Physical Security In The Workplace


Physical Security In the Workplace presentation given at Hacker Halted Miami 2008 by Doug Farre and Mitch Capper.

Speaker notes (by slide timestamp):
  • Intro - Ourselves and background; talk name; tag line. Background in mechanical locks and mechanical lock compromise. My personal background: currently do project management at a medium-size IT service company; recently gave presentations in New York and Las Vegas on recent high security lock compromises and identification card security.
  • 0:22 - Half a day's worth of material in 45 minutes. Not covering: mechanical or high security locks, exploits, or what to buy. Goal: help you understand and evaluate secure areas. Those details don't affect much except which locks to stay away from and what to buy (which we could easily just tell you straight up). This is a broader topic.
  • 0:53 - First step is deciding what to secure, then what money you are comfortable spending to secure it. What is important to you, and how much money do you have?
  • 1:19 - Let's talk about your security budget. "What security budget?" Yearly budget. Not always the case, but most invest once in physical security vs. ongoing in virtual. Some are saying "what security budget?" Many organizations have a virtual security budget allocation but choose to invest in physical security on a case-by-case basis. One of the goals of this presentation is to help you realize that virtual security should have its own separate budget allocation.
  • 1:45 - Best case. Slides.
  • 2:00 - Slides. Apple firmware key logger. Live malware, even in generic download malware.
  • 4:05 - Slides.
  • 4:30 - Slides.
  • 5:30 - Internal and external espionage both use physical attacks as low-skill methods. FBI: 100 billion. End game for a business. Social engineering plus minimal physical access was all that was required for most major espionage. It takes someone with training to compromise a secure virtual system.
  • 6:25 - Don't need social engineering, but it doesn't hurt.
  • 6:45 - 5 main areas. Slides. Electronic access control: wide range. Egress: any hardware involved in getting in/out; frequently overlooked.
  • 7:50 - Let's talk latches. What standard latches are; found in all exits and some entries. Slides. A latch is in every door that will remain closed without being locked. To open a latch just means depressing it. Guards prevent shimming. Deadlatch: if the bar is all the way out then the latch can be depressed.
  • 9:50 - Most don't think about these. Slides. Simple under-door tool / balloon. Push bars: for exits, but drill a hole and use a wire. Button: access from the other side. Infrared/motion sensor: wiggle under the door, balloon.
  • 12:00 - Once understood, not overly complex/secure. Read slides. False alarms / remote / response time.
  • 15:40 - Things the attacker won't know / will trip / etc. Slides.
  • 16:15 - Cameras are good; they record a lot, and if the resolution is OK they are good for identification. Not aware of breaches right away. Even with 24/7 monitoring it is not obvious. ID cards not inspected; easy to dupe. Guards respond, they don't detect; two guards.
  • 18:10 - Easy to replay streams. Hard to cover all areas. Most are not high quality.
  • 18:35 - EAC used by most major medium/large and some small organizations. Slides. Auditing not always secure.
  • 19:30 - Slides.
  • 20:50 - Slides. Images. Tolerances. Lifted/captured. Photoshop.
  • 22:40 - Slides. Use comfort vs. tolerances. Keystrokes easy to analyze.
  • 24:35 - Slides.
  • 27:00 - Slides. Zac Franken: Replay, Deny, Escalate, output. Rolling code garage/IR devices.
  • 29:50 - Slides.
  • 30:00 - Slides.
  • 31:15 - Slides.
  • 31:55 - What most people think of. Slides.
  • 32:45 - Similar to past shimming. Slides.
  • 33:40 - Slides.
  • 35:30 - Combo lock/egress attack. Slides.
  • 36:00 - Slides. 2-15 minutes for a locksmith. Talk about how it can be done over time: a working key prepped beforehand for use later.
  • 36:45 - Slides. Works on all non-high-security and some high security locks. Under 5 minutes of instruction.
  • 37:30 - Slides.
  • 38:30 - Give examples of each: bumping Mul-T-Lock or Primus, rights amplification on Medeco/Primus/ASSA, or key duplication on Medeco M3. Slides.
  • 39:30 - Slides.
  • 40:05 - Slides.
  • 41:50 - Slides.
  • 42:15 - Slides.
  • 43:00 - Slides.
Slide transcript:

    1. Avoiding getting owned without knowing it
       Physical Security in the Workplace
       By: Mitch Capper and Doug Farre

    2. This Presentation
       • We only have 45 minutes
       • Won't be covering:
         • Mechanical lock details
         • High security mechanical lock details
         • Latest high security exploit details
       • Goal is to help you evaluate a 'secure' area to see possible holes in security

    3. What is most important to you?
       • Your Data
       • Your Contacts
       • Your Customers' Confidence
       • Your Inventory
       • Your Employees

    4. Security Budget
       • Virtual Security:
         • Firewalls
         • Anti-virus
         • IDSs
         • VPNs
         • System administrators
         • Auditing and review
         • Segmented networks
         • Encryption and training
         • Software updates and Group Policies

    5. Your Virtual Security Setup
       • IS GREAT
       • Keeps the virtual bad guys out
       • Stops drive-by and 0-day exploits like no other
       • Has kept your company secrets secure for many years

    6. Compromising Virtual Security
       • Physical key loggers
       • BIOS-level rootkits with FDE and virtualization
       • Live malware
       • Cold boot attacks

    7. Physical Security is Trump
       • Most virtual security monitors the border
       • Secure data can only be defined as offline and encrypted
       • At the end of the day there is only one undeniable fact:
       • Physical access means 100% data vulnerability

    8. Why don't people think about Physical Security?
       • Don't think it's a threat
       • Impossible to secure
       • Not enough resources or knowledge
       • Haven't got around to it

    9. Espionage
       • Frequently uses physical attacks
       • Over 100 billion annually in cost
       • Large attacks can be "game over"
       • Social engineering with minimal physical attacks has accomplished most large attacks

    10. Social Engineering and Information Gathering
       • Social Engineering:
         • Co-worker
         • Salesman
         • Interviews
         • Reference checks
         • Impersonation
       • Information Gathering:
         • Interviews
         • Prospective clients
         • Public tours
         • Dumpster diving
         • Off-site observation
         • Internet

    11. Let's Talk Physical Security
       • Breaks down to 5 main areas:
         • Mechanical Access Control
         • Electronic Access Control
         • Alarm Systems
         • Surveillance
         • Egress Devices

    12. Egress Devices: Latches
       • Latches
       • Guards
       • Deadlatches

    13. Egress Devices: Continued
       • Push bars
       • Button releases
       • Infrared/motion sensors

    14. Alarm Systems
       • Must be hardwired
       • Expensive install
       • 4 main sensor connection types:
         • Trip on fail
         • Circuit always connected
         • 'Constant monitoring'
         • Magnetic coupling
       • Use GSM or phone for reporting
       • Spend most of their time off
       • Response time

    15. Alarm Systems: Considerations
       • Take advantage of unconventional technologies:
         • Alarmed glass
         • Photoelectric controls
         • Pull-trip switches
         • Stress detectors
         • Vibration sensors
         • Sound monitoring sensors
         • Ultrasonic motion sensors

    16. Surveillance
       • CCTV: primarily a forensic tool; partial deterrent
       • ID cards: only good for casual ID
       • Guards: response; two-person rule

    17. Surveillance

    18. Electronic Access Control
       • Handling of lost keys/terminated employees
       • Easy to reprogram/rekey
       • Advanced control (blackout times, use counts etc…)
       • Provides AUDITING
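The auditing an EAC system provides is only worth something if someone reviews it against the intended policy. As an added example that is not part of the presentation, the Python below checks a constructed controller audit trail for grants that the controls on this slide should have prevented: a revoked card (lost key or terminated employee) still being honoured, a grant inside a blackout window, or a door's daily use count being exceeded. The log format and the policy values are assumptions made for the example.

```python
from collections import Counter
from datetime import datetime, time

# Constructed sample audit trail (not real data): timestamp, door, card, decision.
AUDIT_LOG = """\
2008-10-01T08:05:00 door=lobby card=1001 result=granted
2008-10-01T23:40:00 door=server-room card=1002 result=granted
2008-10-01T09:12:00 door=server-room card=1003 result=granted
2008-10-01T09:30:00 door=server-room card=1003 result=granted
2008-10-01T09:41:00 door=server-room card=1003 result=granted
2008-10-01T10:02:00 door=lobby card=1004 result=denied
"""
# Assumed policy: card 1002 is revoked (lost card / terminated employee), the
# server room is in blackout 22:00-06:00 and limited to two uses per card per day.
POLICY = {
    "revoked": {1002},
    "blackout": {"server-room": (time(22, 0), time(6, 0))},
    "max_uses_per_day": {"server-room": 2},
}
def in_blackout(t: time, window: tuple) -> bool:
    """True if t falls inside the window; the window may wrap past midnight."""
    start, end = window
    return (t >= start or t < end) if start > end else (start <= t < end)

def parse_event(line: str) -> dict:
    ts, *fields = line.split()
    ev = dict(f.split("=", 1) for f in fields)
    ev["ts"], ev["card"] = datetime.fromisoformat(ts), int(ev["card"])
    return ev

def audit(log: str, policy: dict) -> list:
    """Return (timestamp, card, door, reason) for every grant the policy forbids."""
    findings, uses = [], Counter()
    for ev in map(parse_event, log.splitlines()):
        if ev["result"] != "granted":
            continue  # denials are the controller doing its job
        key = (ev["card"], ev["door"], ev["ts"].date())
        uses[key] += 1
        window = policy["blackout"].get(ev["door"])
        limit = policy["max_uses_per_day"].get(ev["door"])
        if ev["card"] in policy["revoked"]:
            reason = "revoked card still active"
        elif window and in_blackout(ev["ts"].time(), window):
            reason = "grant inside blackout window"
        elif limit is not None and uses[key] > limit:
            reason = "use count exceeded"
        else:
            continue
        findings.append((ev["ts"].isoformat(), ev["card"], ev["door"], reason))
    return findings
```

Each finding is a grant the controller made that the written policy says it should not have, which is exactly the kind of configuration drift the "auditing not always secure" note warns about.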
    19. EAC: Keypads
       • Most are fairly weak
       • Scramble pads can be good

    20. EAC: Biometrics / Physical Characteristics
       • Fingerprints and hand geometry
       • Facial recognition
       • Vein mapping
       • Retinal scanning

    21. EAC: Biometrics / Behavioral Characteristics
       • Voice mapping (VoiceVault: phone verification)
       • Keystroke biometrics (BioPassword: keystroke behavior; think Morse code during WWII)
       • Signature dynamics

    22. EAC: Cards
       • Barcode / concealed barcode cards
       • Mag stripe cards
       • RFID / prox cards
       • Smart cards

    23. EAC: Fail
       • Most devices/systems use the Wiegand protocol: think clear text over hard wire
       • Mechanical lock backup
       • No destructive attack resistance
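To make the "clear text over hard wire" point concrete, here is an added example (not from the presentation) that decodes and encodes the common 26-bit Wiegand frame in Python. The frame carries a facility code and a card number protected by nothing but two parity bits, so anyone who can read the two data lines between reader and controller sees the whole credential. The frame layout is the standard 26-bit format; the facility code and card number used are constructed values.

```python
# Standard 26-bit Wiegand frame, MSB first:
#   bit 1      even parity over bits 2-13
#   bits 2-9   8-bit facility code
#   bits 10-25 16-bit card number
#   bit 26     odd parity over bits 14-25
# Parity is the only check: it catches one flipped bit on the wire and nothing
# more. There is no encryption and no reader-specific secret in the frame.

def parse_wiegand26(bits: str) -> dict:
    """Decode a frame given as 26 characters of '0'/'1'."""
    if len(bits) != 26 or set(bits) - {"0", "1"}:
        raise ValueError("expected 26 characters of '0'/'1'")
    body = bits[1:25]
    even_ok = bits[:13].count("1") % 2 == 0   # parity bit + first 12 data bits
    odd_ok = bits[13:].count("1") % 2 == 1    # last 12 data bits + parity bit
    return {
        "facility": int(body[:8], 2),
        "card": int(body[8:], 2),
        "parity_ok": even_ok and odd_ok,
    }

def encode_wiegand26(facility: int, card: int) -> str:
    """Build the frame a reader sends for the given credential."""
    if not (0 <= facility < 256 and 0 <= card < 65536):
        raise ValueError("facility fits 8 bits, card number fits 16 bits")
    body = format(facility, "08b") + format(card, "016b")
    ep = str(body[:12].count("1") % 2)        # makes bits 1-13 even
    op = str(1 - body[12:].count("1") % 2)    # makes bits 14-26 odd
    return ep + body + op

if __name__ == "__main__":
    # Constructed credential values, not from any real system.
    frame = encode_wiegand26(42, 1234)
    print(frame, parse_wiegand26(frame))
```

Running it shows the facility code and card number falling straight out of the bit string, which is why this slide lists Wiegand under "EAC: Fail" and the later slides call for dual authentication with a separate mechanical layer.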
    24. Mechanical Locks: Attacks
       • Key duplication
       • Bumping
       • Picking
       • Impressioning
       • Rights escalation in master key systems
       • Bypass

    25. MLA: Key Duplication
       • All non high security locks
       • Some high security locks
       • Key duplicators
       • Clay molding
       • Silicone casting

    26. MLA: Bumping
       • Requires a bump key: a blank or key in the system, and a file
       • Can be purchased online for under $5 a key
       • All non high security
       • Some high security
       • Low barrier to entry

    27. MLA: Picking
       • Most people can pick an easy lock within 5-30 minutes of first being given the tools and minimal instruction
       • Within months of casual practice most can open most non-high security locks, both pin tumbler and wafer
       • Large picking community

    28. MLA: Bypass - Shimming
       • Padlock shimming
       • Handcuff shimming

    29. MLA: Lock Bypasses
       • Medeco deadbolts
       • Master Lock 175
       • American padlocks

    30. MLA: Adams Rite Wires
       • Affected huge numbers of locks
       • Lock/egress combined attack

    31. MLA: Impressioning
       • Key from the lock
       • Key blanks, file
       • Skilled attack
       • The art of a locksmith

    32. MLA: Rights Escalation in MK Systems
       • Matt Blaze from AT&T Labs, 2002
       • No technical skill required
       • One key to the system, one lock, 5-7 key blanks, and a file
       • Under-desk attack

    33. High Security Locks
       • Abloy, ASSA, BiLock, Medeco, Mul-T-Lock, Schlage (Primus)
       • Should be:
         • Bump resistant
         • Hard to pick
         • Hard to duplicate keys
         • Hard to drill
       • Industrial locks

    34. HSL: Problems
       • Changing keys is a pain
       • Even some high security locks suffer from varying degrees of standard attacks (bumping, rights amplification, key duplication)
       • Getting unique blanks is very hard for anyone short of the largest companies

    35. HSL: Ground Zero
       • Mechanical locks are usually what sits between the outside world and the sensitive data
       • One of the few active preventions
       • Low investment can greatly enhance security
       • Frequently overlooked

    36. Electronic vs Mechanical

    37. Proper Physical Security
       • Layers
       • Look not just at how you are supposed to enter, but at alternate methods/exit ways
       • Dual authentication: separate electronic and mechanical authentication

    38. Combined Physical/Electronic Locks
       • Combined cylinders (say ASSA ABLOY brand's CLIQ) try to bridge gaps and minimize costs
       • Most brand systems (Medeco, ASSA, Mul-T-Lock) are already compromised
       • Abloy Protec CLIQ still safe (also the only mechanical lock for that matter)

    39. Closing Points
       • Use your imagination!
       • Never underestimate the attacker!

    40. Questions?
       • Our email is at SecuritySnobs dot com (first name @)
       • Mitch Capper
       • Doug Farre

    41. MLA: Rights Escalation: The How
       • File each of the 5 keys to the same depths as the normal user key, skipping one position on each key
       • Put the non-working key in the door and try it
       • If it doesn't work, file the one unfiled position
       • Try again until it works
       • If it works and is the same height as the normal key, keep filing; otherwise the key is done
       • Once all keys are done, compare each to the original and make the GMK from the differing heights
    41. 41. MLA: Rights Escalation – The How<br />File each of the 5 keys to the same depths of the normal user key skipping one of each position on each key<br />Put non working key in door try it<br />If doesn’t work file the one unfiled position<br />Try again until works<br />If works and is same height as normal key keep filing, otherwise the key is done<br />Once all keys are done, compare each to the original and make the GMK of different heights<br />