1. Avoiding getting owned without knowing it: Physical Security in the Workplace
By: Mitch Capper and Doug Farre
2. This Presentation
- We only have 45 minutes
- Won’t be covering: mechanical lock details, high security mechanical lock details, latest high security exploit details
- Goal is to help you evaluate a ‘secure’ area to see possible holes in security
3. What is most important to you?
- Your Data
- Your Contacts
- Your Customers’ Confidence
- Your Inventory
- Your Employees
4. Security Budget
Virtual Security:
- Firewalls
- Anti-virus
- IDSs
- VPNs
- System administrators
- Auditing and review
- Segmented networks
- Encryption and training
- Software Updates and Group Policies
5. Your Virtual Security Setup IS GREAT
- Keeps the virtual bad guys out
- Stops drive-by and 0-day exploits like no other
- Has kept your company secrets secure for many years
6. Compromising Virtual Security
- Physical key loggers
- BIOS-level rootkits with FDE and virtualization
- Live malware
- Cold boot attacks
7. Physical Security is Trump
- Most virtual security monitors the border
- Secure data can only be defined as offline and encrypted
- At the end of the day there is only one undeniable fact: Physical Access means 100% data vulnerability
8. Why don’t people think about Physical Security?
- Don’t think it’s a threat
- Impossible to secure
- Not enough resources or knowledge
- Haven’t got around to it
9. Espionage
- Frequently uses physical attacks
- Over 100 billion annually in cost
- Large attacks can be “game over”
- Social Engineering with minimal physical attacks has accomplished most large attacks
10. Social Engineering and Information Gathering
Social Engineering:
- Co-worker
- Salesman
- Interviews
- Reference checks
- Impersonation
Information Gathering:
- Interviews
- Prospective clients
- Public tours
- Dumpster diving
- Off-site observation
- Internet
11. Let’s Talk Physical Security
Breaks down to 5 main areas:
- Mechanical Access Control
- Electronic Access Control
- Alarm Systems
- Surveillance
- Egress Devices
14. Alarm Systems
- Must be hardwired
- Expensive install
- 4 main sensor connection types: Trip on fail; Circuit always connected; ‘Constant Monitoring’; Magnetic coupling
- Use GSM or phone for reporting
- Spend most of their time off
- Response time
18. Electronic Access Control
- Handling of lost keys / terminated employees
- Easy to reprogram/rekey
- Advanced control (blackout times, use counts, etc.)
- Provides AUDITING
23. EAC: Fail
- Most devices/systems use the Wiegand protocol: think clear text over hard wire
- Mechanical lock backup
- No destructive attack resistance
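To make the “clear text over hard wire” point concrete, here is an added example (not code from the presentation or from any vendor) that encodes and decodes the common 26-bit Wiegand frame a reader sends to its controller. The bit layout is the standard 26-bit format; the facility code and card number used below are constructed sample values. The decoder needs no key or secret, which is the whole problem: whatever the reader sends down the wire is the credential itself. The two parity bits are an error check for wiring faults, not an integrity check, and the last function shows that flipping two bits in the same half of the frame passes parity unnoticed.

```python
"""
Wiegand 26-bit frame encoder/decoder (added example, not the presentation's code).

Frame layout (bit 0 sent first):
  bit 0       even parity over bits 1..12
  bits 1..8   facility code (8 bits)
  bits 9..24  card number (16 bits)
  bit 25      odd parity over bits 13..24
"""

FC_BITS = 8    # facility code width
CN_BITS = 16   # card number width


def encode_w26(facility_code: int, card_number: int) -> str:
    """Return the 26-bit frame as a '0'/'1' string, first-transmitted bit first."""
    if not 0 <= facility_code < (1 << FC_BITS):
        raise ValueError("facility code out of range")
    if not 0 <= card_number < (1 << CN_BITS):
        raise ValueError("card number out of range")
    data = f"{facility_code:08b}{card_number:016b}"   # the 24 payload bits, in the clear
    left, right = data[:12], data[12:]
    even_p = str(left.count("1") % 2)                 # makes bits 0..12 contain an even number of ones
    odd_p = str(1 - right.count("1") % 2)             # makes bits 13..25 contain an odd number of ones
    return even_p + data + odd_p


def decode_w26(frame: str):
    """Parse a captured frame; return (facility_code, card_number), or None if parity fails."""
    if len(frame) != 26 or set(frame) - {"0", "1"}:
        return None
    data = frame[1:25]
    if int(frame[0]) != data[:12].count("1") % 2:     # even parity mismatch
        return None
    if int(frame[25]) != 1 - data[12:].count("1") % 2:  # odd parity mismatch
        return None
    # No secret is involved: the payload bits are the credential.
    return int(data[:FC_BITS], 2), int(data[FC_BITS:], 2)


def flip_bits(frame: str, positions) -> str:
    """Return a copy of the frame with the given bit positions inverted (simulated line errors)."""
    bits = list(frame)
    for p in positions:
        bits[p] = "1" if bits[p] == "0" else "0"
    return "".join(bits)


if __name__ == "__main__":
    # Constructed sample credential: facility code 123, card number 45678.
    frame = encode_w26(123, 45678)
    print("on the wire:", frame)
    print("decoded without any key:", decode_w26(frame))
    print("one-bit error detected:", decode_w26(flip_bits(frame, [3])) is None)
    print("two-bit error in same half passes parity:", decode_w26(flip_bits(frame, [3, 4])))
```

Design note: the only defence the wire itself offers is the parity pair, so a controller log that records “card 45678 presented at door 3” proves the bits arrived, not who sent them. Where the reader and controller both support it, OSDP with Secure Channel (the SIA standard that replaces Wiegand with an encrypted, authenticated link) removes the clear-text exposure; otherwise the reader cabling has to be treated as part of the protected perimeter.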
24. Mechanical Locks: Attacks
- Key Duplication
- Bumping
- Picking
- Impressioning
- Rights Escalation in Master Key Systems
- Bypass
25. MLA: Key Duplication
- All non-high security locks
- Some high security locks
- Key duplicators
- Clay molding
- Silicone casting
26. MLA: Bumping
- Requires a bump key: a blank or a key in the system, and a file
- Can be purchased online for under $5 a key
- All non-high security, some high security
- Low barrier to entry
27. MLA: Picking
- Most people can pick an easy lock within 5-30 minutes of first being given the tools and minimal instruction
- Within months of casual practice most can open most non-high security locks, both pin tumbler and wafer
- Large picking community: www.lockpicking101.com
30. MLA: Adams Rite Wires
- Affected huge numbers of locks
- Lock/egress combined attack
31. MLA: Impressioning
- Key from the lock
- Key blanks, file
- Skilled attack
- The art of a locksmith
32. MLA: Rights Escalation in MK Systems
- Matt Blaze from AT&T Labs, 2002
- No technical skill required
- One key to the system, one lock, 5-7 key blanks, and a file
- Under-desk attack
33. High Security Locks
- Abloy, ASSA, Bilock, Medeco, Mul-T-Lock, Schlage (Primus)
- Should be: bump resistant, hard to pick, hard to duplicate keys, hard to drill
- Industrial locks
34. HSL: Problems
- Changing keys is a pain
- Even some high security locks suffer from varying degrees of standard attacks (bumping, rights amplification, key duplication)
- Getting unique blanks is very hard for anyone short of the largest companies
35. HSL: Ground Zero
- Mechanical locks are usually what is in between the outside world and the sensitive data
- One of few active preventions
- Low investment can greatly enhance security
- Frequently overlooked
37. Proper Physical Security Layers
- Look not just at how you are supposed to enter, but at alternate methods and exit ways
- Dual authentication: separate electronic and mechanical authentication
38. Combined Physical/Electronic Locks
- Combined cylinders (say, the Assa Abloy brand’s Cliq) try to bridge gaps and minimize costs
- Most brand systems (Medeco, Assa, Mul-T-Lock) are already compromised
- Abloy Protec Cliq still safe (also the only mechanical lock for that matter)
40. Questions?
Our email is at @SecuritySnobs dot com (first name @)
Mitch Capper
Doug Farre
41. MLA: Rights Escalation – The How
- File each of the 5 keys to the same depths as the normal user key, skipping one of the positions on each key
- Put the non-working key in the door and try it
- If it doesn’t work, file the one unfiled position
- Try again until it works
- If it works and is the same height as the normal key, keep filing; otherwise the key is done
- Once all keys are done, compare each to the original and make the GMK of the different heights
Editor’s Notes
-Ourselves and Background-Talk name-Tag Line*Background in mechanical locks and mechanical lock compromise*My personal background: currently do project management at a medium size IT service company; recently gave presentations in New York and Las Vegas on recent high security lock compromises, and identification card security
0:22-Half day talk’s worth of material in 45 min-Not: mechanical or high sec locks or exploits, buying-Help you understand and evaluate secure areas*These things don’t affect much except what locks to stay away from and what to buy (which we could easily just tell you straight up).*Broader topic
0:53-First step is deciding what to secure-Then what money you are comfortable spending to secure it*What is important to you, and how much money do you have?
1:19-Let’s talk about your security budget-What Security Budget?-Yearly budget-Not always the case but most invest once in physical security vs ongoing on virtual*Let’s talk about your security budget, some are saying “what security budget?”*Many organizations have a virtual security budget allocation but choose to just invest in physical security on a case by case basis*One of the goals of this presentation is to help you realize that virtual security should have its own separate budget allocation
1:45-Best Case-slides
2:00-Slides-Apple firmware key logger-Live malware even in generic download malware
4:05-Slides
4:30-Slides
5:30-Internal and External espionage both use physical attacks as low skill-FBI 100 Billion-End game for biz-Social Engineer + minimal phys all that was required for most major espionage*Takes someone with training to compromise a secure virtual system
6:25-Don’t need Social Engineering but it doesn’t hurt
6:45-5 main areas-Slides*Electronic AC: wide range *Egress: any hardware that involves in/out – frequently overlooked.
7:50-Let’s talk latches-What are standard latches / found in all exits and some entries-slides*A latch is in all doors that will remain closed without being locked*To open a latch just means depressing it*Guards: prevent shimming*Deadlatch (if the bar is all the way out then the latch can be depressed)
9:50-Most don’t think about-Slides-Simple under door / balloon*push bars – for exits but drill a hole and use a wire*button: access from the other side*infrared/motion sensor: wiggle under door, balloon
12:00-Once understood not overly complex/secure-Read Slides-false alarms / remote / response time
15:40-Things attacker won’t know / will trip / or etc…-Slides
16:15-Cameras good, record lots, if resolution OK good for identification-Not aware of breaches right away-Even 24/7 monitored not obvious-ID cards not inspected, easy dupe-Guards respond not detect, 2 guards
18:10-Easy replay streams-Hard to cover all areas-Most not High Quality
18:35-EAC used by most major medium/large and some small-Slides-Auditing not always secure