Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

8/14/2009
03:51 PM
John H. Sawyer
John H. Sawyer
Commentary
50%
50%

Physical Penetration Testing Tells All

Rob Enderle had a great post here on Dark Reading on the discrepancies between physical and system security and what happens when they don't match up. The problem is most companies just don't understand physical security and how it can fail. They often think they do, but then they end up putting in flawed physical security controls that can't keep out even the mo

Rob Enderle had a great post here on Dark Reading on the discrepancies between physical and system security and what happens when they don't match up. The problem is most companies just don't understand physical security and how it can fail. They often think they do, but then they end up putting in flawed physical security controls that can't keep out even the most unintelligent criminal -- let alone experienced penetration testers like Johnny Long and Chris Nickerson.The motives behind most of the physical security installs I've seen were either the threat of vandalism, or there was an item on a checklist that had to be checked off to meet some sort of compliance requirement. Very few of them were concerned with the sensitivity of data on the systems, and were instead more worried about downtime caused by theft of equipment.

A recent physical security audit I performed involved two server rooms that both had keypads on the door. After talking with the head sysadmin, I learned that the keypads weren't even being used--which was obvious after a bit of recon where I could see that every one who entered had used a key. The keypads were there because of a checklist that was being followed when the server rooms were installed. The funny thing is that I don't think they've ever been programmed, but I've not confirmed that--yet.

A similar audit was being conducted by a team who invited me to tag along to see a few of their tricks and techniques. After bypassing a motion sensor activated door using a coat hangar and sheet of paper, we were in the "clinic" area that had a poorly locked door (unlocked with a Leatherman) leading straight into the server room. Quick inspection revealed that even if the door had been secured with biometrics, RFID, and a keypad, the drop ceiling was a shared space that would have allowed us to climb right over the wall and bypass any security on the door.

But hey -- at least they could get a check mark saying they had an auditable security mechanism in place. The first group had auditable keypads, while the other required ID cards with a magnetic strip to be swiped before entering the area where the "locked" door to the server room was located.

For a fun crash course in physical penetration testing, watch the first episode of Tiger Team available at the TruTV website featuring Chris Nickerson (one of the hosts from the Exotic Liability Podcast), Luke McOmie, and Ryan Jones. And for interesting ways to bypass security systems using low-tech or no-tech methods, watch Johnny Long's "No-Tech Hacking" presentation at DefCon 15 and pick up his book of the same name. Now how safe is your company really?

John H. Sawyer is a senior security engineer on the IT Security Team at the University of Florida. The views and opinions expressed in this blog are his own and do not represent the views and opinions of the UF IT Security Team or the University of Florida. When John's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading.

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Windows 10 Migration: Getting It Right
Kevin Alexandra, Principal Solutions Engineer at BeyondTrust,  5/15/2019
Baltimore Ransomware Attack Takes Strange Twist
Kelly Jackson Higgins, Executive Editor at Dark Reading,  5/14/2019
When Older Windows Systems Won't Die
Kelly Sheridan, Staff Editor, Dark Reading,  5/17/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-12173
PUBLISHED: 2019-05-18
MacDown 0.7.1 (870) allows remote code execution via a file:\\\ URI, with a .app pathname, in the HREF attribute of an A element. This is different from CVE-2019-12138.
CVE-2019-12172
PUBLISHED: 2019-05-17
Typora 0.9.9.21.1 (1913) allows arbitrary code execution via a modified file: URL syntax in the HREF attribute of an AREA element, as demonstrated by file:\\\ on macOS or Linux, or file://C| on Windows. This is different from CVE-2019-12137.
CVE-2019-12168
PUBLISHED: 2019-05-17
Four-Faith Wireless Mobile Router F3x24 v1.0 devices allow remote code execution via the Command Shell (aka Administration > Commands) screen.
CVE-2019-12170
PUBLISHED: 2019-05-17
ATutor through 2.2.4 is vulnerable to arbitrary file uploads via the mods/_core/backups/upload.php (aka backup) component. This may result in remote command execution. An attacker can use the instructor account to fully compromise the system using a crafted backup ZIP archive. This will allow for PH...
CVE-2019-11644
PUBLISHED: 2019-05-17
In the F-Secure installer in F-Secure SAFE for Windows before 17.6, F-Secure Internet Security before 17.6, F-Secure Anti-Virus before 17.6, F-Secure Client Security Standard and Premium before 14.10, F-Secure PSB Workstation Security before 12.01, and F-Secure Computer Protection Standard and Premi...