 Yes, come on. Give me a clicky clicky. Clicky clicky, man. Got to do it. Got to do it. He's trying to figure out how to turn his mic on, I think. He's pushing all kinds of buttons. Everybody point and look. Shit, it worked. Cool. Ah, picture. Thank you. Ah, yes. In case anyone hasn't seen my title suggested afterwards, it is, uh, how to put this. Pig's fucking. In many cartoon character positions. So if anyone would like to view it after, it is my Defcon official pig's fucking tie. Okay, let's get started. It's just about time. Talking to my shirt, talking to my pants, pull up my ass. Okay. All aside, I want security. Welcome, everyone. I'm Michael Glasser. Most people call me Lazarus or Lazarus. I'm here to speak. These are a couple of my buddies here. One on the end is a goon who decided to sit on stage and he has a broken hand, so I let him. Next one is Jeffrey, who's going to be a part of this speech a little bit later. And we're still waking on one more, Jeffrey, who is not quite here yet, but that's okay. No problems. First thing to note here is what OSI layer 1 security is in my mind. I'm not talking about, like, bit stream level protection. I'm talking about the fact that in 99% of the security rooms and the IT rooms I go into, I can walk into a company and gain access to privileged data by physically getting there, physically. Either dumpster diving, which is just the last topic, or actually breaking in via huge vulnerabilities. Beer guy! Beer goon! Thank you. I'd like to go a lot more now, goons. Especially this goon. Everyone buy him beer and give him women. Or men if he likes it, but that's cool. Whatever your lifestyle changes, it's cool. Okay, so let's go on to our first slide here. That's my disclaimer. Read it at your own leisure. Dude, you suck. He just referenced that if my physical security was better, he wouldn't have been able to steal my beer. He's quite right. But if you try it, I will whoop you because you got a broken hand. Okay. 
Now, as I was saying, this is my disclaimer. It's a standard disclaimer. I stole it from some guy that's noted it at the bottom of this, Philip Wynn. And you can read it at your own leisure. Let's go on to the next one. Here's my outline. Access control. Access control is a card system, as many of you've seen, when you prox card into your room, keypads, hand reader, fingerprint reader, all of that. I'm going to go over the basic design components. CCTV is standard camera systems. I'm sure they have something in here, which I'm sure now I look like an asshole if they don't, which they don't, asshole. Anyway, okay, that's the basic components of that. And the huge security vulnerabilities in both. And considering that is security hardware, it should be secure, which it's not. Okay, we'll get to all that good shit. Proximity detectors. I'm using HID, or HID, as some gamers call it. It is one of the more standard brands out there, very popular. I'm in no way supporting or being against HID. They just happen to be what I chose because they're easy to gain access to. On the right side, right side of your screen, is a MaxiProx reader. That's the largest of their readers. Proximity technology works, which I'll show in your next presentation or slide, by taking a card and presenting it in close proximity to a reader. It then transfers data through and identifies the card's ID number. On the right would be a MaxiProx reader, which has approximately a three to eight foot read range, depending on what card. Next one, it would be one of the MiniProx readers, which has usually a three to three inch to one foot read range. And the next one is usually about a one to three inch read range. The way it works is that when you present your card, which I will be passing something around, I beg to all of you, I'm going to pass something around with the trust I'll get it back. It's not cool to say the physical security guy got his shit stolen because he was stupid. 
So I really appreciate getting it back. What I'm giving away is, or passing around, I should say, are some proximity cards and whatnot. Not giving away, passing around. Okay. As I was saying here, start on that end. Not that delicate. Okay. Hey, dude, find my other one. Jeffrey, find my other one. I can't find it. Okay. The way it works is that on your card, you have a small chip that basically is just, we'll get to what that is, find the other proximity pack. It's a great pack in there. It says HID on the side. Looks like a proximity pack. There's a huge antenna, which is just that, an antenna, which works off 125 kilohertz. When you come to presenting your card close to a reader, the reader has a huge antenna and some power flowing through RF energy. When you present your card closely, it charges the card with the RF energy. Once the card is charged, the circuitry inside then turns around and spits out a number. So it works like this. The handshake is, reader's here constantly outputting, card is passing, put the card into the field, card is then charged, and outputs a number. That number is sent via the data lines and then we'll get to where it goes. That's basic proximity in a nutshell. Now, not all work at 125 kilohertz, but considering that HID is the most popular, that's what I'm going to stick with for this speech. And this is once again done in microseconds, very quick. Proximity pros. The reader can be concealed in walls, since it is reading electrically, as long as you're not behind metal of any nature. With a long range reader, I've actually gone through two feet of concrete of actual cinder blocks where we need a secure environment. There was a bad neighborhood. We mounted the reader on the inside and I have a guy who, he's cool. So he walks up with his card and he touches it to the cinder block and he walks in and it works every time. You can keep the card in your pocket. It reads through your pocket. It all depends on what reader you get. 
Cards can be read through purse or wallet, as we said. Cards are hard to duplicate. The technology behind the card itself, in my experience, is very hard to duplicate. It is possible to buy a card programmer and actually do it, but it's very rare and very expensive compared to other technologies out there that are much harder to duplicate. Unless you're quite knowledgeable, you're not going to build a copier in your basement. Cards rarely fail. They're very, very versatile cards, not very tough cards. They rarely break. Cards can be stolen without contact, or code can be. We'll get there. We'll explain that in a few more slides. Cards can be used by an unauthorized person. Anytime that you have a device that's non-biometric in certain other things, it's not in there. Someone fucked up security guy and stole his badge. Anytime you have something that's non-biometric, it's very easy for it to be given to someone else to be used. It works with proximity tags as well. Wiegand or Wiegand, depending on who you are. Wiegand is another technology that's a very interesting one. It looks a lot like a magnetic stripe. The thing with Wiegand is that the way it works is as such. You have a card. Everyone see the card? It's imaginary. Okay. On the left side, you'll have what looks like a bar code, only you can't see it. It's concealed in the card of metal strips. Everyone, Jeff, who's a little bit late here, but welcoming. Come on, clap. And we have some small changes we haven't told you about, but you'll be amused. Yeah, it whisper very quietly. Okay, regardless. So what you have is what virtually is a bar code. When you swipe the card through the reader, in the beginning of the reader is a charging circuit, which charges those pieces of metal with a small amount of capacitance I would use. When it then gets farther into the reader, there's a read head. 
So as you're swiping it through, you get the charged wires at separate distances, and then you get the read head, which reads the gaps between the wires by simply taking the energy out of that. So it more or less is an electronic bar code. This was extremely popular many years ago, well not many, probably 10 or 15 years ago. Not really used for new installations anymore. It was actually invented when they had the oil industry need a way of counting oil. Every X amount of miles down the pipeline, they would add a certain amount of metallic substance, and when it went through, they would have a charging circuit which would charge up that metallic substance, and slightly farther down the line, it would have a reader, which would read up how much of that metallic substance went through at that specific time and gaps and whatnot. Okay, Wiegand. By the way, Wiegand was created by Dr. Wiegand. He's a nice guy, unfortunately he's passed away. He's a nice guy. Beer. Beer? Okay, cool. Pros: cards are hard to duplicate. That wasn't me. Cards are hard to duplicate. They're very hard to duplicate. Physically, they're pieces of metal embedded in the card. You need very good technology to duplicate them. Cards rarely fail. They're very, very tough cards. The cards are however expensive, let's just move that over there. Cards are expensive, comparable to other technologies. One, because the manufacturing process it takes to make both the reader and the card, and two, because they're becoming less popular compared to proximity, so simple need-demand kind of scenario will make them more expensive. Excuse me. Beer. Dude, take a picture of me with the beer. Come on. I'll show my mom. Oh, no, no, no, not on stage. This isn't jeopardy. I'm not homeridic, dude. I'm not doing pictures. Okay. Cards are expensive. You must keep the reader clean. It can be used by unauthorized people. Once again, you can hand your card to someone else. 
Let's bang this through a little bit quicker so we can get some fun going. Magnetic stripe. Every one of you here has an ATM card or a credit card or perhaps a driver's license with a mag stripe on the back, and almost everyone has a VCR. It's basically the same thing, a small piece of magnetable, that's a real word, magnetable, but terrible. And it's encoded with a specific piece of data on the back of there, and when you swipe it through, it transmits the data. That's all a mag stripe is. I'm not going to get into too much detail there. Most of the problems here are the good things are it's inexpensive because it's so mass produced. People are used to it from banks and hotels, and your ATM cards, you're quite used to it. People can use their existing card in some cases. I stayed at Caesars the first three nights I was here. They have a safe in the hotel. Now, if you want, you can go to the safe and open it, put your stuff in, swipe your credit card. Now the only card that will open it until reset is your credit card. That way you'll never have to trust hotel security for any of those things. Okay. Have to keep your reader clean. It's a physical reader. You're physically swiping through it and it must be kept clean. High failure rate of cards due to a scrapes of the line. Everyone's scratched the mag stripe and it stops working. High failure rate of readers, shit happens. They get dirty, they get clogged, reader heads go bad, they take lightning hits. Technology just happens to have a lot of failures. Cards can be easily duplicated. Anyone who has access to the internet and old VCR can build a card copier. All it is is read-write heads with magnetic heads which are once again available in the VCR. You can easily online buy a card reader rather. Cards can be used by an unauthorized person by hand either way. Key pads. The key pad in the fold in the middle is a little bit interesting. It uses, okay, how do you pronounce it? Piso, piezo, piezo. He says piezo. 
I said piezo. Let's call the whole thing off. That's called the whole thing. Damn right. Okay. Well, it uses piezo, electronic technology for that key pad. That key pad is actually both bullet resistant, small gauge for you, not small gauge, small caliber for him because I know him. And it's acid resistant, it's bodily fluid resistant, it's very vandal resistant. It's on the cut sheet. I have to say that. It actually says it resists bodily fluids. Now it's, I haven't yet put bodily fluids on the key pad, but one day. You'll see. You'll all see. That's a question for you. Yes, sir. Is your mic on? I believe so. I think it's on the opposite of it. Okay. Why is there so much reverb on your microphone? I don't know. I was going to smack the AV guy because I can hear myself. I sound like God. Hello. Hello. Okay. Well, since, is it getting better? I don't know. Well, I'm not the AV guy and I don't see the MACD sound board they're probably using. They got off of eBay. Oh, well. Okay. Key pads. Key pads are very convenient because you can never leave your card home. You can never forget to take your card with you. You can't forget your code, but that's going to be rare. It can also, so let's go through my pros. Inexpensive. You don't have to issue a card to every single person there. You can give one code for many people or many codes for free. Almost unlimited codes. Well, I do the math of how many with a nine-digit keypad or 10-digit keypad. And you can do that many codes without having to issue every single person a card. And people are used to pushing keypads from telephones. It's very common technology. People can make up their own pin codes. Understanding that the security might not be the best if they're using their birthday or the last four digits of their social or the last four digits of the phone number. But in certain applications where you're using keypads, it does come in handy. People can use the same code. You are a cleaning crew. 
You can have 10 different people come in and clean your place, and everyone of them can just say, hey, what's the code? Okay. And they clean it. The code has never left home, as I said. Now, the code is kind of that you can give the code to anyone simply by telling them, and you can still have the code yourself. The code can be overseen, shoulder-surfing and whatnot. The keypads are often installed improperly, and I'll get to why that is and how that is a little bit later in this presentation. And the codes can be used by an unauthorized person. Biometrics. Everyone awake in here? Okay, good, because, okay, bear, hold on. What if someone forgets what? We beat them up. You know, you ask if anyone forgets the codes, and yeah, but like I said, we beat them up. Yes, sir. Ah, yes, yes, yes. There's a keypad out there called, that actually will help with the code to be overseen problem. There's a few of them out there. One of the common ones is called the Hirsch scramble pad. Come on, okay, he's smiling, a couple other smiles. The way the Hirsch...Feds, yeah. Okay, the way the Hirsch scramble pad works is it looks like a regular keypad, except instead of having buttons, which it does have buttons, it only has LED displays. And now, instead of having one, two, three, four, five, six, seven, eight, nine, it'll randomly scatter all the numbers around the keypads. It'll have eight, three, two, one, seven, whatever. Bunch of code in. Hit enter. The next time you come up to it, it's randomly scattered again. That way, no matter what you do, you're never punching the same combination over again. And they also have a Fresnel lens on each button so that you can't look from the sides to see what the code is. It's quite a good product. I happen to like it. Yes, sir. Does it take long to punch your code in? Well, if you close your eyes and go one, two, three, four, enter. Yes. If you open your eyes and go one, two, three, four, enter. 
It's, unless you're dealing with large codes, it's not really an issue. It's kind of like if you change your keyboard configuration around, it would take you longer. But if you only have four buttons, what's the big deal? The scramble pad, as far as I know, does not resist bodily fluids. However, I believe as you can go out to pool too, there are about 15 or 20 condoms still laying around. If you coat the keypad, you'll be good. Yes, it's extremely more expensive than a standard keypad. Okay. Let's get out the biometrics here. On the left side of your screen, you have the LG Iris Access 3000. I like this device. Unfortunately, a lot of people don't because they're afraid of having laser beam shot into their eye. Now, realistically, this isn't what it's doing. It's simply taking a photo of your eye. But most people don't know that. So if you go into any building where they have this thing, just start screaming laser beam to my eyeball and see what happens. See how fast you can get out of that one. Okay. Next one in is the Bioscrypt fingerprint proximity reader. That's a good reader. It's one of the most popular for a fingerprint. And along your right side there is the IR hand geometry reader. It's a really low-res crappy image, but screw IR because I couldn't find a good one. Okay. Biometrics. All a biometric is is something that is really you. It's not something that you're carrying like a card. It's not something that you know like a pin. It's you. It's a physical characteristic of your body, such as your voice, your fingerprint, your shape, your hand geometry, your eyes size, your facial geometry. And that's all a biometric is. The reason why it's great is the fact that you're probably not going to cut your hand off and hand it to your friend. And if you do, you're pretty fucked up. Okay. Pros: higher security than other methods because you can't do all those other things. The verification is a lot harder to fake a fingerprint reader. Don't start. 
It's a lot harder to fake a fingerprint reader than it is to fake other devices. It's also harder to fake most biometric devices than it is other things. Voice recognition has kind of gone out with the times a little bit more than it used to be kind of popular. And now with digital recorders, it's a lot easier to break them. There are still methods that use the timbre of the voice and certain things of that nature and frequencies you can't hear that still will work. But I'm not seeing it as much as I used to. And the credential was never left home. You can't... Let me change that. You shouldn't leave your fingers home. It hurts. Oops. See? No, that's... Ah, you got you. Okay. Cons. Very expensive. Biometric readers comparable to other readers are very, very expensive. Privacy issues with fingerprints is the fact that a lot of people, particularly unions and government, want to control where fingerprint information is stored. And their fingerprints are used for a whole million of things. Now, depending on which reader you use, some readers can have the data taken out and used in the AFIS FBI system or AFIS government fingerprint identification system. Some readers can't. Choose carefully. Ask for paperwork. Always ask for paperwork. Let me get there before I go any further. Anything in physical security, most of us... Now, I've been doing physical security a long time, just been doing a little bit longer than me. I'd be confident in saying half the guys in the industry are scumbags. The other half are really nice, but half the guys out there are. Ask for paperwork to back up everything. Well, if there's two of us here and half of the people are scumbags, which one is the scumbag? Beer. Beer. Is that a question over here? Yes, sir. Comparable to... On the scale of 1 to 10 of security in physical security being the vault in the bottom of the mountain as 10 and DEF CON is 1. Sorry, guys. I'm going to get hit by a goon later for that one. Okay. 
The real deal is that biometrics are probably... Compared to a proximity reader being at... Let's say a magstripe being at like a 4, a prox reader being like a 6, biometrics would be like an 8. It still can be beaten by faking out the fingerprint reader, faking out the facial recognition, but a hell of a lot harder. And the knowledge to do it is much less common. Unfortunately, the people here... Let me change that. Fortunately, the people here happen to be very intelligent and breaking most types of security, and it doesn't seem like a big deal. Most physical security is targeted against the idiot, which is most of the rest of the world, unfortunately. And you have to realize that there's a lot of dumb people out there in case you haven't noticed. That's who we're really looking to keep out. If you can find some guy off the street and randomly take him, give him half an hour to beat a fingerprint reader and if he can do it, I'll buy that guy a beer. Okay, next. Privacy issues with fingerprint readers. We went through that. Most readers must be maintained. They usually have some kind of a lens or some other device or a microphone that needs maintenance. And you're right. This mic has terrible amounts of reverb on it or something. Tweak it, dude. Tweak. Tweak, tweak. No, you can't. Well, fuck you. Maybe if you sang the presentation, it would sound better. I'm not singing my fucking presentation to make it sound better. You haven't heard my voice. Okay. Most readers are easily damaged. The majority of the fingerprint readers out there, if you take your knife out and scrape across the reader, you're in a lot of trouble. That really needs to be replaced 90% of the time. Optical readers are now using a plastic cover or sometimes a glass cover so that that's not as much of an issue, but you still took that reader out of commission until they replaced that lens. Okay. Overview of system design. Door controllers. 
Now, later on in my presentation, this is going to be my human door controller when we simulate how a system actually would work if we have that much time, which I hope we do. By the way, official timer, dude. What's our official time? Aren't you the official timer, dude? It's 12:20. Okay. So we're going to bang through the rest of this real quick, then. Door controllers. What? 30 minutes to bang this through really quick. Okay. Every access control system has a door controller. This is basically a control panel where you have all your inputs coming back to, such as your door position switch, which tells you if the door is open or closed. Your reader, which so far we've gone through many different types, biometrics, card, keypad, request to exit, which when the door controller is sitting there, it says is the door open or closed? It's closed. Good. Next time it opens, it should be told to open, such as by a card or someone requesting to exit through that door. Well, auxiliary inputs for whatever you may need, power to turn it on and come to come. Outputs. Main door relay. That's where you connect your door to. Well, auxiliary relays for whatever you may need it for, such as you card in and turn the lights on. That's a popular use. Or you card and you turn the alarm off. Communications, once again, there's two types of communications for this panel commonly. Excluding the newer panels, which do use TCP/IP for everything. The first type of communications is generally an RS-485 bus, can be 232, between the different controllers to network them internally. And the second type is between the computer and the controller itself. Small system design here. Systems under the 50 doors are what I consider small. Most access card systems out there actually block 32 doors as a small system, but 50 is a good number because I like 50. They usually use two or four door controllers. And instead of having a door controller for each door, you have a two or four door controller. 
There's a basic design. REX detectors: request-to-exit push button or motion detector, which will get some of the security vulnerabilities of the motion detectors a little bit later. Door contact tells you if the door is open. Door locking mechanism is the door locking mechanism. It locks the door. The reader reads the data in. The access control panel is the access control panel. And the alarm is for certain things such as if someone had propped the door open. You walk over the door, you just leave it open. There's no point in having access control if you just leave the door open. Or if someone comes up the door and forces it physically open with a crowbar. Now, you haven't seen a card in and you haven't seen a request to exit, so it will set off an alarm. And the computer, I think you guys can figure out. Large system design. Let's skip over this. Okay. When you get into large system design, you get into some serious problems with the amount of data that's got to be processed at any single time. So I have a couple of examples here of what can happen and has happened in real-world environments in the past that is a real issue. For example, I'm not going to read the word for word here. But your access control system is a big system. You're in New York City, you're in Times Square, you're in Los Angeles and Hollywood. You've got a large system with a lot of doors. In the front of your building, you have 20 turnstiles for the inflow of the people. You have 15 or more turnstiles across the street for those people. You've got 10 doors in the building down the block. You've got 25 doors somewhere else. You've got another 120 doors in another off-site location, all being controlled by the same centralized computer. You do have door controllers everywhere, but all the data and all the logs and all the files are coming back to the centralized computer. They're making 9 a.m. on Monday morning. You've got people coming in everywhere. 
You've got people coming in through the turnstiles. Every door is operating. Everything's going at once. Now all these log files have to go somewhere. So they're coming in this control panel, immediately getting spit out into this access computer. This computer is chugging along. It's age 50. No problems. Getting maybe 100 reads a minute. That's fine. Suddenly it starts getting thousands, literally thousands of reads a minute. And it just starts to smoke and crashes on you. Whose responsibility is it that they decided to stick this access control panel on the shitty 46 from the basement? It's usually the IT director who had, well, you need another computer in the network room. We've only got some rack space over there here. And stick something in there that had just happened to find. And nine times that it tends to the shittiest thing they have laying around. And the power supply, half works and half doesn't. I mean, you've got a lot of issues with these things. So okay, this thing crashed nine in the morning. All your log files are down. Okay, that's no problem. The controls are storing it. So you reboot it, comes back up. Didn't really lose too much. As soon as you restart your program, hey, there's still the log files there. Takes all the log files to the controller, dumps them into the computer, computer crashes. Once again, you're out. It's really, you have to be careful of how much of a load you're going to be putting on these computers. We do give you minimum specs. Please use them. Seriously. Okay, you've resolved the issue. It's 1 p.m. You just hired two new employees and gave them their cards. Wonderful. You still have all those logs downloading from before though. It's a little bit slower now, but still have logs coming in. Now they go downstairs, go out to lunch, grab some lunch, come on back in. You go to swipe through. The card doesn't work. Why doesn't it work? The controllers are still busy downloading all the logs back to the computer. 
They haven't had a chance to update from the computer to the controller to the new card jet because they're so damn busy because you guys didn't have good enough computer. So it's still just waiting there. This guy's downstairs at the door, swipe. Doesn't let him in. Swipe. Doesn't let him in. What does he do? He goes to the security guard. The security guard goes, well, the card doesn't work. What's the problem? Well, the card doesn't work. I can't let you in. This is my new job. I have to. Okay. Well, who should I call? He's out to lunch. So now you're standing by the front door. You finally get in. It's been half an hour. You go upstairs. The boss is sitting there. Looks at you and goes, you guys are half an hour late on your first day. You're fired. Whose ass is it? I think when they come back with the machine guns next week at your ass. Stand-alone devices. Beer. That's a very important part of all this. Okay. Stand-alone devices. On the left, you have an IEI keypad slash proximity reader. On the right side, you have a stand-alone device made by IEI as well with a keypad and a lock built together. Other devices out there, which I've seen in this hotel, is the Trilogy T3, which is another one that looks very similar to that. There's also, I saw at Caesars, which where I was out a couple of days ago, they had the Ingersoll Rand version. There's many different ones. Bless you. Okay. Sometimes you can't get wires to a door with these stand-alone devices, such as if right here, we didn't have a drop ceiling. This was all a vaulted ceiling. This was a church. And you have an old, old, old door. At the side door, you want to get access control on that door. You don't really, really need immediate log return. You don't need alarms to go off. You just kind of want something so that you don't have to carry a key. Pop a stand-alone device on that door, and you're good to go. Change the batteries once every three years, and you're ready. 
Otherwise, you're going to have to run conduit along the walls and everything else. It's not a good thing. Okay. Before we get to problems with security vulnerabilities, any questions? No, no, no, no, no, no, no, no, no. Price ranges. Price ranges are hard to judge. You can really go in the close to under $100 if you go on eBay, all the way up to, I've seen stand-alones in the multiple thousands. It really, really is hard to judge, depending on your needs. I'd say a good ballpark is to say, in the middle of a five to six hundred list price, uninstalled off the shelf. You probably can, you can go a lot higher than that, depending on what you do. Yes, sir. Yes, there are devices that use wireless. There's a company called, used to be called Wireless Access with a Y. I believe they changed their name to RF Access or something like that. Or Recognition Systems now, I believe it is. No, Recognition Source, and it used to be called Wireless Access. They use RF to transmit between all the readers and then back to a control panel. I've had minimal experience with this, but I've heard it's good stuff. Another question? Hotel locks are a whole other beast entirely. They are considered stand-alone devices, but on a device such as one of these, you would have a code that would be your code. On hotels, on the card itself, you're programming in times of dates of loud, not disallowed. So more or less when you have a card printer, it's printing on this room key, is for this room. It's for this date, to this date, at this time, to this time. And depending on which system you go with, it may or may not be protected in any way. On some of the older systems, you could just take a reader and rewrite that when this is allowed to, when that's not allowed to, and get access to hotels. But that's not too common anymore, having that vulnerability. What was that? One more? Okay, two more. You first, then you. 
Samelton happens to make some very good stuff, but they're just like any other company. I'm not going to say one is better than another, but they happen to have a person they like for some of their stuff. Yes, sir. Because they have a, in on that new card, it says, turn off the old cards. It's basically that there's a one-time session key. I use big fancy computer words that I don't know what they mean, so if I'm wrong, just pretend. It basically has a one-time session key that says, when this card is working, that's good, until there's a new card. That is valid. Once this new card is valid, all old cards stop working. See, I use a fancy computer word. I like that, session key. One for you, and then I got to keep going. Wait till I get there. I didn't see it. I will be getting there. I'll get there right now. What he's saying is that no matter how high the access control system gets with all kinds of fancy things, a lot of times people will put a key back up, a physical hardware key back up. Just in case the access system goes down. Now, this is a huge vulnerability if it's not done properly. The proper way to do it is on that key back up, it's got a double-pulled double-throw switch. One side throws an alarm, the other side releases the door, or there's a tamper switch that when it is done, you should definitely have some sort of a burglar alarm or a violation alarm go off when a key back up is used. I personally always back key back ups. I usually use high security cylinders with tamper-proof screws and everything else, but I always do because shit breaks. That's where you have to leave it. Shit does break. Key backs up are good, but protected properly, because anyone who can get access to the key back up can get access to your door. Hey, a photograph dude, cool. Okay, improperly designed systems. Putting the controller on the insecure side of the door. Okay, everyone's laughing, but screw you guys because I see this every day. 
For example, an IEI keypad, oh, I'm sorry, a brand-name keypad happens to have a relay on the back of it. You go to the door, you mount it next to the door, you punch in your code, it throws the relay. There's two wires. If you trace those wires, they go to the lock. So what do you do? Take the two flat-head screws out, pull the keypad off the wall, touch the wires together. Throw them locks. Put the keypad back on the door, they thank you, and go in. Controlling the wrong side of the door. Huge issue. See it all the time. Protecting only one of many entrances. Okay, the front door has this big fancy burglar alarm on it. It's got a card access system on it. The back door has got a big-ass bolt. I come up with my crowbar and that big-ass bolt ain't doing nothing. Okay, excuse me. I'm having a propped-door alarm. If the door is open, access doesn't mean shit. I can walk through an open door no matter what you do. You got to close the door. Make sure you have a door closer on top that automatically will close it. On these access doors have a propped-door alarm that tells you if the door has been left open. It's very important in any real access system. And not instructing the employees of proper security protocols. Don't let the dumb fucks leave the door open. It really is bad. It really, it's not good. Make sure they don't let their buddy who forgot his card borrow the card because he probably just got fired yesterday and he's coming back to blow the place up. Just make sure your employee knows proper security protocols. Database server vulnerabilities. On these access control systems, all your logs in general are stored on your database server for the access system, which is then put onto the network for ease of use and is then forgotten about by the IT guy. What nobody ever remembers is it's a computer like anything else. 
The majority of these systems are now running on Windows platforms, which means that if Microsoft puts out a security patch, there's probably a reason. If this server doesn't have that security patch, there's probably a hole. And if some wily hacker inside the company decides he wants to rip off the 2,000 computers that just came in the shipment into the warehouse, he's going to go scan the network and map and... Find that server and just kill it. Wipe out all the logs. Take it down for the night. What's going to happen? You have no more log files. No one ever protects the server. It really, really is important. Easy duplication of credentials. Magstripe, we went into how you can do it with a VCR. Keypads. You can look over the shoulder. Biometrics. There was a wonderful presentation about two years ago on how to clone most biometrics. I don't remember by who, but it was a great presentation. I'd suggest you go on the... I believe it was a Black Hat presentation. You can go on the Black Hat website and do a search for it. Easily circumvented credentials. Okay, this is one of the most interesting parts of my presentation I feel once you understand basically how an access system works. I'm a card reader. All I output is a number. It's used as a Wiegand protocol, which is not necessarily a Wiegand card. It's the Wiegand protocol. He invented two things. He invented a nice guy. So it's outputting a bit stream here. You're going to be my door controller. Sit down. He's my door controller. All I do, I just scream yes and no. You'll figure out when. I sent through a card number to him. He recognized the card number. So I sent through one, two, three, four, five. He said yes, cool. Okay, I sent that through. I'm sent on a piece of wire. So here's what I do now. On that wire, halfway along, I clip it. I parallel those wires out to a second door controller as well as the first door controller. 
Now, in both of their log files, when I swipe that card the next day, I'm going to get yes and yes. Now, I have two people who both acknowledge the fact that the card reader was read. This one's not going anywhere. That one still works fine. But now this one has the log files. I come back at three o'clock in the morning, take this one home. I have the card numbers of everyone in the system now. Uh-oh. Uh-oh. It's good. Beer. He was the weakest type. Okay. So now this works. One second we'll get there. Now this works with the proximity card. So let's go to biometrics now. Put that same fingerprint reader on there. What's it spitting out? It's spitting out one, two, three, four, five when that finger is put. So, no matter what, he's still getting that same one, two, three, four, five. One attack will work against any of those. It's a huge vulnerability. No matter what type of security prevention device you're using, or access control fingerprint reader or card reader, they're all just outputting the same string. There are some technologies now that have fixed this problem. I'm not at liberty to say which, but they're out there very rarely and very under marketed. Excuse me. Boy, this beer is making me burp. Cool. One of the best ways to protect it against this is, one, tamper switches. On some of the larger access control systems, they actually have terminating resistors that it'll tell if the lines are paralleled off of. It's pretty rare, but it is used. Besides tamper switches, you also have a camera system, which you can simply watch to see if someone's cutting the wires. But we'll get there on the camera system section. How are we doing on time? I have 10 minutes. Okay, we're going to rush. I did an hour and a half at Black Hat, man. Okay. Here's an example of a proximity reader attack. Someone has a prox card in their pocket. Let's say the president of the company, ABC, wannabe, whatever, Corp. 
You walk into the elevator with a Maxi Prox reader, as I showed you in the briefcase, with a card reader. As you walk in, it scans all the cards in the elevator. It can read through their pockets and everything else. You walk out, and now you've got their card numbers. Come back the next day with a regained out keypad. Take the reader off the wall, punch in the keypad number, okay. That's one. You had a real quick question. Still going or no? Yes. Where can we read up more? You can read up more on the Internet. Um... There's this place called Google. Also, I do have some references at the end of this, but you can all take. But there really is nowhere to read up on this. Honestly, as far as security vulnerabilities go, I've yet to find a resource on the Internet that goes through any of these. And I'll tell you all kinds of good stuff. Okay, we're going to have to bang through this. I know you can have my beer. Okay, that's one. Okay, defeating improperly installed locking devices. Crowbar. There we go. Okay, overview CCTV. We're going to bang through this one real fast. Real real fast. But I'm sure everyone will get this, because I'll go slower for them to understand. Cameras. They look like that. It's a camera. If you don't know what it is, go home. Camera formats. 330 lines is generally considered a low res. Medium is 380 to 420. High is 470 to 500. Multiplexers. Multiplexers take multiple cameras, put them onto one wire. That way you don't have... On older VCRs, you only had one input. It would multiplex the signal onto that one input. And then when you would... Mux and demux, when you would demux it, you would take those one input and make it many again. Usually you'd either use time division multiplexing, or low res, and then bring it back up when you need it. VTRs. It's a VCR that actually cuts the time up into smaller sections. DVRs. DVRs are an electronic version, a computer, basically, that replaces a VTR doing digital video recording. 
Now, these are basically the newest thing out there. This is what everyone's using. There's very few capture cards. That's the input boards for the computer being made. There's about six Korean companies. The Koreans pretty much have the hold on this market right now. The Korean government is sponsoring their research into doing security work. I don't know if it's North or South Korea. I am hoping South, I'm assuming South. Okay, let's bang through this. Frame rate. The frame rate is how many frames per second the recorder is actually recording. What that means is, real live viewing, I'll use the number 30 for an example. In reality, it can vary, but real life is considered 30. You can see me fluidly, that's fine. Now, when I go into... I would want to do two frames a second, you'd see me like this. A robot from the 80s. Cool. Resolution. How does your picture look? You can figure that out. Compression. How compressed is the video? Hard drive space. I'm sure you can figure that out. Okay, that's just how much of the video do you actually want to store and how long can you store it for. What kind of feature set do you have? How am I doing on time? Nine past? We'll do one past, nine minutes left. We're going to run 30 seconds later anyway. Four camera VTR system looks like that. If your four camera is going to a multiplexer, multiplexer has one output wire, it goes to your VTR. I'm going to talk faster. Everyone's going to stay with me here too. The VTR, the VTR then stores all the data over that one channel. When you want to play it back, you take the VTR's output channel which goes to the multiplexer, which demuxes it, goes to the monitor. Next one. Four camera DVR. Everyone have questions? Good. Screw you guys. Four camera DVR system. Same type of things. You're cutting out the multiplexer. Four cameras go into the digital video recorder stores all the data. If you want to view it, you simply output to a monitor. 
If you want to do playback, you simply output to a monitor. All computer control. That's a high ten minute sign. What does it mean if you do this? Clap hands! Clap hands! You've known you guys because you couldn't see them. Okay. Four plus camera network system. This is more important. This is what you guys are going to run across. This is where you're going to have your problems. That's why I want to get to this part very quickly. We'll slow down in a moment. The internet cloud. I'm bad at drawing clouds. Okay. On the right side, you have two DVRs in two separate locations. Each one's recording four cameras, let's say. What do you want to do? You want to view the material. Do you want to view it locally? You want to view it remotely? It doesn't matter. It's streaming through your CAT5 network. CAT5 to the internet, to the TCP/IP, to the Homeboy G, all that. And the flow is through there. You can view it on the computer and check all that. Now this is how most DVR systems are being set up nowadays. Okay, improperly designed systems. Don't put cameras where it's dark if you're not going to put in any light. They don't work. There are some infrared cameras out there, but they're pretty rare unless you specifically order one. You're not going to get one. Be careful with lighting situations. In a room like this, if someone put one moving camera in the middle and went like this, they're only going to get a third of the room at a time, and they're going to be losing two-thirds all the rest of the time. You're much better off putting a fixed camera in each corner of the room. You'll get the whole room. Most people do that because they think it's going to save price by buying only one PTZ. One PTZ is equivalent to probably ten standard non-moving cameras in price. The only other difference is the fact that on the recorder now, you're taking up ten channels of data and ten times the amount of storage by having ten cameras instead of one PTZ. Recorder vulnerability. 
This is what I want to get to. Digital recorders are hooked up onto your network. Protect them. If I want to break into your place, I'm going to take out your DVR first so that there's no recording that I did it. Most of these systems are Windows-based. Some of them are Linux-based now. Both of them suck. Fix them, dude. Okay. Vandalized cameras. People can break the shit. It happens. If it's going outside, make sure it's a vandal-proof housing. People do throw rocks and people do smack them. Network bandwidth. Here's a big one. Let's say I'm the guard at your company. I'm sitting down at my front lobby drinking beer on the job, of course. And I decide I want to check on the location in California. I click on California and bring up 16 streaming videos. Wonderful. Not too bad for my network bandwidth. Just sucking up all of it already. So then I click on Oklahoma, bring up 16 more. Now I'm watching 32 cameras. Then I click on New York, bring up 16 more cameras. Then I click on Texas, bring up 16 more cameras. I now have 64 streaming video signals. Am I getting high sign? No? No? Okay. 16 more cameras. So now I have 64 streaming video streams coming over my network. Your network is going to be in a lot of trouble if you have 64 streaming video signals flowing through. So I'd suggest putting network bandwidth limiters on these things and smacking the hell out of the guard who did that. Okay, network bandwidth we did. Covert video. Where are you allowed to put hidden cameras? Don't put hidden cameras. Why? Well, do put hidden cameras. Screw it. Jeff covered hidden cameras. Let's speak quickly. I'm going to drink. Well, hidden cameras are a very good idea. Can everybody hear me okay? Hidden cameras are a very good idea because people just don't know where they are. Somebody once told me they never worry about the cameras that they see and they only worry about the cameras that they don't see. 
And in a robbery that took place at the World Trade Center about nine years ago, a couple of guys went into one of the banks in there and walked out with about three million dollars in cash and suitcases. The guys all had masks on. The cameras were really not particularly helpful identifying these average height guys and average weight guys that had big black masks over their face and they just had the two eye holes. Then they took an elevator or a back stairway down to another floor, pulled their masks off and the covert cameras on the other hallways had pictures of all of these guys full frontal face shots. It was on the news and by the next day all these people's neighbors and people that knew them had identified them to the police and of course they've got another probably a good ten more years to serve on their sentences for armed robberies. So covert cameras are a very good thing. Okay, before we get any further, I love tradition and specifically my physical security talks which I've done a few of. I always get a hug from a girl on stage. So who wants to hug me? Come on, somebody raise your hands. Come on, hug me, see? I always get a hug. It's for good luck. Thank you. Okay, next slide here. Conclusion, look at that. I'll give you some links for you. Maybe four. We've been practicing this all day. I like to show King of the Hill and it made me think of a security demonstration. He's going to be our human access control panel in showing inventory control systems. Can you help me with this? Did you explain this? Okay, this is my purse. It has to be where I keep my cigars and my pipes and whatnot. He's going to play the access control system. This is going to be a man who is in there without an access card. Don't open it. Without an access card, but the purse itself is tagged with a security tag. Get up and go walk over there. Now, as the man without the access card walks through the door with the purse, stop right there, the door controller detects the purse. 
That's my purse. Then the door controller detects the person. At that point, the door controller concludes security measures. Now, that is my inventory control security demonstration, which we've been practicing. I pretty much had a time. King of the Hill, it's a great show. Bobby went to the women's training class and learned defense. Everybody go home and buy me more beers, please. Thank you very much. You can reach me online at lasatctech.org or just look at my damn thing and you can hit me. Thanks very much. Anyone who needs security consulting anywhere in the U.S., give us a call.
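
Added example, not part of the talk or the speaker's material: a minimal Python monitor for the two door alarms the talk recommends, a propped-door alarm when a door stays open too long and an alarm whenever the key backup is used. The log format, door names, event names and the 30-second limit are assumptions made for illustration, and the sample log is constructed.

```python
from datetime import datetime, timedelta

# Assumed policy value: how long a door may stay open before it counts as propped.
HELD_OPEN_LIMIT = timedelta(seconds=30)

# Constructed sample log, one event per line: "<ISO timestamp> <door> <event>".
# Assumed event names: GRANT, OPEN, CLOSE, KEY_OVERRIDE (key backup used).
SAMPLE_LOG = """\
2024-01-01T09:00:00 lobby GRANT
2024-01-01T09:00:02 lobby OPEN
2024-01-01T09:00:08 lobby CLOSE
2024-01-01T09:05:03 dock OPEN
2024-01-01T09:06:00 lobby KEY_OVERRIDE
2024-01-01T09:06:01 lobby OPEN
2024-01-01T09:06:05 lobby CLOSE
2024-01-01T09:07:10 dock CLOSE
2024-01-01T09:30:00 server_room OPEN
2024-01-01T09:31:00 lobby GRANT
"""


def door_alarms(log_text, limit=HELD_OPEN_LIMIT):
    """Return sorted (time, door, alarm) tuples for a chronological event log."""
    alarms = []
    open_since = {}   # door -> time of the OPEN not yet matched by a CLOSE
    last_seen = None  # newest timestamp in the log, used for doors still open
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, door, event = line.split()
        now = datetime.fromisoformat(stamp)
        last_seen = now
        if event == "KEY_OVERRIDE":
            # Any use of the mechanical key backup is reported, legitimate or not.
            alarms.append((now, door, "KEY_OVERRIDE"))
        elif event == "OPEN":
            # Keep the earliest OPEN if a CLOSE event was lost.
            open_since.setdefault(door, now)
        elif event == "CLOSE":
            opened = open_since.pop(door, None)
            if opened is not None and now - opened > limit:
                # The alarm time is the moment the limit was exceeded.
                alarms.append((opened + limit, door, "DOOR_HELD_OPEN"))
    # A door that never closed is the case that matters most: still propped.
    for door, opened in open_since.items():
        if last_seen - opened > limit:
            alarms.append((opened + limit, door, "DOOR_HELD_OPEN"))
    return sorted(alarms)


if __name__ == "__main__":
    for when, door, kind in door_alarms(SAMPLE_LOG):
        print(when.isoformat(), door, kind)
```
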