Black Teaming

Show Notes

Many are familiar with cybersecurity penetration testing – ethical hacking to uncover digital weaknesses. But what about the real-world threats to your company's physical security? How confident are you in your locks, cameras, and physical security measures to protect your sensitive data or equipment?

In this episode, Robby speaks with Brian Harris, a leading expert in physical penetration testing as a part of Black Teaming. Black Teaming is a type of security assessment that simulates an attack on an organisation, including tactics such as physical intrusion and social engineering. Brian, Chief Instructor for the Covert Access Team, has conducted hundreds of these physical pen tests, helping organisations identify and fix vulnerabilities that could lead to corporate espionage and other threats. 

They provide real-world examples, discuss the limitations of common security measures, and touch on methods for improvement. These methods can include gamifying security by incentivizing employees to take an active role in physical security, for instance by keeping an eye on suspicious activity in the office.

Chapters

• 0:00: Physical Pen Testing and Security Auditing
• 10:39: Physical Security Misconceptions and Vulnerabilities
• 20:43: Sophisticated Insider Threat Tactics
• 28:48: Physical Security Vulnerabilities and Solutions
• 34:54: Supply Chain Vulnerabilities and Employee Security
• 42:02: Physical Security Threats and Solutions

Transcript

Speaker 1: 0:00

Brian Harris. Welcome to the podcast.

Speaker 2: 0:03

Thank you, glad to be here.

Speaker 1: 0:05

A lot of the cool people that I look up to and think are awesome. You've been an instructor for them.

Speaker 2: 0:09

There's been a lot of really awesome people who've done some of my training, so I'm really happy to have met a lot of people that work with your company and a lot of others.

Speaker 1: 0:18

What is their training about? Because I've heard people do you have like a lot of training?

Speaker 2: 0:22

I guess there's a big spectrum there, because I've heard people do you have like a lot of training? I guess there's a big spectrum there, yeah, yeah, so the training that we do is everything from how to do covert methods of entry, covert access, that sort of thing, basically run a physical pen test. There's also physical auditing, elicitation and social engineering. There's counter elicitation, so there's a lot of different types of things.

Speaker 1: 0:45

You have a lot of hats somewhere. I do. I wear a lot of hats, so I was doing some cyber-stalking of you Started off at the Center for High Insurance Computing, which sounds awesome Everything from chips and drones to programming, which you've done a lot of. You've been a researcher at a university in Germany, a pen tester. How did you get to where you are today?

Speaker 2: 1:06

Yeah. So I have a very winding path, as I'm sure most people do. I actually started off in applied mathematics and my professor basically told me if you have no aspirations of going on to a PhD, you're not going to have a job in math. It's just not going to happen, right. So I went on and got a computer science degree on top of math and I happened to know a professor who got me a job at the Center for High Shirts Computing at the time and I got to do some really fun research with them. Among other things, they were trying to solve problems of how do you verify if a computer chip is supposed to be doing what it claims it's doing on the box at scale, right? Like if you get a million computer chips from China, taiwan, wherever how do you vet them and verify that every one of them is doing what they're supposed to be doing? Because those chips go into places like, well, really sensitive laptops and computers and other things.

Speaker 2: 2:00

So anyway that's a huge thing today? Still, yes, it is. And well, just about any amount of software security is going to be superseded by a hardware vulnerability. Like, you can have all the software security in the world, but if you've got a hardware vulnerability that's doing something especially intentionally bad, you're almost guaranteed not to find it. You have to go to the hardware level to figure it out. And so, yeah, that's a really really tricky question.

Speaker 1: 2:23

It's really hard, yeah hardware level to figure it out, and so, yeah, that's a really really tricky question. It's really hard, yeah, so today you're Mr Physical Pen Test Expert, yep.

Speaker 2: 2:32

I get. I mean, I've gotten to work with people who they've broken into some exceptionally secure places that you need some very high clearances to even to go to, let alone break into. It's one of those things that, as a result, by training with some of the best people in the world who do this kind of stuff, you go to, let alone break into. It's one of those things that, as a result, by training with some of the best people in the world who do this kind of stuff, you get to a lot of that rubs off. And then I've been doing this for like 15 years now, and so I think I know what I'm doing.

Speaker 1: 2:53

How many physical tests do you think you've done, like 100, 200, 300, 400?

Speaker 2: 2:57

There's really several different kinds. There's auditing, which is I'm not trying to break into your building, I'm going to your facility, I'm walking through the entire thing and I'm trying to point out all the stupid stuff that I would have taken advantage of if I was actually breaking it. And then there's a covert entry where you're a physical pen test, a black hundred somewhere in there, over 15 years, if you're including things like auditing, and then the miscellaneous. Oh hey, we found this weird suspicious device on the back end of the corporate boardroom and we don't know what it is, and the police don't seem to understand what it is either. So can you come in and take a look at it? I had some of those too, and I can say, even last month, the month of May, I don't think I have a single day off, including the weekends.

Speaker 2: 3:49

I mean it's just constant. Yeah, it's a lot of work.

Speaker 1: 3:52

Well, at least it's cool, right? You're having fun.

Speaker 2: 3:55

Yeah, yeah. No, it's a great job, as long as you set it up correctly and you're not running a physical engagement alone. Yeah, it's a great job. It's a lot of fun.

Speaker 1: 4:03

How often does a threat actor actually break into a building? I haven't heard that much about it, but I could also assume that if it is happening that I'm never going to hear about it because it's yeah, yeah, of course.

Speaker 2: 4:18

So there's a lot of misconceptions when it comes to what threat actors are. We have this idea of threat actors being state entities or guys in ski masks breaking in the middle, and I you know. The first thing you have to do is identify what your threat to your client is. If you're in downtown London at present, your big threat actor is not corporate espionage or downtown, or your threat actor is more of people in ski masks breaking into your store and stealing everything you have right. So if your business is merchandise you know, jewelry, watches business is merchandise, you know jewelry, watches, cell phones, that sort of thing then your theft petty theft is. I always hate the word petty because it can destroy people's businesses and livelihoods, but it's that it's basically theft. If you're talking major conglomerates, people who are selling IP or other things, then it's going to be corporate espionage, it's going to be insider threats, it's going to be a combination of the both, but this kind of stuff happens all the time. But then if you're dealing with critical infrastructure, like the Department of Energy in the United States, they argue that about 1 to 200 times per year somebody is attacking their critical infrastructure and power grid this can be anything from trying to take down transformers or substations or digging up water lives or whatever. So it really just depends on what your threat is.

Speaker 2: 5:30

There was one recently, an attack on a substation outside of Fort Bragg, north Carolina. So Fort Bragg, north Carolina, is the largest military installation in North America. It's all like this USS Special Operations Command, the Airborne and a whole bunch of other stuff, and some people were able to figure out how to shoot a substation in just the right place at distance and take the entire substation offline, which took power out to the entire base until an emergency mobile substation was brought in to take over the load. There are not a lot of emergency mobile substations out there, they just don't exist. And that was a perfect example of an asymmetrical attack where you don't require much a rifle, a bullet and a little bit of knowledge and those substations can take two to four years to build up, put into place and they're very expensive. So I mean again, this kind of stuff happens a lot, it's just you don't typically hear about it.

Speaker 1: 6:28

Yeah, exactly Well what is a typical assignment for you these days, then, when it comes to a company in our neck of the woods, Physical auditing, which I encourage all businesses to start off with auditing before pen testing.

Speaker 2: 6:41

Pen testing is more of like let me say it this way A physical pen test is usually we have a robust security apparatus and we actually want to test it. We're doing our due diligence right. That's the correct approach. Another one is the CISO wants a budget right Like the CISO needs a bigger budget to justify something and he wants to scare the hell out of the boardroom. Most companies have never even run a physical pen test.

Speaker 2: 7:04

What I usually say is you know, you will never find a self-respecting large organization today that would say I don't know what a cyber-based pen test is, we've never done one and I don't see the value of it because we have antivirus and firewalls.

Speaker 2: 7:17

It's like nobody would say it. But a lot of people say we don't know what a physical pen test is, we've never done one and we don't see the value because we have alarms and cameras and it's like it's the same thing, it's the same principle, right? So I do a lot of auditing, which is you go in and you try to verify all the stupid stuff that they should be improving. You basically help to point out everything they're doing wrong and it helped them to bring up their security to a certain competency level. And then about a third is physical engagements, where I'm actually trying to go in and covertly break into buildings. And then I do a lot of training where I'll train people how to do this. I'll train people how to do everything from elicitation, counter-elicitation, covert entry, whatever. So I'd say that those are mostly what I've been doing on any given day.

Speaker 1: 8:02

Fun, Very fun. You said the auditing aspect, what most people are doing wrong? Just the top three.

Speaker 2: 8:11

I would say the things that people mostly do wrong is that they don't understand what a threat is. So in Europe I just happened to have this on my desk it's a little Euro cylinder lock. You see them all over Europe. What most people don't realize is that these are a huge vulnerability. You walk up to the door. You see what type of brand it is, what type of keyway it is. You purchase the same thing so that the client's key will fit, but it won't unlock it right. And then you repin yours in such a way that every key that fits inside that keyway will unlock it. And that's not hard to do. It takes you 10 minutes if you know what you're doing. You come up to the client's door. You break their lock from the outside. There's now no lock keeping the door closed. You open the door, you put your lock inside, you leave. As a result, the client's going to come back and their key's still going to work. But your key's going to work.

Speaker 2: 9:00

Unless you're really observant, you're not going to notice the difference right, and so one of the biggest flaws is that people don't understand that there are vulnerabilities out there that you don't know are vulnerabilities. A lot of them is just locks, doors, latches, all that kind of stuff. Another one is cameras. So camera systems. You look at it, you say, well, I have a camera, right, it's protecting me, but a lot of cameras not all of them, but a lot of them. The way that it works is that it's not some poor soul sitting in front of the wall of monitors making sure that nobody's actively screwing with something. What it usually is is that those are being hired off by a third-party security company and, in the event of an attack, a break and a theft, something that they retroactively go back and they see who did it. And the entire business model is well, an alarm is going to go off or somebody's going to notice something was stolen or whatever, and they're going to alert us immediately.

Speaker 2: 9:51

But what you don't know is, if I were to ask you to take out your smartphone and start recording a video, do you think that you would still be recording a video this time tomorrow? It's like no, of course not. Your phone would run out of storage space almost immediately, right, like 1080p, 4k, you know, whatever. It's really bloated file size. As a result, your phone can't hold that much data. But then, when you think about a third-party security company in Denmark, g4s, is a huge one, but imagine how many video feeds they're getting at any given moment. It's huge, it's astronomical.

Speaker 2: 10:24

And then when you think of how much data storage they need to hold all those surveillance cameras or that video feed, you start realizing, if you look at the fine print of a lot of these companies, they're only going to keep your footage for two, maybe five days and then they're going to wipe over it. So if something has happened and this is one of the benefits of covert entry, if you can covertly get into a building and do something and you're not caught you plant a device, you steal something whatever and it's not discovered for, say, two weeks. There's probably not going to be any video evidence you were ever there and as a result, it becomes incredibly difficult, if not impossible, to figure out who did it. So, like I said, there's a lot of misconceptions when it comes to security and I'd say that these are kind of the big ones.

Speaker 2: 11:09

Access control systems, of course, are a huge one. That's always going to be the case where callable badges, vulnerable readers, that sort of thing. But I would say that the big one is just most people do not know what they don't know. And when it comes to physical security, we really do have this misconception of cameras, alarms, fences, doors, locks. They make us secure and nobody can get in, it's like, but that's not reality. That's not how it works. So I would say that that, honestly, is the answer to that question.

Speaker 1: 11:34

Well, that's perfect, and now I want to make the rest of the episode about the things we don't know right, yeah, sure, what's better, a digital or physical lock?

Speaker 2: 11:42

So it really depends. What most people think of with digital locks is they think, well, the background software is going to be secure, right, which it may be, maybe. Let's suppose for a minute that whatever you're running on the digital side of things perfectly secure, great, okay. So you can't hack the Bluetooth or whatever communications method you're using. But if the door itself is vulnerable, if you can do something like this? So latch slipping is a common one, right? So this is where the old school Hollywood credit card trick, where you slide a credit card into the door and you pop it open In Europe you don't have quite that same vulnerability, because in Europe you have this zigzag pattern in the door frame and you did that for insulation purposes.

Speaker 2: 12:20

It's not because people you know a hundred years ago were like man. This will prevent this attack. You did it for insulation purposes. But as a result, you can still go to companies like Multipick, which is a German company that basically makes like a little corkscrew device and you can put it on the outside and you can twist a corkscrew and it'll screw through that little bend and get to that latch and you can push the latch and open the door. So when you talk about that. When you ask that question, really, it's not just about the lock, it's really about everything. It's about the door. Can you bypass it? So have you ever seen what's called an underdoor tool?

Speaker 1: 12:50

Yeah, I have seen that yeah.

Speaker 2: 12:52

Okay, yeah, great. So this is from the. It's basically just a long piece of metal with a wire Robot, arm thing yeah. Yeah.

Speaker 2: 13:05

You slide it underneath, you grab the handle from the opposite side, you pull it. Yeah, it's a huge trick, cool, it's cool, it's cool, yeah. But well, see, the downside to digital doors is that a lot of times they are one way secure, meaning that in one direction you need a card, a badge, a phone, whatever, but in the other way you need nothing. Well, any door that has that setup is probably going to be vulnerable to a underdoor attack. Because if I can just pull the handle from the other side, you know, open the door right and you can get some serious and sophisticated, you know under-door attacks where you can go through letterboxes. You know, if you've got one on the front door, you can go through all kinds of stuff. I've seen one with like cameras on the end to go through and make sure you're grabbing what you're, you know so out there, and it's not just about the lock, but with the lock, if you're talking about preventing something like drilling and snapping, then just buy an anti-drill, anti-snap lock. But then again you have to ask the question what is your big threat? If your big threat is in a downtown major city, well, you're maybe not concerned about somebody trying to covertly get in or maybe snapping a lock. Maybe you're worried about brick through the window, right, in which case you need, you know, shadow proof windows and maybe bars and maybe a steel door. So it really, really just depends on what is your threat level. What are you actually trying to prevent against?

Speaker 2: 14:11

The funny thing about those locks, by the way, is if you look at a Euro cylinder lock that is anti-drill, anti-snap, that will prevent it from being able to drill into the lock or snapped from the outside. It'll tell you right on the front. It'll literally you'll have, like you know Yale, you know three stars, some weird symbol thing, and you just go look up that thing. Right, you take a picture of it and you go look it up and, like, you find it on Amazon, you find it wherever. You're like, oh, this is from the manufacturer, this says that I cannot drill this lock and I from doing this attack.

Speaker 1: 14:46

So there's no such thing as a locked door for you.

Speaker 2: 14:48

Of course there is. Of course there are locked doors. There are locks that I would never try to pick. There are locks that I would never even approach, but it's not just about the lock. So, for example, you can do things like impression a key, right. So if you've got a key that's, you know, ridiculous, that you could never like, if you could never pick the lock, maybe you can impression the key, maybe you could impression the lock, maybe you can slip the latch, maybe you can pop the hinges off the door. Maybe you can go under the door and grab a handle from the other side. Maybe you can social engineer your way into the building, like there's always a way in. It's just a question of what do you have to do and how far do you have to go into it.

Speaker 2: 15:24

And at the end of the day, when you're doing a physical pen test, that's really what you're trying to do. You're trying to figure out if you were an attacker, what could you do? What are the real methods for getting inside? And this is one of the reasons why this is the trade-off between auditing and covert entry. With covert entry, or pen testing, or black team, red team, whatever you call it, you usually have a very limited time maybe a week, two, three weeks, very, very limited and you're trying your best to not get caught. So the types of attacks you're going to run are very limited. You're not going to try the really dumb stuff until the last, maybe the last things right. So you don't get to try everything. You don't get to test everything. It's really kind of like when you're doing an internal network test all you're doing is looking for domain admin. Right At the end of the day, that's really all you're doing. How many paths can I get to domain admin? But with an audit you're not doing any of that. You're just trying to find all the stuff that you could have taken advantage of. Maybe you know, okay, employees are wearing their badges outside. This lock can be snapped. That door is vulnerable for the other door attack. This rec sensor is vulnerable. So it's tricky. It's really tricky to increase the security of something because it all goes back down to what are your threats? And that's one of the things that a lot of clients don't know, or maybe they do know them, but they're unaware of it, a lot of them.

Speaker 2: 16:37

I've been hired by a lot of major companies to play the insider threat. They basically say, okay, well, what if you you know, we suppose that we are a company that has and you have access to the building, what could you do? And it's like, well, if you give me a badge to the building and you have basically a flat physical security posture where every person, from Bob the intern to the CEO, has access to everything, well, you're screwed, because if Bob the intern can go to the server room, the mainframe, he can get to everything. Well, you have no real security at that point. And this gets back to for legal reasons.

Speaker 2: 17:16

I won't mention them in a podcast, but there's a certain organization that launched a very, very successful engagement on the US government and was able to pilfer enough information from certain agencies to get what's referred to as tax-exempt status. This basically means that if you're a recognized religion in the United States, you don't pay taxes on anything, which is a very coveted thing to have. Right, that'd be great. So basically, what this organization did was they got members of their group to go get legitimate jobs at the FBI, the NSA, the CIA, the IRS, all these organizations and they started pilfering information back the CIA, the IRS, all these organizations and they started pilfering information back and the secretary of, I believe, the FBI or maybe IRS, who was investigating this group that person's secretary was a member was a plant. So every single time they would have a meeting concerning this, the office would be bucked.

Speaker 2: 18:06

And it's one of those things that it's like yes, if you are tenacious enough, patient enough, you're going to get in right, you just will. And so it really comes down to what is. You know, the insider threats are a massive security concern and a lot of bigger players start to recognize it and they're like all right, how do we prevent this? How do we fix it? If the intern goes rogue, or he gets bribed or he gets really disgruntled or whatever, how do we stop him from completely messing with us? And I get hired to answer those questions and solve those kinds of things a lot and it's yeah, it's a very, very common thing.

Speaker 1: 18:39

Speaking of insiders, right Scattered spot in the States where they're, like you know, calling employees and say I'll give you $500 for access to this, do you actually do that? Do you actually like call people and say, actually like call people and say, hey, man, I know you work here, I'll give you $5,000 to do this. Like, how do you deal with that afterwards?

Speaker 2: 18:55

Yeah, yeah, so I have done similar things. The way that this goes are two methods. One, you have somebody who works at the company or gets a job at the company and they build rapport with somebody over time. And when you're building rapport with somebody, often what you're doing is you're looking for what their needs are, maybe they you know like. For example, if I was to ask you, suppose that you've broken into a building and you need to build rapport with an employee to get that employee to give you information or do a favor for you that they shouldn't or what well, who would you look for?

Speaker 2: 19:29

Oftentimes, one of the people that are perfect targets are the grumpy guy. When you see somebody who's really upset, we often try purposefully to avoid them right, because we can see that they're mad. We can see they're upset. But if I asked you this question, I want you to walk through proud of people and I want you to try and spot every single person's needs. What does that person need in that moment? Are they hungry? Are they tired? Do they need to vent? Is their marriage going poorly? Are they at the wit's end with their career? Whatever, if you look through the sea of people, it can be really hard to spot all of their needs and identify them. But the grumpy guy, you know exactly what his needs are. He's grumpy, he wants to vent, he wants to complain, he wants to, you know whatever. If you go up to him and you say something like, hey man, I'm about to get some coffee. You look like you could use one, could I get you a coffee? Well, worst case scenario, he's going to tell me to fuck off. Best case scenario, he's going to say, yeah, sure, that sounds great and I've made a buddy. And if all I do is listen to him and I validate what he's saying, then you can easily build a friend with somebody that you want and you start to, you know, have kind of a rapport. And then you ask oh, by the way, you know, I'm actually not a real employee here, I'm actually somebody who works for this other government or this other organization.

Speaker 2: 20:43

We're going to ransomware your company for $10 million. Now. We've done this all over the world. We've never had a failure. We wipe the servers as soon as the device is planted, so there's no possibility that you can get screwed Like Stuxnet. It's going to sit there for 14 days and do nothing. So the camera networks are all deleted by the time this thing triggers Wordo ransomware.

Speaker 2: 21:02

For 10 million we'll give you two. If you walk this into the server, whatever tomorrow at midnight and plant this device in, then we'll give you $2 million. And the question is is that one? You've just created a pawn, if he agrees to it? But how many of your employees would say no to $2 million if you really have a lot of trust and a lot of rapport with somebody and then you tell them to go do this? Right, it's hard, it's a really tricky thing. So I've done things like this before. But the other way that this is done today, that has a lot of but right, you can see how that's a far more sophisticated way of actually going about this. Now, the other way that this happens today is you use a lot of AI. You clone a person's voice, you clone a person's face. In Hong Kong, some poor soul just transferred $5 million to the wrong place because he thought that the I think it was the- account manager.

Speaker 2: 21:47

Yeah, yeah, and some of the clever tricks that I've seen done with this are if I'm the attacker, what I do is I spin up a fake LinkedIn account and it looks like I am like the head recruiter at Google or Apple or Microsoft or whatever, right, and I really polish this out to really look legitimate. And then I reach out to somebody who has access, somebody that I want maybe a board member, maybe like a low-level board member and I contact them and I say you know, we've been watching you for a while. We have an open position at this really high, you know position in Google or Microsoft or Apple. It's five times the salary that you're currently making. It's fully remote. It's all these bells and whistles that you want. Would you be interested in having a call with us? And it's like, well, yeah. So most people are going to feel like, yeah, I'll type a call with you. Of course I'm going to have a call with you over this job, right? And then what you're really doing is you're actually cloning. You know their face, their voice. You're using the entire meeting.

Speaker 2: 22:38

So, if you look at AI facial models, a lot of times, if I do something like this, it's okay, but if I do something like this you can take that later and then go back and do what happened to the guy I'll call. So these are much more sophisticated ways that we're seeing a lot more common of how do you steal people's data. How do you get them to do things they shouldn't, whether they know they're doing it or not, and that's the other aspect about insider threats Maybe they're not actually a bad guy, maybe they're a trit right Possible.

Speaker 1: 23:17

We never hear that much about these insider threats, though, at least in my neck of the woods. I'm not sure it's maybe a little more in Denmark, I don't know.

Speaker 2: 23:23

Well, you don't hear about it often because the company has no real reason reason to publish it.

Speaker 1: 23:28

Yeah, of course not. It's not going to help their stock price. Yeah exactly.

Speaker 2: 23:32

I mean they will publish it if they've had a breach of data or if it becomes public, but they're under no obligation to say like oh yeah, by the way, Bob, when we fired him last week, we caught him trying to put a bash money into the server. Right, they're not going to say that, they're not going to tell you that this happened, unless they have to.

Speaker 1: 23:49

It sounds like you don't necessarily need the coolest toys for a lot of the stuff to get in. You don't need to bring out your best tool kit that often, I guess.

Speaker 2: 23:58

It depends on what the engagement is and it depends on what your goals are. If you're working in an OT environment, maybe the entire purpose is just to get to a specific spot, right? If you're dealing with industrial control centers, if you're dealing with power plants and other things, maybe you're literally just supposed to get to a place and take a picture of yourself there and then leave Because you like. On a live production facility, you literally don't have access to touch any. If the goal is to plant a listening device or a man-in-the-middle device or whatever, I think you're going to bring that with you. It really really depends You're going to need.

Speaker 2: 24:34

Now, the funny thing is is that, when you think about it, you're going to need your breaching tools you're going to need whether you're doing destructive entry or a covert entry or, you know, rfid, cloning or social engineering. Whatever it is that you're doing. You have to bring all of that maybe disguises, maybe anything. You have a breed all and you have to do it in such a way that it's not obvious. You can't bring like a hiking backpack full of gear. Right, you got to try and be that James Bond where all the gadgets are tiny and whatever, but they're usually not, and this is where your team comes in.

Speaker 2: 24:55

Right, you don't want to. This is one of the many reasons why you don't want to go alone, because if you go alone, you have to bring everything right, because once you get inside, well, maybe I'm going to need this, maybe I'm going to need that. What happens if you get to the third floor and you realize you need a tool, tool that you don't have, right, so like, it can be really, really tricky. But what's that? Robert renford quote from the movie spy game, where he says you know, oftentimes all you need is a stick of gum, a pocket knife and a smile. It's like, yeah, if you're, if you're, if you're a good social engineer, sure, absolutely back to the cool tool things.

Speaker 1: 25:26

Uh, what about around like card readers? And yeah, how often do you have to use like like radio devices that like do sync like frequency stuff?

Speaker 2: 25:35

Yeah, of course. So you have tons and tons of stuff. You have a lot of Wi-Fi. You know things that can get you out of Wi-Fi network from like a mile away. You have there's a guy, a gentleman in the US, named Travis Weathers. He's got a company. That's fantastic.

Speaker 2: 25:54

Imagine a card reader that's big and you put it on a door that doesn't need a reader and then you see if people will badge into it and then you can just walk off, take the reader itself and you've got the WeGan data or whatever. So those are fun. You can also use what's called ESP keys. They're like the size of a postage stamp and you can pull the card reader off and put one of these on the back end of the reader and steal the WeGan data. That's also really cute. You can use signal analysis tools. You can use various Wi-Fi tools.

Speaker 2: 26:17

But the thing is, in a lot of these ways you often want to make your life easier. So do you know what a borescope is? No, a borescope is what a plumber will use. It's basically a camera on a wire, right, and you've got this. Imagine you have a little device. It's about the size of a wallet and it's got a camera. It's got a screen on it that'll show you whatever the camera's looking at. The camera's this really long, maybe like two or three meter long wire.

Speaker 2: 26:46

Well, if you plug into when you go home tonight and you get onto your access points, you know your Wi, your wifi, your phone, your laptop, whatever. At one point you had to type in a password, right? Well, most of the time, unless you specifically set it up this way, if you plug in an ethernet port directly to that wifi or to that access point, you don't have to authenticate in any way. You just plug your laptop with the ethernet cord directly into the to the access point and you're on the network, right. So, yes, you could bring a one-mile Wi-Fi extender and you could find a hide site and you could try to break into. You know, crack the WPA2, you know all that kind of crap. Or if you could just find an access point that's in a vulnerable spot and plug a device into it, you're just on the network. You can't do any of that.

Speaker 2: 27:26

Similarly, with the Borescope which is really funny is when you get a router for the first time, oftentimes it'll have like a little thing on there, a sticker that'll say like this is the access point. This is the admin password. This is this. This is that. Many, many times people don't take those off and if the router is like really high up and you've got a little Borescope, you can just run it up there while it's recording, see that sticker and just walk off. So I mean, yes, you can do a lot of, you know, fun gadgets and all kinds of stuff. You can use flippers and iCopies and Proxmarks, the wall range readers and all this kind of stuff and that's great. But in a lot of cases you know you're definitely not going to need all of them, but it's really important to know how they work.

Speaker 1: 28:03

And these devices. I actually went on Spyshopno just to see like what kind of devices were there. All those devices are like super cheap and anybody can go in there and buy it. That's just legal. People could do it.

Speaker 2: 28:13

Yeah, so it's always important to know what the laws are locally, like some places you can't have lockpicks. Some places Canada for a while tried to ban flippers or other RFID cloning devices. Like it's really important to know that. You asked about drones earlier. It's really important to know where can you use drones. I can't go downtown copenhagen and just have a drone fly around an office building, like there's laws, right? I can't just jump on like a a radio and just use any frequency that I want. There's restrictions. So knowing the law is very very important.

Speaker 1: 28:42

All I know is that, uh, you always have, when you're get out of jail, free cards to be somebody on your own team, first, at least yeah, so it's.

Speaker 2: 28:48

Yeah, there's, there's definitely one to downgrade the getting caught. You don't always just be like, okay, jigs up, I'm caught, right, and it's a fun job. It's a fun, fun thing and sadly it's wildly overlooked. Usually what I tell clients is this I say look, you spend millions of dollars making sure that your cyber threat landscape is, while it's very, very broad, right, you've got websites, mobile apps, bank accounts, email servers, like all this broad cyber stuff. You've spent millions of dollars making sure that the probability that you're going to be catastrophically screwed is almost zero. Right, like, that's what you do.

Speaker 2: 29:23

You spend people's salary. You have socks, internal pen testers, you have all these people constantly trying to make sure that nothing bad's going to happen to you. But it's like but then when you say, but your physical security landscape is really narrow, maybe it's only one building, but if somebody who knows what they're doing attempts it, they're always guaranteed to get in and catastrophically screw you, right, yep, and it's funny because then you tell that to like the board of directors or a C-suite or something else, and they don't really have a response. They basically just say, well, yeah, but it's not likely to happen. It's like, well, neither is ransomware, but you still spend millions of dollars making sure that doesn't happen. You've got backup plans and you test for it and with all these things, but when it comes to physical security, you're just like well, you have fences and cameras, so we're good, that's it.

Speaker 1: 30:03

It's kind of you.

Speaker 2: 30:15

The reason, in my opinion, why there's not many is because companies and organizations have yet to see the valid look. Fortunately for anybody in Europe, you have these several security standards that are coming up and going to be enacted in October, and there's a lot of organizations who, basically, are going to be mandated to start doing it.

Speaker 1: 30:34

They don't have a choice. Nist 2 or something, or what.

Speaker 2: 30:36

So you've got NIST 2, cer and DORA, and there are physical components to each one, but CER, especially, is basically just anybody in critical infrastructure or weirdly critical infrastructure adjacent, which nobody knows what that means, and there's a massive amount of companies, organizations and things that all have to now comply, and so how do you handle that? And that's one of the reasons why I've been ridiculously overworked lately.

Speaker 1: 31:00

Well, thank you for taking time for this podcast.

Speaker 2: 31:02

Absolutely no. We can go as long as you want.

Speaker 1: 31:04

Okay, cool. So I'm thinking of like anti. Now I'm just being like full paranoid. Right, you go into a hotel room I'm going to a country next week that I'm kind of like, oh shit, I need to turn off my phone and my computer when I go to the airport, sort of place, right, and I'm just thinking like, yeah, it'd be cool, it'd be nice if I walked in that hotel room and had something like am I good in this hotel room? Do you do that? Do you actually have tools that have those capabilities?

Speaker 2: 31:26

So the things in hotels that I would be most concerned about are going to be breaking into a hotel when I'm not there. Cameras inside the hotel and then just generally being on the Wi-Fi, right. These would be the types of things that I'd be concerned about. One, if I'm in a hotel, I'm probably not, especially if I'm in a country or a place where I'm questioning things. I'm just going to be using data, right. I'm not going to be using the hotel. I'm not going to be using your Wi-Fi at all, because treat it like a cafe, right.

Speaker 2: 31:52

You would never want to go to a cafe and start logging into your bank account and you know doing all that kind of stuff. So one and you basically eliminated that entire possibility. Now, that doesn't account for Bluetooth attacking and other things, but you know you can only do so much. The cameras the cameras are fairly easy to look through no-transcript things in Alibaba, on Amazon, on wherever and, as a result, you'll know what they look like, you'll know how to detect them, they'll be in very obvious places. And then the last one is your hotel room getting breached while you're not there. That's a big one, right? So if you go into a hotel room and you leave your passport, your wallet, your laptop or whatever. One of the easiest ways to secure the hotel room that people don't think about is you can buy little cameras that are tidy that will just ping you an SMS if any motion is detected and you can even set them up to basically blare out an alarm.

Speaker 2: 33:15

So think about it. Imagine someone uses an underdoor tool or something. They pop into a hotel room and they take one step in and an alarm starts going off. Chances are they're going to run Because it's a hotel room. You're not likely to deal with breached entry where somebody's got a sledgehammer or a mule kicked to the door or something. Breached entry where somebody's got a sledgehammer or a mule kit to the door or something. You're probably using an underdoor tool or maybe a cloned badge or something like this, or trying to get up through the window if that's open. But yeah, I mean yeah, then you'd know who did it. You've got an alarm set up. It doesn't take up much space, it's easy. If you're in the hotel room, that's a whole different topic, right? You can either tie off the door handle so another door attack wouldn't work, or you can set that up in a lot of different ways.

Speaker 1: 33:55

The classic chair underneath the handle.

Speaker 2: 33:57

I do that all the time, yeah, yeah, anything to prevent the mechanism from running or from working. And another instance is cleaning staff. Unfortunately, cleaning staffs can and will sometimes steal stuff. You know they have access to everybody's room, so make sure, when you're not there, always to put that little hanging thing that says do not disturb.

Speaker 1: 34:18

I don't want you coming into my room. So, yeah, cool. Well, I know I have at least one thing to buy.

Speaker 2: 34:21

Sure.

Speaker 1: 34:22

What do you see yourself doing over the next two years? Where are we going from a physical pen test direction?

Speaker 2: 34:27

Well, I see. I mean the physical security landscape is likely to explode. By the way, for companies, I highly recommend this. If you are a major company, you don't want to hire somebody like me to come in and just do a pen test on every one of your facilities, right? That's ridiculous. What you want to do is you want to hire me to come in and train your internal security staff to go. Do that, because that's far more cost effective for you.

Speaker 2: 34:54

You saw things, let me say it this way you saw things like with the North Shore 2 bombing. You see, now, that's an extreme case because that's almost guaranteed to be a state entity, but there are methods that you can disrupt entire supply chains for next to nothing. Going back to the Fort Bragg, north Carolina, example, if you know what you're doing, you can take down a substation asymmetrically very easily and it becomes very, very difficult to protect. If you look, if you Google substation right, so anybody your listeners Google substation, and so most of the things what's going to come up is you're going to see a whole bunch of transformers in the middle of nowhere, guarded by a chain link fence yeah, and that is your security, right. Like you have a power plant which has all of this security, all of this resources. That power plant is pumping energy to a substation a series of transformers, whatever and they have been pumping that energy to a city or wherever, but at the substation you have no security. It's a chain link fence and that's a massive security vulnerability.

Speaker 2: 35:56

And I will say it this way Every aspect of your supply chain, whether it's food, power, water, anything, has those bottlenecks. They all have those types of choke points and we are not doing enough to secure them. We're just not. And it's going to be one of those things that certain things are probably going to happen. And then you're going to be one of those things that certain things are probably going to happen, and then you're going to retroactively say, okay, now we're going to start taking things seriously.

Speaker 1: 36:19

But, yeah. I mean last question here, since there's only five people in Norway doing this. I guess is the best approach, the most likely to succeed approach, to help your digital security team to learn or teach them these things, or who do you grab in your company?

Speaker 2: 36:36

So this is why I differentiate between black and red team. A red team, so you can have red teams that are 100% cyber, right, we're going to run a red team, okay, yeah, fine, and we're going to attack you through the cyber, through the email server, through phishing, social engineering, phone websites, the internal network, the Wi-Fi, all that right, but it's all CIDR. But then maybe, maybe in the tender or in the project, it says, oh, and you can do 5%, 10% of a physical engagement. Well, we only have Bob, the web app guy, who's even interested in this, but he's seen a few YouTube videos and he's got a set of lockpicks and a flipper. So send him to go break into the bank, right, and it's like they're not transferable skills. In the same way that if I'm a pen tester, I don't know how to do incident response right, they're not. It's not a one-for-one thing.

Speaker 2: 37:21

So what I recommend is first find people who are even interested in it. That might be your cyber people usually is, but it could be anybody. I've had project managers at companies who are like that's what I want to do, right, it's like I want to break into buildings, I want to do this kind of stuff. It's anybody who has an interest in it. Anybody can learn these skills. Anybody can get good at it. So grab whoever it is you have. And the most important thing is have a team. Have a team of people who know what they're doing. Do not just have one guy who knows what they're doing and he's just going to take a whole bunch of people who are interested in it on a live engagement because somebody's going to mess it up. And here's the reason why I say do an audit first to most companies the vast majority of physical pen tests today not all of them, but a lot of them what happens is this you will sell a red team engagement. There will be a small physical component to it and you will usually take somebody on your cyber team to go do that physical component. They'll do their best.

Speaker 2: 38:19

Usually, that is, we try to tailgate into the building and maybe we use an underdoor tool or we try to pick a lock and that's it. That's all we do. If it was successful, great, if it wasn't, fine. But either way, that's the only thing in the report and, as any consultant will tell you, if it's not in the report, the client assumes it's not an issue. So the client gets a report and they say well, we tried to tailgate in and it didn't work, okay, great, then we don't need to do anything else, right? So we're totally secure on the physical side of things, and that's clearly not correct. So it's no more correct than if I took a cross-site scripting payload and I threw it at your login portal and that was the only thing I did to test your website. That would be ridiculous, but that's kind of what you're doing here.

Speaker 2: 39:00

So you really want to test as much as you possibly can in the time that you have allotted, and usually that's where I say start with an audit, do that first, because the audit also gets your team practice. They get to practice what they're doing, they get to practice all the things and hopefully, by the time they've done a few audits, they can walk through a building and they can literally just say that's vulnerable, that's a dead zone, and they can just start pointing out all the stupid stuff that they would have taken advantage of and they can really increase their security. Then you can come back a few months later and say, okay, let's see if what you're doing now is actually working right. Now your security is at a high level, but before we go, I will say this, and I've been saying this for 10 years, I'm going to keep saying it. I will ask you this question what do you think is the best, most cost-effective thing that a company could do to increase their security?

Speaker 1: 39:50

I'm going to say two-factor, but I guess that's not the answer.

Speaker 2: 39:53

Okay, it is employee interaction and awareness, and it's not the way you think of it, right? So here's the two things that you have to do for this. One every employee, in writing, give them a promise from the company that under no circumstance will they ever get in trouble. If they stop somebody in a professional way and say I don't know you, or you're not wearing a badge, or you seem suspicious to me, stop somebody in a professional way and say I don't know you, or you're not wearing a badge, or you seem suspicious to me, we have to go to security. Under no circumstance will they ever get in trouble for that. Because that's one thing. People are legitimately concerned Like it's not my job, I might get in trouble. I don't know who that person is, whatever.

Speaker 2: 40:23

Second, you have to incentivize them. If I was in the pneumonic office and we were doing this live and I said okay, by the way, I have hidden a piece of garbage somewhere in this building with my signature on it and if you bring that back to me, you're going to leave here with $500,000. You would stop this interview right now and go look for that and the entire place would be clean, like it would be spotless. Right, because you've incentivized people with what they really want. Now, companies cannot afford to just give out hundreds of thousands of dollars to people, right, they just can't. So you have to give them something they can't. That the companies can afford and they want, and it's usually time. So what you do is you say, okay, so once a quarter or once a month, have somebody who's not supposed to, who's not an employee or not supposed to be here, walk through the building and if you're the employee who stops them and professionally says, hey, I don't know you, you get a week paid vacation. Now, the reason why that's so effective is because it turns all your employees because, first off, it turns it into a game.

Speaker 2: 41:17

Second, it incentivizes them with something they want Paid vacation. Everybody wants that right. And it also it means that every single employee is constantly looking. They think of it as a game. They're looking everywhere saying like, who is this person? Maybe that's the guy I can go stop them. And I know for a fact, having broken back into buildings after companies have implemented the strategy if you break in during the day every 10 or 15 feet, somebody stops you with like I don't know who you are, you've got to come with me Like it really makes your job a living hell if you're trying to break in during the daylight hours, and so it's it. Really. It costs the company next to nothing, right? You don't have to give them a full week of paid vacation, that's up to you, but I mean, it turns it into a game. It costs you next to nothing and it also improves employee morale a lot, Because now the employees are having fun with it.

Speaker 2: 42:02

They think they can get a reward which they can but, yeah, I tell employees to do that all the time, and you can extend that to like devices devices, you know. So if you're running a physical engagement, well, what are you doing you're? You're really bugging the building right like I'm gonna break into the corporate boardroom and I'm gonna put like an hdmi man in the middle behind the big tv you know to and you know, got a listening device in there and hdmi device, so stealing basically the presentation right, because you know that that's a huge threat.

Speaker 2: 42:28

Uh, things that are set in boardrooms and such are usually very sensitive information, so you can also extend that to like hey, I'm also going to plant little devices here and there around the building periodically and if you find one, bring it to me. Hey, a couple of days pay vacation. It's little things like that that cost you next to nothing, that drastically increase your security. So I just hope that companies adopt that and start doing it.

Speaker 1: 42:50

When it comes to boardroom stuff. I mean it wouldn't be a completely stupid idea. Have you ever given advice to clients that like, by the way, next board meeting, before you start the board meeting, have somebody go around with a little thing just to? Is that ever a piece of advice you've given? Do you think that's overkill?

Speaker 2: 43:06

Yes, it is. So when you are assessing the very first stage of your physical engagement, when you were talking to the client and you're trying to familiarize yourself with who they are and what their threats are when it comes to the boardroom or sensitive information, maybe that's the boardroom, maybe that's a client meeting room, maybe that's a research department, whatever, you can do things through physical access that you just can't through digital. So I'll give you an example. Right In the Western world there's something called PCI compliance. This is payment card industry compliance. Basically, it just says that organizations like banks, for instance, you have to have a network segmentation so that you can't go directly from the internet to the mainframe where all the PCI data is right. And that's just an example. There's more to it than that, but that's a component to it. So usually what that aspect of it is is that the banks or somebody will hire a third-party consultant company. They'll come in, they'll say congratulations, you've changed nothing about your network technology for last year. I can't go from the internet to the mainframe and therefore you pass your PCI compliance, or at least a section of it. Good for you, gold star. But it's like but somebody at that company or that bank has to be talking to the mainframe. Of course they do. There has to be some communication. So if I break into your bank and I figure out who's doing that usually through something like a Citrix environment and I bug their workstation, well then I can get all the mainframe and it's usually not very hard to figure that out. So when you go through that process it's like, okay, so you passed PCI compliance as long as they only attacked you through the internet, but you failed it if I include a physical component to the text, and that's an aspect that people don't seem to understand.

Speaker 2: 44:42

So like boardroom, boardroom hacking, right? So if I were to break into your boardroom and I were to put an HDMI man in the middle behind the big TV that every boardroom in the world has and it has I'm recording audio in HDMI, I'm stealing every presentation you have. Well, okay, how hard would that be through the internet to break into that TV and steal that exact thing? It might literally be impossible, or it may be something that you need to work for years to develop various zero-day exploits to get to that point. But through physical access it's trivial. I can go buy, you know, a Hack 5 HDMI man in the middle a small little audio recording device that will send over on the cell line or something, and it's like, yeah, I can absolutely do that.

Speaker 2: 45:21

So when you, if that's the threat level, yes, tell the boardroom like, look here's, if I, if it were me, here's where I would be planting devices. So if it were me, this is where I would just check. Right, you don't need a sweeping team to go through and check. You know every last outlet and every lamp and everything. But here are the places that I would check, right, and it's, it doesn't take much time. And yeah, I mean, it's basically when you do and this goes to anybody who's running physical pen testing when you do that, make sure in the report you tell them things like them, things like if I was doing this, this is where I would plant devices, this is where I would do this. So these are the things that you should check. These are the things that you should look for Because, keep in mind, loss of reputation can be just as damning to a company as loss of intellectual property.

Speaker 2: 46:05

It just depends on what their business model is or worse, yeah, if I bug a room, that's not the boardroom, but it's like a client meeting meeting, where clients are having confidential meetings with that company and they're divulging really sensitive information and I start putting that on the internet. That reputation is permanently damaged and you may completely lose leaking that information. And it's like, yeah, there are a lot of potential threats through physical access that people are not aware of or don't think about when it comes to the internet, because you wouldn't think about that through the internet, right? If you're asking like, okay, what's a network? If I'm running an internal network pen test, you don't think about bugging the, you know, the audio or the HDMI of a board room or a client meeting room or other things. That's just not something you would ever think of, but it is something that you should think of through physical, and there's lots of things like that.

Speaker 1: 46:58

Do you have a blog post or anything that you go through? Some of these like initial yeah.

Speaker 2: 47:03

If you go to my website there's a. At the very top there's a thing that says blog and it'll take you to my sub stack and you can read all that all kinds of stuff.

Speaker 1: 47:11

Well, listeners, you will find that in the show notes, mr. Harris we went way over time. I appreciate every minute, every second I got out of you. This is awesome and I have a lot of discussions and a bunch of homework to do myself. I'm going to run away with everything that I learned from you here over the summer and see if I can bring some value to others. Thank you so much.

Speaker 2: 47:30

Thank you, it was great to be here.