID card. A senior sysop reproduced the flaw, which became a pressing issue just before the audit. Rather than fixing the lock, the company withheld the information: the senior sysop demonstrated the lock to the auditor by entering only the expected four digits, so the bypass never came up.
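The failure mode in the story, a keypad that fails open once its input buffer is exceeded, modelled as a small C state machine. This is an added example, not the lock's firmware or anything from the article: the 10-digit buffer, the '#' submit key, the PIN value and the "overload handler resets the hardware and releases the strike" error path are all assumptions chosen to reproduce the symptom the article describes. A fail-closed variant of the same controller sits beside it so the two can be driven through the same key sequences.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define PIN_LEN     4     /* the lock expects a four-digit PIN */
#define DIGIT_BUF   10    /* assumed: the controller buffers at most 10 keypresses */

/* Constructed PIN for the example; not the real lock's code. */
static const char *EXPECTED_PIN = "1234";

typedef struct {
    bool card_ok;                 /* a valid ID card has been swiped (factor 1) */
    char digits[DIGIT_BUF + 1];   /* keypad digits entered so far, NUL-terminated */
    int  ndigits;
    bool unlocked;                /* state of the door strike */
} lock_t;

typedef bool (*keypad_fn)(lock_t *, char);

static void clear_entry(lock_t *l) {
    l->ndigits = 0;
    l->digits[0] = '\0';
}

/* Factor 1: card swipe. Any previously typed digits are discarded. */
void swipe_card(lock_t *l, bool valid_card) {
    l->card_ok = valid_card;
    clear_entry(l);
}

/* Factor 2: the PIN is submitted with '#' (assumption). Correct PIN and a
 * swiped card open the door; anything else leaves it closed. */
static bool submit_pin(lock_t *l) {
    l->unlocked = l->card_ok && strcmp(l->digits, EXPECTED_PIN) == 0;
    l->card_ok = false;           /* both factors are consumed by one attempt */
    clear_entry(l);
    return l->unlocked;
}

/* Fail-open controller: reproduces the symptom from the article. When the
 * digit buffer is full, the "overload" handler resets the hardware, and in
 * this model the reset releases the strike, so the door opens with no card
 * and no valid PIN. Returns true iff the door is open after the keypress. */
bool keypad_fail_open(lock_t *l, char key) {
    if (key == '#')
        return submit_pin(l);
    if (l->ndigits >= DIGIT_BUF) {
        l->unlocked = true;       /* the bug: the error path drops the strike */
        l->card_ok = false;
        clear_entry(l);
        return l->unlocked;
    }
    l->digits[l->ndigits++] = key;
    l->digits[l->ndigits] = '\0';
    return l->unlocked;
}

/* Fail-closed controller: same logic, but an over-long entry is treated as
 * a failed attempt. The entry is wiped, the card factor is invalidated so
 * the user must swipe again, and the strike is never released. */
bool keypad_fail_closed(lock_t *l, char key) {
    if (key == '#')
        return submit_pin(l);
    if (l->ndigits >= DIGIT_BUF) {
        l->unlocked = false;      /* overflow is an error, and errors stay locked */
        l->card_ok = false;
        clear_entry(l);
        return l->unlocked;
    }
    l->digits[l->ndigits++] = key;
    l->digits[l->ndigits] = '\0';
    return l->unlocked;
}

/* Drive a fresh lock through an optional swipe and a key sequence; return
 * whether the door ends up open. */
bool run_sequence(keypad_fn press, bool card_present, const char *keys) {
    lock_t l;
    memset(&l, 0, sizeof l);
    if (card_present)
        swipe_card(&l, true);
    bool open = false;
    for (const char *k = keys; *k; k++)
        open = press(&l, *k);
    return open;
}

int main(void) {
    const char *bypass = "12345678901";   /* 11 digits, no card, no '#' */
    printf("card + 1234#, fail-open  : %d\n", run_sequence(keypad_fail_open,   true,  "1234#"));
    printf("no card, 1234#, fail-open: %d\n", run_sequence(keypad_fail_open,   false, "1234#"));
    printf("11 digits, fail-open     : %d  <- bypass\n", run_sequence(keypad_fail_open, false, bypass));
    printf("11 digits, fail-closed   : %d\n", run_sequence(keypad_fail_closed, false, bypass));
    return 0;
}
```

The point of the contrast is that the authentication logic is identical in both controllers; only the handling of unexpected input differs. The hardened variant treats an over-long entry as a failed attempt rather than a hardware fault, and it also invalidates the card factor, so an overflow cannot be used to skip the swipe and go straight to a PIN retry.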
Read at Theregister