You’re Probably Not Red Teaming... And Usually I’m Not, Either [SANS ICS 2018]

  • Published: 21 Sep 2024
  • In a world where it seems everyone and their dog is doing “penetration testing” nowadays, many individuals have started attempting to distinguish themselves by referring to their work as “red teaming.” Heck, that’s wound up in some bios which have been written for me in the past. However, this term is over-used and often misapplied.
    In this talk, I will offer up a straightforward metric for untangling these terms, and then share tips, stories, and advice on tools that can help you in future Pen Tests or (if you’re truly performing them) Red Team Engagements.

Comments • 500

  • @maracachucho8701 5 years ago +590

    I really hope all this comes up in the zoology exam I'm taking tomorrow.

    • @DeviantOllam 5 years ago +179

      If it doesn't, that exam is lacking. :-)

    • @maracachucho8701 5 years ago +37

      Piece of cake! Didn't even have to "red team" my teacher, if you know what I mean.

    • @HK-sw3vi 3 years ago +9

      I usually expect crime, law to show up on my physics exams

    • @anthonybracuti6898 3 years ago

      what was in the exam in the end I wonder?

    • @jon...5324 3 years ago +1

      haha I have a pharmacology exam tomorrow

  • @xer0334 4 years ago +726

    So I am an actual technician, but the number of times I've turned up at a business and said I'm here to work in the comms room and they just let me in is astonishing.

    • @Delzra 4 years ago +52

      Same. I work in fire protection and have to check every smoke detector tied to the central in building. So I usually get to go places I probably shouldn't be unsupervised, even as a 'technician'. Now what could I do in an elevator control room? A server room? People these days.

    • @eriklindbergs5017 4 years ago +50

      I'm a volunteer for (public safety organisation) and we do building safety compliance checks from time to time. Half the time I just show up in the service t-shirt, which anyone that volunteers has at least 2 of, and they give me a master key and let me wander around no questions asked. There's like 5 of us in the area who have the qualification to do these inspections out of over 2000 volunteers. And it's not like those t-shirts are a secure item, I'm sure dozens have been misplaced.
      But here's the kicker: Those of us who are qualified inspectors have an ID card that is separate to the normal one issued to volunteers and the paperwork the building manager needs to sign states they must check the inspector's ID BEFORE providing access. It's also in the service agreement and plastered everywhere on the panels we inspect. These people don't understand opsec at all.

    • @phimuskapsi 4 years ago +22

      A couple years ago I was a tech on a job to refresh routers/switches in banks for a few different companies. They gave us a piece of paper from an email that basically explained who we were and what we were doing. 99% of the time there was no discussion, they just immediately took me to the server room, then locked up and left me alone in the building.
      One bank the manager asked if I needed to be in the vault, even offered to open it and leave it open for me.

    • @KoreanMeatball 4 years ago +14

      Used to deliver laundry.
      Show up in a white van with a hi-vis vest on and 99% of the time we'd get free run of anywhere, sure we'd have to sign in and maybe do a site induction for some of the big sites but yeah not once asked to actually prove I had laundry with me.

    • @scottcol23 4 years ago +9

      @phimuskapsi the vault is a secure room, it doesn't just have money and gold laying out in the open. At my bank there are 3 rooms. One is safety deposit boxes, one is storage of documents and the smallest of them all is the strong room with cash. Weirdly there is another floor vault in that room of which I don't know what is in it.

  • @christophergronhagen 4 years ago +490

    I use the "look like you belong there" when I get into the VIP area in clubs with just a GA ticket. I've used the back side of water bottle labels and napkins, folded into the right size around my wrist as a fake VIP band and followed a group into the VIP area. My favorite time was buying the same wrist bands on Amazon that the club uses, and looked at Instagram to see what color VIP was using that night. I have more fun figuring out how to get into the VIP area in different ways, than dancing or partying with friends in the club.

    • @DeviantOllam 4 years ago +129

      Those are some solid plans... Love the water bottle label. :-)

    • @infy33 4 years ago +49

      When I was 18 I became a bouncer (6'4" 280ish college athlete) after being shot at, slashed at and burned I quickly realized that no one else had issues like me. Slept on it, realized quickly that your intellect and knowledge are much more powerful and versatile than physical.
      I'll cut to it. Owner says "People are getting in VIP filling it up and we only sold 2 VIP bracelets, must be security letting them in for a tip" it was $100 to get in for males, $50 for females (I never charged females, stupidest thing ever) found my buddy outside selling those bracelets for $20 so I quit and joined him :D

    • @famousamoso7 4 years ago +27

      I know super low key and bland.... but there was a fair next door to my house when I was younger. They sold wrist bands that gave you unlimited access to all the rides. Well I walked over 1 day and saw everyone walking out had hot pink wristbands on so I figured that was the color choice for the day (each day they changed it). As I was walking back home to find a suitable fake band I walked past a trash can in the parking lot that had a poster in it. And wouldn't ya know it was hot pink. I ripped off a piece of it and folded it to look like a nice wrist band and at the time I wore themed rubber bands (all had different colors and quotes). So I tucked the hot pink wrist band in with all the rest and never was questioned. A quick flash of the wrist and I had free access to all the rides.

    • @surveyingfleaproductions 3 years ago +6

      We used to send one guy in to get the stamp, then use sharpies and highlighters to mimic it. Worked every time. Once had a group of 20 get in that way. Shout out to the Castle Crashers.

  • @xquizate8777 5 years ago +158

    "cannon based assailants are not in our risk model" is now my favorite sentence of all time.

    • @DeviantOllam 5 years ago +29

      Thank you... I enjoyed that one, too. :-)

  • @I0NE007 3 years ago +207

    "A good pen tester isn't meant to show how much of a badass they are. It's to help the person prepare for the next badass that doesn't share the same goals."

  • @johnmcleodvii 5 years ago +306

    I caught a pen tester once pretending to inspect fire extinguishers. Except he wasn't in the right uniform and he wasn't quite doing it right. Called security, and got an attaboy, and told to let him continue on to see if anyone else caught him (no one did).

    • @baylinkdashyt 4 years ago +33

      So the actual goal was to *see if employees caught him*?
      #ImLovinIt

    • @johnmcleodvii 4 years ago +22

      @baylinkdashyt correct

    • @insertcolorherehawk3761 3 years ago +32

      @David Harmon It's pen testing, the point is to make sure security isn't being lazy, the building is able to slow or even stop them, and they can't hack in

    • @ThinkFreely2012 3 years ago +20

      @Addict that's not true. They have dated inspection tags. They get regularly inspected per code, and have an expiration date. At such date they must be replaced.

    • @heirofaniu 3 years ago +4

      @ThinkFreely2012 But yet never once has anyone actually seen it happening.

  • @Jet-Pack 5 years ago +515

    That last sentence was the key difference between an actual attacker and someone just pen testing...
    "Getting in is fun but getting caught is the goal."

    • @pentestingkeysdotcom375 4 years ago +4

      Indeed.

    • @thatdudnum67potatoe45 3 years ago

      But stealing can set you for life

    • @ChoChan776 3 years ago +4

      getting caught can never be the goal with pen testing. otherwise you're not pen testing, you're just having fun.

    • @SheepInACart 2 years ago +3

      @ChoChan776 Getting caught MUST be the goal in pen testing, else you've not discovered the limits, merely proven you are awesome enough to exceed them... it's fun to break into places that never even know you were there, but to pen test you need to work with a client to keep THEM improving till THEIR needs are met, which is FAR below what you could theoretically demonstrate is possible, as referenced in the 40mm spiel (I've shown using a battery powered electromagnetic pulse device can be manufactured in a couple of hours to overpower door snarks, it was not a reasonable attack vector, instead recommending window bars so idiots couldn't smash their way in WAS). That means getting caught.. besides where and how you're busted can add LOTS of weight to statements you make that middle managers ignored in previous reports. See waiting in a chair for 20mins, if the guard doesn't see a stranger sitting at a PC in an empty office in that time, it's a PROBLEM, if they didn't wait with expectation to get caught, they'd have not tested that, and client wouldn't have gotten that value, which cost them literally one third of a billable hour total to find out.

    • @512TheWolf512 2 years ago +1

      @thatdudnum67potatoe45 yep. Life in prison that is. Especially if you steal from other thieves

  • @---cr8nw 5 years ago +71

    I love that your daily carry key ring is full of real keys (and only two jigglers). Most people wouldn't even notice the jigglers and no one is going to call it a lock picking kit. It isn't. It's just a bunch of inconspicuous keys.

  • @jfan4reva 6 years ago +319

    For half of his adult life, my Dad carried around key rings with about 3 pounds of brass on them. Gotta wonder if he could have gotten by with just a half dozen keys.
    He would have loved this kind of stuff. Subtly deflating over-inflated egos was a hobby of his. Once on a fire alarm install, he was going around the building with the client and the security alarm vendor, who was bragging up his system. My Dad asked the security alarm guy if his sensors worked when they're installed upside down. The security alarm guy goes "What do you mean upside down?" My Dad goes "Well these have this part pointing up, but those have it pointing down." The security alarm guy calls the electrician over and growls at him to reinstall the upside down sensors. My dad cracked up when he told us the story.

  • @Moto421 6 years ago +209

    I did the security guard thing for a while. It was an open secret that we were just eye-candy for the insurance company.

    • @stevej279 6 years ago +30

      I own a security company and totally capitalize on that very thing :-)

    • @travcollier 5 years ago +59

      Yep, like most locks, a security guard basically functions as a sign saying "please don't enter". Though security guards can be damn useful for monitoring for fire, broken pipes, and all sorts of other random "this can't be right" stuff. Of course, going 3rd party and/or not paying them well is a great way to encourage a "not my problem/job" approach instead.

    • @Dracolith1 5 years ago +10

      You need a monetary reward for the guard that stops an incident with sufficient evidence that it's happening and couldn't have been caused by the guard.

    • @travcollier 5 years ago +22

      @Dracolith1 Purely monetary incentives are probably not sufficient. Facing any sort of perceived danger, especially danger coming from other individuals, strongly triggers parts of our brains quite different from the self-interested cost-benefit sort of thing. It is a huge topic and I'm not an expert, but I'd guess that security having a sense that they are "part of the team/family" with the enterprise they are guarding is pretty important. Of course, paying someone crap is a great way to ensure you don't get that sort of loyalty.
      Anyways... I'm getting way off topic

    • @hannahranga 5 years ago +9

      @travcollier You've also got to deal with both equipping that guard to function to the level you want (both training and equipment wise) and what happens after a use of force incident. You can get a guard that injures someone (with varying degrees of excess and injury) or gets themselves hurt or worse killed. If you've got a lone guard with a baton that's been instructed to stop everyone that then gets killed trying to do that you're in a position where you can be liable for their deaths.
      It's not an impossible one but it tends to be an expensive one and it's hard to do halfway.

  • @chronicawareness9986 5 years ago +163

    weird style of stand up comedy but I liked it

  • @agsystems8220 5 years ago +313

    I think it is important to emphasise the difference between a secure lock and a signalling or token lock. The stock keys are great when you want to stop stupidity, rather than malice. We keep the key to the medicine cabinet at work in the lock, but it still does an important job. Junior staff are aware that they do not have permission to open that lock. We are more worried about a horse being disqualified from an event for being medicated than losing the medicine. I would imagine the cabinet locks are designed mostly to avoid the servers being handled routinely or by mistake, rather than stopping an attacker that has already breached the server room.
    I've seen a padlock on a chain that could be lifted off, and it still sort of did its job. The field wasn't secure anyway, and if somebody wanted to break in they easily could. The chain was there to signal that going in there was not allowed (it is at some times of the year), rather than secure the field.
    It only becomes a problem when people use signalling locks as part of a perimeter.

    • @DeviantOllam 5 years ago +102

      This is exceptionally well put!

    • @woswasdenni1914 5 years ago +9

      yea especially server rooms main reason is to protect from your own employees without malicious intent.
      but in most networks you can do anything from the cable closet what you can do in the server room, except maybe stealing hard drives.
      but who needs to steal hard drives when your employees walk around with unencrypted laptops, having offline sync on the "secure" network folders :) sure certain things might be more secured, but the overall data leakage everywhere is not even funny anymore.
      you can put all your intrusion detection, encrypt your local lan, send a marine squad to protect cable closets and server rooms,
      I will simply go in and service the printer, and change hard drives, to get those highly confidential documents you try to secure
      especially for the digital side, I would always assume that you can get in. if it's not encrypted it's not important, and it never leaves its container

    • @woswasdenni1914 5 years ago +2

      or the government agencies forget terabyte of sensitive data on an open amazon ftp :)

    • @dangerszewski9816 4 years ago +4

      @Cassandra They actually cover those in the training for some security certs. Courts and legal recourses are absolutely a viable part of an overall comprehensive damage mitigation strategy. Now, there are huge limits here, many criminals are in countries that won't prosecute people attacking businesses in other states whatsoever, and even if they're not in those nations there are legal obstacles to crossing jurisdictions-- but all mitigation strategies have gaps and holes that's why you use them in concert. Having that disclaimer there gives your lawyers more attack surface, including the potential threat of criminal, not merely civil, action because the federal law uses a terrifyingly vague "without authorization" standard rather than anything objective (technically something as easy as browsing to someone else's /user partition in Windows Explorer could be illegal by federal law). It's a very cheap and easy way to extend your mitigation a little, in concert with your HR and legal teams.

  • @HappyfoxBiz 5 years ago +87

    once found an RFID dongle outside a government building and the dongle worked, tested it and immediately returned it... the person was neutral even when I asked "what if I wanted to gain illicit entry?" she replied "oh, we have a security alarm"
    As this person points out, all I needed was a shirt, a box of RJ45 and a ladder and I have myself a cover story between 9-5 so yes... when someone doesn't know your alarm code, doesn't mean they don't need it to start robbing you or worse, compromising your security to the point where you might as well leave the passwords on the screen, don't bother locking the doors because they are mine... I can basically have an all access season pass to your building.
    An alarm is for when people are not there not as a first response, contractors don't mind being questioned "hey, should you be here? can you provide proof?" because it's 2 minutes of their job and they will know not to rob the place

  • @theprogrammer32 4 years ago +86

    "I'm not exactly sure what security guards are trained to do."
    I recently worked security in Florida, one of the strictest states for security ever since an event in 2016 where a gay club got shot up by a security guard.
    We are trained to walk around and write reports.
    Our training focuses heavily on what we can legally NOT do (ie. avoiding lawsuits and COA)
    In practice, it's mostly preventing crime by simply wearing a uniform and walking around, checking for broken lights, taking readings from water pumps, and cleaning up the pool area after it closes - anything for the client to get their money's worth.

    • @Eye_of_a_Texan 4 years ago +22

      Exactly the same in Texas. Guards are a token measure to make simple minded folk think that there is opposition. Walk right in peeps. They're not going to stop you, and they're not paid to. They will witness in your trial though. Good guards are better than stationary cameras I guess.
      Texas commissioned guards are armed though, and are paid to stop intruders. They aren't paid enough in my opinion.

    • @Djorgal 3 years ago +2

      @Eye_of_a_Texan Everyone in Texas is armed and will stop intruders with fire and brimstone.

    • @Eye_of_a_Texan 3 years ago

      @Djorgal..... Sure why not

    • @aramilalpha1 3 years ago +4

      I worked as a guard in a monitoring center for an international security company. Most of the job was monitoring alarms and reviewing video to ensure no illicit entry occurred and doing lots of random BS for the client execs. But, sometimes, we would work as regular security in local properties if they were short staffed.
      Absolutely no training whatsoever on how to identify or question people to determine if they were supposed to be in the building. The client basically said that entry security was good enough and didn't want security guards harassing potential employees inside who entered normally.

  • @coy512 5 years ago +65

    Thank you for emphasizing that a test team must work with the blue team in the end to deliver the most value to the client. It's not just good it's good business - a test team that takes the time to work with the blue team and further ask "can we help you fix those things?" can rake in up to 10x what the test cost in terms of follow on business as long as they continue to show value in helping fix the problems found.

  • @killslay 4 years ago +11

    I've been a security guard. We got no training other than the legal limits of our authority/responsibilities we have and an hour class on "physical intervention". We always got forgotten about, nobody would go through proper channels and tell us about guests visits or keep us in the loop about work going on so it isn't out the ordinary to have a bunch of randoms wandering into the building unexpectedly

  • @TechnologistAtWork 4 years ago +17

    It's so easy to sink hours watching your lectures. You're an entertainer.

  • @CrimsonStrider 5 years ago +167

    I've watched a few of your presentations over the last few days. Even though they're very similar and not really relevant to me, they're entertaining, informative, and easy to watch. Keep up the great work.

    • @DeviantOllam 5 years ago +35

      Thanks! I'll keep on presenting, for sure. :-)

    • @thatdudnum67potatoe45 3 years ago +1

      As an impressionable kid should I pursue this as a career

  • @svampebob007 6 years ago +377

    I remember watching your elevator video, and it got me really thinking about who's pretending to be who.
    and it got me talking with the boss, now I've put up a sign at work where it says "show ID if asked for ID".
    Every time some random dude comes in and says "yeah I'm from X and supposed to do X", we tell them oh do you have an ID?
    Every single time they say "what?", so we reply "you know it's for security, then point to the sign".
    The thing is that the sign is located kinda "randomly" on a shelf, so you kinda have to look up. and since you're looking up, the security camera is there to look right back at you.
    Most of them actually pull out their state issued ID, because obviously a badge is not an ID, the ones that point to their badge usually get told, "I could also print out a badge".
    It's a small step to counter potential security flaws, but honestly even if you show the ID and we take it down, it's not like we're checking if it's valid, by cross-referring it with some database...
    but at least we try to trick people to either show a valid ID or look up by giving them an unfamiliar scenario, if we are the one getting tricked then shame on them :)

    • @edogg5690 5 years ago +6

      Way to fuck over anyone with a good plan. What do you care if your job gets knocked off for?

    • @edogg5690 5 years ago +3

      We all know you don't make that badge comment either.

    • @Davvg 5 years ago +78

      E Dogg who pissed in your Cheerios?

    • @Monitice 5 years ago +10

      @Davvg Seems like the cheerios had rotten milk maaaan

    • @UnknownSend3r 5 years ago +6

      This is the equivalent of bringing an apple for your teacher, unless you are responsible for security then it shouldn't concern you. And if you are then good job in taking pointers from the video and applying them.

  • @littlegrabbiZZ9PZA 6 years ago +353

    This was an interesting one, I always enjoy physical pentesting. What I'd really like to hear is a talk about how to fail at it, though. Sort of a "Pentesting don'ts" type of deal.

    • @FreeStuffPlease 5 years ago +1

      Sounds like it would get boring pretty quick.

    • @stephenconnell 4 years ago +2

      Why would he do that? He is selling his services to a wider audience so good idea to appear competent at what our demonstrating and selling.

    • @GeorgeNoory42069 4 years ago +2

      @B B it seems like everyone has grown up in this extremely online mindset that they don't process the real world ramifications for what they are doing.

    • @filmNFX1 4 years ago +9

      @B B Pen testers are hired to do stuff that would normally be illegal. If they are good professionals they'll make sure their contract allows them to do everything they need.

    • @swine13 4 years ago +4

      @FreeStuffPlease I pity the person that doesn't see any value in observing the mistakes of others.

  • @SeleenShadowpaw 4 years ago +25

    How casually you talk about your wife having reader implants.
    [Posthumanism intensifies]

    • @DeviantOllam 4 years ago +17

      Yeah. I have them, too. Many folk I know do. They're fun, not gonna lie. :-)

    • @SeleenShadowpaw 4 years ago +9

      @DeviantOllam I know they are a thing, but hearing someone talk so casually about cloning creds into their hand still sounds a little bit like some scifi shtick to me. Not that I don't think it's incredibly awesome, mind you.
      Now we just wait for the subvocal/cochlea communications units and the cybernose :D

  • @jacobjake683 4 years ago +15

    If I ever see this guy near my property I'm going to be immediately suspicious

  • @m0314700308891515 6 years ago +65

    As a security guard, this hits close to home. Most of the time we get put on sites as replacements or fill ins with zero training aside from "Just check doors 1,2,3,4... every hour and call 555-5555 if there is a fire." We all pretty much accept that we're a cog in the liability system and there to be blamed when shit breaks. (Well, that's company side, I'm sure the client was sold a lie about "Highly trained professionals" and pays $90 an hour for us to walk around) armed guards are even worse, the standards are non existent and using your gun is a fast track to unemployment and possibly court no matter how justified it was. (Client probably pays $190 an hour for that skill)
    Please, people, *NEVER HIRE THIRD PARTY SECURITY CONTRACTORS*

    • @lifeisgood12341 6 years ago +2

      Please just hire me.

    • @clonerstive 6 years ago +18

      I enjoyed being security because I loved social engineering. I 100% took pride in being one of the newest but also one of the best on our team. I got kudos from our clients for my detailed reports and insight into potential problems that others could exploit. Sadly, the job wouldn't compensate for the extra accolades and skill set, so I moved on to greener pastures. Boss begged me to stay, I told him I would happily for $x more, but "I can't afford to pay any more". Sorry boss, you were a good dude, but gotta do me

  • @raymondparks1572 5 years ago +12

    The most satisfying red team engagement I have had in 20+ years was when the client's developers started helping us with attack steps during the kickoff meeting. They bought into our slogan, "The Red Team is your friend". And, with their help, we achieved our goal - "Make life hell for the bad guys".

  • @butre. 5 years ago +28

    ok putting a jumper wire on your key ring is a genius idea. I've always just kept one in my wallet because people in theory won't see it there. nobody's gonna question you using one as a lanyard though

  • @TesserId 3 years ago +8

    Hands down my favorite security lecturer. And, I don't even do this kind of work. But, if you have any role in security--any, you're going to benefit from this stuff, and I'm always sharing this stuff with our team.

  • @Delvareus 3 years ago +4

    “Yes, thank you, cannon-based assailants are not in our risk model.”

  • @FirstIsa 5 years ago +51

    "Look like you belong" works in some frightening ways. I did Delivery for Jimmy Johns and was literally badged in to the local Homeland Security Office because I was on delivery. They didn't ask for ID, didn't check if the order was legitimate, simply saw a uniform, matching bag in my hand, and swiped me through and gave me directions.
    When it comes to security guards- they are usually paid to do two things- Observe a property, and report what happens. In the case of an actual problem they call the cops. Armed guards are only slightly higher (at least in Ohio) in that they can restrain someone if there is suspicion, if there's an actual threat to someone's life they can shoot. Personally I enjoy the work but I'm happy that I do not have anywhere near the obligations of a cop even as an armed guard.

  • @Kamel419 5 years ago +23

    great talk! it's critical to not forget the entire reason companies want a pen test in the first place. this definitely keeps that in perspective

  • @PlasmaHH 6 years ago +66

    When you come back, and can't get in, then you did a good job.

  • @micahnightwolf 4 years ago +6

    Deviant Ollam and LockPickingLawyer are two of my favorite people who specialize in blowing massive holes in everyone's sense of security. Now just imagine if they teamed up.

    • @DeviantOllam 4 years ago +4

      we have. =)

    • @micahnightwolf 4 years ago +2

      @DeviantOllam It won't be long before one of you figures out how to bypass a lock using telekinesis. LPL is already using kitchenware.

  • @fjshdf 6 years ago +295

    amazed that you used TF2 but not any images of Spy

    • @Providence83 6 years ago +38

      fjshdf there is no end to my dissatisfaction from this. HE LITERALLY WEARS A MASK THAT TURNS HIM INTO OTHER PEOPLE, IT'D FIT SO WELL IN THIS TALK.

    • @Ablankname 6 years ago +80

      How do you know there isn't a blue spy in there?

    • @danpowell806 5 years ago +87

      All of the TF2 images are of Spy.

    • @plushifoxed 5 years ago +10

      he's the spy

    • @ysink 5 years ago +4

      4:30 a spy on the right of the image

  • @DeliveryMcGee 6 years ago +83

    Re: "look like you belong there." -- I can get onto the sidelines of any college or lesser sporting event just by waving my Nikon D7000 and saying "I'm with [local newspaper]." They asked to see my press badge maybe twice in the ten years I worked for the paper, never called the number on it to verify me. Related tip for photographers, make friends with a publisher who will back you up, so if they DO call to verify your credentials, your buddy will say "Oh, yeah, he's a freelancer working on a thing for me."

    • @Nudgarrobot 5 years ago +18

      Dude legitimately you can get in the back of so many places (Who are utilizing A/V equipment, especially through a third party) by wearing a black shirt and just holding a roll of gaff tape- For all anyone else is aware, you look just like one of the event technicians. Bonus points if you have a cable wrap and look like you're in a hurry.

    • @TheAlison1456 2 years ago

      This comment, really this whole comment section, is the embodiment of Hitman.

  • @jeeper426 4 years ago +4

    honestly watching your videos has made me better at my job (I'm a Private Security Contractor), thank you for your security talks and all you do man

    • @DeviantOllam
      @DeviantOllam  4 года назад +3

      what a lovely thing to say. Thank you so much, I appreciate hearing it and I appreciate being able to be helpful element of Your world. :-)

  • @garrukapex6693
    @garrukapex6693 6 years ago +326

    Oof, a new deviant talk. There goes my next 44 minutes

    • @DeviantOllam
      @DeviantOllam  6 years ago +30

      GarrukApex hah, I hope it was worth it for you!

    • @garrukapex6693
      @garrukapex6693 6 years ago +10

      DeviantOllam oh it definitely was!

    • @devinpallone1840
      @devinpallone1840 5 years ago +6

      You can learn twice as fast. In fact, open two Deviant talks and do this.
      You'll learn 4x as fast

    • @Uncle_Buzz
      @Uncle_Buzz 5 years ago +1

      @@DeviantOllam ALWAYS. Love your talks. Cheers!

  • @Brainreaver79
    @Brainreaver79 3 years ago +2

    when I worked part time as an unarmed guard, we literally got told, "you are only there to lower the insurance rates. don't try to stop whoever breaks in, your life isn't worth it. just call the cops/hq/whatever and be done with it"

  • @russellbluewolf6427
    @russellbluewolf6427 6 years ago +30

    stepdad is a locksmith of 30 years..I've learned a lot of how insecure stuff really is by going on jobs...the keys you list I have seen in places and I'm like " why do you even do that?"..people never think about security until there is a break in, or they hire a company like yours...and it's scary, that security(physical especially) isn't on people's minds...

  • @seleckt6600
    @seleckt6600 3 years ago +8

    I flip houses for a living. The amount of times I've had neighbors call cops on me for breaking into a vacant house I just bought is astonishing. What's even more astonishing is in every single case, I have just told the cop I just bought the house and he just left, no further questions asked.

  • @GameAceTaylor
    @GameAceTaylor 4 years ago +9

    Ironically, the RED team graphics used in the presentation are "blue team" defense, in actual gameplay.

  • @kilajuy
    @kilajuy 4 years ago +2

    Tomatoes, tomatoes.
    If you pronounced those differently, give yourself a gold star, because you're awesome

  • @aaronbell5994
    @aaronbell5994 5 years ago +11

    I'm never hugging anyone again after this talk.

    • @JasperJanssen
      @JasperJanssen 3 years ago

      Pandemic didn’t do that already?

  • @jowilson5581
    @jowilson5581 4 years ago +1

    Having worked as a security guard: Yeah you get no training. MAYBE you have to read a company binder on report procedure, or watch a corporate training video. You're there to be a visible uniform and/or car, that's it. It's a deterrent, you're not actually enforcing anything lol. I think the most I was ever asked to take an active hand in things was, once there was a site where it was a gated community and they wanted me to kick people out of the pool after 11. Sometimes they'd even listen! If anyone got belligerent with me my orders were to just stand down and note it in my log for the next morning. Once my boss sent me to a gig with a company car and my job was to just sit in the parking lot. If anyone hung around, I was supposed to turn my car's lights on and see if it scared them off. It's a weird job.

  • @suicidalbanananana
    @suicidalbanananana 5 years ago +7

    Points for somebody plugging a usb device into the presentation computer 3:35 into the video, nothing to worry about folks, no really, I'm from HQ. ^^
    Love your talks, keep em coming, as somebody from the Netherlands I'd love to hear a presentation about any work you've ever done here and/or in neighboring countries

  • @salvagebar
    @salvagebar 5 years ago +36

    7:13 Marry the girl who will break into buildings for you

  • @lifeisgood12341
    @lifeisgood12341 6 years ago +7

    My dad is a contractor and my first car was an old work truck, I drove around and looked at new construction all the time, no one questions a guy in a truck with hardhats hanging in the window

  • @SGresponse
    @SGresponse 4 years ago +1

    A cool attack vector that I discovered in my company randomly.
    Prerequisites:
    1. Be physically there. They have desks. Desks have company phones.
    2. On the back of the phone there is a NAME of the person who owns the desk.
    3. Often in the reception desk there is a list of common phone numbers. 24/7 IT support is your target.
    Attack:
    1. Go to desk of the target person, get their name, make sure that the GENDER matches. If you're playing extra safe - try one who would (from their name) have presumably your accent (or an accent that you can fake).
    2. Call 24/7 IT from the phone on the desk. Say "Oh my name is X, I can't log in. Something's wrong with my password. Could you reset? ... Yeah I know it's 10PM. I'm working on this report for tomorrow, just went out for a smoke and now login fails."
    3. They will just SPELL YOUR NEW PASSWORD OUT TO YOU BY PHONE. Without any further need of ID, because they see that the phone number and name match in their registry.
    4. BOOM. You have now logged in as person X. Perhaps person X is a finance clerk or HR. Or maybe a director? Or the local IT guy? Go wild, mate.
    And you'll be forgiven for thinking that my company had a shoddy service deal and it was just a fluke and it's not probable at all in a normal setting. Yep. It was shoddy. After all it was serviced by the shadiest of the companies: I.B.M.

    • @howtomundane3109
      @howtomundane3109 1 year ago

      ”Nobody ever got fired for buying IBM“

    • @Alexis-lt3zy
      @Alexis-lt3zy 3 months ago

      Meanwhile, trans women with male-sounding voices and female names get fucked over (yet again) lol. I've literally had IT help desks say they can't help me because I don't "sound like that person". I've passed the phone to my girlfriend, impersonating me, and that works 😉

  • @posidonentertainmentcompan8490
    @posidonentertainmentcompan8490 3 years ago +1

    One time I did a job with my granddad, we were installing and troubleshooting a phone lane line routing issue and a cam system. We happened to go past the main server and network system for their internet, and I noticed a LAN turtle with the literal stereotypical bullshit tag on it saying I.T. do not remove so I brought it up and we don't know how long their network was compromised and it was a hotel that touted a secure internet system. I only knew it was a LAN turtle because I wanted (and still do) to get my hands on one. Although I do not know what finally became of it I know they got their ISP out the next day to look into it. For those wondering the problem with the phone system was that over half of the room phones were routed to the wrong portions of the building and almost all of them were mislabeled.

  • @mjptrapster
    @mjptrapster 5 years ago +2

    Really interesting talk, and it gives you a lot to think about. I've had a Paxton maglock fail open at work before and no one mentioned it - even when the system emailed the reception and site staff to say the controller had fallen over. Reception ignored it, site assumed IT would deal with it and the rest of the staff just found it more convenient to have that door open all the time!
    Now it's integrated with the CCTV and sets off two audible alarms in the reception and main office from the CCTV head unit on a door failure or tamper and the master control unit for the site which is in a false ceiling in the office. Now they don't ignore it, as they can't. The noise gets extremely grating after a minute or two!

  • @MyBallzGotShocked
    @MyBallzGotShocked 5 years ago +4

    I'm addict3d to these deviant talks. He's just great to listen to.

  • @sobertillnoon
    @sobertillnoon 5 years ago +7

    "It'll getcha through everything… half the time"

  • @randomsandwichian
    @randomsandwichian 4 years ago +5

    So a Soldier with a rocket launcher got into an elevator.
    "It's cool, it's cool 🖐 😑🖐 *clears throat, kneels to the intercom* This is just a test."

  • @bene5431
    @bene5431 3 years ago +1

    You're missing a Key for electrical cabinets. But that often hangs on a wire next to the cabinet and is more there to ensure it stays closed when nobody tries to open them

  • @uis246
    @uis246 1 year ago +2

    In Team Fortress 2 Red team is often on defence and Blu(e) on offence. Except symmetrical gamemodes.

  • @jasonmyneni8605
    @jasonmyneni8605 4 years ago +1

    My favorite example of bad security was at a Detroit hospital. I came in with a Badge (from a different hospital) and in scrubs, and they flagged me through security. No questions asked.

  • @slackerengi2401
    @slackerengi2401 5 years ago +4

    Dude
    you're one of my favorite presenters and I just realized it
    I feel like a dummy

  • @IVoyager-lj9it
    @IVoyager-lj9it 5 years ago +2

    I had a step father in the 80's who would steal big screen TV's. He would walk in the store, then 20 minutes later he'd be walking out with a store employee, pushing a cart with 4 or 5 on it. The employee would load them in the back of the truck and we'd drive off. Did this ALL the time, in different stores in 3 states.

  • @copuis
    @copuis 6 years ago +15

    So, not red teaming, but still breaking into a house (power outage, and my friend had gotten into a very bad habit of using the garage door)
    now, doing a little first responder, and having some pretty basic breaking in skills due to my security work, and having worked in real estate, and seeing how successful people got into places
    I was f*in floored at her rental, and the either dumb luck or care that went into securing this house (sunday night, and locksmith was going to charge 150 for the call out, and 150 for every part hour on the job)
    the security door was shimmed open in seconds, and that's where all the promising progress ended,
    the main door was hung correctly, and a recess added to make pulling the latch hard, but also, the striker plate was installed correctly (the first time ever I'd come across that in a rental)
    so, that wasn't an option (only took two coke cans to find that out)
    hinges on the other side
    right, went onto the garage door, an electronic roller door, no worries, many of these you can either lift them with force they "pop" and you're just holding up the weights of the door, and a little spring
    I still haven't worked fully how, but I managed to just slip a car jack under and short of damaging the door, that was no longer an option
    right, screw it, I will bend out the track, and pop the door out of the track, and get the much thinner than me renter to shimmy past and bam
    nope, I bent out the track with a hammer and screwdriver, but it would not pop, because as I found, there were reinforcing ribs bolted into the house frame every 15cm holding off the door ever being able to skip off the track!
    it was a tin roof, so the other normal route of lifting tiles, and getting in the roof space (an oft overlooked easy quick way in) was off the table
    no, the method to get it was three coat hangers, a length of string, an endoscope and hooking onto the manual override from the top, dropping string, lifting the door, getting the other end, (and the real trick!) pulling back down on the door to take all the upwards load off the door, and pulling the override!
    I was pretty impressed (and I was happy as I have no clue where my lock picks are, and it is a skill I've not used in ten odd years, and I think it would have been something I don't think I would have been good enough to do at my rusty arse state)

  • @PetterBruland
    @PetterBruland 4 years ago

    One time when I worked as a network engineer contractor, and needed to verify switch ports on multiple floors of a hotel to plan out the number of wireless APs needed. Got to the front desk and did not even show ID, although presented myself and whom I worked for, asked for the IT person on site to get access to some closets. I was told the IT person is also their accountant and is tied up in an offsite meeting, gave me an access card. I expected keys and was told that all doors use HID readers and the card is the master card that will open ANY door so I should have no issues getting what I needed. I was sort of in a shock and wanted to tell the person, what the hell is wrong with you. However did my job, and reported it to the main IT guy who said that is just standard to give contractors unlimited access. Insane.

  • @dieface12
    @dieface12 4 years ago +1

    Looking like you belong is a method my father has used to legitimately enter restricted areas. High-vis vest and a toolbox (that could have literally anything inside), but no ID or anything. Just walks right in, looking like he knows what he's doing, and never gets stopped or asked for ID. Granted, he was actually doing jobs there, so he had a legit reason that could actually be verified by contacting his employer, but the point still stands.

  • @B2Ttrolling
    @B2Ttrolling 5 years ago +6

    With me, I don't even try to break in anywhere. In fact I don't even really care about social engineering. BUT, I do deliver pizza. The amount of places I've been let in is sort of funny. I remember being in a retirement home sort of facility and there was a door that said it was alarmed etc.. I knew I had to get in there because it's what the ticket said. I waited, an employee saw me standing there with food in hand and just put in the code and let me in. Even had to wait for an employee to let me out too or the door would have set off an alarm. Food delivery drivers are trusted quite easily I've come to notice.

    • @tylisirn
      @tylisirn 4 years ago

      In an elder care home that lock is almost certainly to keep the dementia patients safely in, rather than to keep anyone out really. At least during the day hours.

  • @Techn0magier
    @Techn0magier 3 years ago +1

    So let me get this straight. The security holes today were the same as three years ago? And I found old guides for people building their own homes, where those are talked about as well. (From the '70s) Not the digital stuff, but the physical. I remember the tip to change the lock on the case for the electricity and to position the letterbox in a way, the postman can access it without having keys to your property. xD

  • @LakeVermilionDreams
    @LakeVermilionDreams 5 years ago +7

    Actual implants for cloning RFID... That's dedication!

    • @DeviantOllam
      @DeviantOllam  5 years ago +3

      It's pretty fun... There's video on this channel of me getting the needle. :-)

  • @christophersilverberg4217
    @christophersilverberg4217 5 years ago +1

    I don't see why customers do not sue Dork-king etc. since their product is essentially worthless now with the key being publicly available.

  • @userou-ig1ze
    @userou-ig1ze 5 years ago +3

    awesome, congrats, perfect talk. With all the whiskey video shorts I had forgotten why I subbed, now it's clear (again)

    • @userou-ig1ze
      @userou-ig1ze 5 years ago

      Can you just say what the red team is supposed to be please??? I know the team fortress reference but that's it

  • @plagiats
    @plagiats 1 year ago

    "Gets you through everything, half the time" best sales pitch ever

  • @ishouldgetalif3
    @ishouldgetalif3 5 years ago +11

    good talk, but a minor correction: that was a 40mm Bofors, it's Swedish and not Austrian.
    that is all, cheers!

    • @DeviantOllam
      @DeviantOllam  5 years ago +7

      Ha, good catch. Thanks!

    • @SittingDuc
      @SittingDuc 5 years ago

      Well, Bofors is a Swedish company, but all through the 20th century, they subcontracted to everyone and their dog. America made Bofors, Austria made Bofors. Heck, Australia probably made a couple back in the 30's.. On the other hand, I haven't watched enough gun-jesus videos to be able to pick the country-of-origin of a Bofors on sight, so this one example? Could have come from anywhere to take out that nasty "bullet resistant" shirt...

  • @joshuarosen6242
    @joshuarosen6242 4 years ago

    I used to be an auditor for one of the Big 4 and simply wearing a suit, being well-spoken and confident was enough to get me into almost anywhere except data centres. Getting onto the trading floor of a major investment bank ought to be difficult but it wasn't. In my whole career I was only once asked to prove my identity.
    If I were a baddy, I'd go for social engineering every time.

  • @wheedler
    @wheedler 6 years ago +66

    I don't know what a red team is, but this was still interesting.

    • @DeviantOllam
      @DeviantOllam  6 years ago +22

      Glad you enjoyed :-)

    • @Preacher65
      @Preacher65 6 years ago +38

      A red team or the red team is an independent group that challenges an organization to improve its effectiveness by assuming an adversarial role or point of view. It is particularly effective in organizations with strong cultures and fixed ways of approaching problems. In the context of these talks, A red team is sent to test the security, both physical and virtual, of a site or company.

    • @StopMoColorado
      @StopMoColorado 6 years ago +2

      Does that name go back to ex-SEAL Team CO, Dick Marcinko? Red Cell?

    • @Preacher65
      @Preacher65 6 years ago +2

      @@StopMoColorado I can't speak with firsthand knowledge. I have heard there were instances of red team-like tactics dating back to the 1930's, but as far as the origin of the "red team" term, I do not know.

    • @MySpaceBarsBroken0o
      @MySpaceBarsBroken0o 5 years ago +7

      Just got this recommended to me randomly, but from what I picked up I'd assume blue team handles security while the red team are the guys who try and bypass it.

  • @carolinafrog4365
    @carolinafrog4365 4 years ago

    I love your vids dude! I've worked at so many facilities where nobody bothered reading our shift reports and it got to where at a data center, one person would badge in then hold a door leading to a "man trap", the next facility employee would badge open the other door and whole depts would enter/exit on 2 badges lol

  • @mikes_.5_cent
    @mikes_.5_cent 3 years ago

    Amazing.
    So glad I saw you guys on the Modern Rogue.

  • @scottcol23
    @scottcol23 4 years ago +1

    Goodwill is a great place to get official collared uniforms. I have seen them all from sewage and water board, Entergy, Cox, AT&T, Verizon, Tyco, DHL, you name it

  • @shannonmcstormy5021
    @shannonmcstormy5021 4 years ago

    First, big fan. That said, I would argue that your keys may arguably be a little too James Bond-ish of an advantage. They shouldn’t be, but I think they are. The other thing is after a half a century in I.S. Management, big and small, for every employee that is commended for following security protocols, (and I always made sure a written commendation went into the person’s file), you have 10 that were yelled at because they were being too pedantic, rule-following, too much wanna-be cop, someone didn’t let the security know a vendor was coming, or some big muckety-muck didn’t like being hassled. Learning to not raise an alarm or question seems to be a learned behavior of veteran security personnel......

  • @unfa00
    @unfa00 5 years ago +4

    29:40 - the red shirt of that artillery dude is perfect for the context :D

    • @ly-yx1rk
      @ly-yx1rk 4 years ago

      Artillery guy is FPSrussia
      Now host of the PKA podcast

  • @Fatvod
    @Fatvod 3 years ago

    Deviant's words about scope and not really red teaming makes me immediately think of that talk from Jayson Street from Stratagem. Talking about making bombs with cleaning supplies or poisoning the entire building because he had access to a work fridge. The dude is the absolute definition of overblowing scope and renting the 40mm cannon for the bulletproof vest test. I'm glad Deviant really gets it, that other dude just makes me cringe.

  • @woswasdenni1914
    @woswasdenni1914 5 years ago +11

    3:30 drove me crazy, wtf is my pc connecting oh wait

  • @ConstantlyDamaged
    @ConstantlyDamaged 3 years ago +1

    Ah heck, that FPSRussia vid is a freakin' classic.

  • @0150r
    @0150r 6 years ago +30

    "no one notices" talking about locking out an elevator for hours...followed by "had people calling me all day about this" :-\ Good presentation, just thought this was funny.

    • @Nudgarrobot
      @Nudgarrobot 5 years ago +24

      No one notices meaning that nobody suspects a security issue, but instead casually assume a benign mechanical issue, which is beneficial to the breach plan.

  • @elcidbob
    @elcidbob 5 years ago +2

    I kind of always hate seeing these because every person they get over on likely got fired and in the case of things like security personnel are only near minimum wage employees.
    I get that it's a performance failure, but often things like that are best addressed through coaching and raising pay, but those take time, resources, and effort. So much easier just to fire and bring someone else in or fire the company and bring another in.

  • @Veptis
    @Veptis 1 year ago

    Deev seems like the guy that will actually fix your elevator while breaking in.

  • @zachsoanes6417
    @zachsoanes6417 1 year ago

    whoever added that usb disconnect reconnect sounds - i love and hate you XD

  • @Cptn.Viridian
    @Cptn.Viridian 2 years ago +1

    That moment you realize the red-team defends in Tf2

  • @AlexA-sz9yj
    @AlexA-sz9yj 5 years ago +2

    Your presentations and stories are great! Very interesting.

  • @esper6119
    @esper6119 4 years ago

    I was gonna say, hiding from a guard seems like the worst thing to do, like
    even if he isn't super helpful in telling his buddies that you're good to be there, or pointing you to important things/getting you places, even if he's suspicious of you, at worst he's gonna escort you out and cost you some time
    maybe he calls a supervisor and you have to improvise
    if you mess that up, you get booted out for a while
    if you do well, you have Joe the Supervisor, who okay'd you being in the server room
    just being friendly solves a stupid amount of problems

  • @daxter8792
    @daxter8792 3 years ago

    I like the image he used for the security truck is my old company that died due to a lawsuit for abusing a loophole to take away guard's lunch.

  • @Dracolith1
    @Dracolith1 5 years ago +3

    I sure hope the security guards didn't get scolded for that --- guards are mainly around as a deterrent and keep the common criminals at bay before a small incident turns into a large one; not to deal with technically adept PROFESSIONALS with badge cloners who know how to tamper through a keyswitch and a thorough knowledge of common lock bypasses.
    Would the team have been so careless about the door contacts and so quick to try and trick the guard if y'all didn't have a "Get out of Jail Free card"?

  • @roselpadilla
    @roselpadilla 3 years ago +1

    "Yup that's the guy he has a matching colored hat" 😂

  • @johnsmith-sp6yl
    @johnsmith-sp6yl 4 years ago

    39:29 local school district uses these to secure their laptop carts. each about 700 dollars at retail, easy to access with one of those 3 keys, a few crash bars, and one door per ~35 laptops you can get through with shim, under door, pick, jiggler, or pry bar if you're feeling spicy. there are something like 2-3,000 laptops in the local district. be a shame if...

  • @j0hmama
    @j0hmama 4 years ago

    ch751: electrical panels, ATVs, scissor lifts, boom lifts, cabinets, sheds, elevator disable.

  • @MenloMarseilles
    @MenloMarseilles 5 days ago

    years later I still think about "cannon-based assailants are not in our risk model"

  • @nicolali4792
    @nicolali4792 4 years ago

    He is so right! Learn to at least ID an improperly installed deadbolt I see them everywhere corporate ugh

  • @ObtainEmployment
    @ObtainEmployment 2 years ago +1

    I find it funny that you showed a Las Vegas police car in your presentation about 1284x, because they don’t use keyed alike cars.
    Source: owned one and know several others who did as well.

  • @KellyAlwood
    @KellyAlwood 6 years ago +6

    another great presentation bro...nice.

    • @DeviantOllam
      @DeviantOllam  6 years ago

      Kelly Alwood thanks, man! this was a really fun one to write

  • @shaunh1820
    @shaunh1820 5 years ago +4

    If I was mr ted talk I would get Mr Ollam on... every "episode"

  • @RoughriderUT
    @RoughriderUT 3 years ago

    Love your videos, and as a copier tech, but ex mil and aware of security, it amazes me how often just saying I'm so and so from copier world lets me in probably 90% of the time without even a credential check. Yes, I am supposed to be there but if I weren't no one would be the wiser.

  • @rootstorm6663
    @rootstorm6663 5 years ago +1

    great talk.

  • @raymondsabee
    @raymondsabee 4 years ago

    Awesome video and great way of presentation! My compliments.

  • @lashlarue7924
    @lashlarue7924 4 years ago

    Masterfully well-done! Thank you for sharing.

  • @connorhorman
    @connorhorman 4 years ago

    My opinion of the CH751 is that it's to prevent the thing from being opened by people who do not intend to open the thing

  • @scottrainville8303
    @scottrainville8303 4 years ago +10

    "Yes, thank you, cannon-based assailants are not in our risk model" lol

  • @infosecgeek8675
    @infosecgeek8675 6 years ago

    Aaaaaannnd... I now have an EK333 key on the way ;)
    Fantastic presentation as always!