Harmonizing Regulatory Compliance and Risk Management:

security compromise


Dec 16 2009   2:52PM GMT

Circumventing Physical Security Controls - A Red Team Assessment



Posted by: Jeromie Jackson
security compromise, physical pentest, physical penetration test, red team assessment, hacking, spy pen, RFID cloning

Our customer occupies the entire 3rd and 4th floors in a 4-story multi-tenant building. We took a variety of pictures and videos during this day, identifying and documenting the countermeasures and areas of weakness. One of my favorite new toys is a video camera, microphone and 3 megapixel camera that is housed in a pen.

Spy Pen

Not only does it produce a good picture and video, it was VERY cheap! I also walked several areas using my Blackberry, acting as though I was texting while walking, when in reality I was videotaping the environment. Primary takeaways were large gaps in the front doors, the lack of motion detectors on the 1st floor, access to the plunger on a poorly installed interior door, and identification of the datacenter. Monitoring the location, we noted that the guards leave at 10PM. The cleaning crew appeared to set all of the alarms on their way out.

First Floor Entrance

We did not have all the equipment to clone HID cards, thus our attack did not include cloning HID cards; however, it is very easy. If you’re interested I recommend checking out RFIDIOt. Also, to see how vulnerable HID cards are I recommend checking out this video from Padget that shows a simple cloning device. For a fairly expensive, long-range HID reading capability, check out this more elaborate long-range HID/RFID cloning setup.

At approximately 12:30AM we arrived on-site. The back door is protected by a HID proximity system. Shoving a wire hanger covered in a piece of paper through the door, we attempted, and were able, to trip the motion sensor. “CLICK,” went the pins keeping the door closed, but the doors did not open. The plunger/break-away bar was still keeping the door locked. We hit the street-side door and attempted to pick a Schlage lock for a minute or two. The amount of police traffic was too high, so we left the door. Having severely compromised the organization during the day, my cohort was ready to call it a night. Having a “get out of jail free card,” and being up at 1AM, I wasn’t so eager to give up. I went back home, bent up every round bar I had. I needed something I could shove through the door, turn it, and then use it to pull the plunger, opening the door.

Break-in-bars

I had that may fit through the door, and off I was for another hit on the building. I called my cohort and told him I would call him back in 30 minutes, successful or not. We needed a strong enough bar we could push through the gap in the doors, and then turn to use to pull the plunger closed. Eight minutes on the back door, and “POP,” I was in! The bent wire above with the needle-nose pliers was the tool that breached the door. I called my accomplice, “I’m In!!!,” I told him and he was on his way to help complete the job.

Awaiting Backup

Making it into the first floor, due to poorly installed exterior doors, I called my buddy and called the troops in. After calling my wife, letting her know it was going to be a long night, I waited. All the doors in the hallway, except the stairwell, were locked. Not even the bathrooms were left unlocked. After approximately 15 minutes I heard someone yanking on the doors, then I heard radios going off. “It looks like someone tried to shim the door, there are fresh scratch marks,” I heard across the radio transmissions. Burrowing under the first floor stairwell with my bent bar, coat hanger, and get-out-of-jail-free letter, I shivered for over 15 minutes. I couldn’t call my buddy as there wasn’t service under the stairwell. After approximately 15 minutes the noise had ended; the police had left as nothing was tripped in the facility. We had entered the building and had 5 hours until security would be returning the following morning. My next blog will document getting into the interior offices and compromising the datacenter. Make sure to follow me on Twitter!

Dec 15 2009   9:24PM GMT

Social Security Numbers Compromised (20,000+) in a Physical Security Breach



Posted by: Jeromie Jackson
security compromise, social security #'s, security breach, physical security, red team, evading motion sensors, HID Proximity, lock picking, security pins, information security, risk management, hacked, breaching physical security


An organization in California recently found a note in their data center one morning. It said “Dear Administrator, Please Call XXX-XXX-XXXX in order to discuss last night’s physical security breach.” “This has to be a joke,” the administrator thought. The organization has security guards, cameras, motion sensors, and interior locks on everything including the bathrooms. No alarms were tripped, no sensors showed any error or warning conditions.

The organization had hired us to conduct an Internal & External Vulnerability Assessment & Penetration Test, along with a Physical Security Penetration Test. The goal was to see if we could physically penetrate the organization and reach the data center in the middle of the night. This is a brief synopsis of our methodologies, the attack, and take-aways. This will be a multi-part Blog. Make sure to follow me on Twitter at www.twitter.com/Security_Sifu.

Remote Reconnaissance

Our initial site discovery was conducted online. By reviewing information available on the Internet we were able to identify employees, vendors, high-level building information, and areas of interest and concern. Senior titles and emails were acquired. These could be used for a variety of email and phone based social engineering ruses. Maltego is an awesome graphical way to analyze information on the Internet, and relationships between content. It was used to graphically, and quickly, assess relationships the organization holds with business partners, associations, and manufacturers. Below are a couple of screenshots from Maltego.

Maltego-1 Maltego-2

Maltego-3

Google Maps showed the businesses in the immediate area. Identifying how big the street was, the types of adjoining and nearby businesses, and the type of neighborhood helped determine foot traffic levels at night, the amount of car traffic, etc. A review of the physical location via Google Site Maps Street View showed the rear of the building would have less visibility than the street-facing stairwell. There is an apartment complex behind the building; this may heighten the amount of potential people monitoring/seeing the building throughout the night.

Reconnaissance Day

Our customer occupies the entire 3rd and 4th floors in a 4-story multi-tenant building. We took a variety of pictures and videos during this day, identifying and documenting the countermeasures and areas of weakness. One of my favorite new toys is a video camera, microphone and 3 megapixel camera that is housed in a pen. Not only does it produce a good picture and video, it was VERY cheap! I also walked several areas using my Blackberry, acting as though I was texting while walking, when in reality I was videotaping the environment. Primary takeaways were large gaps in the front doors, the lack of motion detectors on the 1st floor, access to the plunger on a poorly installed interior door, and identification of the datacenter. Monitoring the location, we noted that the guards leave at 10PM. The cleaning crew appeared to set all of the alarms on their way out.

My next blog will be about the hit the following night, I’m just about done writing it. Make sure to follow me on Twitter at www.twitter.com/Security_Sifu.

