So this is the talk. This is Advanced Physical Security: Beyond Dumpster Diving and Social Engineering, or Screw the Firewall and the Secretary Too, which is the alternate title that didn't make it into the program. Now this talk is predicated on the idea: what do we do if all we care about is the information at the end of the rainbow? What happens if we don't care about looking like leet hackers to our friends? What happens if you don't care about breaking the law? What happens if all we want is the information, and we don't care how we get it?

Now first a bit about myself. I'm a member of TOOOL, which is The Open Organization Of Lockpickers; you may have guessed this by my t-shirt. If you come up to the Lockpick Village we will happily teach you how to pick locks. It should be open at some point; I don't know if it's open right now, it probably is during this talk. I'm a student at the Massachusetts Institute of Technology, or as the Boston Herald has called it, the Massachusetts Institute of Terrorism. Now I'm a comparative media studies major, which has nothing to do with any of this, so I can't lay claim to any kind of academic credential. In fact most of the time I'm one of these; you've probably already guessed by my taking pictures of the audience obsessively. This generally doesn't overlap with security, except when I do portraits like this one, or perhaps shoot one of these, and I do a whole lot of lock photography, because I'm a lock guy. In fact if you want to look at lock porn just go to ericschmiedl.com/locks; I have a whole lot of lock pictures up there for your enjoyment.

Now the reason you actually came here was not to hear me talk about myself, it's to hear the talk. And the reason I started doing this talk is the realization that hacking is becoming more commercialized, not because people are getting hired to protect systems, but because information thieves have figured out that information, often obtained
through hacking, is a great way to make money. Now remember, this is about the information; it's not about the hacking. Which means that as computer systems become more and more secure (of course they're never going to become secure, otherwise DEFCON is going to be out of business, and that's never going to happen), as computer systems become more and more secure, there's greater and greater incentive to get the information by any means necessary. Which means doing whatever it takes, which does not necessarily mean hacking. This means that we can take advantage of the fact that you and everybody else around you are the weakest link. Social engineering people love to drive this point home with cool demos at HOPE and the social engineering talk, which I'm sure you guys all went to, but in reality the problem with social engineering is that, well, you have to lie, and you have to lie convincingly, and not everybody's going to believe your lies. So what happens when social engineering doesn't work? Well, if social engineering doesn't work and you can't get someone inside the organization to tell you the information because they believe you to be somebody you aren't, you might as well pretend to be somebody you aren't and get them to formally become a spy for you by recruiting them as a spy.

Now half of you guys are thinking, great, awesome idea, really cool, I'm gonna go recruit spies in all the cool companies and get all their cool data, and the other half of you are thinking, well, great idea, but not a lot of people like to spy. And the solution to this is the process of recruiting spies. It's been formalized over many decades by many intelligence agencies, and it basically boils down to, as James Jesus Angleton, CIA counterintelligence director at one point, so elegantly put it, subtly entrapping them in this web of irresistible compromises, so that while they start out not realizing that they're a spy, by the end they know they're a spy and they realize they don't really have much choice
in the matter. Actually recruiting them as a spy is a five-step process, with a sixth step added in for the Slashdot trolls. First of all you want to spot the potential recruits; figure out who your target is. You want to do your homework: get all the background information you can on them, figure out what their habits are and such. You want to get access to them in a way that you can actually go up and talk to them and they won't think you're some weirdo. You want to develop them as a recruit, to get them more and more into the game, and then finally recruit them as a spy. Now what you're looking for in many cases, in all cases in fact, is either somebody who has access to the information that you want, or someone who can get you access to the people who themselves have access to the information that you want. These are called access agents. You also want to make sure that the people that you're looking at recruiting aren't counterspies who are going to either feed you false information or send the cops. Now once you've identified someone who's a plausible spy, or seems like a good idea, you want to learn about them.
This means learning what makes them tick. Why do they do what they do? Are they in it for the money? Are they in it because they believe in the organization they're working for? Or are they in it because they just want to help people? And then from this you can figure out why it is that they're going to work for you. Now why should someone work as a spy for some random sketchy person that's asking them to pass on information they really shouldn't be passing on? Well, there's a whole bunch of reasons. First of all, because you're offering them a whole crap ton of cash. People like money, and people are willing to do a lot of stuff for money; that's one of the common reasons. But also maybe they want to get revenge on somebody. Maybe they want to get revenge on the boss who's been bossing them around and really been treating them like crap. Passing on information that's going to help take down that person is a great way for them to get back at them, and you can take advantage of that. Maybe they want to get revenge on their government; maybe they're really dissatisfied with the political system that they work in, or maybe they're dissatisfied with the company they're a part of. If they work for Walmart,
well, maybe they don't like Walmart very much, and you can take advantage of this fact. Maybe you can put them in a blackmail or a hostage situation where they're passing on information to protect their reputation or protect their family. Maybe they'll spy for national pride: if you can pretend to be from the government of the country they were originally born in, if they're proud of that country and they're working somewhere else, working for some other country, you can take advantage by pretending to be from that government, or maybe you actually are. You can get them emotionally involved: if they have a really boring, humdrum day-to-day job with no excitement, spying can add a lot of excitement to their life, and that's one of the reasons that some people spy. If they're naive, you can convince them they're working for some great cause, working for peace. That was one of the favorite lines of the KGB back in the day to people who were working in the West: well, pass on information on whatever defense activity you're involved in and you'll be helping the cause of world peace. Well, that's great,
if you're really naive. People will pass on information as long as they get laid; people are willing to do a lot in exchange for getting laid, and passing on information is one of these things. And of course ideology. Again, the KGB loved this back in the 1930s in Cambridge. Some of you guys are perhaps aware they talked to a couple of very clever Cambridge students in England, these were pretty serious communists, and persuaded them that they should renounce communism publicly and get jobs in the British government, passing on information to the Russians. One of these guys was H.A.R. "Kim" Philby; John Cairncross and these other people caused an enormous amount of damage because they were incredibly effective, and they were just working because they believed that communism really was the answer.

Now the other kind of agent you might want to recruit is an access agent. This is somebody who can get you access to somebody who can pass on the information that you want. This means somebody who has a connection to the target group, perhaps; hopefully they work for the same company, the same organization, but perhaps they just hang out at the same bar, or they're a member of the same club. Or it could just be a prostitute, a high-class call girl who you're paying a lot of money to pretend that there's some kind of something going on that really isn't, or to make an introduction. The job of this access agent is to figure out for you who has access to the information you want; oftentimes this isn't public information. The job of an access agent could be to make an introduction. Perhaps you want to be pretending to be from some government and you want them to introduce you as if you're from that government, as if you're actually a secret agent, when you're really some random hacker. Or it could just be to have sex, because let's face it, people trust people they have sex with. And I mean this has been taken advantage of many, many times; everybody knows how this works,
but few people know the actual details of how the KGB would do it. For example, if a Western businessman was visiting Soviet Russia and the KGB knew that this guy had access to information they wanted, sometimes perhaps he might run into some very cute, pretty girl at a bar, and they would start talking, and one thing would lead to another. They would go back to her room, her apartment or some hotel room, and they would have sex, maybe a couple of times, and then the Western businessman would go back home. A few days, a few weeks later he'd get a distraught letter from this girl, being like, oh my god, I'm pregnant. If my father finds out about this he's gonna kill me, like literally kill me, string me up and hang me, kind of thing; this is the Russians, they're really brutal. You've got to help me, I'm in deep shit, I'm gonna lose my job, my life's going to hell, you're responsible for this, you've got to help me. And by the way, my friend, you know, normally in Russia, abortions are totally legal in Soviet Russia, but I've got this friend, he's with the KGB, he's got connections, he can get me an abortion, but he needs a reason to do this. So can you please just give him something, a little bit, so he can go to his boss and get them to give me an abortion?
Well, sometimes this was a nice, upstanding, honest businessman who would happily give a little bit of information to rescue his one-time Soviet girlfriend. If he wasn't, well, that hotel room, that apartment happened to be set up by the KGB with video cameras and microphones to make some very, very nice home movies that the KGB would then hold over the businessman and threaten to expose to his wife, which could be very persuasive. Unfortunately, it only really worked one time, maybe twice. The East Germans were a bit more clever than the KGB, and they realized that a long-term emotional relationship with a target could get a whole lot more, and a whole lot more useful, intelligence than a quick encounter. So they invented the concept of the Romeo spy. This was a smooth-talking guy, usually, whose job it was to make contact with some secretary who had access to top-level, high-security information, generally in the West German government, and get into a relationship with her, get her to bed, because let's face it, in Germany after the Second World War there weren't a lot of guys around; a lot of these secretaries were very lonely. And so some nice-looking guy who seemed pretty cool, well, they started dating them, and in many cases they got married. And so for decades and decades and decades these secretaries would either be passing on a bit of information to their husband that they thought was totally innocuous, because both their boyfriend or their husband or perhaps even the romantic interest was able to recruit them formally to spy for the Soviet Union. Of course, we don't have this luxury.
Most people don't. So how recruitment generally works in the world of espionage, if you're not talking about sex, is two ways: there is the nice way and there's the mean way. The nice way is you get to know them, establish some kind of friendship, and over the course of the friendship you ask for some kind of innocent or innocuous favor that you then reward generously, generally with lots and lots of cash. And this happens over and over again, until the target gets so used to getting your cash for doing little favors, getting you little bits of information that they can get, telling you when there's gonna be some big news happening so you can buy or sell stock or whatever, that they come to depend on this money that you're giving them. And the more they come to depend on this money that you're giving them, the more you can ask for, until finally you ask them for something that's over the line. Not a lot over the line, just a little bit over the line, like the internal company phone book, something that would give you information that you really shouldn't have, and you pay them a crap ton of money for this on some kind of pretense. Perhaps you're asking them for some plans which will allow you to thwart a terrorist attack, quote-unquote, and of course that's, you know, logical, and they want to help their government thwart a terrorist attack, right?
So they think, well, okay, I should, and there's good money in it, so they do it. At this point you've got them hooked and you can recruit them. The mean way of doing this, on the other hand, this is what happens a lot in foreign countries when someone goes to visit these days: make their life hell, get them arrested, get them in some kind of really deep shit that they have to get their way out of somehow, and there's no obvious way of doing it. Maybe they got involved with some woman who now turns out to be an enemy agent, and now they're at risk of losing their clearance or whatever. And so you approach them and you offer to fix their life, perhaps get them out of jail by, you know, having the connections, but all they've got to do is pass on a little bit of information so you can satisfy your superiors. Once that happens you can wash, rinse, repeat the steps I told you about earlier: get them to pass on more and more information until finally you can make the pitch and recruit them formally as a spy for your organization, or for some plausible organization that doesn't actually exist. And when approached like this, of course, a lot of people refuse; people don't really want to be spies in many cases. And so it might be necessary to have a folder there with lots of incriminating photos of all the stuff they've been doing for you that could get them in really deep shit if they don't play along and don't keep doing what you want.

How does this work in practice? Well, there's a whole lot of tools that I told you about, and things don't always get used; sometimes other things get used. It's a question of adapting to the particular situation. Like the KPMG / Guy Enright / Diligence Incorporated thing that happened a while ago; a private investigation firm called Diligence Incorporated... Okay, this piece is retarded. If anybody has any idea how to keep Little Snitch from throwing up a boring dialog about nmbd trying to connect out,
I'd love to hear it. Anyway, so the private investigation firm Diligence Incorporated was hired to get some dirt on this other company, the IPOC International Growth Fund, and Diligence did some digging and figured out that IPOC, the target company, was being audited by this huge international accounting firm, KPMG. So they figured, well, the best way to get some dirt on IPOC, which has really good security, is to get a spy inside KPMG, which doesn't have such good security. So they sent down two ladies from their New York office to Bermuda, which is where the audit was taking place, and these two young ladies pretended to be from a very high-powered, high-end, well-known New York law firm called White & Case. And they contacted KPMG's Bermuda offices saying, hey, we're planning this legal conference, can we get a list of your employees in the area who we should contact about this legal conference? And KPMG did their digging and figured out that this law firm was legit, and they sent along a list of employees for Diligence to use, well, for White & Case to use in the course of planning their legal conference, which was actually to figure out who they wanted to spy for them. They looked at this list, ran it through the usual databases, which tell them anything and everything (it's amazing what you can get these days), and figured out that, well, there was somebody in KPMG's Bermuda office who had access to the information on IPOC who would actually be an ideal match for their profile of an ideal spy:
certainly some guy in his mid-20s who liked risk and liked to gamble and liked women and sports and probably needed some money. There was one: a British-born accountant named Guy Enright. And so a couple of days later Guy Enright gets a call from a guy claiming to be Nick Hamilton. Nick Hamilton speaks in a clipped, very high-end, high-class British accent, and he says he needs to meet Guy Enright for a matter of the utmost importance; that's all he says. A couple of days later they meet for lunch, and Nick Hamilton, who by the way is actually Nick Day, the co-founder of Diligence Incorporated and a former British agent for real, but not a current British agent at all, says that he wants to recruit Guy Enright for a matter concerning British national security. But he can't say any more; he first needs to do some background investigation work on Enright. So he hands Guy this official-looking form, asks for all the personal information, political affiliations, credit history, criminal history, you name it, and gets Guy to fill out the form, goes away, and a couple of days later meets Guy Enright in the bar. They sit down, have a couple of beers, Nick Hamilton tells a couple of war stories from back when he was part of the British equivalent of the Navy SEALs, which may or may not have been the case, and after an hour or two gets down to business: well, Guy Enright's been inspected, detected, infected and finally selected for the mission, passed all the clearance checks, and what does Guy Enright know about the KPMG audit of IPOC?
Simple question, and pretty soon Guy Enright has agreed to start passing over information to his mother country, at least what he thinks is his mother country, about this audit. And so to maintain operational security Nick Hamilton says, well, I've set up this thing, it's called a dead drop, so you don't ever have to meet me again. All you do is put the documents in this watertight container under this rock in a field; this field happens to be on the path of his daily commute every day. And I'll pick them up and leave some money or leave something for you there. And we'll keep this up, and this works for a couple of months: Nick Hamilton tells Guy Enright, leaves him little notes or whatever, what information he wants; Guy Enright copies the documents or brings documents, leaves them in the watertight box, and Nick Hamilton picks them up at some other point. This would have worked great, and it would never have been discovered, except for one minor problem. Somebody, we don't actually know who, left a packet of documents, internal Diligence Incorporated documents, at the KPMG New Jersey offices. These documents contained all the details on this little thing they called Project Yucca, which was the whole IPOC spy thing, and KPMG wasn't so happy about it. In fact, they filed suit, and these documents became public, and we learned a couple of things, as well as what was going on. We also know that, for example, Diligence wasn't very trusting of Guy Enright. They figured they wanted to make sure he wasn't a KPMG counterspy, so they followed him to and from every meeting. And to make sure that Nick Hamilton wasn't being followed, every time he went to and from a meeting he would walk this predefined path through Bermuda where he would walk past several choke points where Diligence operatives could make sure there's nobody following him. We also know that while Diligence was being paid $25,000 a month for this operation,
which was very effective, all Guy Enright got, in addition to being publicly humiliated, was a Rolex watch.

Now if you're not Diligence Incorporated, perhaps you don't want to, and maybe you don't want to recruit a spy inside the organization. Perhaps you just want to send one of your own guys into the organization. This is a really popular tactic that corporations use and the government uses to infiltrate political protest groups: they send in some guy who's got long hair who starts volunteering and helping out and starts passing out information on where the next protest is going to be. A very successful example of this is Mary Lou McFate. There's a story that broke pretty recently about this woman who infiltrated the entire anti-gun movement and was actually an agent for the NRA. If you Google her you can find lots of cool information. On the other hand, how you shouldn't do it is what this other private investigation firm called C2i International did. They sent a guy into this British anti-aviation group called Plane Stupid. He said his name was Ken Tobias, said he really didn't like aviation, he'd just come in from China and, man, Heathrow Airport was really annoying, and he wanted to do anything he could to hurt them. He was a really enthusiastic guy, really wanted to make the group more radical, really wanted to get everybody to, you know, take more risks and live life to the fullest and all that. But they got a little suspicious, because not only was he really enthusiastic, but he was really clean-cut, looked kind of like exactly what you'd expect an undercover cop to look like, and, well, he showed up for meetings 10 minutes early, and if that isn't a warning sign I don't know what is. So they did some digging, and they figured out that even though he claimed to live in London he wasn't on the London electoral register, and while he claimed to have played rugby he wasn't on the records of the rugby team
he said he played for. They fed him some fake information, figured out that this guy was actually a spy, and pretty soon the exact tactics that they'd said they were going to use in this protest against airports were distributed to all the British airport security checkpoints as things to watch out for, and then of course the Manchester Evening Standard published all the details of the meetings that he attended. They figured they had a rat. So they sat him down in a Japanese restaurant and asked him, you know, at least could he verify his identity? So he said, well, you know, I just lost my wallet, and my ID was in there too, and, you know, my passport's at my mom's and she lives a long way off, but, like, you're persecuting me, you're persecuting me because of my background, and he got really whiny and emo, so they kicked him out. And they still realized, despite all this, they knew he was a spy, but they didn't know who he worked for. They did some investigation. They took a picture of him at a protest, and since he said he'd gone to Oxford they gave the picture to some guy they knew at Oxford, who recognized him as Toby Kendall,
a completely different person, whose name they Googled, which brought up a Bebo page; the Bebo page linked to a LinkedIn page which identified him as an analyst at the special risk management company C2i International, and apparently he was involved in security and investigations. So if you're gonna be a spy, whatever you do, make sure your social networking pages don't reveal who you are.

The other thing you can do is get a job as a temporary employee. The classic example of this is construction workers, who are pretty transient to begin with, and a construction worker on the night shift, filling his lunch box with a couple of radio transmitters and a whole bunch of microphones, can work pretty much unsupervised doing whatever the heck he wants, which makes for a night shift full of a whole lot of fun.

You want to get physical access to the facility? Well, there's a couple of things you can do. First of all, people are pretty polite: even if it's a secure door or turnstile, they're gonna hold the door open for somebody who looks legit, so you can take advantage of this. If this is a building which is protected by photo IDs, photo IDs are notoriously vulnerable.
In fact, there was a case some time ago where the guy in charge of physical security at a military base, which used only a guard checking photo IDs as their security, figured he'd test his own base's security. So he called up a couple of friends of his who worked in military intelligence, told them, hey guys, I'll buy you a whole night of beers if you pick up these badges I've had made up for you, and all you've got to do is get into work every day for two solid weeks and not get found out. Well, these special badges replaced the photo ID picture on the badge with that of your average African baboon. And not only did this guy have to buy a whole night of beers for these guys, because they got in for two solid weeks, these badges weren't discovered for two solid months, and the only reason they were discovered is because the guard was a butterfingers and dropped one of the badges, and when he bent down to pick it up he finally took a look at the picture and said, hey, we've got a problem here.

Now if it's a secure door, there's this thing called the request-to-exit sensor. In theory this is designed to allow people who are leaving a facility to open the door, because it automatically unlocks the door when the motion detector gets set off. In reality this is a great way for an attacker to get in and save the trouble of picking locks, because all he has to do is inflate a balloon under the door, tied to a rope, let it float up and wave it around until the motion sensor goes off and the door unlocks for him. Depending on the door mechanism you can bypass it in a wide variety of ways that don't involve lockpicking. You can loid or card the door; you've seen this in movies, James Bond doing this. In many cases the lock has this thing called the deadlatch, and my laser pointer doesn't work, but you can see the arrow: the deadlatch is designed to prevent you from sticking a card in the jamb and pushing back the latch. Unfortunately, not only
are not all locks equipped with this feature, but many strike plates were installed by incompetent locksmiths who installed the wrong kind of strike plate, which means the deadlatch doesn't work and you can still card the door. Some locksets, of course, you can go into the keyway, not pick the lock, but instead stick a wire into the right place and trip the latch, because it's accessible from the back of the keyway, and open the lock. And this is the Adams Rite bypass, for example; some photos. The idea is that the wire goes back in and just literally flips the bolt back in the lock and the door opens. In many cases electronic locks have a lot of vulnerabilities; there's plenty of talks on this. This, for example, is a scramble keypad. It's highly secure because the keys change every time you enter the combination, so you never know what key was pressed if you were, say, watching with a camera. On the other hand, some keypads aren't quite so secure. For example, you can take some highlighter (highlighter ink stays pretty tacky for a long time; it also is invisible in normal light), so if you light it up under UV you can see the ink getting tracked from key to key and figure out what the combination is. Of course sometimes you don't even need highlighter, because, say, with fingerprint sensors you can sometimes just breathe on the sensor and the condensation will cause the fingerprint to register to the electronics. Now I'm not Deviant Ollam.
I'm not going to talk about lockpicking, but if you go up to the Lockpick Village we will help you, teach you how to do this. There is one thing I do want to mention on a side note, which is master key systems. Well, if you get access to one of the keys in a master key system (this could be the key to the bathroom in a skyscraper, which happens to be on the same master key system with the rest of the locks in the skyscraper), you can then take an impression of this key or decode the key, and, assuming you can get blanks or make keys out of credit cards as Marc Tobias showed us, you can then make seven different keys, or six different keys, or five different keys, depending on how many different pins are in the lock, go back to the skyscraper, and then over the course of trying all the different keys, cutting them down in a certain way, derive the master key, which will allow you to open every lock in the whole building. And all you needed was the bathroom key, which you got by asking the receptionist.

One thing you shouldn't do is tape over the locks in the building hoping that you can get in at the end of the day. This is how the Watergate burglars were caught. A former CIA guy who really should have known better, name was James McCord, put duct tape on the stairwell locks leading out of the Watergate building, the idea being that everybody, the whole bugging team, could come back in at the end of the day and bug the offices without having to pick the locks, which were apparently somewhat of a bitch. Well, this nine-dollar-an-hour security guard, Frank Wills, saw the duct tape and was like, huh? while making his daily rounds of the building, so he pulled off the duct tape and continued on his way. And James McCord, who really needed a hearty beating with a clue bat, came back, saw the duct tape had been removed, and put some more on the door. Well, so the security guard comes back in an hour,
sees duct tape has been added, and calls the cops. Well, they found the Watergate bugging team in the offices of the Democratic National Party, and they were not in the offices of the Democratic National Party chairman, which was in fact the target. The reason was the Democratic chairman's office was really secure, had some good locks on it, and they really couldn't get in; they were in the adjacent office. And when the Washington DC police found them they had the ceiling tiles removed. As it turns out, all that security on the Democratic chairman's office was pointless, because you could go in over the drop ceiling and get into the office that way.

If you don't want to play Watergate burglar, you can try a little more legal approach. In many places, if you can get legit access to the neighboring building, a pair of binoculars or a long telephoto lens will get you this kind of view of whatever is going on in the office you're looking at. And as a result, if you can see the screens, you can see what's on them; you might as well be running some kind of, I don't know, other attack which I'm going to talk about later. This is incidentally a photo from some preparations some friends of mine did; they did some research on the MBTA, that's the Boston transit system, headquarters. This is a photo through the window of the MBTA operations building. It's terribly secure: there's not even a front desk, it's all locked, there are security cameras all over the place. But, well, you can look in the window, but nobody ever expects anyone to look through a skyscraper window, right?
If you can get a cell phone into the building... because this is the kind of society where now, all of a sudden, everybody's carrying their own bugging devices. There are two websites that, for about a hundred euros apiece, will sell you pre-manufactured, pre-coded, pre-compiled software which will turn most cell phones into bugging devices that will dial out and let you listen in on whatever is happening in the room in which the cell phone is left. The classic application of this is the businessman who is in the middle of some difficult contract negotiations. He's just sitting in the conference room and he's got his cell phone on the table, briefcase on the table. He's like, hey guys, let's take a break, I gotta go use the bathroom. He goes to use the bathroom, and, you know, I don't know, maybe he has some diarrhea or something, because he's gone for about 15, 20 minutes, and at the same time his cell phone is in fact recording whatever his negotiating adversaries are talking about in the room, while he's listening in or hearing from a compatriot who's summarizing everything he needs to know to go back in and have a much greater advantage at the negotiating table.

Of course, some cell phones aren't so easy to get access to, like Karl Rove's iPhone, as it so turns out. Though the iPhone has a number of remote vulnerabilities: if you Google "Rik Farrow iPhone" you can figure out how to remotely root an iPhone, and as Rik Farrow demonstrates, you can easily upload some software which will cause the iPhone to send you an audio recording of whatever is going on around the iPhone. I would sure love to hear what's going on around Karl Rove's iPhone, if anybody can get me that.

Of course, the problem with all this is it's really illegal. Wiretapping laws and audio interception laws have been around for a while, and this is the kind of stuff which is office-based, but it is not going to send you to white-collar resort prison, it's going to send you to federal pound-me-in-the-ass prison. For example, in the US it's illegal to possess, manufacture, or distribute devices which are primarily useful for the surreptitious interception of wire, oral, or electronic communications. Got to wonder about that with those little keyboard key loggers that I bought off eBay.

Of course, this could extend to something as innocuous as your average intercom. Radio Shack sells these intercoms which were designed for communicating from room to room or listening in on, like, what's happening, like a baby monitor type thing. Plug them into the wall, you plug every one into the wall, and somehow some magic happens and the audio goes over the power line and gets extracted and you can listen to it. Well, anybody using an HF band ham radio can hear that too.

Anybody can go online and buy himself one of these little handy-dandy recording devices, little audio recorders. I mean, they're marketed at recording meetings; they just don't say what kind of meeting and how the recording is being done. They advertise features like "capturing audio of meetings, interviews, and other critical information expected of digital recorders," featuring "amazingly long recording times" of 136 hours, "up to 32 hours of continuous operation," even featuring a "timer recording mode" for those who do not want to call attention to the fact that they're making a recording. Sounds really useful to me. "Parental protection." Yeah, there you go.

Of course, your voicemail, even if you don't want to drop in with a recorder, is kind of vulnerable sometimes. Most voicemail boxes are protected by a numeric code which has no precautions at all against brute-forcing. (Your lens cap is on, dude. Yeah, I know.) No protections against brute-forcing, and think what kind of messages people are leaving on your voicemail, and what those messages are going to say about you.
Speaking of things that give the adversary more information than you might have desired: if you want to get information on this top-secret presentation this CEO is giving, perhaps to the board of directors, and, you know, it's going to be held in a very secure room, and, you know, there's going to be a counter-surveillance sweep team going through looking for bugs, so if you want to plant a bug, it would be awfully nice if you could get a bug on the CEO's person. The problem with this, of course, is you've got to get access to the CEO's clothes, and that could be kind of a problem. So really you'd much rather the CEO just up and volunteered to carry in a bugging device for you, like one of these. This is your average conference body-pack wireless microphone, and these things are so vulnerable to interception that the reason I'm walking around with a microphone up here on stage like Elvis Presley, as opposed to wearing a little lavalier mic, is because in the past people have started broadcasting on them, on the frequency at DEF CON, and giving their own talks over the presenter.

Get a little more advanced if you like with Bluetooth, key loggers, PBX, voice over IP; I'll talk about that a bit later. But when it comes down to it, these are the kind of attacks where really you end up parking a van out in front, one that hopefully doesn't look too suspicious, and looking at what comes out of the target facility, perhaps from a bug. You don't even have to plant a bug.
There's this thing called TEMPEST, discovered back in the '80s, also known as van Eck phreaking. This guy named Wim van Eck discovered that your average CRT emanates the kind of information that all you need is a specially designed radio receiver and you can reconstruct all the information on that CRT and watch as someone is typing in all the secret plans and whatever. Well, LCDs are a little bit more difficult to intercept like this, so it's a great excuse to tell your boss to buy you that Cinema Display you've always wanted, because it's immune to TEMPEST. At least in theory. On the other hand, there's other stuff going on in your average office which is a little less secure, like, say, the Microsoft Optical Wireless 1000 and 2000 keyboards. They transmit on 27 megahertz, which means it'll go through lots and lots of buildings and obstructions, like 900 megahertz won't, and they use an incredibly secure encryption technique called XOR, and as it turns out they only use one of 256 possible keys. And the Swiss security research firm called Dreamlab figured out that not only can you intercept one keyboard, but if you have three separate keyboards next to each other, you can filter them all by keyboard and on your screen watch three different keyboards being used simultaneously, or more.

Of course, Bluetooth isn't really safe either. This is a quick shortcut link to a Bluetooth paper talking about the fine art of causing Bluetooth connections to be interrupted, causing the re-pairing process to happen, at which point you can sniff the keys and get some interesting information. This is a little bit beyond the scope of this talk, so I'll leave it up to you and your research skills.

Phone taps, classic example.
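The single-byte XOR described above is weak for a simple reason: there are only 256 candidate keys, and the correct one is the only one that turns every captured byte into a plausible keyboard scancode. The following is an added example for this page, not Dreamlab's code and not the keyboards' real over-the-air format: the 2-byte frame layout (a keyboard identifier followed by the XORed scancode), the HID scancode subset and the "captured" typing are all constructed here. It also does the demultiplexing the talk mentions, splitting a mixed capture into one stream per keyboard before cracking each key.

```python
"""
Brute-forcing the single-byte XOR 'encryption' of a 27 MHz wireless keyboard
and demultiplexing several keyboards, along the lines of what the talk says
Dreamlab found. Added example, not Dreamlab's code or the keyboards' real
over-the-air format: the 2-byte frame layout [keyboard_id, scancode ^ key],
the HID scancode subset and the captured text are all constructed here.
"""
from collections import defaultdict
from itertools import zip_longest
from typing import Dict, List, Tuple

# USB HID usage codes: a-z are 4..29, space is 44, Enter is 40.
SCANCODE = {chr(ord("a") + i): 4 + i for i in range(26)}
SCANCODE[" "] = 44
SCANCODE["\n"] = 40
VALID = set(SCANCODE.values())
CHAR_OF = {v: k for k, v in SCANCODE.items()}
COMMON = {SCANCODE[c] for c in "etaoin"}  # most frequent English letters


def encode_frames(keyboard_id: int, key: int, text: str) -> List[bytes]:
    """What a keyboard on the air would send under our constructed format."""
    return [bytes([keyboard_id, SCANCODE[ch] ^ key]) for ch in text]


def demux(frames: List[bytes]) -> Dict[int, List[int]]:
    """Split a mixed capture into per-keyboard ciphertext streams."""
    streams = defaultdict(list)
    for f in frames:
        streams[f[0]].append(f[1])
    return dict(streams)


def crack_key(cipher: List[int]) -> Tuple[int, str]:
    """Try all 256 keys; the right one turns every byte into a plausible
    scancode. Score = (#valid scancodes, #common letters) so a wrong key that
    happens to keep most bytes valid still loses to the real one."""
    best = None
    for key in range(256):
        plain = [c ^ key for c in cipher]
        score = (sum(p in VALID for p in plain), sum(p in COMMON for p in plain))
        if best is None or score > best[0]:
            best = (score, key, plain)
    _, key, plain = best
    return key, "".join(CHAR_OF.get(p, "?") for p in plain)


def crack_capture(frames: List[bytes]) -> Dict[int, Tuple[int, str]]:
    """Recover (key, typed text) for every keyboard seen in the capture."""
    return {kid: crack_key(stream) for kid, stream in demux(frames).items()}


# Constructed capture: two keyboards in the same office, interleaved on the air.
FRAMES_A = encode_frames(0x11, 0x5A, "the quick brown fox jumps over the lazy dog")
FRAMES_B = encode_frames(0x22, 0xC3, "meet me at the loading dock at nine")
CAPTURE = [f for pair in zip_longest(FRAMES_A, FRAMES_B) for f in pair if f is not None]

if __name__ == "__main__":
    for kid, (key, text) in sorted(crack_capture(CAPTURE).items()):
        print(f"keyboard {kid:#04x}: key={key:#04x} text={text!r}")
```

The scoring is the whole trick: because the plaintext alphabet is a small, known subset of the 256 byte values, a few dozen keystrokes are enough to single out the key without any known plaintext, which is why "XOR with one byte" offers no meaningful protection against a receiver parked in the next building.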
Everybody knows: I'm hearing clicks on my phone, therefore they're tapping my phone. Well, these days phone taps are probably a little more sophisticated, unless there's actually a guy sitting outside tapping into your phone box with a lineman's handset. Like, for example, Walmart, who not only configured their email system to look for any outgoing keywords which might suggest that one of their employees was communicating with a protest group or reporter, they set up their PBX to automatically intercept and record calls coming to and from the New York Times, because they were looking for a leak. Well, this got public when they fired a guy named Bruce Gabbard; he told the story to the media and Walmart wasn't so happy.

You can do this too if you want. If you go online you can get all sorts of hidden cameras and hidden microphones for a nominal fee. These things aren't terribly secure when it comes to resistance to a bug-sweeping team, but let's face it, you can hide a camera in a birdhouse, a clock radio, a potted plant, a teddy bear, glasses, even a hairdryer, and of course, for 700 bucks, just in case your cell phone camera wasn't good enough, you can get a cell phone wireless video camera. This is, I think, the first example I've ever seen of meta-cameras, which are a camera hidden inside a device that already contains a camera. Yes, recursion. So what do you do with this kind of video?
Well, there's the usual incriminating footage. There we go. Like what happened in Sandwich elementary schools, a case in which the principal here was videotaped by a hidden camera concealed in the heating duct above his office. It got some very interesting home movies that were held on to by this unknown party for a couple of months and then mailed out in DVD form to a couple of parents five days before the school board elections. This wreaked a lot of havoc, and the cops were called in, and they figured out that because there was no audio on the DVDs, they didn't fall under eavesdropping law, and so they couldn't actually open an investigation into who did this.

But that's not all you can do with wireless video cameras. So, okay, I'll let you see one of the cooler applications of this from one of the experts. This is one of the TV shows I would actually watch if it ever got back on the air, called Tiger Team. "On the way out I planted a small wireless camera next to the alarm keypad so that we could watch it remotely from the hotel." And this is the alarm keypad which controls the alarm system to a very high-end auto dealership. This is what happened; you get to watch the thing. And for bonus points, can anybody guess where the camera was hidden? One more reason not to have lots of bling around your office. Let's say that you can hide a transmitter pretty much anywhere. There's a case from a while ago.
I mean, involving Air France and the Concorde. This is back when the Concorde was still running. The French government's intelligence arm bugged the first-class seats in the Concorde, every single one of them, so they could listen to the conversations between businessmen who were flying to France to negotiate deals with French companies, and from this information get something which would give an advantage to the French companies.

Of course, you can hide a bug outside the room with lasers, thanks to modern technology. You can bounce the laser off the window, take the reflected beam, read it with a three-dollar Radio Shack photocell, plug it into an audio amplifier, and listen to whatever was going on inside. It's been around for a long time; the spooks have been using it for ages. It was recently featured on hackaday.com. But NASA figured out that if you use terahertz radio waves instead of a laser, you can listen to vibrations that are caused in metal objects in the room, like the laptop I'm talking to that's in front of me, because the vibrations of the metal objects cause the beam to get modulated, and using a whole lot of DSP you can listen to the vibrations in the metal object inside the room. Which means that the old trick of attaching a speaker to the window to defeat the laser-bounce window listener no longer works. This, for your information, is patent number 20050220310; if you look it up online you can make your very own.

Of course, once you've got this bug inside the room, what do you do? As it turns out, you can reconstruct anything that's typed on a computer keyboard from a microphone in the room. This research, which was done by researchers at UC Berkeley using a cheap $10 PC microphone, figured out that not only can you read what the user is typing on their keyboard from the sound of the keys tapping, you don't even have to know what the heck it is they're typing in the first place, because you can use statistical analysis techniques, developed originally for cryptography, to determine, assuming you know they're typing English text, that a certain frequency of keys will happen in a certain way, map the sound to the key, and then get 90% of the English text. Sorry, 90% accuracy with English text. And once you have the system trained, you can then recognize, given 20 guesses, 90% of all five-character passwords, 77% of all eight-character passwords, and 70% of ten-character passwords. Kind of a problem. Especially when you can hijack a computer with a Trojan recording the microphone input on the computer, and then listen to all the keystrokes that are happening in the room. For example, the government is a big fan of the idea of segregating networks. This means you have a computer connected to the regular network for people to do their IM and, you know, MySpace stuff on, and you have another computer connected to the top secret network, and the two are never connected, the idea being that anybody who hacks into the unsecured computer can't access the secure computer. Well, if the unsecured computer has a microphone on it, you can hear what anybody is typing into the secure computer in the same room. It's kind of a problem.

So you might be interested in figuring out how to find a bug. This is called, in the industry, technical surveillance countermeasures, and generally involves hiring very high-priced experts to come in with some esoteric equipment and sweep the room, making beeping noises, and hopefully find the bug. You may be tempted to do this yourself using spy shop bug finders. These things are universally crap. No, really, don't even bother. The phone line analyzers they sell are totally useless. If you actually want to do this, you might start with this thing called a spectrum analyzer. For twenty to fifty thousand dollars, it shows you on the display all the signals in the local area in the form of peaks: where there's a signal you see a peak, where there's no signal you don't see a peak, and you can therefore analyze what is there and what shouldn't be there by looking at what's going on in the room radio-wise. The cool thing about a spectrum analyzer is it will also spot things like frequency-hopping or spread-spectrum bugs, which you can't spot with your average Radio Shack scanner, because you'll see the little bit of extra radiation in that area.

There are systems like OSCOR which are sold as, like, all-in-one TSCM tools for companies that want to do their own in-house stuff. Basically, they work by doing two different things. They will compare the local radio spectrum at some previous time to the radio spectrum during the secret meeting, the idea being that a bug would be turned off at night to save battery power and turned back on during the secret meeting, and therefore you'll see that extra spike in the spectrum. And they'll also look at the spectrum and compare it to the local audio, the idea being that if there's a bug in the room, there'll probably be some correlation between the radio emissions of the bug and the local audio inside the room, and therefore they'll find the bug.

A real TSCM specialist will probably walk in with one of these guys. It looks like a very fancy metal detector. It's a nonlinear junction detector, and it uses a spectrally pure, generally about two watt, radio frequency emission out of the metal-detector head, which also acts as an antenna, and then there's an RF amplifier and some sophisticated DSP circuitry which is looking for odd-order harmonics in the return signal, the idea being that any kind of nonlinear junction in silicon, which is a junction that you're going to find in any kind of diode or transistor, and therefore in any kind of bug, is going to return an odd-order harmonic and therefore locate the bug for you. This is great when you're looking at a wall and you find this kind of junction in the middle of a wall that really shouldn't have any kind of junction in it, and you start digging. It isn't so great, of course, when you're dealing with something that already has electronics all around you, like, say, your average server room, so you need some other technology for that; it's one tool in the toolkit. The other problem with these nonlinear junction detectors is that they will detect rust on screws, for example, which forms its own nonlinear junctions. They'll detect the springs in a car, they'll detect any bit of metal in furniture because of corrosion, so false positives are kind of a big problem.

Voice over just about anything: this is what I was talking about earlier with the Radio Shack intercoms. A lot of bugs are designed to run in place forever; they run off wall power and they transmit the audio down the power line, so that you can pick it up by plugging the receiver into anything on the same circuit. And if they're well designed, they'll run in just about the 50 kilohertz to, you know, a couple hundred kilohertz range, so they don't get filtered out by the filtering which is applied to the power line, which means to detect them you use an HF band radio receiver. If you have an extra thermal imager, you can take advantage of the fact that a lot of radio transmitters give off heat, a lot of cameras give off heat, so if you see a hot spot where there shouldn't be one, you should probably take a look.

Most important of all in TSCM, though, is physical security, physical search: taking the room apart piece by piece, looking everywhere. This is probably the easiest to do, because all you need to do is use some elbow grease. That will find the most bugs of any different method, because you're looking for the physical bug, but you have to be particularly thorough. In fact, you should probably check the car and the home. There have been some high-profile cases, for example, where the Scottish politician Tommy Sheridan discovered a tiny little box with what he described as "a wee antenna" on it in his car, which was presumably recording his cell phone calls, because, well, GSM is pretty difficult to intercept unless you have about a hundred thousand dollars, but when someone's talking it's pretty easy to listen in on, and what do people do in their cars? They talk on their cell phones. Did it with their home: the CEO of the UK insurance company Equitable Life found a bug in the apartment he used during the week, and that caused a big hoopla, which means that he got to hire a very expensive TSCM specialist. These guys charge several thousand dollars a day, because the amount of equipment they tote about is 200,000 to 200 million dollars all together. The reason you want to spend that much is because sometimes things go wrong, like the time Kid Rock's security entourage found what they thought was a wireless camera in his dressing room, and they were like, right there, you know, uploading porn of Kid Rock getting dressed to the random internets. Well, turns out this wireless camera was actually part of the nightclub's regular security system; the resulting lawsuit backfired horribly and everybody was very embarrassed.

If you want to try it yourself, of course, you can go down to Radio Shack and buy yourself a scanner and listen to all the local transmissions and see if you can find something which is picking up audio in the target room. This will of course only detect the most rudimentary bugs, like the ones I showed you earlier, the bug in the hair dryer, bug in the birdhouse type deal, which of course is never going to be used against a high-value target, like, say, the Porsche CEO who found a baby monitor under the sofa in his Ritz-Carlton hotel room. He was very infuriated by this because it was on, the batteries were fresh. They went to the Ritz-Carlton guys, who were like, oh, it must be a family. But then they checked their records and no family had actually stayed in the hotel room for several weeks before. So somebody was trying to bug the Porsche CEO with a baby monitor.

That's all I've got for you right now, which is probably bringing a lot of relief to the deaf people who've been waving at me. Any questions? There's no microphone system, but you're welcome to come up and ask.
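The two checks the talk attributes to all-in-one TSCM boxes like OSCOR (compare the spectrum during the meeting against a baseline sweep, then look for radio signals whose modulation tracks the room audio) are simple enough to sketch in code. The following is an added example for this page, not OSCOR's or any vendor's code: the sweeps are dictionaries of frequency to level in dBm, the "demodulated envelopes" are lists of amplitude samples, and every value below is constructed rather than measured; the 10 dB threshold and the 0.8 correlation cut-off are assumptions you would tune on a real sweep.

```python
"""
The two checks the talk attributes to all-in-one TSCM boxes like OSCOR,
sketched in code: (1) compare the RF spectrum during the meeting with a
baseline taken earlier and flag new peaks; (2) for each new peak, test
whether its demodulated envelope tracks the room audio. Added example, not
OSCOR's code; spectra and envelopes below are constructed, not measured.
"""
import math
import random
from typing import Dict, List, Sequence

THRESHOLD_DB = 10.0   # assumed: how much louder than baseline a bin must be
CORR_LIMIT = 0.8      # assumed: envelope/audio correlation we treat as a bug


def new_peaks(baseline: Dict[float, float], meeting: Dict[float, float],
              threshold_db: float = THRESHOLD_DB) -> List[float]:
    """Frequencies (MHz) whose level rose by at least threshold_db over the
    baseline sweep. Bins absent from the baseline are compared against the
    noise floor, taken here as the baseline's lowest level."""
    floor = min(baseline.values())
    return sorted(f for f, p in meeting.items()
                  if p - baseline.get(f, floor) >= threshold_db)


def pearson(x: Sequence[float], y: Sequence[float]) -> float:
    """Plain Pearson correlation coefficient, no numpy needed."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sxx = sum((a - mx) ** 2 for a in x)
    syy = sum((b - my) ** 2 for b in y)
    return sxy / math.sqrt(sxx * syy) if sxx and syy else 0.0


def correlated_with_room(rf_envelope: Sequence[float], room_audio: Sequence[float],
                         limit: float = CORR_LIMIT) -> bool:
    """A transmitter whose modulation follows what is said in the room is
    the one to go looking for."""
    return pearson(rf_envelope, room_audio) >= limit


def sweep_for_bugs(baseline, meeting, envelopes, room_audio) -> Dict[float, str]:
    """Combine both checks and give a verdict per new peak."""
    verdict = {}
    for f in new_peaks(baseline, meeting):
        env = envelopes.get(f)
        if env is None:
            verdict[f] = "new signal, no demod available"
        elif correlated_with_room(env, room_audio):
            verdict[f] = "tracks room audio: probable bug"
        else:
            verdict[f] = "new signal, uncorrelated"
    return verdict


# ---- constructed data: a night-time baseline and a sweep during the meeting ----
rng = random.Random(7)
BASELINE = {f: -95.0 + rng.uniform(-2, 2)
            for f in (88.5, 101.1, 146.52, 398.6, 462.5, 2437.0)}
BASELINE[88.5] = -40.0      # FM broadcast, always there
BASELINE[2437.0] = -55.0    # office Wi-Fi, always there
MEETING = dict(BASELINE)
MEETING[398.6] = -62.0      # appears only during the meeting
MEETING[462.5] = -70.0      # also new: say, a building radio keyed up

ROOM_AUDIO = [abs(math.sin(i / 3.0)) * (0.5 + rng.random()) for i in range(200)]
ENVELOPES = {
    398.6: [a * 0.9 + rng.gauss(0, 0.05) for a in ROOM_AUDIO],  # follows the room
    462.5: [rng.random() for _ in ROOM_AUDIO],                  # unrelated modulation
}

if __name__ == "__main__":
    for f, v in sweep_for_bugs(BASELINE, MEETING, ENVELOPES, ROOM_AUDIO).items():
        print(f"{f:8.2f} MHz: {v}")
```

The second check is what separates a bug from the building's own radio traffic: both show up as new peaks, but only the transmitter whose envelope rises and falls with the conversation is worth tearing the wall open for. A bug that stores audio and bursts it out later, or one that hops or spreads its signal, defeats the correlation test, which is the talk's point that the spectrum view is one tool and the physical search is still the one that finds the most.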