How I Broke Into Your Data Center
Show transcript [en]
[Music] all right so I think of already four minutes late even though I was here early it's a special gift yeah we got in very late last night so I'm still trying to associate myself with everything here I've never been on campus before and I ended up over a Sports Complex I'm like these are not my people but I found my way obviously um I gotta ask that we don't record the talk today you guys want to do still that's fine I've got a lot of client photos and things in here from the field so I really just don't want it floating around on YouTube I will have a releasable set of the slides my contact information will be at the
end so if you want a copy of the slides be happy to share them with you I just don't want videos out there so no snapping or whatever it is that we do with videos now alright so for those of you who don't know me which is probably all of you never been here before probably I'm what's called an executive security consultant for now for a company called secure cotton so what that means is I occasionally get to use covered Airport parking and not get in trouble it's cool so I've been Chester by trade and so I've been doing this for a little while now little else because I'm a glutton for punishment and I also co-authored a book
on creating an awareness program the thing that nobody wants to do in the industry so that was a good experience one of the other things that I do fairly frequently is social engineering training as well so kind of do some technical some physical some social and it blends together a lot so I want to put this talk together because it really pieces together some stuff that doesn't look like a very big deal individually and then tie it together in the end and show you some of the ways that we've put it together in the field and I tried to keep it fairly a high level but oh something's not clear just you know ask away
this is usually a joint talk with my boss too so I'm trying to figure out how to do this without saying we the entire time wondering why so but we slips that would be like so physical security we all know that it's really important right at the end of the day we're all guarding the same stuff but when you tell somebody that you work in computer security the reaction is usually wow you are like so smart if you tell somebody that you work in physical security you get the get a better job someday right you're working your way through school yes I'm sure it's just to pay the bills but we're really guarding the exact same
thing and I think that in the industry those pieces depend on each other a lot but don't understand each other a lot so one of the ways that we're working to fix that at sakura-con I can use week is to really start to include the physical and the cyber and the social pieces all together to emulate more real-world attacks we do a lot of work with utilities in critical infrastructure the utility space has room for improvement let's say they don't really understand cyber threats to any extent physical security is sort of there but not really so a lot of the examples I've got some skater like examples in here today I think I've got some other stuff in here too so when we
scope the stuff it's usually called physical penetration testing which sounds really dirty you're not used to this industry you can always tell the people who aren't used to hearing the terminology because you get that like really really interesting stuff so it's not just about breaking in there are a lot of other things that we evaluate when we look at this kind of stuff not all physical controls are meant to prevent entry some of them are really meant to delay entry such as fences fences aren't really meant to prevent entry they're meant to slow you down enough for somebody to actually see you and decide that you probably don't belong there if you're trying to climb
the fence and do something about it so we look for a lot of different things it doesn't have to be in combination with a technical or on the cyber side the best last year we like to combine them when possible but not all of our clients come with that because they think it's cheating because bad people don't break into buildings apparently so I wanted to go over some of the basics of how it works so before we do anything we gotta have our letter alright this letter is very important it usually keeps us from going to jail usually I've only had to show it once so and it did keep me from going to jail
which was nice we'll get to that later um it's basically a high level just a single page document that's from usually the head of security or whoever they report to says yeah this person is conducting a physical test from these dates to these dates and these locations if you are presented with this letter please contact it's usually gonna have a head of physical security at that point and then everybody in the environment signs it CIO usually does as well since we're gonna probably be touching technical things and we carry that with us make copies because stuff happens right you're gonna be dumpster diving and crawling around and climbing fences you don't want to drop your letter
somewhere and then your only copy not be there if you need it okay not that I would know but copies are good so a lot of our clients because we're clients because we're based out of DC don't really want to pay for us to travel places to do reconnaissance so we've kind of had to get creative and figure out how to do a lot of that without traveling so what we've tried to look for is really to try to get the lay of the land before we travel to wherever that site is gonna be there are some lovely tools to do that in the physical space you'll find that some of the tools are sophisticated last
year and some are not it's really how we put them together right so you're gonna see Google in a whole new way at this point Google Maps is great I only have two uses for Bing Bing Maps is actually fairly useful because it has a 3d view or you can kind of tilt and see you around the sides of the building which is really cool Google doesn't have it everywhere yet but they're starting to expand but what I'm looking for there is really just what's in this environment or are we contracted to break into this building or test this entire campus sometimes we're supposed to look for a data center or a control center sometimes the client
tells us where that is like what building other times we have to try to figure it out because they think that that's hard I love crushing their dreams uh it's really kind of depends on what we're doing but when we're looking from afar are really just trying to get the lay of the land right so really trying to see what's there what's around any of those areas so if you're doing a test in downtown Chicago those surroundings are gonna be really different from like rural Pennsylvania right but what I'm doing they're not only looking at entry ways and potential places for parking right because you got to get to and from somewhere there somehow I'm also looking for what's
around right is there a Starbucks nearby is there some kind of restaurant nearby because we're gonna use that later on in some of the social engineering pieces that we do so Google sort of doing traffic cameras a handful of years ago they've gotten pretty good at it so this is useful especially if we're doing a test in somewhere like New York and Manhattan I can sit and watch the traffic patterns in and out of that building all day without pants at home and it's great I don't have to worry about hiding anywhere when we look at the traffic patterns we're really just trying to understand the flow of that building so it's common for our clients to only
occupy a half of a floor and a high-rise so while I'm only really worried about the 12th floor or whatever it is I need to understand how much traffic is going in and out of the building for a couple of different reasons all right I might want to use some of that as cover slip in and out I want to know when it's busy and when it's not because depending on the attack that we decided to do we might want to wait until it's busy so it's good to know what the the hours of the building tend to be like some folks like they come in really early they're like a 7:30 kind of crowd but the other
thing that we like to use this for is at night yeah I watched traffic cameras at night on the dark because I want to see when the lights come on on Flor is it most of the cleaning companies are only allowed in there after hours and if I need the cleaning company to let me in or turn off the alarm if they have an end suite alarm I got one I don't know a rough idea when the cleaning crews gonna be there so that we can have plan who's gonna be where and when traffic cameras they're very useful probably for traffic to I don't really know but they're great for other things so because we're not in the
Washington DC area nobody is going to know what is a five hundred Delaney Street so I'll tell you spoiler five hundred Delaney Street and alexandria's the United States Patent and Trademark Office this is a really nice building which means it can't possibly be theirs because most of the buildings downtown are not not awesome that are government-owned and this one's very pretty that's good big glass atrium lots of fancy things right so no way this building is theirs we'll get to that in a minute so if we're just googling for now right we're just gonna go we're gonna check out some Street View I like Street View a lot um it kind of gives me a heads up of what's gonna be around
before I actually get there I mentioned something about watching traffic patterns in and out of the building if there's not a camera nearby that I can access legally to watch those patterns in and out of the building I'm gonna need to find a way to do that once I get there so in this photo I see a great place where I can do that I'll even share my newspaper with that dude there on that bench I'm nice like that and what I'm looking for in photos like these in these kinds of areas we're looking for the card readers and the doors right I noticed the they use them here they're kind of smaller usually they're more square a little easier to
see that kind of helps me understand what kind of system they're using entry and we will get into some details of that and a little bit the fact that I don't see any of those squares on the outside on this photo tells me that that's probably an open Lobby probably folks can just kind of go in and out of there and there's a control point beyond that area but I'm not sure yet so I'm gonna look around some more back to they can't possibly own this building right so pull off the tax website here for the city of Alexandria and see what they paid in their property taxes to see you onto the building they paid a lot of
money and property taxes so it's owned by ELQ or which is really convenient for me they they manage a lot of higher-end properties in the Alexandria DC area and while some companies are really good about making sure that they're not sensitive photos and things on their website if they're leasing a space the owner of that space is probably not being as careful about that right because they're so proud of it they want you to see how beautiful and how safe and special their properties are so alcor's website tells you all about the headquarters campus so it's actually a big kind of a u-shape of building so all of the buildings in this photo technically are the patent and
trademark office with the one with a big glass atrium being the one and this shot from the street view so this is useful you know you kind of read through here it tells you a little bit about the campus it's got some great photos so if you look at the photo on your right that looks a whole lot like that right the other side of that so what I don't see there let's zoom in I'll get a better picture next time sorry what you don't see on the inside of those doors are turnstiles or any kind of control point for somebody to present a credential like a badge or some kind of key fob or whatever so very
safe bet that it's an open Lobby if you do a little bit more reading you'll you'll know that there is a actual little museum for the trademark office right in that Lobby so they have school tours and things in and out of there all the time so it's a very high traffic area and the lobby so it's pretty easy if you wanted to get a little bit closer to see where the rest of the control access points are and what technology they might be using now you can get in a little bit closer to get a better look yes not the first time so we've had clients that have made changes after we've broken in but don't get updated in
maps and Street View oven and things like that so it's like oh wow that's new so that's why we always make sure that we do an off-site and then an on-site we don't just get off the plane and then go try to break in right it takes a little a little warm-up to to kind of get acclimated with the area but yeah it does happen especially I mean they update Google Maps and stuff like that fairly often and but even in some of the larger areas you do see some lag in between so it's definitely not gospel but it's usually fairly reliable once you start doing this work you'll look at the world a little bit differently so
everybody here usually sees a very pretty campus and it looks nice and inviting and brick walkways and all that I see that security dome cameras sticking out right in the middle of those photo just because there are cameras does not mean that somebody's watching them so while cameras are meant to really let's say discourage folks from hanging around your security guard your average security guard is watching anywhere between five and a hundred cameras per guard they're not gonna see everything at that exact moment in time cameras are really used for after the fact more and you know we had a break-in a way to bridge whatever they pull the camera footage to try to get the face and and
so on and so forth so while cameras are meant to look really intimidating they are probably not being watched so don't let that make you too nervous if you belong there of course disclaimer so I was really curious about what you have to do to get in there turns out I don't really have to go hang out in the lobby because Elcor is very proud of the security that they have so proud that they put a nice photo of it here for me so that's really cool it gives me a lot of information the turnstiles for instance that tells me it's probably not gonna be easy to tailgate to piggyback like behind somebody with a badge at
this area doesn't mean that there are other areas in the building that aren't as watched let's say but if I want to go in the main way that looks like it's gonna be a little bit difficult to to tailgate behind somebody with a working badge if I don't have a working badge they also if you look there have a metal detector and a little tiny x-ray machine probably a good assumption that that's for visitors on badge folks that tells me if I'm gonna try to get some of my suspicious-looking hacking tools inside it looks weird on the x-ray they might take a little closer look so I might need to kind of change out the tools and
I'm gonna bring with me or disguise them a little bit better great gonna get a little MacGyver so that's off site right we're just googling we haven't got anywhere yet once I have the idea of what it looks like around there if it's a metric area what not now we can start to plan our on-site reconnaissance of who's gonna do what who's gonna watch at what time there are lots of cool ways to do this you can really get creative with it we've done all of these at one point or another to do surveillance just because you have a stroller doesn't mean that you actually have to have a live baby in that stroller put it all in there and cover
it up and put a little cover but the point is you really just want to blend in with a regular traffic that's around the building so if it's in an area where there's some residential and stuff mixed in and folks you know they jog through there or there are people taking walks there's a train station close to there like there is at the Patent Office and it's gonna be fairly typical to have just regular foot traffic through that area in addition to the people who belong there so they're used to seeing folks mixed in with a walking traffic that don't necessarily belong in the actual building love the park benches they're wonderful bird seed feed the
birds relax for a while homeless guys you know this works in a really great places like Chicago downtown Chicago it's very useful um what I didn't mention is I have a little bit of a background in theatrical makeup so we have a really good time with this sometimes so when we had to get a volunteer for our homeless guy Sean wanted to be our homeless guy so this is Sean normally then we made him into homeless shop all right well you know you just get him bag with some cans and you know something that rattles around and then he can literally lay on the park bench with the street or whatever and observe the traffic in that building and be
pretty much ignored until you know the beat cop comes along and moves him along and that's fine whatever reconnaissance we do we want it to blend and be typical so it's all about not triggering that whole fight or flight' deal won't go too deep into the psychology of it but in the brain there's a part called the hypothalamus but basically controls your inner BS meter right so whenever there aren't really a lot of benders here so whenever a vendor tells you you know they've got this great product that that's gonna fix all of your problems that like weird twist you just got in your stomach that that's fight or flight right it's it's our internal survival mechanism we'll
say so we don't want to trigger that so anything that we can do to blend that's what we'll do this only took about five minutes to do the scar on his head is actually one that we got from like a Halloween store so you attach it with some some stuff and then you just do some makeup around it right some stage blot a little bit on top there and just basic makeup the dental piece really brings it home right so again right after Halloween like Party City in those places all that stuff goes on clearance so you know he looks a lot different after a couple of bucks and some props and a little bit of makeup he's wearing
the same shirt but you don't really notice the shirt that much gets you kind of distracted by the big gash in his head so once we're on site like I said we want to blend it's great if there's a coffee shop nearby kind of sit and watch the traffic and all that for reasons that I will never understand folks walk around with their work badges dangling from their or from their Beltline even in DC I'll never understand why they feel the need to do this but they do so that's fine it makes my job a lot easier because then I can really start to spot who belongs in what building so in places like Chicago
where you've got a multi-tenant building it gets a little bit confusing because you got to make sure that you're targeting the right folks if there's a bar nearby it's even better right so I'm so it's always better if there's a bar but sometimes it's the watering hole they after work happy hour watering hole and you can learn a lot if you just sit there and nurse your drink and listen listen take some notes you get familiar with the terminology what's going on the office gossip sometimes we have to go vehicle why is for surveillance when people say surveillance van this is usually what pops into mine okay if you're trying to blend I would not
recommend that so when we do surveillance vehicles it's really important to understand the area that you're in what's what's going on around there if we're doing something like a manufacturing facility that's in an industrial complex you know the u-haul is perfect there are box trucks that go in and out of there all the time sometimes their new halls sometimes there's something else nobody's gonna blink twice if they see one of those parked on the street in front of are these you know facilities and it's useful because you can put your whole team in the back and then kind of trade out and then if you're doing a wireless test in addition to that you can be doing some of your Wireless work
while you're doing your recon as well it doesn't work in the summer as well when it's really hot though because then you bake all your hackers in the back it's not less use when we do tests in rural areas like rural Pennsylvania learn this the hard way make sure that you don't get a brand new foreign model vehicle with out-of-state plates right because when you're in Chevy and Ford territory and you roll you know Nissan or Honda or anything order Chevy it draws the attention it really does so we'll talk about that a little bit more later and how that kind of cost us and some points see whatever your supplies with you right there
there's a little bit of a prep that goes into this that thing in the middle is called a map for those of you who may not be familiar a long time ago these used to be paper that you would have to carry with you um I like to keep them still because you can unfold them and lay them out to cover up suspicious items that you might have like all your wireless equipment and your cameras and your binoculars if if rent a cop or something sneaks up behind you and you didn't really have a chance to put everything away you can put the map over it right I'm sorry I'm so lost I'm from out of town I'm trying
to find have a spot picked out beforehand can you help me mine the right spot you know whatever it works if you're a guy too you don't even have to do dizzy headed chick great to work what we're looking for when we're doing on-site stuff in addition to flow in and out of the building we're looking for stuff that are we called them trust pieces right so are there parking permits on the cars they all have the same stickers are the employees wearing ID cards when they get out of the car maybe they don't have them some companies don't some companies instead of using a swipe card or a proximity card they literally just enter
a six digit PIN to unlock the gate or I lock the door to go in now some think that that's more secure and it can't be defeated but really it's a six digit pen most of the numbers that are commonly used or worn off on the keypad did bring it with me today but I don't know if anybody's familiar with the the infrared guns the flares so you can get a pretty good about here to the door maybe a little bit more sight on it so when they touch the buttons you'll see it on the infrared which button is they touch so it'll kind of narrow down what kind of order you need to do that
so it might take you a couple of tries but probably not too many because you've only got so many options there and if you've got somebody who does it nice and slow with one finger for you makes it even easier so when some companies use you know swipe card and pen they think you know it's cool we're good nobody will ever figure that out usually we figure that out but that's one of the ways that we do it so high tech low tech and in the middle right once you're inside it doesn't really matter how you guys inside usually everything from networks the buildings have the same candy shell right it's hard on the outside and then gooey in
the center okay usually once you're in the security controls on the inside are a lot more relaxed than on the outside there are frozen haunts to this and will argue to many of the pros from the commercial side but from the attackers side there are so many pros to this approach you'll come across a lot of doors that look like this probably those things at the top those two dots to the top told me that that's a magnetic lock door and that will be useful later on for a couple of different reasons mmm remember if I have a slide for it or not so I'm just gonna point it out now so if there is not a way to get around that
door by tricking the the access system and to unlocking it for us the hinges are on the outside you can't get through it just take the door off the hinges so if you carry around like a roofing nail or something about that long or so up underneath the bottom of that hinge there's a hole normally there so you just put that roofing nail in there and just give it a good whack with something doesn't even have to be a hammer now the door is not gonna come all the way off because the magnets holding it at the top right magnetic lock but we don't need it to come all the way off that's fine we just need to be able to angle it
out a little bit just far enough to shove the skinniest guy through right and then he can open the other door it doesn't really take very long though of my let's call him more petite coworkers I think this game weighs like a buck 15 or something we can have one of those doors off in 30 seconds so it's not it's not overly difficult it just takes a little bit of practice to do I also recommend a commercial-grade doorstop to go underneath of it if you're gonna try that because that doors really heavy so once you get it off of the hinge it is it's gonna ban right down on the floor unless you've got something to for it their home depot is
a great place yes you can just kind of you can put the pin back in if you're polite usually when we're inside it's more of smash and grab at that point the longer that you were inside or you don't belong the greater chance to you risk of getting caught so it's very much a smash-and-grab most of the time try to be in and out as quickly as possible but yeah same process though alright you just put pup and pin back end but usually we've got the other door open at that point so it's a lot easier because then you can hold the door in front wean um I mention these card readers are out the little boxes we use things to open
them like cards look like this this little fobs these are all the same thing basically on the inside they all have similar chips that do the job looking the little boxes on the wall around the school here it looks like they use some type of system that's similar we call that a physical access control system or a pax and commercial space there are lots of great toys that you can use for this in the earlier days before people got really creative with stuff like before there was like Raspberry Pi and Arduino and all of that that made it a lot easier started pretty pretty simple with this tool called the Proxima 3 it's a research tool research
you can weaponize it though so the device itself is really about the size of a solid-state hard drive so it kind of tricks you at first you think that that's probably you know field friendly you can try to use it to steal other people's access card content but it's not just that device right so you've got to power it so you need like a power bank for like a phone and then the antenna so depending on the type of system you've got high and low frequency so two different antennas on the old model the newer model they've made it a lot more streamlined but that basically equates to you three things and cables that you have to figure out how to cart
around and not look suspicious doing and the cables don't stay in very well so if the cables not pushed in all the way the lights won't work and it will tell you they've got a good card read and then when you go to replay it there's nothing there because ball is loose not very field friendly but again that's that's what we had in the beginning the read range on this is just a few centimeters - yeah how hard it is to get a few centimeters from somebody's bad without being all creepy really hard even for a female it's some of the major metropolitan areas where there's like a dream yelling Manhattan that's a lot easier just kind of shove in with
everybody on the train please - this plague scene Paul right where they're used to having their a nice personal bubble and they don't want anybody on their bubble that's that's a lot harder like you've got to get creative with that I'm clumsy I fall I fall you know it's really nice of them they bend over or than the badge kind of hangs down so I can get it close to whatever it is I'm using to read the card um some folks put this like down on the inside of their jacket but my arms are short my hands are small so I can't really conceal everything so I had to figure out a way to do that so this was my RFID binder of
doom which sounds cool it looks cool ended up not working that well which is kind of sad right so just took some velcro pulled back the under cover on that rocks works in the bottom that's just a little battery pack acting like Best Buy or something it doesn't take a lot of power so that little battery pack will power it for a long time thread the cable through on the other side that's the low frequency antenna had to look for the CD holders I had a big box though that's cool so you zip it all up and then you just basically need to kind of tap the folder close to the badge so there are a couple different
ways to do that but the leather on the folder actually prevented the antenna from powering the card which is what you need there's a little tiny chip in there that you gotta power it proximity yes to get the information from it so well it looked cool results very didn't work that great in the field for those of you who like the grid it and lo the grid it it's designed to hold all kinds of little accessories like throw smack people that need 16 adapters to do anything it also holds the pieces for the proxmark really well because it's got those little rubber rippers on there it keeps everything in place and it keeps the cables fairly study the
problem with the proxmark I mean there are a lot of problems with it but if it loses power it loses its data yeah so you know you've done all this work you've gotten close to somebody you've got your card read you've got to get it back somewhere to either replay it at the card reader itself or replay it like back in the hotel room to one of your devices so that you can write it to another cards a little more reliable so if the time you get it all back there and you're all excited and then you realize that you don't have any data it's it's a big bummer but we put this in a laptop sleeve so I made it a little
bit easier a little more mobile you can kind of swing it when you're walking something to people it was a little easier early days right so those more of the early days of how we did some of the entry um haven't seen these in the building here but I'm sure you've seen them around that little white box usually makes a weird clicking noise when you get close to it normally associated with doors with the two Mac locks the two bolts on the outside of the door so that's called our request to exit or a rack bless you and for reasons that I guess I sort of understand some building owners don't want people to be inconvenienced
enough to have to push a button to open the door the controlled door to exit to leave so they put a motion detector on the inside thinking that you know if you're there and you're approaching the door to leave that you you belong there so it will just release the door so that you can leave without having to swipe or push any kinds of buttons and this is great in theory until you get people like us with sophisticated tool sophisticated tools being you can unfold it make a pretty little flag and if there's a nice gap between the doors of their double doors you can just slide it in between and then wave the little flag
and it will trigger that motion sensor on the inside right so you hear the click and on the door is open under the door works sometimes to my video literally if you do it right it literally pops open that fast right so if you look at the card reader those usually flash green when they've had a successful open from the outside still red right because it hasn't received a signal from the outside to open this is important for a couple of reasons because in the packs and the control system on the inside of the door that's its normal operation is to release that way so it's releasing that way because the things that somebody is on the
inside and they're leaving that means that it won't throw an alarm or somebody to go investigate do people actually investigate those alarms immediately no not really but but occasionally some do yeah
they do some of them are motion some are heat-based some are infrared right so you just got to interrupt the stream so if you vape some people can blow a baby stream my favorite one I think is by a guy his name is deviant no not making that up he works for a company called core security he actually opened one of these with a mouthful of whiskey just get up to it Lola whiskey through really hard and then it would trigger the Rex on the inside it's on YouTube so you go check it out it's pretty funny it was really funny we were testing this on random buildings and random cities that we were traveling to as well there are a
lot of failed video footage out there for it but it works pretty well so the way to help control that if you don't want to make your employees push buttons or enter codes or swipe cards to leave is to adjust the the beam the range on that so it's out further it's supposed to be more towards inside of the room that has good and bad one of the the problems with it though is that people like me are persistent and just find something else about and that's the work so when you blow this up like I've kids right so I have a little hand pump and a little balloons for the kids parties so you put it between the door and then you
just use the hand pump to pump it up so it's just about ready to pop and you let it go all right so on the inside it goes like this and then it will trigger the right set up at the door when it doesn't work there's a pile of balloons too it's a little embarrassing I usually just blame the cleaning crew like I don't I don't know what kind of way sugar renard around here I mean they're having parties at night and stuff when you're not here let's check your cameras oh you don't keep that footage huh you should think about that because I have kids I also read books you know that talked about you can't go over it go
around it you go under it right data centers and places with you know important servers and them usually have raised floors so it's easier the cables and whatnots most of the walls will go all the way to the truth floor but I found that a lot of times the contractor cut some corners and they don't do that in doorways all right so even if it's along the wall and you pull a tile and you know the walls all the way to the bottom the true floor go find a doorway and look there too so for those of you who have never crawled underneath a raised floor that's the action shot be careful because sometimes they run like really big power cables
underneath of there so just have a look before you go in there and make sure that you're not gonna hurt yourself those tiles are weighted on if you can see you kind of like the grid on them they weigh about 40 ish pounds you've got to give them a really good bump with your shoulder on the inside to get it up so that you can let yourself out and then you can just open the door for nobody outside same thing with a drop ceiling right so most of these have a raised floor and a drop ceiling if they did the floor sometimes they forget the ceiling and if you have the skinny guy that weighs about 15 you can just shove
him through you know he never wonder what another test with us after that that's kind of a bummer well it's me are you so unless you're gonna pick me up and toss me over there I think that you're gonna have to do it what he was he was kind of a scar from that we were talked about the hinges so I'm not gonna go through that again um just because doors look like they shouldn't open when they're assessed does not necessarily mean that they won't this is a pre-production data center basically the last step before they put it into production and of course those networks would never connect to production that would be bad do that so they put those doors on so
that the people with server carts didn't have to try to worry about opening the door and swiping the card how'd you get in here yeah excellent love so the reason that that free flows that way was for fire code right in the event of a fire that Dory's to openly openly flow openly open there you get a lot of sleep so anyway but that does not mean that it should open whenever you just wanted to from the outside right because you're not inside so that shouldn't happen I had to change some settings on that door but we did fix it the guy that was with us was not happy this was at the point where we got in at about six different
ways sometimes they insist on coming with you you could do this test but what about physical security guys has to come with you I'm like whatever he can hold the camera we'll get some good shots here at this point he's just lost all hope it's like leave it open because it will alarm after it's left open or so long he's like leave it open I want to see if one of my birth will come down and check it out ten minutes later with the door still open nobody so lots of improvements to be made at that facility let's talk about fences and they make great neighbors and other sayings that I can't recall of this exactly
lots of different kinds right so we can deal with these again they're not necessarily meant to keep you out just slow you down long enough to get caught security controls gone wrong does anybody know what's wrong with this offense you don't have to raise your hands oh yeah so the barbed wire is supposed to go the other way to make it hard for people to climb over the fence right so it's supposed to you know because you would have to kind of lean back to get over the barbed wire um I cannot tell this is my biggest pet peeve I see this paper where I can't tell you how many places I've been to or driven by the the barbed
wire and their fence is the wrong way I mean it looks like an iPod Factory or something I don't really know if you people in and if you're gonna keep people and you probably need more than that but you never know right so you're right could be a prison if it's a prison it's not a good one there's a really nice gap underneath of that fence - they can be dealt with in other ways clients get really upset when we do this so we don't do that often again back to the kids book right can't go through it can go over it just because it has barbed wire doesn't mean that that can stop you just take the
floor mat and go through the barbed wire had your hands there so I'm a big Burn Notice fan great so I decided to include it here because it's awesome all right so they work in teams here just like we do you use folks to roll up and create the distraction right so that the security guard is not watching his camera that you'll see in the background I should put some audio on this sorry about that it never works with the projectors and stuff so demo fails and all of that I just you don't really need the words but the further entertaining because they're arguing right they're trying to find a restaurant we're gonna be late we're
gonna miss our reservation so I can't do the flip like that though um when you do that take that floor mat with you if that's how you're planning on leaving because it's a one-way trip otherwise not good all right we're starting get short on time and I've got so many other great things to talk about see what I can do okay so client story rural Pennsylvania State a client let's call it so these guys have a control center for the smart grid we don't even have enough time to talk about smart grid that's a whole different talk their control center was four stories underneath of a building and we were never getting in so we
shouldn't even try I love when they tell me that huh it's so encouraging so where the blue dot is is the back door to this building the yellow dots where I parked my car and drank my Starbucks while I was observing they were on construction on this building the guys in the fact where the construction guys were using that entrance and at first they were really good about it they open the door they would close it behind them then if they started carrying things and the door started staying open a little longer a little longer and then the paint bucket came out right and they just propped it open and left it open that was cool I had had already cloned
one of the the access cards but I didn't know if it had access to the control center stairwell to go down the four stories to get to the control center one of those where you just you won't find out until you get there right so again sophisticated tools right clone too bad and that was useful but but really sometimes it's just the basics right so usually we hit up a thrift store nearby the client site to get some swag jackets and whatnot couldn't find any there so we just had one made so we've got some really nice jackets with some client logos on them that we had made up but the problem with that was
they turned out to be nicer than the ones that they gave the employees so it kind of drew a little bit more attention Oh where'd you get that oh it's new I just started I don't know clipboard clipboard will get you so many places because you look like you belong and you look important right you're always looking for it with a clipboard so I get in with the back door there and I get to the hallway to where you go in to get to the card reader put the stairwell all right so my big badge would get me into that hallway but it wouldn't get me down to the stairwell that had a biometric reader on it I keep bumping this cable
had a biometric reader on card reader there those can be dealt with but at the time I did not have what I needed to deal with it then I decided it's just a small hallway right so and it's the only thing there so if you're standing there it's obvious that you're you're waiting to go down there like there is no like hang out and read a book and look natural there's nowhere to go so my next thought was I'll just grab the door when somebody comes out the door closes slowly enough you can grab it and let yourself in so this younger guy comes out and the door literally just slams him he didn't even touch it so they'd
already thought of that we're just cool they got some bonus points there so I decided well we're out of time so now we're never right so I grab the guy I'm like hey I'm from the audit department look forward great rapport with spreadsheet looking things on it said I'm doing an asset inventory this is a big thing in the government in the military they're always doing asset inventory right commercial space they're getting a little bit better so it's kind of like the thing now so there are four printers down here that I need to get the serial number and verify their asset tag ID on them there's somebody who can let me in he's like oh I can let you in
okay that's cool he's like but we have to check in with security first okay you know how to fake badge and we have a badge printer right so it's it's the same kind of printer the things which is funny because when we got caught later on our badges actually looked better than theirs so they were kind of fascinated at though they didn't understand but checking with security basically ammount security guy I didn't look up from the novel he was reading shove the sign-in sheet at me I even said okay go ahead you know because she's with you right he's like yeah she's with me and that that was that consistent of checking with security no
but he looked at the employee badge that I had nobody bothered to look me up on the system to make sure I belonged there none of that good times so he takes me down right opens the door with a biometric reader goes down the four stories there's another door with another biometric reader to get into the control center at the bottom so even if my grab the door really quickly before it closes had worked it would have been even more obvious that I was standing there in the bottom of the stairwell but the only place to go right in front of me that I couldn't open the door and I'd have to wait for somebody else and then
try to act like all slick but they all know each other down there because when you're locked in a windowless room for eight to ten hours a day you get to know the people that are there really well so need a cover story to go with that right I don't long obviously in many ways not a lot of women in skata right so it's kind of like a unicorn walks in girls don't know anything about computers so we get in there and then the guy just like walks away okay so I go over to the closest printer that I can find and it does have an asset tag on it so I wrote it down I
was there why not doing my thing taking some shots with my cell phone and I wasn't supposed to have him there to prove I was there other than the camera footage that they should have been keeping but that's another story um he's go off to go find the other printer for me so he goes and finds the other tag numbers and it comes back with a list thanks man that's so cool right so and you know we get our printers you talked to me on a sign I leave five minutes right five minutes for the time I walked in from the Paint Bucket to getting down there to getting my stuff and out right so you
don't want to spend a lot of time because the more time you spend the more they're like wow you're right you know if you don't know what a smart grid control center looks like it looks like that cool stuff right you can see where the thir the power is going and how they've rearranged it that's a stock photo I made sure that when I was taking the pictures to get like the clipboard of my arm in them so they didn't think that I had taken a photo of like the one on the wall in the lobby or something I was there just in case right because we were hired by the audit department which means that we were hated by everybody
instead of security right so when auditors come in to audit security people and security people aren't doing it on their own free will they're not very cooperative so that's always been challenging let's say so like okay fine you got that one you're never gonna find our backup control center it okay like we're not even gonna tell you where it is you gotta find it yourself all right I mean you got the hours for it so yeah you see hours in the recon that's fine new couldn't be too far away though just on some of their procedures and their their personnel in the area all right there are rules about how far away it should be for certain certifications in
the industry I don't think they actually meet that rule but I'm not an auditor so whatever so it did some digging you know and it was okay I couldn't really find a lot online didn't see it on the website and see on Google I couldn't find the real estate record where they bought any other property than their own that I knew about um somebody checked in on Foursquare from this place hi Wayne bottom-1 training center today thanks man I appreciate that he didn't work there anymore I don't know if that was directly related to the Foursquare post or not um you don't even get cell phone signal out there so I'm not exactly sure how how he did Foursquare but anyway
that's not not my deal oh they don't they don't Wi-Fi at all but anyway so I find this place on the map rate and this is the road it's the best place okay I think I saw some movies that started like this there will be no blending and no Starbucks Inge and taking photos and just kind of chilling near this place you start down this road there's nothing nothing nothing you start to see a building it pops up whoa that looks awesome and then it's gone again right it's literally just a few seconds and that's it it's like a one and a half lane roads you can't really fit two cars on it without having to pull over to let
somebody by you there's no just hanging out got a fence there okay I can probably be dealt with so once I knew where it was I could start to really check out the aerial and stuff on Google quick side tangent so it's actually one of the old AT&T long lines officers from the Cold War huh so it used to have a nuclear blast rating and everything on it until they decided to make it their backup control center and messed it all up so cool history on that building I mean if I was gonna build a backup site like this this would be a really good qualifier for it right it's secured secured so if we look at the dots here
on the map this is where we decided that we were gonna try to breach the fence can't can't climb it very easily so we have to come up with some other ideas again sophisticated tools can't go ever can't go around it but you can't go under it so we don't go to the fence that's me on the wrong side of the fence you can't see the no trespassing sign but I thought that was pretty awesome you know memories so get on the fence try to get my other team member under the fence and it's dark right it snowed and I was in my black ninja suit instead of my white um anyway so we get under
the fence and we start to shimmy the other guy just said two minutes so I get it then I'm almost done it's the best part I still have seven and a half of my time and we see some lights right Wow really like rent-a-cops not even to come out here and check for himself he's just gonna call the cops that's pretty lame I'm kind of disappointed at this point back to why cars are important in rental cars so there's nowhere to park out there if you're gonna go dig under a fence right so we had to pull off of the road like about a quarter of a mile away from this place and walk down the road
in the dark with the shovels right so the rental car had out-of-state plates on it it was pretty new looking nice on something or other and it was kind of weed circa had to pull off close to this house not blocking the driveway but but close by so where they could see us and it turns out the neighbor reported the car is suspicious because it had out-of-state plates so the cops come and which other my letter great and our badges and they're like oh that's your car right yeah like okay have a good night and they leave like well I'm going back under the fence so at that point rental cop was like oh wow that might be going on I should
check that out right so game over we didn't get into that one as we're walking back to the car neighbor guy is standing out there waiting for us we're cold were wet we've been out there three hours we've got long shovels with us right so he's kind of I'm throwing the Shina I'm throwing the shovels in the trunk like I'm thought right I'm ready to go like just take it now the neighbors looking at my boss who's with me he's like you know so I you guys come into the woods a shovel i watch The Sopranos two seconds two seconds okay that's slide yeah so I've also said and said well what you don't know is three
of us came in but only two of us came out
[Applause] [Music]
Related talks
49:29
53:02
55:21
28:47
47:05
51:46