PHYSICAL SECURITY IN THE WORKPLACE Avoiding getting owned without knowing it By: Mitch Capper and Doug Farre

Physical Security In The Workplace


Physical Security In the Workplace presentation given at Hacker Halted Miami 2008 by Doug Farre and Mitch Capper.


Page 1: Physical Security In The Workplace

PHYSICAL SECURITY IN THE WORKPLACE

Avoiding getting owned without knowing it

By: Mitch Capper and Doug Farre

Page 2: Physical Security In The Workplace

This Presentation

We only have 45 minutes

Won’t be covering:
• Mechanical lock details
• High security mechanical lock details
• Latest high security exploit details

Goal is to help you evaluate a ‘secure’ area to see possible holes in security

Page 3: Physical Security In The Workplace

What is most important to you?
• Your Data
• Your Contacts
• Your Customers’ Confidence
• Your Inventory
• Your Employees

Page 4: Physical Security In The Workplace

Security Budget

Virtual Security:
• Firewalls
• Anti-virus
• IDSs
• VPNs
• System administrators
• Auditing and review
• Segmented networks
• Encryption and training
• Software updates and Group Policies

[Chart: Security Dollars, Virtual vs Physical]

Page 5: Physical Security In The Workplace

Your Virtual Security Setup

IS GREAT
• Keeps the virtual bad guys out
• Stops drive-by and 0-day exploits like no others
• Has kept your company secrets secure for many years

Page 6: Physical Security In The Workplace

Compromising Virtual Security
• Physical key loggers
• BIOS-level rootkits with FDE and virtualization
• Live malware
• Cold boot attacks

Page 7: Physical Security In The Workplace

Physical Security is Trump

• Most virtual security monitors the border
• Secure data can only be defined as offline and encrypted
• At the end of the day there is only one undeniable fact:

Physical Access means 100% data vulnerability

Page 8: Physical Security In The Workplace

Why don’t people think about Physical Security?
• Don’t think it’s a threat
• Impossible to secure
• Not enough resources or knowledge
• Haven’t got around to it

Page 9: Physical Security In The Workplace

Espionage
• Frequently uses physical attacks
• Over 100 billion annually in cost
• Large attacks can be “game over”
• Social engineering with minimal physical attacks has accomplished most large attacks

Page 10: Physical Security In The Workplace

Social Engineering and Information Gathering

Social Engineering
• Co-worker
• Salesman
• Interviews
• Reference checks
• Impersonation

Information Gathering
• Interviews
• Prospective clients
• Public tours
• Dumpster diving
• Off-site observation
• Internet

Page 11: Physical Security In The Workplace

Let’s Talk Physical Security

Breaks down to 5 main areas:
• Mechanical Access Control
• Electronic Access Control
• Alarm Systems
• Surveillance
• Egress Devices

Page 12: Physical Security In The Workplace

Egress Devices: Latches
• Latches
• Guards
• Deadlatches

Page 13: Physical Security In The Workplace

Egress Devices: Continued
• Push bars
• Button releases
• Infrared/motion sensors

Page 14: Physical Security In The Workplace

Alarm Systems
• Must be hardwired
• Expensive install
• 4 main sensor connection types:
  ○ Trip on fail
  ○ Circuit always connected
  ○ ‘Constant Monitoring’
  ○ Magnetic coupling
• Use GSM or phone for reporting
• Spend most of their time off
• Response time

Page 15: Physical Security In The Workplace

Alarm Systems: Considerations
• Take advantage of unconventional technologies
  ○ Alarmed glass
  ○ Photoelectric controls
  ○ Pull-trip switches
  ○ Stress detectors
  ○ Vibration sensors
  ○ Sound monitoring sensors
  ○ Ultrasonic motion sensors

Page 16: Physical Security In The Workplace

Surveillance

CCTV
• Primarily a forensic tool
• Partial deterrent

ID Cards
• Only good for casual ID

Guards
• Response
• Two person rule

Page 17: Physical Security In The Workplace

Surveillance

Page 18: Physical Security In The Workplace

Electronic Access Control
• Handling of lost keys/terminated employees
• Easy to reprogram/rekey
• Advanced control (blackout times, use counts etc…)
• Provides AUDITING

Page 19: Physical Security In The Workplace

EAC: Keypads
• Most are fairly weak
• Scramble pads can be good

Page 20: Physical Security In The Workplace

EAC: Biometrics / Physical Characteristics
• Fingerprints and hand geometry
• Facial recognition
• Vein mapping
• Retinal scanning

Page 21: Physical Security In The Workplace

EAC: Biometrics / Behavioral Characteristics
• Voice mapping
  ○ VoiceVault – phone verification
• Keystroke biometrics
  ○ BioPassword – keystroke behavior
  ○ Think Morse Code during WWII
• Signature dynamics

Page 22: Physical Security In The Workplace

EAC: Cards
• Barcode / concealed barcode cards
• Mag stripe cards
• RFID / prox cards
• Smart cards

Page 23: Physical Security In The Workplace

EAC: Fail
• Most devices/systems use the Wiegand protocol, think clear text over hard wire
• Mechanical lock backup
• No destructive attack resistance
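The slide's "clear text over hard wire" point, shown in code. This is an added example, not part of the original deck: an encoder and decoder for the common 26-bit Wiegand frame (8-bit facility code, 16-bit card number, two parity bits). Nothing in the frame is secret or keyed; the only check a controller can make is parity, so the sample card values below are constructed and any reader of the wire can reproduce a valid frame.

```python
# Added example (not from the original presentation): 26-bit Wiegand framing.
# Layout, MSB first:
#   bit 0      even parity over bits 1-12
#   bits 1-8   facility code (8 bits)
#   bits 9-24  card number (16 bits)
#   bit 25     odd parity over bits 13-24
# There is no key, nonce or MAC: parity is the whole "integrity" story.

def encode_wiegand26(facility: int, card: int) -> str:
    """Build a 26-bit Wiegand frame as a string of '0'/'1' characters."""
    if not 0 <= facility <= 0xFF or not 0 <= card <= 0xFFFF:
        raise ValueError("facility code is 8 bits, card number is 16 bits")
    payload = f"{facility:08b}{card:016b}"          # 24 data bits
    even = str(payload[:12].count("1") % 2)         # even parity, first half
    odd = str((payload[12:].count("1") + 1) % 2)    # odd parity, second half
    return even + payload + odd


def decode_wiegand26(bits: str) -> dict:
    """Decode a 26-bit frame and report whether both parity bits check out."""
    if len(bits) != 26 or set(bits) - {"0", "1"}:
        raise ValueError("expected 26 characters of '0'/'1'")
    payload = bits[1:25]
    even_ok = bits[0] == str(payload[:12].count("1") % 2)
    odd_ok = bits[25] == str((payload[12:].count("1") + 1) % 2)
    return {
        "facility": int(payload[:8], 2),
        "card": int(payload[8:], 2),
        "parity_ok": even_ok and odd_ok,
    }


def flip_bit(bits: str, index: int) -> str:
    """Return the frame with one bit inverted (simulates line noise)."""
    flipped = "1" if bits[index] == "0" else "0"
    return bits[:index] + flipped + bits[index + 1:]


if __name__ == "__main__":
    # Constructed sample values; any facility/card pair yields a valid frame.
    frame = encode_wiegand26(123, 45678)
    print(frame, decode_wiegand26(frame))
    # A single flipped data bit is caught by parity; that is the only check.
    print(decode_wiegand26(flip_bit(frame, 5)))
```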

Page 24: Physical Security In The Workplace

Mechanical Locks: Attacks
• Key duplication
• Bumping
• Picking
• Impressioning
• Rights escalation in master key systems
• Bypass

Page 25: Physical Security In The Workplace

MLA: Key Duplication
• All non high security locks
• Some high security locks
• Key duplicators
• Clay molding
• Silicone casting

Page 26: Physical Security In The Workplace

MLA: Bumping
• Requires a bump key
  ○ A blank or key in the system
  ○ A file
• Can be purchased online for under $5 a key
• All non high security
• Some high security
• Low barrier to entry

Page 27: Physical Security In The Workplace

MLA: Picking
• Most people can pick an easy lock within 5-30 minutes of first being given the tools and minimal instruction
• Within months of casual practice most can open most non-high security locks, both pin tumbler and wafer
• Large picking community: www.lockpicking101.com

Page 28: Physical Security In The Workplace

MLA: Bypass - Shimming
• Padlock shimming
• Handcuff shimming

Page 29: Physical Security In The Workplace

MLA: Lock Bypasses
• Medeco deadbolts
• Master Lock 175
• American padlocks

Page 30: Physical Security In The Workplace

MLA: Adams Rite Wires
• Affected huge numbers of locks
• Lock/egress combined attack

Page 31: Physical Security In The Workplace

MLA: Impressioning
• Key from the lock
• Key blanks, file
• Skilled attack
• The art of a locksmith

Page 32: Physical Security In The Workplace

MLA: Rights Escalation in MK Systems
• Matt Blaze from AT&T Labs – 2002
• No technical skill required
• One key to the system, one lock, 5-7 key blanks, and a file
• Under desk attack

Page 33: Physical Security In The Workplace

High Security Locks
• Abloy, ASSA, Bilock, Medeco, Mul-T-Lock, Schlage (Primus)
• Should be:
  ○ bump resistant
  ○ hard to pick
  ○ hard to duplicate keys
  ○ hard to drill
• Industrial locks

Page 34: Physical Security In The Workplace

HSL: Problems
• Changing keys is a pain
• Even some high security locks suffer from varying degrees of standard attacks (bumping, rights amplification, key duplication)
• Getting unique blanks is very hard for anyone short of the largest companies

Page 35: Physical Security In The Workplace

HSL: Ground Zero
• Mechanical locks usually are what is in between the outside world and the sensitive data
• One of few active preventions
• Low investment can greatly enhance security
• Frequently overlooked

Page 36: Physical Security In The Workplace

Electronic vs Mechanical

Electronic                      | Mechanical
Hard to evaluate security       | Can be fully disassembled/understood
Compromises simple              | Generally more complex
Power failure issues            |
Auditing                        | No auditing
Rekeying easy (generally)       | Rekeying harder
High cost for high quality      | Much lower cost

Page 37: Physical Security In The Workplace

Proper Physical Security
• Layers
• Look not just at how you are supposed to enter, but at alternate methods/exit ways
• Dual authentication: separate electronic and mechanical authentication

Page 38: Physical Security In The Workplace

Combined Physical/Electronic Locks
• Combined cylinders (say, Assa Abloy’s Cliq) try to bridge gaps and minimize costs
• Most brand systems (Medeco, Assa, Mul-T-Lock) are already compromised
• Abloy Protec Cliq still safe (also the only mechanical lock, for that matter)

Page 39: Physical Security In The Workplace

Closing Points
• Use your imagination!
• Never underestimate the attacker!

Page 40: Physical Security In The Workplace

Questions?

Our email is at @SecuritySnobs dot com (first name @)

Mitch Capper Doug Farre

Page 41: Physical Security In The Workplace

MLA: Rights Escalation – The How
• File each of the 5 keys to the same depths as the normal user key, skipping one position on each key
• Put the non-working key in the door and try it
  ○ If it doesn’t work, file the one unfiled position
  ○ Try again until it works
  ○ If it works and is the same height as the normal key, keep filing; otherwise the key is done
• Once all keys are done, compare each to the original and make the GMK from the differing heights