
Robert Redford Made Me Do It: Physical Security Stories and Tips

BSides London · 2025 · 16:26 · 136 views · Published 2025-02
About this talk
Matthew Steed shares personal stories from his career in physical security testing, drawing inspiration from the film Sneakers. The talk offers practical tips for red-team engagements, including social engineering techniques, reconnaissance strategies, and mindset shifts—emphasizing that successful physical penetration relies far more on human factors and careful planning than technical tools.
Original YouTube description
Sneakers, the best hacker film…period. This talk aims to share my enthusiasm for the adrenaline rush of bypassing physical security measures through personal stories and engagement tales while sharing tips and tricks that I have learned along the way.
Transcript [en]

So yes, this is called Robert Redford Made Me Do It. It's all about my obsession with film Sneakers, um, and some physical security stuff thrown in too. So who am I? So I'm Matthew Steed. I work for KPMG breaking stuff. Um, I like learning about breaking stuff. That's basically it really. Um, so we're going to talk about my favorite subject here, which is me, right? So look at that, you can still see, you can still see the hope in his eyes, can't you? It's, uh, yeah, pretty nice. Anyway, so yeah, so when I was about this sort of age, um, my best friend bought a VHS copy of a film called Sneakers, invited me around to his house to watch it, and, uh, I

wasn't the same after that at all. It's such a great film, um, quite obviously the best film ever. Uh, I don't know if any of you have seen it. If you haven't, essentially it's about a red team, uh, built with a bunch of ex-cons. Uh, they get blackmailed by a shady government organization to steal a, uh, revolutionary code-breaking device. So it's got all of the great stuff in it that you want. Um, fantastic film, it really, really is. Uh, in actual fact I think it's one of the best films ever made, uh, and we could objectively prove this. I can't believe I did this, but if you put it up against The Godfather, right, which once again

people think is one of the best films ever, you can see they both have like A-list casts in them, you know, Robert Redford, Sidney Poitier, Dan Aykroyd, you know. Um, they both involved the mob. Sneakers has got hacking, it's got phreaking, it's got physical security, social engineering. I didn't see one computer in The Godfather. Lazy, absolutely lazy movie making. Was a good time of doing magic, I guess. So, um, but yeah, there was some physical security, I was going back over this, in The Godfather. I mean, anybody that can sneak in somebody's house and put a horse's head in someone's bed, props, absolutely amazing, really, really good. Okay, so from here, uh, I wanted to go to

college. I wanted to like learn some IT security stuff. I wanted to get into this. You know, I didn't realize that like breaking into places or being part of a red team was actually a thing people did back then. You know, it really didn't feel like it was something you could do. Um, however, my, I chose a different path and I became a rock god for a while, right? So this took up a lot of my life, right? I did this above everything else. Um, I was still doing my IT stuff, I still like, you know, I was still around on some of the hacking forums and various other bits and pieces, uh, but this was my, this

was my life. And then I, I slowly moved back towards it. Um, I went from there to pentesting, which was fantastic, guy down here, um, and then from pentest into physical security, so, and into your meeting rooms as well, doing funny things with your internal network. That guy on the left, by the way, is sat down the front here. This is my partner in crime for ages. I did every single physical test with this guy. That came out wrong. Uh, I'll try and rephrase it a little bit better: we broke into buildings together all the time, and to this day we had a 100% success rate as well, never caught. Very, very cool. So yeah, I was very, very

lucky to be paired up with Tom actually. Um, I, I will sing your praises a little bit here. I was completely green to this. He had been doing it for quite some time, so he, you know, imparted a lot of wisdom, um, made sure that I wasn't nervous or anything. It, it was, it was a really good sort of pairing. And then we realized as well that neither of us really cared about anything and we could just like smash our way through whatever we wanted, um, which, which made for a great, you know, a great pairing, I think. Uh, so what I've done here is I've added a couple of what I think are good tips for

beginners. Just quickly, has anybody in here done any sort of like physical security engagements before, like broken into places or anything? Okay, that's more than I thought. Fantastic, you won't need to hear any of this. Um, so I'll start off anyway. So first thing I would say is do crime, right? Seriously. I will, you know, quantify this a little bit: be the bad guy. Like, you're going to have or give your client way more value if you get in there and just ransack the place. You need to find like all the weaknesses. You know, you can't just go in there and be like, oh, we got through one door, let's go drink their coffee. Drink

their coffee, always. In actual fact I should put this in: always drink their coffee. If you get a chance, find a break room, drink their coffee, talk to their staff, see if anyone like catches you. But essentially, like, we found so many amazing things that could have saved us so much time on like the second time round of going through like drawers and things. One of the best ones, we, we were doing this job, it was a multi-level, um, office. There were loads and loads of office rooms in there. One of them wasn't being used, um, the people were away, but the one room wasn't being used. Um, in there, in an unlocked drawer, was, uh, a key

fob for the whole building. Wow. So you literally just took it out there and then, we just spent the rest of the day in and out, going for lunch, you know, doing whatever you want to do. Uh, we also found in there, there's a book as well, a ledger with all of their clients' data in it as well, which is great, money that was being paid out to this, that and the other, and, you know, so all into the bag. So yeah, whenever you, if you do one of these jobs, just, you have to think like a criminal. You have to, there's no boundaries, do you know what I mean? There's no point going in and being

soft about it. You know, ransack, be a nightmare with that. Don't do crime. Okay, um, you have to really be careful. Everything in black and white, make sure it's signed. Yeah, you need it all signed, you have to have it all signed. Um, can you tell I was told to put this one in? Seriously though, just make sure that it's, everything's above board. The only other thing I will say is, once you've done one of these, you will walk away from it and you will see things completely differently, and there is like a draw to something. You'll be walking along, you going through like a, a restaurant, you'll see an open door and you'll think, I

could just walk through there, I could go see what's behind this. It changes the way you see things, and it's very, very, uh, hard to not do it. Okay, but just remember, you know, prison's worse, so just please don't do it. Um, lie your ass off. Like, lie as much as you can, and also do it in your personal life to try and train up on it a bit. Okay, I'm, I'm not talking like, you know, credit card fraud or anything like that, or like, you know, whatever, you do you, I'm not the one that's going to get arrested. Um, no, no, don't do that. Um, but yeah, seriously, just lie about everything. Um, the best thing

to do with this though, there's some like little tricks with this, is people watching and listening to people. Okay, if you're in like elevators and stuff, listen to the conversations they're having and then recount them as your own, all like things that people have told you, friends have told you. Okay, so if you're in a building and you're like, I know, your pretext is like you're some sort of engineer, and someone starts talking to you, tell them a story your friend told you about their workplace: oh, it's just been terrible, everything's been so bad, you know. Um, you use that as your story. It becomes natural because you're not necessarily lying, you're just recounting a tale you've been told. It

really, really, really works, um, as evidenced by this talk. Non-stop nonsense. Okay, so if you're walking around, I advocate for doing, uh, security, like physical security engagements in pairs, because you're less likely to be stopped. Okay, no one's going to come up to like a pair of people and say, what you doing here? Whereas if you're on your own, there's a very good chance you're going to get stopped. Um, if you see people walking around, once again, people watching, there's a very good chance they're going to be talking to each other. If you're walking around a building as a pair and you're silent, it looks weird. Like, seriously, it looks really, really weird. So whatever you do, just try and

just talk like absolute nonsense about stuff. You know, like, um, one of the things that we used to do was we'd walk around, we look at like, I know, routers attached to the wall, just talk rubbish about them when people walk past. Yeah, I think the red wire doesn't need to really go into the squangle hoop there, and like the, you know, those, those, those bracket, uh, rotors there shouldn't be on this model. People don't care, people don't listen, but you're saying something, so you kind of blend in a little bit more. Find a toilet. You really have to find a toilet. Okay, this is like a serious thing. It's a really good thing for composing yourself if you get

nervous on these things, which a lot of people do. Find a toilet, you can close the door, get your composure back and go back out there. Also, adrenaline does funny things to the body. Okay, I have destroyed far too many toilets in my time doing this, and yeah, too much, I know. But seriously, do that. Uh, get some tools. Uh, I'm going to say something now that's going to really upset a lot of people. Uh, lockpicking is really cool but absolutely useless in these situations. Very, very rarely you're going to be like picking any locks. Like, it's going to be like that 1%, you know. It looks cool though, but like, you know, you're dressed as a pest control guy and

you're there like, you know. Also, if you do decide to do it, make sure you have that in writing too, because I've destroyed doors before doing that, and the company's never, they might not be happy about it, you know. Um, traveler's hooks, probably the best thing you can get, really, really cheap. Um, they've got us into so many places. Uh, doors that aren't flush, you can always get one of these in, just shimmy the lock and you're in. Really, really good. Uh, this however is my favorite piece of tooling that we ever used. So we got to this one site, it was really, really tough to get in, but then once you got in there was another

extra sort of level of security, that was this massive door, mag locked, and it was like card swipe as well, and we, we couldn't get past it. We were going to use the, the standard trick of like, you can put a pen up against like the door join, so that when it opens the pen falls in, door closes but doesn't close all the way, so you can get in. I usually tell this story saying that neither of us had pens. We did, but we didn't want to get them wrecked. So we went across the road to a home ware store, bought a for and it just got past everything. We, we completely owned their building. Um, pro

tip though: don't offer it to the client as a memento afterwards once you've gone past their security, because they hate it, they really, really not fun about that. Okay, so, uh, and finally, get caught. You know, like once you've done all this stuff, once you, once you've completed your objective, whether it's to get into a room, steal something, do this, that and the other, try, try and get caught. Like, you know, uh, go with like two sets of clothes, like, you know, like really horrible jeans and, and like t-shirts that are like neon pink or something, change and go back in, see if you get caught. Um, you'll be surprised at how often you don't. Like, it really is like one of

those things where you have to like stand on a table and, hey, please, I shouldn't be here, sort of situation. Uh, but it show up loads more weaknesses and it actually provides a lot of value for the client as well, to show like, okay, look, you really should do a bit more training here. Um, and also, you know, finally, uh, you know, it's an amazing thing to do. If you can get into it, please do, because it's, it's, it will change your world view on things. Um, it will change how you see security in general. Um, yeah, and yeah, I guess that's it really. So thank you for coming to my talk.

We all good? I guess we can take a couple of questions, or we have time, or, we've got couple of minutes, so if anyone has any questions. Sure, sure, I can't promise I'll be able to answer it, but. Hi, very, very nice you to give us such an interesting, yeah. You know, for example, when obviously, let's say after your wrecking as such, okay, that, uh, you tend to meet the clients and tell them all the security issues and vulnerabilities. I'm sure not every client would do that, but have you had resistance as such sometimes, or even, yeah, or even either denial or even going to V like irritation even, not anger, but maybe irritation? I had, I had a wash-up

call once with a client and they refused to believe that we didn't get caught, because we were met at the door by the person that had arranged the engagement. I was like, but you, you know about this, you know who we are. So yeah, every now and again there is a bit. Most people are pretty, you know, pretty happy with it. You know, they, they want to know what's wrong, so, you know, pretty receptive to everything. Yeah. Oh God, got a couple more. I'll start the front and work way back. Have you ever had a client invite you back, and have you seen improvements? Um, sorry, no, just leave it, there's no. Anyone else? Uh, just two quick comments actually,

not questions, or maybe a question at the end. Um, around the do crime thing, yeah, um, what I really like as a mindset thing is, hackers don't have scope, so mind think like that. Yeah, yeah. And just a reiteration of the importance of finding the toilet. I think that's the best advice you've given there, and it's not about going to the toilet, it's the composure. You're sweating, you're freaking out, your heart's racing, find that toilet. And also if you need to hide for a few minutes for whatever reason. Like I said, if you're on site with another person, you can send that person out to go do something, you can wait there in the toilets for them to come

back and then obviously meet again, you know, it's just. So I guess my question is, is, uh, have you ever been caught in the toilet for work? No, uh, no, the answer to that. I think we've got one more. Okay, so which would you find, think is better, boxes or RFID stealers for getting through doors currently? People. Yeah, people. It always, you don't need anything, you don't. I mean, tools are cool and everything, and, and, and, you know, Flipper Zeros on whatever, and it's all good. People, you know. So just carrying a box and then wait for somebody to open the door for you? Well, yeah, well, I mean, with, with us it was more

clipboards, you know, but yeah, just waiting around, and, and, and I say, people always make the mistakes. There's, there's very rarely anything I've ever done where it's been the technology that's been the problem. It's always been the people. So yeah, I think we've kind of run out of time there now. Okay, okay, we good, we good. Um, but thank you very much. Thank you.