Infiltrating Like a Ninja: Unveiling Detection Gaps in Physical Security Across Japan and the U.S.

All right. Hello everyone. Uh good afternoon. Today we're going to talk about the uh physical security between the US and uh Japan perspective. Um my name is Vietloo and I work for Sofos for seven years now. And uh this here is behind me are my co-workers and they are from Japan. It means hello everyone in Japanese. Hello. [laughter] If I told you I was going to hack you, what method do you think I'd use? A clever ride. Perhaps that's certainly one tactic. But there's a far more powerful and far less noticeable weapon than lies. It's a very common sense and good will you trust without question. Okay. Hey everyone, please look please look to your right.

Okay. Thank you all for your kind cooperation. What you just did was participate in a right social engineering demonstration. By following my read, you adhere to an unspoken rule that people generally follow the instructions of the person within the microphone. I didn't tell a single right, but I was still able to guide your actions. Now, imagine I show up at your office door carrying coffee and donuts. Someone would almost certainly open the door for me. Not because I lied, but because we are wired to help someone who appear to need it. I leverage that ingrained goodwill and common sense as a foundation that makes small lies feel believable. In physical security oh sorry in physical penetration testing we use all

kind of or too but it's social engineering that lets us sweep in quietly and skillfully like a ninja infiltrating a castle. Today I'll wake you through those techniques and explorer how they differ between the United States and Japan. Oh, it doesn't work. [laughter] Okay, now let me introduce the fantastic team presenting with me today. First, we have Viet against my name is Vietloo and I work for Sophos. Um, seven years doing red teamings and physical security. >> And next, please welcome Yan. >> [laughter] >> This is you Nakatu from Japan and yeah uh I'm really happy to be here and uh hope uh you enjoy this talk and I'm a little bit nervous because he's so

nervous. [laughter] >> Yeah, >> sorry. >> Okay. And last but not least, leading our physical security efforts on the Japan gym. Uh I'm Humia. I primarily uh work on red team engagement here in Japan and I serve as our physical security lead. It's a pleasure to be here. Thank you. And the photo of us sungasses in top of right. It's just a bit of fun but every insight we share comes from deep hands on red team experience. Okay, here's our agenda for today's presentation. So to kick things off, let's tackle the fundamental question. Why should we even thinking about physical security? Okay. I'll hand it over to you now. Okay. Uh let me introduce uh uh actual

incidents involving uh physical approach. So most of you know uh uh ATM jackpoting is a famous uh physical approach. So in 2017 uh 17 uh the SW actor uh stole uh tens of million dollars uh from European banks and uh not only for criminals uh the physical approach uh used by Chinese uh nation state sweat actors. So for example uh in 2022 uh flow cloud uh used a USB based attack you know uh it's called Owang and also uh most of you know uh is Chinese cyber security company uh which supports uh government sponsored cyber attacks. So uh in 2024 uh I assume document has been leaked and uh the document uh uh there are lots of uh Chinese uh TTP

lots of uh Chinese TTP explained u there are several uh physical devices such like this so so that's why uh we are interested in uh physical approach in cyber attacks and uh we do uh penetration testing in physical area. Okay. Next. >> All right. So our physical physical testing methodology is um very common uh with the Japan teams. So from when it's come to perspective of doing uh physical pentest we have a few tools that we use uh the most and you you can see on the left here is the uh WRTA what we call as the wireless device and it's been mimics like a dropbox that uh we can put it anywhere in the building. So once we

enter a building, we can drop this device inside a building location that can be stealthy and we can use this to remotely access this device inside the network. And the device that next to that is called uh the Proxmark and we use that to scan for batches and make clone batches. Um the two devices called LF readers and the high frequency uh readers those are the readers that we use to captures the batches that from a long distance. So once we have a batch data we use the Prox Mark to make cars and use it to enter buildings and things like that. And then the the rest of the other device that we have on the right

there, we just use it to for like post exploitations and then also we use it to gain access to the internal networks. All right. Um when has come to uh physical security the differences between the US and the Japan. So today we're going to talk about the technology um what type of technology that we're going to use for in the US and what type of technology that we use for in Japan and then also the process between the US and the Japan uh process and the people. Now in the in the US cases um most company maintain I would say at least the basic level of physical security right you have security gate you have

cameras you know access controls and security guard um this thing here usually that's what we see when it's come to physical security when we try to enter a parameters that's what we see we have to bypass all that sort of things so we have to bypass security gate whether we have to capture a badges and use those batches to access the security gate. And when when it's come to security camera, we try to be stealthy and try to avoid getting spot in the cameras. So try to not get suspicious, right? And as for as for security personnel, security guards, uh we try our best to avoid eye contact with them or try to not approach them

and stay away from those guys because the more that we interact with them, then the higher chance that they're going to get more suspicious. Now in the US cases what we see is when we enter the office um they have a process that they're always going to verify who we are. um that's automatically uh they're just going to go through the process and they're going to ask us to verify who we are and then they then they're going to um check whether if we know somebody that work in the office then they will confirm and verify right and let's say when we inside the buildings and they think that we are suspicious their process is they going to call someone

and they wanted to see whether you know if we are supposed to be there and belong to uh the place. Now um in the US is the culture is because the crime is high in the US and therefore the trust is very low and by default the uh in the US uh the suspicion is more normalized. So whenever we inside some place uh there will be someone that's going to approach us and they wanted to verify if we supposed to be there, right? Um and then also because you know there's a lot of crimes and frequent threats and that's why the employees they get to train educates regularly. So on their mindset, you know, they

always have this high alert. So whenever they see some unknown faces, they're going to verify and they're going to approach us and ask who we are. The what we what we found uh when we perform pentest uh for most company we see that the system security is very consistent uh based on the culturally enforced in the US. So security system in the US are I would say is very on point with global standards and they are rely heavily on procedures enforcement and employee awareness. Uh what is the difference? Well, in the US the culture is the expectation is to challenge someone is unknowns right and and sometime because you know we like to help people's and uh whenever we see

someone is not supposed we like to go and approach them and ask if they need any help. Um and then also you know because we have a lot of high risk that's why we do get a lot of security awareness trainings yearly. Um but as for the resort even though we have a good process um we have a good security system but we still vulnerable to uh social engineerings if we can bypass the security and that process and once we get inside it's really easy to social engineering an individuals um so now we're going to talk about the US uh the Japans the differences Okay, now let's shift our focus to Japan's physical security. Uh, starting

with the technology perspective, most people think of Japan as an exceptionally safe country and you are you might therefore assume that corporate physical security here is somewhat lack. But in reality, it's exactly the opposite. When it comes to technologies, Japan is every bit as strong as United States. In large corporate environments, security gates and sance cameras are ubiquitous and technological defense are extremely robust. In other words, public safety and corporate security systems doesn't always go hand in hand. So the notion that Japan is vulnerable at the technologies layer simply doesn't hold up. And next let's look at the process perspective. First uh take a look at the four panel cartoon on the right side of the slides.

In this cartoon I know employee simple said I forgot my batch today and is given a guest pass without being asked any questions. Does this sound like a joke? Of course, uh we are not saying that this will actually happen but uh procedure root holes like this could happen in real life. So what about at your own workplace when someone ask may have a guest pass how is their identity verified? Um, if you spot an unfamiliar person inside the building who takes action and what's the response? Is there a clearly defined culture of challenging strangers and explicit criteria for making that call? In my experience, many organizations still have gaps in both awareness and rule setting around these processes.

By contrast, in the US, the moment anything even slightly suspicious happened, security guards spring into action. It wouldn't be surprising at all for security guav.

And now let's turn to the people perspective of physical security in Japan. I uh I want to start with a striking piece of data. Oh, same of US. Uh here we are comparing bary right per 100,000 inhabitants in the United States versus Japan. As you can see, the United States right is roughly seven times higher. On the surface, this simply uh confirms that Japan is exceptionally safe. But as cyber security professionals uh we know every strength can hide a weakness. I argue that this very sense of safety actually creates a serious vulnerability in our physical defenses. What do I mean? Uh in Japan cultural norms discourage us from questioning others or proactively approaching strangers. We are guided by the spirit

of what uh it means harmony and we avoid conflict to keep the peace. Now imagine at unknown individual uh wandering around your office because danger is so rare here. They are far more likely to be perceive uh perceived as a guest or caric rather than a potential threat. We fall victim to normaly bias the assumption that nothing bad could happen in a price like this. And when someone suddenly strikes up a compensation whenever suspect they might be an attacker. It's like setting your firewall trust all incoming or traffic clearly a recipe for disaster. So the real challenge in physical security isn't a lack object get of camera but this cultural and psychological gap in business and the good news is by

strengthening this human layer by encountering healthy skepticism and create challenge protocols uh we can dramatically uh improve our overall security posture. recent Japan cases uh Redmi recap we uh we've covered so far first from technology standpoint Japan is as strong as the US so what difference uh it's a process and people mindsets and pinned by cultural background I believe this is creates the cap physical uh gap in physical security between Japan and US so the United States passed Japan what were The result as you can see Japan suffered from uh suffered a painful defeat at this point we'd have to we'd have to recruit Sh Otani as our pro physical security ambassador to change the situation

but this is no laughing matter I believe this gap diretory reflects the cultural background we've discussed how we interact with other hand our level of everyday business and share the most important message. It's not just Japan roast. Our research shows that both countries are alarmingly vulnerable to social engineering. This is not a Japanese program. Uh it's a problem for all of us. Uh what this means uh for us as professional is career. First uh to to the brute. Our defenders what we need is friendly business. This isn't about treating everyone as a potential enemy. It's about embedding your culture where a natural helpful getting uh helpful greeting. Can I help you or may I ask who you are? It is

automatic. Uh by turning this mindset into a formal process and we can make our organizations far more resilient. And second to the regiments that is to our penetration testers uh social engineering is uh remains one of the most reliable and most destructive weapons in our arsenal. No matter how rock solid your system are, it's there a weakness in the human mind and attacker can simply work right in. Okay. Um do you have any points to add for the red teams? Any comment? Do you have >> Yeah, I would say like when you try out your tools and if doesn't work, social engineering is the best. [laughter] >> Okay. Thank you. >> Okay, that concludes our presentation.

Um, okay. Thank you for all and since my English isn't great, sorry. [laughter] And please save your question for Viet. Thank you. Thank you everyone. [applause]