Cyber War? Anonymous, Patriots and what it means for us

I was asked the other day for my opinion on the latest round of cyber attacks from Anonymous and their apparent new rivals, The Patriots, and what I think is happening with all of the DDoS attacks against Mastercard and PayPal, which have been caught in the cross-hairs.

(Not sure if this is what they wanted… but it is the most accurate portrayal of what I think is happening.)

To put it simply, Operation Payback is just a form of protest thrown into the digital world. Anonymous is basically a collection of bored internet users, passing time and often feeling implicated in the politics going on around them. How does an individual protest, or make a change, when you are… just a bored internet user?

When they started the DDoS campaigns against companies protecting copyright, it was because it was something that impacted them. Each individual that ‘signed up’ to this payback campaign was personally affected. It was basically ‘the man’ taking away their freedoms: the freedoms of being a bored internet user (censorship and piracy are the big players here).

People often go on 4chan and ask ‘Anonymous’ to attack someone or something. But this doesn’t work unless it is something that affects the majority of people. That is what has formed the ‘hive mind’ in which Anonymous operates.

Enter Julian Assange, the founder of Wikileaks. He has come along as the poster boy for sticking it to the American government and has been glorified as the Che of the cyber world. He is the Malcolm X of the digital age to the players who operate within it. This is exactly the sort of figure the masses of Anonymous see in themselves in trying to fight for their internet freedoms. Just as throughout history, you have minorities of like-minded people feeling their rights and freedoms are being taken away, so they bind together and protest. It happened in the 60s and 70s with so-called ‘Hippies’ protesting the Vietnam War. It happened in the 90s when ‘depressed teenagers’ would lock themselves in their rooms, smoking drugs while they listened to Nine Inch Nails, thinking the world was against them and that they couldn’t make a difference. It is this minority of young minds that feel the world is against them that forms this ‘hive mind’, or a movement.

In current times of political turmoil, wars, economic collapses and authoritarian figures telling the youth of the world what they can and can’t do, this mind-set is born. ‘Hacker’ is the label now seemingly applied to the ‘bored internet user’ of today, and ‘Anonymous’ is the flag they protest under (or fight for). It is parallel to like-minded groups throughout history. How do you protest when you are a ‘bored internet user’? The answer is what we are witnessing right now: groups of civilians launching cyber attacks on one another. It is the idea they are fighting for.

How could all of these cyber attacks be coordinated by a depressed group of ‘bored internet users’? Well, it isn’t. You have different layers, a sort of hierarchy, in this ‘hive mind’. You have very smart, sophisticated and technological people with the same ideals within this group. These are the people that coordinate, and tell the masses what they should do if they believe in whatever it is they are fighting for.

The tools used in the latest DDoS attacks against Wikileaks’ rivals were developed by those higher up in the hive mind and given to followers who support the same goal.

LOIC (Low Orbit Ion Cannon) is a user-friendly, easy to use piece of software developed to send large amounts of internet traffic to a designated host. So basically, if you get enough people on board with your ideals, you tell them to enter an address (or website) into LOIC at a certain time and (with enough followers) random bits of data on a mammoth scale will be directed towards an online service or site, rendering it inoperable. What happens next? Front page news. Is that not a successful protest?
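The defender’s view of the LOIC passage above, as an added example (this is code written for this edit, not anything from the original post or from the LOIC project): every LOIC participant sends from their own connection, so an HTTP-mode flood shows up in a web server’s access log as a handful of addresses with an absurd per-source request rate, which is exactly why per-source rate limiting works against a crowd-sourced flood and why individual participants are so easy to identify. The script parses constructed combined-format log lines (the addresses are RFC 5737 documentation ranges and the timestamps are made up) and reports every source that exceeds a threshold inside a sliding window. The window of 10 seconds and the threshold of 50 requests are assumed values to tune for the site in question.

```python
"""Flag HTTP-flood sources in an access log (added example, not from the post)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" format, e.g.
# 198.51.100.10 - - [08/Dec/2010:19:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line into (ip, timestamp, request), or None if malformed."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT), m.group("req")


def flood_sources(lines, window=10, threshold=50):
    """Return {ip: peak request count} for every source that sent at least
    `threshold` requests inside any `window`-second span.

    One deque of timestamps per source gives a sliding window in a single pass
    over the time-sorted events; malformed lines are skipped.
    """
    events = [e for e in map(parse_line, lines) if e is not None]
    events.sort(key=lambda e: e[1])
    recent = defaultdict(deque)   # ip -> timestamps inside the current window
    peak = defaultdict(int)       # ip -> largest window count seen
    for ip, ts, _ in events:
        q = recent[ip]
        q.append(ts)
        cutoff = ts - timedelta(seconds=window)
        while q[0] < cutoff:
            q.popleft()
        if len(q) > peak[ip]:
            peak[ip] = len(q)
    return {ip: n for ip, n in peak.items() if n >= threshold}


def build_sample_log():
    """Constructed sample (assumed data): three flood participants each sending
    80 requests for / inside ten seconds, plus one ordinary visitor browsing
    six pages over a minute. All addresses are RFC 5737 documentation ranges."""
    t0 = datetime(2010, 12, 8, 19, 0, 0, tzinfo=timezone.utc)
    lines = []

    def add(ip, t, path="/"):
        lines.append(
            f'{ip} - - [{t.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 512 "-" "Mozilla/5.0"'
        )

    for i in range(6):
        add("203.0.113.5", t0 + timedelta(seconds=10 * i), f"/page{i}")
    for ip in ("198.51.100.10", "198.51.100.11", "198.51.100.12"):
        for i in range(80):
            add(ip, t0 + timedelta(milliseconds=125 * i))
    return lines


if __name__ == "__main__":
    for ip, n in sorted(flood_sources(build_sample_log()).items()):
        print(f"{ip}: {n} requests in 10 s -> rate-limit or block")
```

Against the constructed log this reports the three participant addresses at 80 requests each and stays silent about the ordinary visitor. On a real log the interesting output is the count of distinct flagged sources: a few dozen addresses each over threshold is the signature of a crowd-sourced tool like LOIC rather than a botnet, and each of those addresses belongs to a participant who, as the post points out, can be traced.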

So what happens when the pin-up boy for the anti-establishment gets arrested, gets his web presence removed, and gets his funding abilities stripped away? The mass of ‘bored internet users’ relate to what they see as unfair treatment and, with the direction of a few within the ‘hive mind’, point their Low Orbit Ion Cannons towards Wikileaks’ rivals, bringing forth a new era in Information Warfare. I saw somebody on twitter post the other day that this point in history will be known as ‘World Infowar 1’. And it is true.

Enter ‘The Patriots’. I don’t believe The Patriots are of the same ‘hive mind’ mentality. The controversy surrounding Wikileaks brought to the forefront a lot of different opinions, some for and some against. But something this controversial, something that inflames so much emotion within different groups, can’t go unnoticed.

There has been debate over whether The Patriots are state-sponsored actors trying to shut down Wikileaks and anyone defending them. This is similar to the hacker named ‘The Jester’, who claimed to knock the Wikileaks website offline with a ‘slow HTTP request’ attack (not a DDoS). This single hacker was not state sponsored, but he believes that he is fighting for something. He believed that Wikileaks would endanger lives, so what did he do? He protested by the only means he thought he could make a difference with, and that is through cyber warfare. This is exactly what the hive mind of Anonymous is doing.

People like The Jester, people like Adrian Lamo (the hacker who disagreed with Bradley Manning releasing confidential information and turned him in to the FBI) and any other person out there who believes that Wikileaks is destroying the ideals they believe in will stand up to protest. But why are The Patriots so unknown, where is the publicity? It is because The Patriots aren’t thousands (if not millions) of ‘bored internet users’ like Anonymous. The Patriots would be small groups of sophisticated people protesting back in their own right. (Here is the Jester’s public twitter page; he claims responsibility for taking down Wikileaks, and more recently for attacks against Anonymous: http://twitter.com/th3j35t3r)

Anonymous relies (in more cases than not) on average people who do not understand the consequences of their actions. Two Dutch teenagers were recently arrested for taking part in Operation Payback by using LOIC to take down PayPal’s blog and Mastercard’s website. It’s the thousands of bored internet users who take part who can be caught, arrested and charged with cyber-related criminal offences. It’s the higher-ups in the hive that get away unnoticed. These are the people that direct other (and less sophisticated) users to use LOIC. The Patriots, on the other hand, I see as a group of hackers (if you could call them that) who are retaliating for what they believe in. Botnets are easy to acquire or hire if you have the know-how. And botnets aren’t even required with the recent spate of ‘slow HTTP’ request attacks which have become popular. Could this possibly be how The Patriots work? Probably. You don’t need an army of ‘bored internet users’ to blindly click a button without knowing the implications. The Patriots are smaller in numbers, but on the plains of cyber warfare this point is irrelevant.

To summarise, the battle raging between Anonymous, The Patriots, Wikileaks and the US government is just a point in history. A point where jaded individuals banded together with the same ideals, and decided to protest in the only (and most effective) ways they know how. And we (you and me) are the unsuspecting, politically neutral civilians caught up in the middle of this new era of cyber warfare. Like civilians in the midst of any conflict, we all get affected one way or another.

—- ADDITION —-

Since I wrote this post, there has been a flurry of posts from security experts arguing that this whole fiasco isn’t a cyber war…

One thing I’d like to point out. These experts say this isn’t a cyber war, as the number of individuals and the sophistication of the attacks are minor. My point would be that you don’t need sophistication for it to be a war. One or more groups of individuals fighting against another group of individuals who are equally fighting for something would be classed as war. Look at gang wars, turf wars and tribal wars. They don’t need sophistication, or governments involved. So how is this not ‘cyber war’? We have seen players from all around the world joining in these recent attacks.

It is true that we haven’t seen anything yet in terms of large scale cyber war, where countries and institutions are knocked offline and millions of people are affected (which is what an article in SC Magazine is referring to). But this could be the start of a worrying trend. What’s happening right now with Anonymous, Wikileaks and the retaliatory DDoS is definitely a cyber war. Being what it is, a civilian war, we definitely don’t want to see state-sponsored groups getting involved. Just have a look at the South Ossetia War in 2008, where DDoS attacks attributed to Russian actors knocked Georgian government and media sites offline as Russian forces moved in. Look at something like Stuxnet, widely described as the first weaponised computer worm, which disrupted centrifuges at Iran’s uranium enrichment facility at Natanz. Look at April 2010, when a BGP routing incident originating at China Telecom pulled routes for roughly 15% of the Internet’s prefixes through Chinese networks for about 18 minutes (the 15% figure refers to announced routes, not traffic volume, and whether anything was actually intercepted was never established).

Right now, these battles are being fought with sticks and stones (in Internet speak). But many battles have been fought with sticks and stones. It is just evolution. The more we rely on technology, the more weaponised it will become.

FIN

Roughly a month after I wrote this, I stumbled upon a similar article, authored by an individual of the same mindset as the people I speak of. So, for some additional insight, the article can be found here: http://theworldexposed.wordpress.com/2011/01/02/warriors-in-battle/


Stuff I did or believed as a kid (geek version)

  1. I remember in high school, a friend said he could hack into government servers by using this ‘leet’ tool called Neotrace. (Which is a GUI traceroute). I asked where he got this tool from. He said it is illegal and his brother gave him a copy. I didn’t know anything about computers at that stage, so I believed him. Then a year later I got into security a little, and googled ‘NeoTrace’. Man I felt like an idiot! What is more worrying is that he actually believed he was hacking into stuff as the ping hopped around the screen to different routers.
  2. I remember in school, a Swedish exchange student said he created a hardcore virus which he had on a floppy disk. It was actually a .bat file of deltree /y C:\*.* . I was only 13 or so at the time, so thought it was pretty hardcore… That kid was walking around the school like a pimp. He even started wearing a leather jacket and cologne. He also had a little underling who used to follow him around and managed his social affairs. “If you want to speak to Mattias about his virus, you have to take a number.”
  3. When I was a kid, a friend just got a 56k modem with his new computer. (Windows 95, baby). He said that he was a hacker ‘because he had a modem’, and he didn’t want to show me how it worked out of fear his dad would get mad. One day we were sitting at the computer playing Carmageddon, and I was like “hey so show me how to hack!”. As his dad was at work, he mischievously closed the game, and went to ‘dial-up connections’ and hit ‘connect’. The angelic sound of the modem started to ring, hiss and buzz. He started to scream and hit ‘disconnect’ before it was finished. “That’s as much as I can show you… it’s pretty hardcore.” I thought we had just done something criminal, and was expecting the feds to kick in the door at any second.
  4. Which reminds me of when I was 16, my idiotic older brother came into my room, and said ‘wow, that’s a nice looking modem!’.. as he pointed to my Logitech speaker’s subwoofer.
  5. When I got my first computer as a teen, it ran Windows ME. I told everyone at school that Windows ME was far superior to anything they had. Until I came across an article on how Linux is the best OS for ‘hackers’. So I went to the newsagent and bought a Linux magazine which came with Red Hat 7 and Mandrake. It came with instructions on how to install it. So, naively following the instructions, I ended up installing over the top of my Windows partition and lost all my files. What was worse is, I didn’t know how to get the GUI up… it took me about 4 days of following this magazine on ‘how to use Linux’ until it got to a chapter called ‘Start X’. Man, that was a tough 4 days (and this was before the days I had the interwebs). My mum would walk past me sitting at my new computer, and all I seemed to be doing was typing commands hopelessly into a bash shell with tears rolling down my face.
  6. One of my finer moments was when my friend at school told me he had this ‘thing’ called a ‘CD Burner’. He explained to me he could make copies of Music CDs and his burner had a feature called ‘Overburn!’. I went all the way to his house to check it out, because I didn’t believe him. I hadn’t been so impressed in a long time. The speedy 2x burner churned through disks at the blinding speed of 1 every 4 hours. This was the point in my life when I realised humanity had evolved from apes, to highly technological creatures.
  7. When I was a teenager, I thought it would be cool to be a Database Administrator as a profession.
  8. When I was in school, I thought I was bordering on being Zero-Cool (Dade Murphy) because I figured out how to use ‘net send’ to send messages to other computers in the PC Lab, and edit the registry to make a pop-up message appear on next login. Now that the Swedish virus pimp had left, I was the new king in school.
  9. I remember in high school, one of the geeky girls was trying to impress us. She came in to school with a floppy disk. “On it…” she said “is the full versions of Age of Empires, Starcraft and Diablo”. One of my friends claimed it was impossible to fit all of that onto a floppy. She insisted she ‘had her ways’. Upon taking the floppy home and opening it, there was 3 shortcuts to all of the games she mentioned, with blank icons… with plenty of Kb to spare.
  10. When I was a teen, I thought that the IT teachers were smart. Until I cracked their passwords using Cain and discovered that the 3 admins’ passwords were ‘computer’, ‘password’ and ‘internet5’ – more troubling was that they never changed for the duration of my education.

Physical Security: How somebody could break in to your company

In this day and age, I think most people are more concerned with their cyber security than with physical security. I’m not talking about the government or financial sectors, but the average day-to-day corporation (which is most of them out there).

They have alarm codes at the entrance. RFID swipe cards for building access. Security cameras and motion detectors. Cleaners make sure they lock doors and windows at night and the office manager is sure to be diligent in cancelling all access on the cards of employees who have left. This seems pretty standard, and seems perfectly secure.

The common attitude is, “If somebody wants to break in, they can”. But that is just assuming your security is ‘good enough’ to stop or deter the average criminal, as opposed to the professional one.

This post is by no means comprehensive. It’s just observations of my own and some knowledge I’ve gained over the years. My recent CISSP study got me thinking about ‘Physical Security’ a bit more. I’ve always been security minded, as most of you readers probably are. But I felt there was no real resource explaining to regular people some abhorrent weaknesses in common physical security which are actually relevant. Nothing new in here, just some thoughts that people might want to think about when implementing proper security controls in real world scenarios.

I just threw together a quick list off the top of my head of what I thought would be most relevant. I thought I’d also include a couple of real examples of what I’ve done on site, albeit pretty mediocre! I will keep building on this list when I get time. Keep in mind, these are all simple, common methods. They might seem boring, but the fact that these attacks still work shows that people aren’t listening.

Locks:

You get what you pay for when you install locks. I’m not skilled enough myself, but we all know people can pick locks. It’s not as easy as some let on (yes, I have dabbled in the past), although someone doesn’t need to be a master locksmith to pick a lock. A lock can also be broken into with a bump key, by hammering a screwdriver into the lock, by drilling it, or, if you are a fan of DIY projects, the old thermal lance from the Anarchist’s Cookbook would see you through it in no time at all.

As I said, it is important not to cut corners on your budget for secure locks. Shop around.

Doors:

Apart from many locks being pickable, the biggest issue with doors is that they can be jimmied open with strong metal objects. I once was speaking to a local police officer, and he said “Most break and enters are pretty simple, but are so effective and quick that you can’t do much about it”. And he was referring to crowbars. A suitably sized crowbar for a particular door or window could easily get it opened with the right leverage. And depending on the type of entry point, it can be done without leaving a trace.

It’s a simple concept, but it is the easiest for an intruder to use, and I think it gets overlooked. The obvious solution? Pay the extra money and buy doors and windows with security in mind. Make sure they are strong and have steel frames, and make sure they have solid deadbolts and ‘anti-shim’ locks. Make sure the hinges can’t be accessed from outside and the frame can’t be taken off.

Windows:

[WARNING: I am about to ramble off into a story here]

I was tasked with testing the physical security of a block of offices years ago for a friend’s business (Don’t get any ideas, I don’t work for free…). Most access for the offices could be achieved from the ground floor. It was a two storey block backing onto a carpark and other businesses.

Every window in the building (ground floor and up) was a sliding window. They were metal on the outside frames, and the actual locking mechanism was a metal ‘latch’: when the two windows are closed, the latch is moved over to hook onto the other. So separating them is impossible without being able to do it from the inside.

Enter my $30 crowbar from Mitre10. It was roughly 75cm long. Reasonably thick and sturdy, but easily concealed inside a duffel bag or inside a jacket (you might have had to attend the Cronulla riots after the job, I don’t know). All that you had to do was place the flat end of the bar into the crack of the window (the left hand seal, where you would place your hand and pull right to open), then wiggle and force it in for a few seconds. Once you had the bar in as far as it would go, you’d slowly pull back on it, and then forward. You would have to do this pretty hard, but if you didn’t want to leave a trace, it had to be slow. As you pulled back more, the latch on the lock would actually start to bend. Once you hit a certain point, the force you were putting onto it combined with the bend in the latch would make it slip off the lock and the window would fly open. As the latch was metal, it would bend back into place after this, as you were only applying pressure for a moment.

Solution? Steel window frames with real locking mechanisms. Pay the extra money. There are tonnes of providers out there now that do really good security windows and doors for reasonable prices. Use some common sense really… if the lock on the window looks a little small or fragile, then it probably is.

Crowbars are also efficient at opening doors. Same principle. Pop the flat end into the crack of the door (around about where the lock is), and bend it back. Depending on the access you can get, the type of door and the leverage, it might be able to be popped open. Wooden doors are the worst for this. Make sure your doors are heavy and strong with no way for any foreign object to be wedged between the door and the frame.

Motion detectors:

Motion detectors are great… provided you place them in the right spot and know how to use them. Going from the story above about gaining entry through the window of the ground floor office: as soon as I was inside the office, straight away I saw a motion detector up on the corner wall flashing with all 3 lights… the RED one was not what you wanted to see. This triggered a silent alarm that went back to the security company. (I know this because I tested it out weeks earlier… more than once. It always took 10 minutes exactly for a guard to arrive and check the premises, and 10 minutes exactly for them to look around and leave again).

So I was standing inside this office in the middle of the night, with the motion detector flashing all types of bright LEDs. I have roughly 10 minutes to do what I need to do, right? Wrong. In my bag I had a roll of white masking tape. The sort of stuff you pack boxes with, with the consistency of paper. I grabbed a chair, placed it under the alarm, stood up with my roll of tape and ripped off a square that fit perfectly over the sensor. I put a couple of layers on, replaced the chair, jumped back outside, closed the window and ran off to safety.

Looking at my watch, sure enough, 10 minutes and the security car drives into the premises. From the safety of the trees across the road, I watch him walk around with a flash light. I see him go into the main office briefly, this would be to reset the alarm. I see him go to the area I was at. And I see him leave again.

So after a while, I go back to my window. Now I don’t have 10 minutes to get what I was after… I have all night. The sensor does not pick me up when I get back inside. The intruder could take this tape off when they leave, bringing the guard back for a second time for no reason, or it could stay there until somebody finds it. More than likely it will be taken down and a guard will come back (unless they were stealing loads of equipment and needed more getaway time).

And this is a true story. But it isn’t a great example of motion sensor security and I know it has been used before. Guards should pick up on this. “Should” being the key word.

There is also the threat of somebody having access to your premises through the day… be it an employee or somebody pretending to be an electrician (more on that later). In old motion sensors, all you have to do is pop the cover off the detector, and you see a red and black wire. If you strip these and cross them together, it will no longer send an alarm back to base because you are looping the circuit, but base will not know it has been ‘deactivated’. It keeps the sensor alive, but breaks the ‘phone home’ function. I’m sure this is harder in more modern systems (panels that supervise the loop with an end-of-line resistor register a straight short as a tamper or fault rather than a normal reading), but it takes decades for some places to change up physical security, and this was around back in the day, so it still is a real threat.

Another problem with motion detectors (which I could defeat in this instance) is placement. Once inside the initial office, there was a corridor that went to other areas, more offices and finally upstairs. The office I entered was half way down the hallway, probably 25 metres to the other end where the next motion detector was. Can motion detectors reach that far? These ones didn’t. The company assumed the sensor would pick up the entire length of the hall way. Which is untrue. You need to test out the strength and placement of these.

You normally don’t install security systems into your office yourself (that’s what you pay the security guys to do), but you do have to test it yourself. An easy way to test it is – through the day, walk up to a sensor and you will see the lights go off… it is picking up rapid changes in heat patterns in the environment (your body heat). Walk away… walk to the side… step back… see when the sensor stops picking up your heat. This is what criminals do. They may enter a premises under the guise of doing regular business, and test the motion detector on the way out.

There are other ways to beat motion sensors. Like the old soapy water on the lens trick (spray bottle or super soaker style), but this would be a similar and more awkward approach than the tape application, and more than likely the alarm will go off in the process. Moving super slow so that the sensor doesn’t see a rapid change in heat within its viewing area is a popular one. Not the most efficient one, but we’ve all heard stories. Crawling along the ground under its field of view is also a popular one, and this actually works more than people would like to think.

Solution? You need to make sure that your sensors actually cover the areas you want, and not just appear like they do. It sounds stupid I know, but have a look around your own place and see where the sensors are and how they work, and you might notice the potential that somebody could easily bypass them.

You could also invest your money in more secure types of ‘motion sensing’ systems. There is a wide range of technologies out there. Vibration sensors, magnetic pads, even James Bond-esque laser beams. You have to weigh the cost against the value of the assets you are protecting. The standard motion detectors are fine PROVIDED you use them properly.

Keys

One thing that people get relaxed about is spare keys in the office. Or ANY key for that matter. On this particular job, I found a jar full of keys in one of the offices. It was in the top drawer of a desk, but it wasn’t locked. Even if it had been locked, these locks are so easy to open that a 6 year old with safety scissors could do it. In any case, I ended up testing the keys I found on various locks in the end of the building I was in, which led me to the discovery that one of them was the master key. No need for my crowbar anymore. Master keys have codes on them so they can’t be replicated down at the corner locksmith’s. But when dealing with criminals, it wouldn’t be too hard to have a contact that would do this on their behalf… or even have a machine themselves. And what about the key to one of the back offices? Surely no one would see that missing; I didn’t see a ‘do not copy’ imprint on this particular key. People would ask where the master key was, but the spare key to the back door? Maybe. Maybe not… As you can see, any entry way is an entry way. (Similar to ‘any hole is a goal’…)

Make sure to be diligent when controlling keys. If you lock a high value key in a drawer with a cheap lock, then you are defeating the purpose.

Security Guards

Security guards are great. Provided they do their job properly! Continuing on from the story above, I knew the routine of the guards. Apart from me knowing how long it took them to respond to my alarms, they did not come around regularly. They only came out when the alarm went off. It makes it very hard for bad guys to break in if you have security guards that show up at random intervals.

Criminals could visit your site every few nights of the week and set off the alarms on purpose. Then after 2 weeks of fake alarms, when the real alarm goes off, they may be less likely to respond. I know they have fallen for this before and it shouldn’t impact their routines, but security guards are humans after all. And humans are the biggest weakness in any security function.

Please make sure you get a reputable security company to not only install your security, but do the proper checks. Ask them what service you get. If you don’t agree with their service, go elsewhere. There are plenty of good security companies out there, it doesn’t mean you have to use the cheapest…

Surveillance cameras

Well, won’t people that go around breaking into your offices be caught on the old CCTV? If you have it, then ‘probably’. But in the majority of places I’ve been, cameras are placed in ineffective locations. Sure, they give a view of a ‘high risk area’ like the main entrance, but what is behind that camera? So many times you will find somebody could sneak around behind or underneath it and cover it with something, or stick something over it (masking tape??), before they ever have to walk in front of it. And unless this is a high risk facility with in-house guards watching the cameras in real time, nobody will respond.

Cameras are known as security deterrents (they often deter criminals from committing an offence through fear of being recorded). But a camera is only a deterrent if the criminal can actually be identified. If nobody is watching the tapes, it doesn’t deter anyone from breaking in. Robbing a supermarket, maybe. But if nobody is watching, a camera can easily be covered, or a disguise can be worn. The tapes don’t usually even get viewed unless the next day they find the office has been robbed, or they come in early Monday morning and find their server room without any servers… That’s when the tapes get checked. (Remember, I am talking about normal businesses here, not high risk facilities.)

And that brings me to the next thought. IP cameras. They are pretty awesome. If they are used right, that is. This borders on the realm of cyber security but is still relevant. I recall being at a client’s office auditing their systems, and finding that their IP camera system’s server only held recordings for 7 days. 7 days isn’t much at all. You might think ‘if somebody committed a crime, 7 days of recordings is enough’. But no way. If the intruder knew how long you stored your footage for, they could do something in the form of a social engineering attack. Make some bogus phone calls to the office, say something about building management, or that they have been sent to check the fire extinguishers comply with safety regulations. Come into the office one day, pretend to be doing whatever it is they claimed to be doing, disable sensors, leave a window at the back of the office unlocked, plant hardware keyloggers, steal a sensitive laptop – all sorts of stuff. They could even plug in a rogue access point under a desk if they were that way inclined. All types of things could be done to give more leverage to an intruder. Then, say, Monday morning 2 weeks later, the company finds they have been robbed. They check the tapes and see a robber wearing a mask quietly cleaning out the office. As he is disguised, there isn’t much they can do. When the police ask ‘Was there anyone unusual around here lately?’, the office might mention the nice man who came to fix the lights a couple of weeks ago seemed a little out of place. ‘Well, when was he here? Can we see the CCTV footage?’… ‘Sorry, we only hold footage for 7 days…’. The retention window needs to be longer than the lead time of the attack, not just long enough to catch the break-in itself.

Another thing with IP cameras. Like any other computer system, they can be broken into. The sheer number of SOHO security cameras that have been wrongly configured, and which can be viewed online through targeted search queries, is scary. A WHOIS lookup on the IP address and some digging could give you the actual company and address that the camera is watching. Shodan illustrates how simple this actually is: http://shodanhq. Do we really need to make it this easy for criminals to find their prey? You want to make it harder for the bad guys, not easier. At a minimum, a camera should not be reachable directly from the internet, and it should never keep its factory default credentials.

Swipe Cards

I still think the percentage of HID contactless smart cards in Australia is around 90% (I did read the figures somewhere a couple of years ago). You know when you work in an office building, you more than likely have a white card that you swipe to gain entry? The one with HID written on it? They can be cloned pretty easily with hardware such as the Proxmark (http://proxmark.org/proxmark). If somebody had one of these readers in their backpack, they could easily walk up behind you on the street… or while you are having a few after work drinks at the pub. Or perhaps when you put your wallet down for a minute. It just takes a second of getting close to you, and your card could be stolen. Social engineering could come into play here, but regardless of the method used to obtain it, the point is they can be cloned. If a criminal wanted access to a sensitive area of the business… they could follow the CEO out of the office one day, or the IT manager even.

Cloning the card (getting the reader close enough to the victim’s card) copies the data onto the device, and it can then be written to a new card. This new card has the same access as the one that was just cloned. All the facility security logs will show is that the other person’s card was used for entry at a certain time (which may land that person in hot water, depending on what happens after a successful intrusion).
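To make concrete what ‘the data’ on one of these cards actually is, here is an added example (not code from the original post, and not a Proxmark routine): an encoder and decoder for the common 26-bit Wiegand layout (HID’s H10301 format: an even-parity bit, an 8-bit facility code, a 16-bit card number and an odd-parity bit). The facility code and card number used are made up for the example. The point it demonstrates is that there is no secret on the card at all; a clone is just the same 26 bits written to a blank, and the reader cannot tell the two apart.

```python
# Added example, not from the original post. Assumes the 26-bit H10301
# Wiegand layout: 1 even-parity bit, 8-bit facility code, 16-bit card
# number, 1 odd-parity bit. First bit on the wire is the most significant
# bit of the integer used here.

FC_BITS = 8
CN_BITS = 16
DATA_BITS = FC_BITS + CN_BITS  # 24 data bits
FRAME_BITS = DATA_BITS + 2     # 26 bits including the two parity bits


def _data_bits(data):
    """The 24 data bits, most significant first."""
    return [(data >> (DATA_BITS - 1 - i)) & 1 for i in range(DATA_BITS)]


def encode_h10301(facility_code, card_number):
    """Return the 26-bit frame for a facility code and card number."""
    if not 0 <= facility_code < (1 << FC_BITS):
        raise ValueError("facility code must fit in 8 bits")
    if not 0 <= card_number < (1 << CN_BITS):
        raise ValueError("card number must fit in 16 bits")
    data = (facility_code << CN_BITS) | card_number
    bits = _data_bits(data)
    # Leading parity bit makes the first 13 bits of the frame even.
    p_even = sum(bits[:12]) % 2
    # Trailing parity bit makes the last 13 bits of the frame odd.
    p_odd = 1 - (sum(bits[12:]) % 2)
    return (p_even << (FRAME_BITS - 1)) | (data << 1) | p_odd


def decode_h10301(frame):
    """Split a 26-bit frame into (facility_code, card_number), checking parity."""
    if not 0 <= frame < (1 << FRAME_BITS):
        raise ValueError("frame must be 26 bits")
    p_even = (frame >> (FRAME_BITS - 1)) & 1
    p_odd = frame & 1
    data = (frame >> 1) & ((1 << DATA_BITS) - 1)
    bits = _data_bits(data)
    if (sum(bits[:12]) + p_even) % 2 != 0:
        raise ValueError("even parity check failed")
    if (sum(bits[12:]) + p_odd) % 2 != 1:
        raise ValueError("odd parity check failed")
    return data >> CN_BITS, data & ((1 << CN_BITS) - 1)


def frame_to_bitstring(frame):
    """Render the frame as it would be captured off the card or reader wire."""
    return format(frame, "0{}b".format(FRAME_BITS))


if __name__ == "__main__":
    # Constructed values for the example; not a real card.
    fc, cn = 123, 45678
    frame = encode_h10301(fc, cn)
    print("bits on the wire:", frame_to_bitstring(frame))
    print("decoded:         ", decode_h10301(frame))
    # A clone is simply these same 26 bits written to a blank card.
```

Note that the only integrity the format has is two parity bits; a reader accepting this frame has authenticated nothing, it has merely been told a number.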

If you work in a large office building, with different companies on different floors, who has a swipe card that can get into every office of every company? Come on, guess… it’s really quite simple and very scary. Probably the least security-conscious person of them all… the humble cleaner.

Cleaners are employed by the building to clean the offices. Not necessarily just your company’s offices, but the entire building. Depending on what building you work in, they could have access to all areas, or just designated spots. Around 5.30pm you see flocks of them start their nightly rounds around the office. Their cards are usually hanging off their waist as well. This is the low hanging fruit. Cloning a card that is ‘access all areas’!? Not dissimilar to Willy Wonka’s golden ticket.

How do you defend against your card being cloned? You could purchase something like an RFID shield to issue to all employees (http://www.rfid-shield.com/). This might be cumbersome, as employees would need to take the cards out of the protective sleeves every time they enter an area. But it is that sweet spot in the balance between security and productivity you are after. You decide how important your assets are, and decide accordingly. The stronger fix is to stop relying on the card number alone: a reader that also demands a PIN, or a card technology that authenticates with a key rather than just announcing an ID, cannot be defeated by simply reading the card.

You should also be diligent in card management: make sure cards are deactivated when lost or stolen, and make sure no employee has after-hours access if it is not a job requirement (think the principle of least privilege, but for the physical world). Review the access logs too; a cloned card shows up as the real card being somewhere its owner was not.
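The log review that the last two paragraphs call for can be partly automated. The following is an added example (not from the original post) that runs three checks over badge-reader events: use of a card that should have been deactivated, after-hours entry by someone with no after-hours entitlement, and a card that ‘enters’ twice without ever leaving, which is the classic trace a clone leaves when the real holder is already inside. The log format, door names, policy table and the sample events are all constructed for the example.

```python
# Added example, not from the original post. Log format, policy and
# sample events are constructed for illustration.
from dataclasses import dataclass
from datetime import datetime, time


@dataclass
class Event:
    ts: datetime
    card: int
    holder: str
    door: str
    direction: str  # "in" or "out"


# Assumed policy: who may enter after hours, which cards are revoked,
# and what counts as business hours (Monday to Friday only).
AFTER_HOURS_OK = {"it.manager", "cleaner.smith"}
REVOKED_CARDS = {0x00A3F2}
BUSINESS_HOURS = (time(7, 0), time(19, 0))


def parse_line(line):
    """Parse "<iso ts> card=<hex> holder=<name> door=<door> dir=<in|out>"."""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return Event(datetime.fromisoformat(ts_str), int(kv["card"], 16),
                 kv["holder"], kv["door"], kv["dir"])


def is_after_hours(ts):
    start, end = BUSINESS_HOURS
    return ts.weekday() >= 5 or not (start <= ts.time() < end)


def analyse(lines):
    """Return a list of (timestamp, reason, holder, door) alerts."""
    alerts = []
    inside = set()  # cards the system currently believes are inside
    for line in lines:
        ev = parse_line(line)
        if ev.card in REVOKED_CARDS:
            alerts.append((ev.ts, "revoked card used", ev.holder, ev.door))
        if (ev.direction == "in" and is_after_hours(ev.ts)
                and ev.holder not in AFTER_HOURS_OK):
            alerts.append((ev.ts, "after-hours entry without entitlement",
                           ev.holder, ev.door))
        if ev.direction == "in":
            if ev.card in inside:
                # Anti-passback: the same card cannot enter twice without
                # leaving. Either tailgating on the way out, or a clone.
                alerts.append((ev.ts, "anti-passback violation (possible clone)",
                               ev.holder, ev.door))
            inside.add(ev.card)
        else:
            inside.discard(ev.card)
    return alerts


# Constructed sample log: 2010-12-13 is a Monday, 2010-12-14 a Tuesday.
SAMPLE_LOG = [
    "2010-12-13T08:55:12 card=0x1A2B3C holder=ceo door=lobby dir=in",
    "2010-12-13T09:02:40 card=0x1A2B3C holder=ceo door=lobby dir=in",
    "2010-12-13T17:30:05 card=0x1A2B3C holder=ceo door=lobby dir=out",
    "2010-12-13T22:15:00 card=0x77E10F holder=cleaner.smith door=lobby dir=in",
    "2010-12-13T22:40:33 card=0x4D5E6F holder=sales.jones door=lobby dir=in",
    "2010-12-14T07:50:00 card=0x00A3F2 holder=contractor.lee door=lobby dir=in",
]

if __name__ == "__main__":
    for ts, reason, holder, door in analyse(SAMPLE_LOG):
        print(ts.isoformat(), reason, holder, door)
```

The second line in the sample is the interesting one: the CEO’s card number turning up at the lobby seven minutes after the CEO already swiped in. Without an anti-passback rule that event is indistinguishable from any other successful entry, which is exactly what the text above means by ‘all the logs will see is that the other person’s card was used’.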

Server Rooms/Data Centres

If data is of high importance, it will no doubt be stored in a secure data processing facility (this may be with a third party, and may be complete with biometrics and ‘proper’ access controls). But what about the regular run-of-the-mill company? Your data is just as important to you as anybody else’s is to them. These types of companies often don’t have the budget, or the knowledge, for proper physical security.

Server rooms are a gold mine, for all sorts of reasons and for all sorts of intruders. If somebody snuck into one, they could install a tap to capture traffic entering and leaving the entire organisation, they could install a rogue AP on the sensitive and protected ‘server VLAN’, they could even load a bootkit onto your servers and have access from the comfort of their own home, stealing confidential information and having access to everything in your company while they sit back and drink lattes. They could steal, they could sabotage, they could do anything to the central nervous system of your organisation. It is the last place you want unauthorised people to access.

One thing I learnt while studying the CISSP Physical Security domain is that, apart from having layered security zones in your facility protecting your most holy of assets (think a physical maze of walls and offices, each one slowing down an attacker from reaching the gold mine in the middle, which is your server room), dropped ceilings are bad. As you can see from this picture.

[Image: dropped ceiling diagram, taken from Shon Harris, CISSP All-in-One Exam Guide (good book)]

It had never occurred to me before, and I don’t know why, but the MAJORITY of places I have worked had dropped ceilings. It is pretty simple for somebody to remove one of those panels somewhere else in the building and crawl across. It might be unlikely, but again, how important is your data to you? More importantly, how important is your data to somebody else? The fix is for the server room’s walls to run slab to slab, not just up to the ceiling tiles.

It’s also good practice to have a sign-in form for server rooms, and to escort any individuals entering your room. Preferably your server room should have strong glass walls so everyone in the department can see who or what is inside at any given time. CCTV inside the room also wouldn’t be a bad idea, to back up your physical security controls. It gives you a useful audit trail too: if one of the administrators used the shared domain admin account and stuffed up the Exchange database from the console, the camera footage can be correlated with the time stamps in your logs to work out who it was.

I’ve been in so many places where all they had was a swipe card for server room access (see above on cloning), with the server room not even located near any IT team, just the general staff population. Do you think a non-IT staff member would care if somebody walked in with overalls and a toolbox and swiped their way into the server room? Nope.

Protecting your data in transit

How about your data when you travel? You might have a full disk encryption solution on your company laptop. You might need to take it with you on business. You leave it in a hotel room when you go out for dinner, perhaps. How secure are these hotels? If you had mission critical files on your laptop, which was in your hotel room, how much confidence would you have that nothing on there could be taken? I can’t speak for all hotels, or even hotels overseas, but all of the hotels I’ve stayed in have no CCTV in the actual hallways. Only at elevator entrances and main thoroughfares. If your laptop went missing from your room… there would be no realistic way of tracking down who did it (by looking over the CCTV footage). And worse yet, if your hard drive was cloned you wouldn’t even know.

How could somebody break into your room undetected? Simple! A suitably shaped piece of metal or aluminium can be used to unlock most hotel doors from the outside. One of these fits inside a suitcase or carry bag. (Here is a video demonstrating this technique.)

“So who cares if someone breaks into my room or steals my laptop!” I hear you protest. Well, someone could 1. image your drive and take the copy away to work on elsewhere, 2. tamper with the machine on the spot, or 3. just steal it and break into it elsewhere. The encryption itself holds up against the first and third on their own; it is the second that should worry you. Some of the most popular full disk encryption packages (looking at you, TrueCrypt and PGP) have been shown to fall to the ‘Evil Maid’ class of attack and to bootkits like “Stoned Bootkit”. The attacker boots the laptop from a prepared CD or USB stick and replaces the pre-boot authentication code with a version that records your passphrase; the drive is still encrypted, but the next time you type your passphrase it is captured, and the attacker comes back for it (or has it sent out). At that point the drive image from step 1 decrypts just fine, and all of the local authentication and encryption has been bypassed. It takes a few minutes alone with the laptop.

This all might sound a little far-fetched and like too much effort for somebody to go through to get your files. If they succeed, you might say “Kudos to them, they deserved it”. Truth is, none of this is really that hard. It’s all very basic stuff. Mid-level criminals can and do pull this off. And again, how much is someone willing to pay for YOUR data?

One thing you could do is take a laptop cable lock with you when you travel, to secure your device to a solid foundation and prevent most people from being able to walk off with it. They could still cut through it, yes, but slowing down or deterring an attacker is better than nothing at all. (It does nothing against the bootkit attack above, which leaves the laptop exactly where it was.)

Another technical control your laptop should have is a BIOS password, with the boot order locked so it cannot be changed. Sure, BIOS passwords can be cleared, but in most cases that involves opening up the device, and the criminal may not have enough time. Stealing the drive or cloning it might then be their only option. Remember though that whoever can pull the drive out can also write to it, so this raises the bar rather than removing the problem. So this might be a wake-up call not to store data locally. If you do need local data when you travel, consider a hardware-encrypted USB stick (IronKey are great) and store your data there. Make sure you do not lose it though! These drives wipe their own encryption key after a set number of failed password attempts, so they look after themselves if they get into the wrong hands. But we want to prevent that from happening to start with.

Staff awareness

User awareness is paramount for security, both physical and technical. You need to inform and train all staff on proper security procedures and why they are needed. You have to do it in an interesting way too, or they won’t listen. One thing I think is a good idea is to get a piece in the monthly newsletter (or whatever) for information security matters. But make it relevant to the users. People are actually interested in being more secure; it is how you deliver it to them that causes the heartache.

One month do a write-up on ‘how to stay safe on Facebook’ and ‘how to protect your bank account from being hacked’ etc., and link the technologies and concepts back to the business systems and why they need to be done. Staff love reading a little creative snippet about how a social engineer can infiltrate a company and sneak out data… and the lessons start to be learnt from within. You also want to reward users for good behaviour and make them proud to work for you; there is nothing worse than disgruntled employees. They are more dangerous than the criminals we are trying to defend against.

Conclusion?

Everything I have posted is just for general awareness. Most people know these techniques; as I said, “it is nothing new”. I tried to steer away from getting too geeky and just keep things simple. I also wanted to steer clear of the mundane foundations of physical security and actually put in some relevant and useful information. I could have gone on forever if I had started combining different social engineering attacks with physical penetration. And one thing to keep in mind: the controversy over whether client side pentests should be performed? This content is highly relevant to it, and just shows why these sorts of tests need to be conducted for businesses to keep them safe.

Hope you enjoyed, and I hope someone at least learnt how to be more secure from this.