Physical

GuadalajaraCON
−PHYSICAL SECURITY−
SECURITY−
Look mom,
mom, just like
JASON BOURNE
Alejandro Hernández H. CISSP, GPEN
@nitr0usmx
http://chatsubo-labs.blogspot.com
http://www.brainoverflow.org
Guadalajara, México
April, 2013
1
GuadalajaraCON
About me…
me
Senior Security Consultant at IOActive
~10 years in the security field
I break stuff
2
Table of Contents
This presentation will be a collage of
concepts, own experiences and video
clips
What to protect physically?
Security controls commonly used
Physical security assessment techniques
Interesting and unusual concepts
3
GuadalajaraCON
INTRO VIDEO CLIP
GuadalajaraCON
Jason Bourne - Stealing the Blackbriar Files
4
What to protect physically?
physically?
GuadalajaraCON
People
Earthquakes
Social Engineering
Etc.
Data / Informacion
Physical / Printed documents (contracts, invoices, etc.)
Post-its
Etc.
Technology Infrastructure
Data Center
Robots in Industrial Plants
Etc.
5
GuadalajaraCON
Security controls commonly used
6
GuadalajaraCON
Security controls commonly used
7
GuadalajaraCON
Security controls commonly used
8
VIDEO CLIP
GuadalajaraCON
Jason Bourne - Evacuation Plan
Certain information could be used against you
9
GuadalajaraCON
Physical security assessment techniques
Infiltration and Social Engineering
Fake ID creations
Banners using corporate colors (Web site)
Names / Employee numbers (OSINT)
Print the “Authorization Letter” (fake)
The same of above, but with a ‘C*O’ signature
Be confident in front of the security guard !
Determination
10
GuadalajaraCON
Physical security assessment techniques
Infiltration and Social Engineering
2011…
11
GuadalajaraCON
Physical security assessment techniques
Infiltration and Social Engineering
Another one from 2008…
12
GuadalajaraCON
Physical security assessment techniques
Piggybacking
When a person tags along
with another person who
is authorized to gain entry
into a restricted area, or
pass a certain checkpoint
13
GuadalajaraCON
Physical security assessment techniques
Lock Picking
The art of unlocking a lock
by analyzing and
manipulating the
components of the lock
device without the original
key
14
GuadalajaraCON
IOActive Lock Picking session @ Mt. Baker
[January 2013]
15
VIDEO CLIP
GuadalajaraCON
Lock Picking 101
Safeboxes and doors are also vulnerable
16
VIDEO CLIP
GuadalajaraCON
Vina F in Gringo Warrior
Lock Picking and fun @ DEFCON (Gringo Warrior Game)
17
VIDEO CLIP
GuadalajaraCON
Cyber Security. Evolved. (Deloitte UK)
Combination of all the techniques described previously
18
GuadalajaraCON
Physical security assessment techniques
Dumpster Diving
Looking for information in garbage
Financial statements, corporate
documents, signatures, etc.)
19
GuadalajaraCON
Physical security assessment techniques
Shoulder Surfing
Watch the screen and/or
the pressed keys behind
the victim
20
GuadalajaraCON
Physical security assessment techniques
Shoulder Surfing
Icons guide for Shoulder Surfing (hkm)
http://www.hakim.ws/textos/iconos_del_taskbar.html
21
GuadalajaraCON
Physical security assessment techniques
{key,video} Loggers
Special hardware for capturing
keys/videos from a victim’s
computer
22
GuadalajaraCON
Physical security assessment techniques
Default passwords
Sometimes a demo of
the software is
provided by the vendor
;-)
Biometrics
Industrial devices
CCTV
23
VIDEO CLIP
GuadalajaraCON
Spaceballs super password XD
Some physical security devices also have default passwords
24
VIDEO CLIP
GuadalajaraCON
Control of 48 security cameras in a building in Mexico City
CCTV cameras also have default passwords
25
VIDEO CLIP
GuadalajaraCON
Access to a “High Security” data center in Mexico City using the
administration panel (without password) in the biometric device
Biometric devices are well designed and developed… Some are
misconfigured or implemented incorrectly
26
GuadalajaraCON
Physical security assessment techniques
*Plugs
Small computers with different functionalities
physically connected to an energy plug inside the
building / premises / complex
Malicious USBs
27
GuadalajaraCON
Physical security assessment techniques
Industrial Plants
‘Physical’ segregation between the data (corporate)
and industrial networks
Disabled USB ports
28
GuadalajaraCON
29
DoD Looking to ‘Jump the
Gap’ Into Adversaries’ Closed Networks
Jan 15th, 2013
Iranian President Mahmoud Ahmadinejad visits the Natanz
uranium enrichment facilities, where a “closed”
computer network was infected by malware
introduced via a small flash drive.
30
http://www.defensenews.com/article/20130115/C4ISR01/301150010/DoD-Looking-8216Jump-Gap-8217-Into-Adversaries-8217-Closed-Networks
GuadalajaraCON
GuadalajaraCON
31
GuadalajaraCON
Interesting and Unusual Concepts
Urban Exploration
Ninja assessment
Often shortened as urbex or UE. It may also be
referred to as Infiltration, Building Hacking,
draining (when exploring drains), urban rock climbing
Exploration of man-made structures, usually
abandoned ruins or not usually seen components of
the man-made environment
32
GuadalajaraCON
Interesting and Unusual Concepts
Urban Exploration
33
GuadalajaraCON
Interesting and Unusual Concepts
Urban Exploration
In México….. The Rat Man in the Subway
34
GuadalajaraCON
Interesting and Unusual Concepts
Urban Exploration
http://www.infiltration.org
35
GuadalajaraCON
36
GuadalajaraCON
Interesting and Unusual Concepts
Concepts from one of
the best INFOSEC
books I ever read
37
GuadalajaraCON
Interesting and Unusual Concepts
38
GuadalajaraCON
Interesting and Unusual Concepts
39
GuadalajaraCON
Interesting and Unusual Concepts
40
GuadalajaraCON
Interesting and Unusual Concepts
41
GuadalajaraCON
Interesting and Unusual Concepts
Seen a couple of times
42
GuadalajaraCON
Interesting and Unusual Concepts
43
Moral
… Use the right security controls
44
GuadalajaraCON
GuadalajaraCON
− Thanks −
Alejandro Hernández H. CISSP, GPEN
@nitr0usmx
http://chatsubo-labs.blogspot.com
http://www.brainoverflow.org
Guadalajara, México
April, 2013
45