is your data literally walking out the door-presentation
TRANSCRIPT
![Page 1: Is Your Data Literally Walking Out the Door-presentation](https://reader034.vdocuments.us/reader034/viewer/2022042615/55ab193e1a28ab780d8b4614/html5/thumbnails/1.jpg)
Is Your Data Literally
Walking Out the Door?Mike Saunders
@hardwaterhacker
Hardwater Information Security
![Page 2: Is Your Data Literally Walking Out the Door-presentation](https://reader034.vdocuments.us/reader034/viewer/2022042615/55ab193e1a28ab780d8b4614/html5/thumbnails/2.jpg)
About Mike
In IT full-time since 1998
Entered IT Security in 2007
Certifications: CISSP, GPEN, GWAPT, GCIH
Not a professional physical security tester, just curious. And paranoid.
![Page 3: Is Your Data Literally Walking Out the Door-presentation](https://reader034.vdocuments.us/reader034/viewer/2022042615/55ab193e1a28ab780d8b4614/html5/thumbnails/3.jpg)
DISCLAIMER
If you don’t own it or don’t have permission, don’t test it!
Seriously! Don’t do it!
Don’t test on your critical controls unless you have backups
Attempting physical bypass of security mechanisms may result in damage
Make sure you have written authorization with you if you’re attempting a
physical pen test
Have at least two contact numbers
Make sure your contacts will be available in case you get caught
![Page 4: Is Your Data Literally Walking Out the Door-presentation](https://reader034.vdocuments.us/reader034/viewer/2022042615/55ab193e1a28ab780d8b4614/html5/thumbnails/4.jpg)
![Page 5: Is Your Data Literally Walking Out the Door-presentation](https://reader034.vdocuments.us/reader034/viewer/2022042615/55ab193e1a28ab780d8b4614/html5/thumbnails/5.jpg)
Goals
Overview on how attackers see your physical security
Provide information about bypassing common security mechanisms
When you leave here, look at your infrastructure in a new way
Talk about some defenses
We aren’t going to discuss lock picking – there are plenty of resources out
there for this. Know that an attacker could also choose to pick a lock in place
of the bypasses discussed here
![Page 6: Is Your Data Literally Walking Out the Door-presentation](https://reader034.vdocuments.us/reader034/viewer/2022042615/55ab193e1a28ab780d8b4614/html5/thumbnails/6.jpg)
Data Loss / Breach via Physical Theft
2009 - BCBSTN – 57 stolen hard drives = over 1M records
datalossdb.org – ~21% of all lost records due to theft
11% stolen laptop
4% stolen computer
3% stolen document
1% stolen drive
1% stolen media
1% stolen tape
![Page 7: Is Your Data Literally Walking Out the Door-presentation](https://reader034.vdocuments.us/reader034/viewer/2022042615/55ab193e1a28ab780d8b4614/html5/thumbnails/7.jpg)
![Page 8: Is Your Data Literally Walking Out the Door-presentation](https://reader034.vdocuments.us/reader034/viewer/2022042615/55ab193e1a28ab780d8b4614/html5/thumbnails/8.jpg)
Physical security principles
Deter
Lighting, fencing and gates, guards
Deny
Locking mechanisms
Detect
Cameras, motion sensors, glass break sensors, noise sensors, vibration sensors
Delay
Locking cables, higher security locks, attack-resistant safes
![Page 9: Is Your Data Literally Walking Out the Door-presentation](https://reader034.vdocuments.us/reader034/viewer/2022042615/55ab193e1a28ab780d8b4614/html5/thumbnails/9.jpg)
Escalation
Segmentation is important
Perimeter – fencing, gates, exterior entrances
DMZ – reception/receiving areas, common areas
Core – majority of office area
VLANs – higher security than core areas
Computer room, network closet, document storage, drug storage, trade secrets, etc.
Moving from lower security area to higher security area
Controls commensurate with sensitivity of asset
![Page 10: Is Your Data Literally Walking Out the Door-presentation](https://reader034.vdocuments.us/reader034/viewer/2022042615/55ab193e1a28ab780d8b4614/html5/thumbnails/10.jpg)
Surveillance and accessibility
Are there vantage points to observe your facility discretely?
Even if there aren’t, there’s always Google
7’ fences will deter most attackers
8’ with 3-strand barbwire on top, 45 degrees facing outward will deter all but most determined / most to gain
Higher security areas may require multiple perimeters with gates
Hedges and trees are great for privacy for you and potential attackers
Lights act as a weak deterrent, coupled with cameras they act as a detective control
Are there doors only used for exiting?
Are there gaps in the camera coverage?
![Page 11: Is Your Data Literally Walking Out the Door-presentation](https://reader034.vdocuments.us/reader034/viewer/2022042615/55ab193e1a28ab780d8b4614/html5/thumbnails/11.jpg)
Recon
![Page 12: Is Your Data Literally Walking Out the Door-presentation](https://reader034.vdocuments.us/reader034/viewer/2022042615/55ab193e1a28ab780d8b4614/html5/thumbnails/12.jpg)
Street view
![Page 13: Is Your Data Literally Walking Out the Door-presentation](https://reader034.vdocuments.us/reader034/viewer/2022042615/55ab193e1a28ab780d8b4614/html5/thumbnails/13.jpg)
Cameras
![Page 14: Is Your Data Literally Walking Out the Door-presentation](https://reader034.vdocuments.us/reader034/viewer/2022042615/55ab193e1a28ab780d8b4614/html5/thumbnails/14.jpg)
More cameras
![Page 15: Is Your Data Literally Walking Out the Door-presentation](https://reader034.vdocuments.us/reader034/viewer/2022042615/55ab193e1a28ab780d8b4614/html5/thumbnails/15.jpg)
We haz security!O Rly?
![Page 16: Is Your Data Literally Walking Out the Door-presentation](https://reader034.vdocuments.us/reader034/viewer/2022042615/55ab193e1a28ab780d8b4614/html5/thumbnails/16.jpg)
What the? I can’t even.
www.schneier.com
![Page 17: Is Your Data Literally Walking Out the Door-presentation](https://reader034.vdocuments.us/reader034/viewer/2022042615/55ab193e1a28ab780d8b4614/html5/thumbnails/17.jpg)
More fail
![Page 18: Is Your Data Literally Walking Out the Door-presentation](https://reader034.vdocuments.us/reader034/viewer/2022042615/55ab193e1a28ab780d8b4614/html5/thumbnails/18.jpg)
Other thoughts on perimeter security
Easy wins
Doors propped open
Doors unlocked for convenience
Windows open for cooling
Were you expecting that delivery?
![Page 19: Is Your Data Literally Walking Out the Door-presentation](https://reader034.vdocuments.us/reader034/viewer/2022042615/55ab193e1a28ab780d8b4614/html5/thumbnails/19.jpg)
We’ve got doors! Even Locks!
gregvan.com
![Page 20: Is Your Data Literally Walking Out the Door-presentation](https://reader034.vdocuments.us/reader034/viewer/2022042615/55ab193e1a28ab780d8b4614/html5/thumbnails/20.jpg)
Doors with External Hinges
Just pop the hinge pins!
![Page 21: Is Your Data Literally Walking Out the Door-presentation](https://reader034.vdocuments.us/reader034/viewer/2022042615/55ab193e1a28ab780d8b4614/html5/thumbnails/21.jpg)
Protecting hinges
If you must have external hinges, use a secure hinge
Set screw hinges
Stud hinges
Non-removable hinge pin
![Page 22: Is Your Data Literally Walking Out the Door-presentation](https://reader034.vdocuments.us/reader034/viewer/2022042615/55ab193e1a28ab780d8b4614/html5/thumbnails/22.jpg)
Set screw hinge
www.renovation-headquarters.com
![Page 23: Is Your Data Literally Walking Out the Door-presentation](https://reader034.vdocuments.us/reader034/viewer/2022042615/55ab193e1a28ab780d8b4614/html5/thumbnails/23.jpg)
Stud hinge
www.renovation-headquarters.com
![Page 24: Is Your Data Literally Walking Out the Door-presentation](https://reader034.vdocuments.us/reader034/viewer/2022042615/55ab193e1a28ab780d8b4614/html5/thumbnails/24.jpg)
Non-removable hinge
www.renovation-headquarters.com
![Page 25: Is Your Data Literally Walking Out the Door-presentation](https://reader034.vdocuments.us/reader034/viewer/2022042615/55ab193e1a28ab780d8b4614/html5/thumbnails/25.jpg)
Crash (panic) Bar Doors
www.leinbachservices.com
![Page 26: Is Your Data Literally Walking Out the Door-presentation](https://reader034.vdocuments.us/reader034/viewer/2022042615/55ab193e1a28ab780d8b4614/html5/thumbnails/26.jpg)
Bypass and protect a crash bar door
Insert a prying tool here!
A latch plate protector helps prevent prying.
Can possibly be bypassed by tying a small
screw or nail to a piece of string, inserted
behind protector plate, pulled through from
underneath to trigger latch.
Infosecinstitute.com
![Page 27: Is Your Data Literally Walking Out the Door-presentation](https://reader034.vdocuments.us/reader034/viewer/2022042615/55ab193e1a28ab780d8b4614/html5/thumbnails/27.jpg)
J tool door bypass tool
© RiftRecon
![Page 28: Is Your Data Literally Walking Out the Door-presentation](https://reader034.vdocuments.us/reader034/viewer/2022042615/55ab193e1a28ab780d8b4614/html5/thumbnails/28.jpg)
J tool in action
www.vententersearch.com
![Page 29: Is Your Data Literally Walking Out the Door-presentation](https://reader034.vdocuments.us/reader034/viewer/2022042615/55ab193e1a28ab780d8b4614/html5/thumbnails/29.jpg)
TouchSense Crash Bar Doors
If there’s enough room, a piece of copper
wire inserted through door frame and
touched to bar will trigger sensor.
www.katzlerlocks.com
![Page 30: Is Your Data Literally Walking Out the Door-presentation](https://reader034.vdocuments.us/reader034/viewer/2022042615/55ab193e1a28ab780d8b4614/html5/thumbnails/30.jpg)
Well, what do we have here?
![Page 31: Is Your Data Literally Walking Out the Door-presentation](https://reader034.vdocuments.us/reader034/viewer/2022042615/55ab193e1a28ab780d8b4614/html5/thumbnails/31.jpg)
No keys? No problem!
Pick a card. Any card
will do!
![Page 32: Is Your Data Literally Walking Out the Door-presentation](https://reader034.vdocuments.us/reader034/viewer/2022042615/55ab193e1a28ab780d8b4614/html5/thumbnails/32.jpg)
What about lever handles?
![Page 33: Is Your Data Literally Walking Out the Door-presentation](https://reader034.vdocuments.us/reader034/viewer/2022042615/55ab193e1a28ab780d8b4614/html5/thumbnails/33.jpg)
The K-22
© RiftRecon
![Page 34: Is Your Data Literally Walking Out the Door-presentation](https://reader034.vdocuments.us/reader034/viewer/2022042615/55ab193e1a28ab780d8b4614/html5/thumbnails/34.jpg)
K-22 in action
© RiftRecon
![Page 35: Is Your Data Literally Walking Out the Door-presentation](https://reader034.vdocuments.us/reader034/viewer/2022042615/55ab193e1a28ab780d8b4614/html5/thumbnails/35.jpg)
Stealth
© RiftRecon
![Page 36: Is Your Data Literally Walking Out the Door-presentation](https://reader034.vdocuments.us/reader034/viewer/2022042615/55ab193e1a28ab780d8b4614/html5/thumbnails/36.jpg)
K-22 meets crash bar
http://www.theben-jim.com/
![Page 37: Is Your Data Literally Walking Out the Door-presentation](https://reader034.vdocuments.us/reader034/viewer/2022042615/55ab193e1a28ab780d8b4614/html5/thumbnails/37.jpg)
What about the roof?
Access to roof may be gained from adjacent building, tree, or climbing
Rooftop openings often overlooked
Simple locks or no locks at all
May not have additional controls (RFID, cameras, etc.)
Access to ventilation shafts
![Page 38: Is Your Data Literally Walking Out the Door-presentation](https://reader034.vdocuments.us/reader034/viewer/2022042615/55ab193e1a28ab780d8b4614/html5/thumbnails/38.jpg)
We’ve got badge readers!
![Page 39: Is Your Data Literally Walking Out the Door-presentation](https://reader034.vdocuments.us/reader034/viewer/2022042615/55ab193e1a28ab780d8b4614/html5/thumbnails/39.jpg)
And he’s cloning your badge!
![Page 40: Is Your Data Literally Walking Out the Door-presentation](https://reader034.vdocuments.us/reader034/viewer/2022042615/55ab193e1a28ab780d8b4614/html5/thumbnails/40.jpg)
RFID Badge Reader Attacks
Badges can be cloned
$500 buys the hardware to clone cards and brute force RFID badge reader
Proxbrute - http://www.mcafee.com/us/downloads/free-tools/proxbrute.aspx
Larger antennas can be hidden in a clipboard, read from several feet away
Newer HID iCLASS encryption key available for purchase
Resources:
http://www.irongeek.com/i.php?page=videos/derbycon4/t110-advanced-red-
teaming-all-your-badges-are-belong-to-us-eric-smith
http://www.irongeek.com/i.php?page=videos/derbycon3/3303-how-can-i-do-that-
intro-to-hardware-hacking-with-an-rfid-badge-reader-kevin-bong
![Page 41: Is Your Data Literally Walking Out the Door-presentation](https://reader034.vdocuments.us/reader034/viewer/2022042615/55ab193e1a28ab780d8b4614/html5/thumbnails/41.jpg)
Where do I find badges to clone?
Physical observation may lead to favorite lunch places or watering holes
After-hours company events posted online
Wait, didn’t we see something earlier?
![Page 42: Is Your Data Literally Walking Out the Door-presentation](https://reader034.vdocuments.us/reader034/viewer/2022042615/55ab193e1a28ab780d8b4614/html5/thumbnails/42.jpg)
Or go for a
walk
Time to get
on the bus
![Page 43: Is Your Data Literally Walking Out the Door-presentation](https://reader034.vdocuments.us/reader034/viewer/2022042615/55ab193e1a28ab780d8b4614/html5/thumbnails/43.jpg)
What about cameras?
![Page 44: Is Your Data Literally Walking Out the Door-presentation](https://reader034.vdocuments.us/reader034/viewer/2022042615/55ab193e1a28ab780d8b4614/html5/thumbnails/44.jpg)
Who’s got a wire cutter?
www.cabletiesandmore.com www.assecurity.ca
![Page 45: Is Your Data Literally Walking Out the Door-presentation](https://reader034.vdocuments.us/reader034/viewer/2022042615/55ab193e1a28ab780d8b4614/html5/thumbnails/45.jpg)
Wireless cameras?
www.astak.com
![Page 46: Is Your Data Literally Walking Out the Door-presentation](https://reader034.vdocuments.us/reader034/viewer/2022042615/55ab193e1a28ab780d8b4614/html5/thumbnails/46.jpg)
Seek…
And destroy
(or at least jam)
advanced-intelligence.com
![Page 47: Is Your Data Literally Walking Out the Door-presentation](https://reader034.vdocuments.us/reader034/viewer/2022042615/55ab193e1a28ab780d8b4614/html5/thumbnails/47.jpg)
IP cameras (and security systems)
www.cctvcamerapros.com
![Page 48: Is Your Data Literally Walking Out the Door-presentation](https://reader034.vdocuments.us/reader034/viewer/2022042615/55ab193e1a28ab780d8b4614/html5/thumbnails/48.jpg)
IP cameras (and security systems)
…(and the Internet)
![Page 49: Is Your Data Literally Walking Out the Door-presentation](https://reader034.vdocuments.us/reader034/viewer/2022042615/55ab193e1a28ab780d8b4614/html5/thumbnails/49.jpg)
IP Camera + Internet + Weak/Default Creds =
![Page 50: Is Your Data Literally Walking Out the Door-presentation](https://reader034.vdocuments.us/reader034/viewer/2022042615/55ab193e1a28ab780d8b4614/html5/thumbnails/50.jpg)
Blinding a security camera with a laser
www.naimark.net
![Page 51: Is Your Data Literally Walking Out the Door-presentation](https://reader034.vdocuments.us/reader034/viewer/2022042615/55ab193e1a28ab780d8b4614/html5/thumbnails/51.jpg)
You say convenience…
securestate.com
![Page 52: Is Your Data Literally Walking Out the Door-presentation](https://reader034.vdocuments.us/reader034/viewer/2022042615/55ab193e1a28ab780d8b4614/html5/thumbnails/52.jpg)
Oh hai! Come on in!
securestate.com
![Page 53: Is Your Data Literally Walking Out the Door-presentation](https://reader034.vdocuments.us/reader034/viewer/2022042615/55ab193e1a28ab780d8b4614/html5/thumbnails/53.jpg)
Yes, we
have
bypass!
![Page 54: Is Your Data Literally Walking Out the Door-presentation](https://reader034.vdocuments.us/reader034/viewer/2022042615/55ab193e1a28ab780d8b4614/html5/thumbnails/54.jpg)
Motion detector tricks
Slide a notebook under the door
Or…
![Page 55: Is Your Data Literally Walking Out the Door-presentation](https://reader034.vdocuments.us/reader034/viewer/2022042615/55ab193e1a28ab780d8b4614/html5/thumbnails/55.jpg)
![Page 56: Is Your Data Literally Walking Out the Door-presentation](https://reader034.vdocuments.us/reader034/viewer/2022042615/55ab193e1a28ab780d8b4614/html5/thumbnails/56.jpg)
More thoughts on doors and locks
Good locks on bad doors = BAD
Bad locks on good doors = BAD
Master keys are great
Unless you rekey once in every never
Cheap padlocks can be shimmed or picked easily
![Page 57: Is Your Data Literally Walking Out the Door-presentation](https://reader034.vdocuments.us/reader034/viewer/2022042615/55ab193e1a28ab780d8b4614/html5/thumbnails/57.jpg)
You say keypad…
Cheaper than a badge system
Convenient for sharing code between multiple employees
But you have to change the code when employees leave
Analog keypads don’t have brute forcing detection capabilities
But, they can leak information about the code…
![Page 58: Is Your Data Literally Walking Out the Door-presentation](https://reader034.vdocuments.us/reader034/viewer/2022042615/55ab193e1a28ab780d8b4614/html5/thumbnails/58.jpg)
Hrm… I wonder what the code is?
www.schneier.com
![Page 59: Is Your Data Literally Walking Out the Door-presentation](https://reader034.vdocuments.us/reader034/viewer/2022042615/55ab193e1a28ab780d8b4614/html5/thumbnails/59.jpg)
h/t @Rance
![Page 60: Is Your Data Literally Walking Out the Door-presentation](https://reader034.vdocuments.us/reader034/viewer/2022042615/55ab193e1a28ab780d8b4614/html5/thumbnails/60.jpg)
I wonder why those buttons are
so shiny…
www.schneier.com
![Page 61: Is Your Data Literally Walking Out the Door-presentation](https://reader034.vdocuments.us/reader034/viewer/2022042615/55ab193e1a28ab780d8b4614/html5/thumbnails/61.jpg)
Fun with a black light
![Page 62: Is Your Data Literally Walking Out the Door-presentation](https://reader034.vdocuments.us/reader034/viewer/2022042615/55ab193e1a28ab780d8b4614/html5/thumbnails/62.jpg)
Fingerprints from UV pen ink
![Page 63: Is Your Data Literally Walking Out the Door-presentation](https://reader034.vdocuments.us/reader034/viewer/2022042615/55ab193e1a28ab780d8b4614/html5/thumbnails/63.jpg)
Fingerprints from highlighter
![Page 64: Is Your Data Literally Walking Out the Door-presentation](https://reader034.vdocuments.us/reader034/viewer/2022042615/55ab193e1a28ab780d8b4614/html5/thumbnails/64.jpg)
Attacking biometric systems
Biometric signatures (and/or pins) are stored on your access card!
If I can clone your card, I can just put in my own fingerprint/pin
Fingerprints can be duplicated
![Page 65: Is Your Data Literally Walking Out the Door-presentation](https://reader034.vdocuments.us/reader034/viewer/2022042615/55ab193e1a28ab780d8b4614/html5/thumbnails/65.jpg)
Attacking biometric systems
![Page 66: Is Your Data Literally Walking Out the Door-presentation](https://reader034.vdocuments.us/reader034/viewer/2022042615/55ab193e1a28ab780d8b4614/html5/thumbnails/66.jpg)
Defending against biometric attacks
Live tissue verification
Looks for heartbeat and body heat
Iris and retina scanners
![Page 67: Is Your Data Literally Walking Out the Door-presentation](https://reader034.vdocuments.us/reader034/viewer/2022042615/55ab193e1a28ab780d8b4614/html5/thumbnails/67.jpg)
More escalation
False-ceilings adjacent to higher security area
Walls should extend from floor to actual ceiling
Raised flooring can be used if wall does not extend to floor
![Page 68: Is Your Data Literally Walking Out the Door-presentation](https://reader034.vdocuments.us/reader034/viewer/2022042615/55ab193e1a28ab780d8b4614/html5/thumbnails/68.jpg)
Detection gives you the upper hand
Sensors
Door open, glass break, motion, infrared, acoustic, vibration, pressure
Monitor badge system for brute force attacks
Cameras can help identify intruders and what was taken
Test your systems regularly
![Page 69: Is Your Data Literally Walking Out the Door-presentation](https://reader034.vdocuments.us/reader034/viewer/2022042615/55ab193e1a28ab780d8b4614/html5/thumbnails/69.jpg)
Final thoughts
Look at your facility in a new light
Are your doors installed properly?
How are you locks looking?
What about those keypads?
Don’t forget about cameras!
![Page 70: Is Your Data Literally Walking Out the Door-presentation](https://reader034.vdocuments.us/reader034/viewer/2022042615/55ab193e1a28ab780d8b4614/html5/thumbnails/70.jpg)
Other Resources
Videos
http://www.irongeek.com/i.php?page=videos/derbycon4/t110-advanced-red-teaming-all-your-badges-are-belong-to-us-eric-smith
http://www.irongeek.com/i.php?page=videos/derbycon3/3303-how-can-i-do-that-intro-to-hardware-hacking-with-an-rfid-badge-reader-kevin-bong
http://www.youtube.com/watch?v=me5eKw6BP8g
http://www.irongeek.com/i.php?page=videos/derbycon4/t540-physical-security-from-locks-to-dox-jess-hires
Other Resources
http://www.aijcrnet.com/journals/Vol_3_No_10_October_2013/12.pdf
http://resources.infosecinstitute.com/physical-security-managing-intruder/
http://www.slideshare.net/jemtallon/cissp-week-26
https://www.defcon.org/images/defcon-13/dc13-presentations/DC_13-Zamboni.pdf
https://ourarchive.otago.ac.nz/bitstream/handle/10523/1243/BiometricAttackVectors.pdf
https://blog.netspi.com/ada-requirements-opening-doors-for-everyone/
![Page 71: Is Your Data Literally Walking Out the Door-presentation](https://reader034.vdocuments.us/reader034/viewer/2022042615/55ab193e1a28ab780d8b4614/html5/thumbnails/71.jpg)
Credits
Chris Nickerson, Eric Smith, Joshua Perrymon – Lares Consulting
Dave Kennedy - TrustedSec
SecureState
Tim and Jem Jensen
![Page 72: Is Your Data Literally Walking Out the Door-presentation](https://reader034.vdocuments.us/reader034/viewer/2022042615/55ab193e1a28ab780d8b4614/html5/thumbnails/72.jpg)
Any questions?
@hardwaterhacker
http://hardwatersec.blogspot.com/