Archive for the ‘Physical Security’ Category.

Shmoocon 2012: Attacking Proximity Card Systems

Brad Antoniewicz of Foundstone presented at Shmoocon on attacking proximity card systems. HID is the best-known brand of proximity cards. We’ll see if I can summarize accurately.

Like the virtual pickpocketing of contactless credit cards, a bad guy can also clone proximity cards. At some buildings you need a badge and a PIN to enter outside work hours, but during work hours the PIN is not required, so you could just walk right in with a cloned card.

The Proxmark III lets a researcher read, clone and emulate a wide range of RFID tags, including HID Prox badges. Badges are typically numbered sequentially, so if the cloned badge doesn’t have the access you need, you can brute force the badge reader by emulating nearby numbers. Testing the entire card space at a rate of one badge per second would take about two years. But if you already have the company (facility) code and one valid badge number, the search shrinks dramatically.
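To make the numbers above concrete, here is an added example (my own code, not from the talk or the original post) that encodes and decodes the common 26-bit HID Prox layout and sizes the brute-force search for each of the scenarios mentioned. It assumes the 26-bit H10301 layout (even parity bit, 8-bit facility code, 16-bit card number, odd parity bit); the post does not say which format Brad targeted, and the "two years" figure matches a raw 26-bit space at one attempt per second. The 200-badge neighbourhood around a known badge is an assumption for illustration.

```python
# Added example (not code from the talk or the post): encode/decode the common
# 26-bit HID Prox format (H10301, the usual Wiegand 26 layout) and size the
# brute-force search described above.  The layout assumed here:
#   bit 25 (MSB)  even parity over bits 24..13
#   bits 24..17   8-bit facility ("company") code
#   bits 16..1    16-bit card number
#   bit 0 (LSB)   odd parity over bits 12..1

SECONDS_PER_YEAR = 365 * 24 * 3600


def _ones(value: int) -> int:
    """Count the set bits in value."""
    return bin(value).count("1")


def encode_h10301(facility: int, card: int) -> int:
    """Build the 26-bit frame for a facility code and card number."""
    if not 0 <= facility < 2**8:
        raise ValueError("facility code must fit in 8 bits")
    if not 0 <= card < 2**16:
        raise ValueError("card number must fit in 16 bits")
    data = (facility << 16) | card             # the 24 payload bits
    left, right = data >> 12, data & 0xFFF     # halves covered by each parity bit
    p_even = _ones(left) & 1                   # makes left half + parity bit even
    p_odd = 1 - (_ones(right) & 1)             # makes right half + parity bit odd
    return (p_even << 25) | (data << 1) | p_odd


def decode_h10301(frame: int) -> tuple:
    """Split a 26-bit frame into (facility, card); raise if a parity bit is wrong."""
    if not 0 <= frame < 2**26:
        raise ValueError("frame must be 26 bits")
    p_even, data, p_odd = (frame >> 25) & 1, (frame >> 1) & 0xFFFFFF, frame & 1
    left, right = data >> 12, data & 0xFFF
    if (_ones(left) + p_even) & 1 != 0:
        raise ValueError("even parity check failed")
    if (_ones(right) + p_odd) & 1 != 1:
        raise ValueError("odd parity check failed")
    return data >> 16, data & 0xFFFF


def frame_bits(frame: int) -> str:
    """The frame as the 26-character bit string a tag emulator would replay."""
    return format(frame, "026b")


def brute_force_seconds(candidates: int, rate_per_second: float = 1.0) -> float:
    """Worst-case time to present every candidate badge to a reader."""
    return candidates / rate_per_second


def search_spaces(neighbourhood: int = 200) -> dict:
    """Candidate counts for the scenarios in the post (neighbourhood is assumed)."""
    return {
        "raw 26-bit frames": 2**26,                    # about 2.1 years at 1/s
        "frames with valid parity": 2**24,             # parity is derived, not searched
        "facility code known": 2**16,                  # about 18 hours at 1/s
        "facility code and a nearby badge known": 2 * neighbourhood + 1,
    }


if __name__ == "__main__":
    frame = encode_h10301(123, 45678)
    print(frame_bits(frame), decode_h10301(frame))
    for name, count in search_spaces().items():
        print(f"{name}: {brute_force_seconds(count) / 3600:.1f} hours")
```

Two things fall out of this that the talk summary only hints at: an attacker who skips frames with bad parity already cuts the blind search from 2.1 years to about 194 days, and once the facility code is known the whole 16-bit card space fits in a working day at one read per second. With a known badge number and sequential issuance, a few hundred attempts are enough, which is the "multiple minutes at the reader" Brad described.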

Brad’s experience is that people won’t challenge you even as you stand at the badge reader for several minutes trying badge numbers, with the reader beeping at each attempt.

Side note: employees are told not to let other people piggyback, but at best they hold the door and ask people to swipe a badge. The beep doesn’t indicate success, only that a card was read.

Unless the physical access logs are sent to a SIEM, many proxcard systems will not natively alert on a brute force attack. Brad mentioned one hilarious exception: security did not react to the brute force itself, but one badge number had been flagged in advance, and when the brute force tried that number, security responded fast.

In addition to clone and replay attacks there can be attacks against the badge reader itself. Communication between the reader and the controller is a simple serial link (commonly Wiegand), unencrypted and unauthenticated, so a physical tap on the wiring can record every badge number and PIN presented. Since one valid badge is enough to get in, this is a bit of piling on, but a tap collects the whole population of badges rather than one.

The HID controllers were also found to have security issues. I am wondering why the controller would be addressable on the network at all, but this is what he found: default passwords, undocumented accounts, and passwords that can’t be changed from their defaults. The controller’s database also had default passwords and was vulnerable to SQL injection.

With all this access he was able to send commands like “unlock all”.

I enjoyed this talk and felt the demonstrations were very effective. Proxcard spoofing seems very James Bond and unlikely to be used in real life. The problem is, how many times has an attack been deemed unrealistic by management until management reads about it in the Wall Street Journal?

It is important then to add monitoring for brute force attacks where it does not exist: a burst of denied reads at one reader is the signature. Monitor for unusual access activity, and for impossible access activity (the same badge granted at two locations at the same time). While we can only pressure the vendor to remove default accounts and allow passwords to be changed, we should make sure these controllers are not reachable from the general network where possible.

 

SAIC Data Breach exposes 4.9 million

A SAIC employee was tasked with taking backup tapes from one facility to another. The employee left the tapes in his 2003 Honda Civic for 8 hours, and the tapes and the car radio were stolen. The tapes contained 4.9 million Tricare medical records (a good reason not to use the Social Security number as the ID number on medical records).

A SAIC spokesman said “[the tapes] were being relocated in hopes of finding a way to encrypt the data so the tapes could work with an operating system.”   

Source: http://www.mysanantonio.com/news/military/article/Tricare-patient-data-lost-in-car-burglary-2195822.php#ixzz1ZV1s4D1o

Grade Hacking

There is a grade changing scandal at Walt Whitman High School, locally in Montgomery County, Maryland. A teacher noticed that the grades in the system did not match what he or she had entered. The investigation has found 54 changes.
Montgomery County Schools CTO Sherwin Collette said they believe teachers’ passwords were obtained through hardware keystroke logging.
Hardware keystroke loggers are readily available online. Check out this video from irongeek if you aren’t familiar with them. Basically it’s just like it sounds: a small USB or PS/2 device, transparent to the computer, that sits between the keyboard and the computer’s port and records every keystroke, passwords included, for later retrieval.
Remember Microsoft’s Immutable Laws of Security, number 3: if a bad guy has unrestricted physical access to your computer, then it’s not your computer anymore.
The best solution to this sort of problem is multifactor authentication. The thinking is that if the password is stolen along with a one-time code, the pair can’t be used again once the code’s short validity window has passed. Of course some systems allow concurrent logons, which would let an attacker use the learned password immediately. (That wouldn’t work with a device that has to be physically retrieved, but keystroke loggers can also use wireless or Bluetooth to send the captured keystrokes immediately.)
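To show exactly what a one-time second factor does and does not buy against a keylogger, here is an added example (my own code, not from the post or the school district) implementing RFC 6238 TOTP over RFC 4226 HOTP, plus a server-side verifier that refuses to accept a code for a time step it has already used. The secret, the timestamps and the three timelines are constructed for the example.

```python
# Added example (not code from the post): RFC 6238 TOTP on top of RFC 4226 HOTP
# (HMAC-SHA1, 30-second steps, 6 digits), with a server-side verifier that
# refuses to accept a code for a step it has already consumed.  The secret,
# timestamps and scenarios below are constructed for the example.
import hashlib
import hmac
import struct

STEP = 30      # seconds per TOTP step
DIGITS = 6
SKEW = 1       # steps of clock drift tolerated on either side


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10**DIGITS).zfill(DIGITS)


def totp(secret: bytes, now: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, now // STEP)


class Verifier:
    """Server side: checks a submitted code against the clock and blocks replays."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_counter = -1   # highest step already used for a successful login

    def verify(self, code: str, now: int) -> bool:
        base = now // STEP
        for delta in range(-SKEW, SKEW + 1):
            counter = base + delta
            if counter <= self.last_counter:
                continue         # a code for this step was already accepted: replay
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter
                return True
        return False


def keylogger_scenarios(secret: bytes = b"12345678901234567890") -> dict:
    """What a keylogged password + code buys an attacker under each timing."""
    t0 = 1_300_000_000              # constructed moment the victim types the code
    captured = totp(secret, t0)     # the keylogger now holds password and code
    out = {}

    v = Verifier(secret)            # 1) victim logs in, attacker replays 10 minutes later
    out["victim_login"] = v.verify(captured, t0)
    out["late_replay"] = v.verify(captured, t0 + 600)

    v = Verifier(secret)            # 2) attacker relays within seconds, but after the victim
    v.verify(captured, t0)
    out["fast_replay_after_victim"] = v.verify(captured, t0 + 5)

    v = Verifier(secret)            # 3) wireless keylogger: attacker's relay beats the victim
    out["relay_before_victim"] = v.verify(captured, t0 + 5)
    out["victim_after_relay"] = v.verify(captured, t0 + 6)
    return out


if __name__ == "__main__":
    for scenario, accepted in keylogger_scenarios().items():
        print(f"{scenario}: {'accepted' if accepted else 'rejected'}")
```

Scenario 1 is the case the post has in mind: a code retrieved from the logger hours later is worthless. Scenario 2 shows why the server must remember the last accepted step (RFC 6238 recommends this): without it, a code relayed seconds later would still be inside the skew window. Scenario 3 is the wireless-keylogger caveat from the paragraph above: if the attacker submits first, the attacker gets in and the victim’s own logon fails, so a TOTP deployment still needs the anomaly detection discussed next, and a failed victim logon right after a successful one is itself a signal worth surfacing.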
People who don’t use multifactor authentication always think it costs too much. I wonder how much Montgomery County has spent on this incident. The cost of securing the data should have been part of the original decision to put the grade system online.
Even without strong authentication, other things could be done to protect against this sort of attack. It’s not clear if the attackers used the teacher’s computer. If they didn’t, that might get flagged by anomaly detection: noting that the account was normally used during the day from location A but was suddenly also used from location B at another time.
Displaying the last logon time and location to the user might have helped. If someone was unusually observant they might notice they hadn’t used the account then.
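The detections recommended here and in the proxcard post above (alert on a brute force burst at a reader, on the same badge granted at two sites at once, and on an account used from a new place or at an unusual hour) are all simple rules over an access log. The added example below (my own code, not from either post) runs all three over a constructed log that mixes badge reads and teacher logons into one event format. The log format, names, dates and thresholds are assumptions made for the example; a real deployment would tune them per site.

```python
# Added example (not code from either post): three detections over a constructed
# access log, covering the proxcard post's advice to alert on brute force and on
# impossible access, and this post's point about an account used from another
# location at another time.  The log format, names, timestamps and thresholds
# are all assumptions made for the example.
from collections import defaultdict, deque
from datetime import datetime, timedelta

BRUTE_FORCE_DENIALS = 5                    # denials at one access point ...
BRUTE_FORCE_WINDOW = timedelta(minutes=2)  # ... inside this window
MIN_TRAVEL = timedelta(minutes=10)         # grants at two sites closer than this are "impossible"
BASELINE_CUTOFF = datetime(2012, 1, 23)    # events before this date train the per-account baseline

LOG = """\
2012-01-16T08:55:12 principal=badge:2141 site=HQ point=LOBBY-1 result=GRANTED
2012-01-16T07:45:00 principal=user:teacher.smith site=SCHOOL point=RM204 result=GRANTED
2012-01-18T17:31:05 principal=badge:2141 site=HQ point=LOBBY-1 result=GRANTED
2012-01-19T15:10:00 principal=user:teacher.smith site=SCHOOL point=RM204 result=GRANTED
2012-01-26T08:10:00 principal=user:teacher.smith site=SCHOOL point=RM204 result=GRANTED
2012-01-27T09:00:00 principal=badge:2141 site=HQ point=LOBBY-1 result=GRANTED
2012-01-27T09:04:00 principal=badge:2141 site=DC point=LOBBY-1 result=GRANTED
2012-01-27T12:00:01 principal=badge:3001 site=HQ point=LOBBY-2 result=DENIED
2012-01-27T12:00:15 principal=badge:3002 site=HQ point=LOBBY-2 result=DENIED
2012-01-27T12:00:29 principal=badge:3003 site=HQ point=LOBBY-2 result=DENIED
2012-01-27T12:00:43 principal=badge:3004 site=HQ point=LOBBY-2 result=DENIED
2012-01-27T12:00:57 principal=badge:3005 site=HQ point=LOBBY-2 result=DENIED
2012-01-27T12:01:20 principal=badge:3007 site=HQ point=LOBBY-2 result=GRANTED
2012-01-28T23:40:00 principal=user:teacher.smith site=SCHOOL point=LIBRARY-PC3 result=GRANTED
"""


def parse(log: str) -> list:
    """Turn 'timestamp key=value ...' lines into dicts, sorted by time."""
    events = []
    for line in log.strip().splitlines():
        ts, *fields = line.split()
        ev = dict(f.split("=", 1) for f in fields)
        ev["time"] = datetime.fromisoformat(ts)
        events.append(ev)
    return sorted(events, key=lambda e: e["time"])


def brute_force_alerts(events: list) -> list:
    """Sliding window of denials per (site, point), whatever badge number was tried."""
    recent, alerts = defaultdict(deque), []
    for ev in events:
        if ev["result"] != "DENIED":
            continue
        q = recent[(ev["site"], ev["point"])]
        q.append(ev["time"])
        while ev["time"] - q[0] > BRUTE_FORCE_WINDOW:
            q.popleft()
        if len(q) >= BRUTE_FORCE_DENIALS:
            alerts.append(f"{ev['time']} brute force: {len(q)} denials at "
                          f"{ev['site']}/{ev['point']} within {BRUTE_FORCE_WINDOW}")
            q.clear()           # one alert per burst
    return alerts


def impossible_travel_alerts(events: list) -> list:
    """The same principal granted at two different sites too close together in time."""
    last, alerts = {}, []
    for ev in events:
        if ev["result"] != "GRANTED":
            continue
        prev = last.get(ev["principal"])
        if prev and prev["site"] != ev["site"] and ev["time"] - prev["time"] < MIN_TRAVEL:
            alerts.append(f"{ev['time']} impossible access: {ev['principal']} at "
                          f"{prev['site']} then {ev['site']} {ev['time'] - prev['time']} later")
        last[ev["principal"]] = ev
    return alerts


def baseline_alerts(events: list) -> list:
    """Grants at a site, or at an hour, the account never used during the baseline period."""
    profile = defaultdict(lambda: {"sites": set(), "hours": set()})
    for ev in events:
        if ev["result"] == "GRANTED" and ev["time"] < BASELINE_CUTOFF:
            profile[ev["principal"]]["sites"].add(ev["site"])
            profile[ev["principal"]]["hours"].add(ev["time"].hour)
    alerts = []
    for ev in events:
        if ev["result"] != "GRANTED" or ev["time"] < BASELINE_CUTOFF:
            continue
        p = profile.get(ev["principal"])
        if p is None:
            continue        # no history to compare against (a newly issued badge)
        if ev["site"] not in p["sites"]:
            alerts.append(f"{ev['time']} new site: {ev['principal']} at {ev['site']}, "
                          f"baseline {sorted(p['sites'])}")
        elif not min(p["hours"]) <= ev["time"].hour <= max(p["hours"]):
            alerts.append(f"{ev['time']} off hours: {ev['principal']} at {ev['time'].hour:02d}h, "
                          f"baseline {min(p['hours']):02d}-{max(p['hours']):02d}h")
    return alerts


def run_all(log: str = LOG) -> list:
    events = parse(log)
    return brute_force_alerts(events) + impossible_travel_alerts(events) + baseline_alerts(events)


if __name__ == "__main__":
    for alert in run_all():
        print(alert)
```

Against the constructed log this raises four alerts: the burst of denials at HQ/LOBBY-2 (the brute force from the proxcard post, counted per reader rather than per badge because every attempt claims a different number), badge 2141 granted at HQ and then at DC four minutes apart, the same badge at a site it has never used, and the teacher account used at 23:40 when its history is 07:00 to 15:00. The baseline rule deliberately skips principals with no history, which is also the gap to watch: a brand-new badge or account arrives with no baseline at all.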
The Post reports that Montgomery County Schools will now have a 120-day password expiration policy. That indicates they didn’t expire passwords at all before. Even so, a stolen password stays usable for up to four months, most of a semester. Still a long time.
Some people are taking a “boys will be boys” attitude about this. They don’t understand why the police are investigating this as a criminal matter. If they’d stolen a Facebook password and vandalized the teacher’s Facebook page, I might be laughing. With grades they had to know they were doing wrong. And worse yet, these false grades were likely used to fraudulently gain admission to college, potentially depriving a more deserving person.
Right now all we can do is speculate based on media reports. And worry about whether the businesses we deal with are ready for 21st century attacks.

The Doors

At work the doors at the elevator lobby on each floor (other than the first and the cellar) started being propped open. I never saw any official notice that this was an authorized action rather than a rogue one. Scuttlebutt around the office was that someone had put in a suggestion to have the doors propped open. The doors were propped each morning and then unpropped at night (our floor doors are only alarmed at night).
The suggestion box. A method whereby a person can take a few minutes to write an anonymous bag of excrement, light it on fire, ring the doorbell and run away without consequence. Better yet, the suggestion box goes to the CEO, so the victims of the suggestion have to spend hours coming up with a reason why the suggestion sucks, and they risk appearing resistant to change.
No one could quite agree on the reason for the doors being propped open. I believe the real suggestion was “the doors are heavy and when I’m carrying a laptop it’s difficult to open the door.” The other theories were funny, but for whatever reason I found myself very annoyed that the elevator bell could now be heard clearly from my office. The loud cell phone talkers who once gathered in the elevator lobby now disturbed my work as well.
I had my own list of reasons the elevator door should not be propped open. I never bothered to put in my own suggestion that the elevator lobby doors shouldn’t be propped. Instead I just waited for the next inspection by the fire marshal and let him do the dirty work. The doors are no longer propped.

NRL Employee Pleads Guilty to Computer Theft

Source: Washington Post

A former computer systems administrator for the Naval Research Laboratory pleaded guilty today to a federal charge stemming from the theft of nearly 19,000 pieces of computer and office equipment.

Items were stolen from 1997 until August 2007: 100 personal computers, 167 keyboards, 275 mice, 80 monitors, 187 toner cartridges and nearly 5,000 pieces of computer software. The total value of the stolen goods is estimated at $120,000.
Most of the equipment has been recovered by NCIS. The system administrator is likely to get 12-18 months in prison under sentencing guidelines.
How much would it suck to go to jail for a 486 you stole in 1997?
It seems to me that there is a big physical security problem when you can walk out with that many computers.

Remember 9/11/01

Remember Rick Rescorla

Protect your Tech

Smash-and-grab thefts from parked cars have been in the news recently. People buy GPS units, iPods and satellite radio receivers and leave them in their cars, which gives thieves easy access to resellable items.
This week, we received notice that one of the other parking garages in our office park had been hit.
AAA World magazine has a good article on that issue this month. (page 33)
Obviously, you bought these gadgets to use them. You need to take them with you or keep them out of plain sight. The problem with hiding a device is that the suction cup mount on the windshield still advertises goodies inside the car. Do you really have time to take that down too? And what about the obvious ring of residue the suction cup leaves? That advertises as well. That seems like too much to deal with to me. At a minimum, hide the valuables.
With GPS devices, use the PIN lock if one is included. This protects your saved addresses. The thief may not be interested in all the CiCi’s Pizza locations in the U.S., but he might want to see what toys you have at home, since he knows you’ll be at work.
Record the serial number, original cost, and save the receipt. This could aid in recovery or with insurance.
These kinds of thefts are on the rise in commuter parking lots, malls, and other garages. Take heed and avoid being a victim.

Tiger Team on CourtTV

I just saw that CourtTV (CourtTV became TruTV as of 1/1/2008) had a pen testing show called Tiger Team that aired a couple of times last week. GrumpySecurityGuy calls it “It Takes a Thief” with a security twist.
Don’t go in expecting this show to be about a Red Team in a dark room somewhere running zero day attacks while the Symantec Security NOC is soiling themselves because green lights turn to red on a big board on the wall. It doesn’t look like we’re going to see Chloe say “it’s OK, we’ve got the Cisco Self-Defending Network”. The episodes I’ve seen have had the team attempt to penetrate small, very secure businesses. You don’t need to bust through a firewall or wait for a phishing reply when you can just hand someone a USB key and ask them to print a document from it.
The team has a social engineer, a computer security guy and a physical security guy (if I remember the introductions correctly). In the first caper they take down security at a high-end car dealership. In the second episode they go after an elite, exclusive jewelry design shop. Both episodes were a heck of a lot of fun.
Hopefully we’ll be seeing more of these episodes. I don’t see any upcoming episodes in the program guide data. I also couldn’t find the episodes on the CourtTV website. I had to bittorrent them (kids don’t try that at work).

Social Engineering

I was home last week when a couple of guys knocked on my door. I hate it when people ignore the no solicitation sign that is at the entrance to our community.
They were wearing Honeywell shirts and said they were in the neighborhood offering to upgrade five people to the latest greatest alarm system for free.
I talked with them a bit about what the alarm system could do, and they did talk a good game. But the situation seemed kind of hinky to me. Isn’t that just what a bad guy would do to try and find out what security protections I have?