Lock Picking Village - Doors, Cameras, and Mantraps OH MY
Formal Metadata
Number of Parts | 374
License | CC Attribution 3.0 Unported: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers | 10.5446/50739 (DOI)
Transcript: English(auto-generated)
00:02
Hello, DEFCON Lockpick Village. Super excited to be here. This is my talk, Doors, Cameras, and Man Traps Oh My, an overview about the ins and outs of physical security risk assessment. If you are curious about pursuing this as a career option, you are in the right place. If you want to learn about lockpicking, I'll mention some sources that can help
00:23
with that later on in the talk. Here is a quick intro. I am the magician, or Dylan, whichever you prefer. I am a member of the Open Organization of Lockpickers in Orlando. I am a security consultant with GoldSky
00:41
Security. I teach cyber security at the University of Central Florida. Go Knights! And I am an overall security enthusiast. This is really a hobby for me, as much as a career. What I do is straightforward. I explore client sites with the defenders in tow, so I can
01:01
demonstrate for them any physical security vulnerabilities I spot. Bringing the client defenders with me allows for a teach back while on site, instead of solely in our report. It is an absolute blast. This mostly summarizes the process. I show them the vulnerability, and I tell them the
01:21
mitigation. So, what are we going to discuss in this talk? This is not a lockpicking or how-to talk. This is more a talk about the processes and procedures, mostly about what we look for and how we relay the information to the clients.
01:41
I will cover physical security controls, key questions I ask my clients, and how I go about educating the clients about risk mitigation. At the end, I'll talk about how to approach this field. Physical security controls start with the front door, I think. So I want to start
02:01
with doors and windows. There are a lot of mechanical components to doors, but here is a short list I tackle. Do perimeter doors have the hinges exposed to the outside? Those hinges can be exploited. Can I slide something between the latch and the strike
02:21
plate to pull the door open without a key or combination? Can I get tools over or under the doors to manipulate the door handles? If I run across double doors, can I manipulate crash bars, those bars that go across the middle of doors that you can push open with your hip so you don't need to use a knob or handle? These are all
02:44
resolvable exploits. While some windows can be opened or manipulated in similar ways, they offer different challenges. In a lot of office spaces, some clients don't have policies about shoulder surfing or looking over the shoulder of a user to obtain information.
03:05
This is a physical security risk. If someone is trying to establish a good time for physical entry, maybe just what PC operating systems are being used, or even information as simple as what browser type a particular company is using, looking through a window is really
03:24
low effort. This clip, by the way, is very much not a risk model my clients have asked me to test. The next physical controls are fencing and bollards. Both are passive and require little maintenance in most cases. Even though some folks are scratching their heads about
03:44
what bollards are, don't worry, you've seen them before. Fencing is obvious, maybe folks have them in their homes, or at work maybe. Fencing establishes a clear perimeter, and if locked,
04:01
clearly sets an expectation of limited access. It would take a heck of an improviser to explain to a guard why you are walking around a parking lot or building at a locked and closed facility. It's also near impossible to scale a fence in most environments without attracting attention, unless in a very rural location. You have all seen bollards before, they are the reinforced
04:32
ramp to create a point of entry in an otherwise defended structure. This is a very fancy hydraulically assisted version, but here we are at a Target. Remember when we used to go to
04:45
Target in 2019 for groceries? Those were the days. In front of the store, these steel reinforced concrete spheres are not just to look cool, they actually prevent people from running their cars into the glass doors to gain access in off hours to steal random stuff.
05:05
It's a pretty simple passive risk mitigation, I think. Full bonus, I just find it fun to say bollards. Next up are man traps. This is a super cool concept. Man traps are completely
05:25
underutilized. Sure, it's a challenge to get people through them, you'll understand why a flow of people can be interrupted in a moment, but I think they are really awesome. Many banks have them, and after seeing the next slide I am willing to bet a few of you are going to be sitting at home saying holy cow, I've totally seen those. This is a great scene from the movie
05:47
Sneakers, my personal favorite hacker movie. The lead character Bishop walks through a glass sliding door after using a magnetic stripe reader. The door closes behind him, and another door is in his way that uses a biometric reader. Now he has to get past that. Super neat control
06:06
that I would love to see in more places. Cameras are a great security control for several reasons. If you have the means, I encourage you all to grab some power over ethernet or wifi cameras and try hacking them. Cameras are in most businesses and some homes now.
06:28
If you have the funding at a job site, you can even have your cameras actively monitored in a SOC, or security operations center. Lots of small to mid-sized businesses just record video
06:41
and reference it in incident response if something goes wrong for forensic purposes. Video is easy to store, and you could find out who took company property maybe after they got terminated, or who was negligent in some security policy. There are many technologies in the world of cameras, but I firmly believe that wifi cameras specifically are a poor choice.
07:04
Please reach out for that soapbox rant if you like. A fun fact about a lot of security cameras is that often they aren't even powered on at job sites. Because I love surveillance cameras and have several to tinker with at home,
07:23
my oldest son has developed a curiosity around them and likes to point them out when we are at theme parks here in Orlando. He can quite accurately count the number of cameras on the walk up to a structure. Would you have seen the two massive dome cameras on top of this archway at Universal Studios Florida if I had not put boxes in this photo? Heck, I can't even
07:45
see them hardly with the boxes, but I assure you if you go to Google Maps, they are there. For electronic access, I am going to do a very light touch because it is quite a dense topic.
08:03
Most of you are in an office environment and have some token that grants you access. A radio frequency ID badge that you wave in front of a reader that opens a magnetic sealed door might be your front door. A pin code that is shared among employees and janitorial staff might get
08:22
you into privileged rooms. Maybe a fingerprint even unlocks the laptop at your desk. Grocery stores even have electronic sensors that know when someone is there and detect motion and open for you. All of these things can be exploited or copied in some way.
08:43
I personally am one of the many cyborgs in the hacker community. I got an implant from Dangerous Things last year and can clone radio frequency ID badges to my hand and I use that to educate clients about the importance of cycling the guest badge so that way someone
09:02
can't take that badge number and then come back with it and let themselves in. Next, I want to talk about how to speak to clients in a productive way. What is your personal area of concern? In other words, ask a client what on earth they care
09:25
about. I've demoed a parking lot to server room break-in in four minutes and had a client shrug their shoulders. Their dollars were in a manufacturing area in another more secure location. Ask your client what they want you to put time into. Being efficient is a good way
09:45
to get repeat clients in a role where often you're billing hourly. Don't miss any doors. There is no shame in verifying with a client that you have tested the entire perimeter.
10:02
Ask which doors get the most traffic and which get the least. Some doors may have super beefy security while another may be a smoking area door, has people flowing in and out of it throughout the day, and has less security favoring convenience. Those are good doors to
10:20
test a tailgating attack where you try and walk in behind an employee. Because you truly are a guest in the scenario of being a security risk assessor, you can test guest access policies firsthand. In some cases, if it is in scope, meaning if the client has agreed to it ahead
10:43
of time, try entering the client premises and asking to use the restroom. Then see how far you can get into the building unattended. If you show up and notice a robust check-in policy, maybe with a photo and temp badge, great. That is often not the case. Do you
11:03
get an escort? Also a bonus. Can I keep an RFID badge and replay it when I come back next year for an assignment? Not ideal, but I've seen that before. Do you get watched like you're a suspicious hacker in a hoodie, or is there instant trust once you've made
11:20
it past the perimeter? Final fun thing to look for if you get a guest badge. Where can you get in the building? You might be surprised to find yourself in a CEO or CFO office if you're lucky. Here we see some extremely robust guest security policies in
11:40
action. Armed guards are monitoring a guest who is also restrained and has their tools confiscated temporarily. Someone in security operations hands the guest off to a person of authority who is also armed for the purposes of communication. This is a bit much, but similar procedures are not unheard of in a military or DOD establishment.
12:08
As a social engineering enthusiast myself, this is a huge topic. Entire companies are dedicated to just educating and empowering employees to act as part of the security team for a company.
12:22
Here are quick points on the matter. Gamify your security training. A traveling trophy can go on the desk of the person with the least clicks on email phishing one month. Or maybe someone else who always locks their computer when they head to the break room.
12:40
Be creative. Let employees know that they are an integral part in the security of their company and that they can be the first line of defense. Every employee is part of the security team. As a social engineering enthusiast, this is equally important. You want to make sure you're
13:02
establishing rapport with your clients. You want them to want you to come back. Constructive criticism can be done in a very positive way. While there have been tons of talks about how to exploit mechanical components of physical security, there have been just a few that cover
13:24
the specifics of educating the clients on how to go about resolving the exploits that you've demonstrated on the job. Constructive criticisms are the way to go. A positive focus is absolutely critical. Directed or accusatory verbiage is never productive.
13:41
Saying things like "this is so bad" or "I can't believe you set it up this way" need to be replaced with "we have some good opportunities here for improvement." Simple phrasing can mean a huge world of difference. Also, leading a client to come to their own conclusions through education and demonstration will work wonders for client morale.
14:06
Here is the show and tell part. This really is my favorite part of the job. Showing the defender's vulnerabilities on site is immensely fun and can have an extremely positive impact. Telling someone you can bypass a door versus showing them how has a huge
14:25
difference in the likelihood that a mitigation will be implemented. This step in the process also gets the most heads popping into the room. It gets people excited about the security of their company. I have yet to run across a group of employees that doesn't show interest
14:41
in an under door tool or a latch slip. This is pretty big. This is all about soft skills and keeping people calm in an otherwise stressful environment. Fear, uncertainty, and doubt have no place when you're trying to be productive. You want to avoid saying things like "oh, this is bad"
15:05
or "you've done this incorrectly." Instead, be inclusive and positive. "We can fix this. No big deal." Make sure that you're explaining things; you're not telling them. You don't want to just send an email with resolutions. You want to actually have a human conversation.
15:27
This is pretty much the best explainer of fear, uncertainty, and doubt, and why it can damage a client relationship. Fear is not a good motivator to get risks mitigated. Educate and empower. Never belittle or disrespect. Provide some means for clients
15:45
to reach out to you. Don't be out of touch. A reputable company should provide you with a company email, and if you're lucky, a company phone number. This can separate work and home,
16:00
and keeping a work-life balance in this particular career field can be challenging at times. Make sure to also set expectations about when you can be reached and how long it may take for you to respond. I feel education is the most important aspect of hacking and security. That's not to say that a four-year degree or anything like that is needed. Kudos if you're
16:25
going that route. The different approaches to learning are varied, but here are a few. Podcasts, YouTube, and Udemy were big wins for me personally. If you want to get into lockpicking or just see some jaw-dropping feats of lock exploits,
16:44
then look no further than Lockpicking Lawyer. The content on his channel is consistently enjoyable and never stale or boring. If you're an auditory learner, then podcasts are fantastic. Darknet Diaries is amazing with great storytelling and incredible guests.
17:01
The lessons learned are valuable and always come in an entertaining package. If you want to direct your attention at certification to prove you know a specific skill set, then Mike Meyers on Udemy has, I personally think, the best online content for CompTIA Security Plus and Network Plus. He does cover some physical security content
17:22
in the Security Plus lecture, and he does it in a very fun way. These three are Bill Nye level explainers for those of you who are old enough to remember Bill Nye from the 90s. While not everyone learns from books, I know I certainly can, specifically if the content is fascinating to me. I tried to trim this down to a short list
17:45
that I can recommend for everybody. Social Engineering: The Science of Human Hacking by Chris Hadnagy is a very professional and comprehensive guide to social engineering, if you want to learn more about that kind of engagement. Practical Lockpicking by Deviant
18:04
gives you a more complete understanding of locks, not just how to pick them. The Art of Deception by Kevin Mitnick is super famous, and if you haven't read it, you really should. Although, I will mention that Chris Hadnagy's book is more of a scientific and professional approach to learning about social engineering. What Every Body Is Saying is very
18:26
useful if reading people. This is helpful in everyday life as well as on the job. Just like previously, I wanted to throw in something strictly for those aiming at certifications. I really am a huge fan of anything and everything under the Exam Cram
18:42
brand. I really think they portray the information in a way that's very easy to absorb. This was a big topic for me, and I hope to emulate those who helped me and pay it forward, so to speak. Approach professionals and listen to talks. Be courteous.
19:04
These people are busy and have their own lives. That consideration aside, security professionals are people and like to share their experiences. I have received an amazing amount of support from the security community and wanted to list folks who were large influences for me.
19:21
I encourage you to pore over previous DEFCON talks and find individuals who share your personal mindset and speak to you specifically. Use the knowledge shared in venues like this to build an even stronger community of sharing. While I know I am biased as an instructor,
19:41
I recommend taking guided courses if you are able. Here are some I personally plan to attend as soon as we are able. You can learn physical security, social engineering, or really anything you like in a course guided by a professional in the field. A textbook will never have all the answers.
20:04
Being able to raise your hand and ask the "what ifs" and "what about this" type questions are hugely valuable. Since we are all at DEFCON, you all have already nailed this, so well played:
20:22
attending events and local meetups is a great way to meet new people and network. The people I have met in Orlando through meetups and events have truly driven my career. I was able to learn all the skills I couldn't practice because either I personally did not have
20:41
the tools or the content online didn't quite break things down well enough for me. Just getting introduced to people that could help me understand things between the lines of textbooks was awesome. Huge shout out to the folks at Citrus Sec in Orlando and DC 407.
21:02
If you see your city on the list, then that means there is a chapter of the Open Organization of Lockpickers in your town. I encourage you to reach out to your local TOOL group and meet some cool people. If you don't see your city, good news! You can now start a town and find people that are into physical security. The Open Organization of Lockpickers
21:23
or TOOL has been amazing to me and I love being a member. Second to last slide, I promise, but I want to say thanks to my family and friends. Mostly my wife and kids. Thank you for understanding when I disappear into my lab
21:42
for hours at a time for random projects. Thanks Orlando Hackers for just being total class acts. I want to thank TOOL for providing me an unbelievable networking opportunity and the ability to practice hands-on with locks and tools I would never have seen otherwise. Thanks GoldSky Security for the opportunity to learn and grow in an incredible supportive
22:04
environment. DEFCON, thank you for having me. This event is so special. And to the hacker community at large, keep being curious and keep pushing boundaries. I love helping people who are getting started or maybe who are stuck on something. Feel free to reach out. I might take
22:25
a bit to respond, but I will do my level best to help. This was a lot of information in a short amount of time, so if you want clarification on something, I am at 31337 magician on Twitter and here is my LinkedIn if you prefer that channel. Thanks for listening to my talk. That's
22:43
all I have on this topic, but feel free to reach out if you want to have anything answered that you're still curious about. Have an excellent day and enjoy DEFCON!