Breaking into Banks Like a Boss

I'm sorry reintroduce my name is Brice self I'm birth rendition InfoSec again we wear these awesome t-shirts we have a booth over here we're one of the sponsors here this year as we usually are here besides we love besides thank you so much for having me in particular so today my talk is breaking into banks like a boss so if you're not if you didn't read kind of the summary of my talk I'm gonna be talking about physical pin testing on your body a physical pin tester in here we're done a little bit awesome so if you haven't it's really fun and we're going to kind of talk about it if you've seen any physical pin

test talks before they really talk about really cool guys stuff so they talk about kind of like Mission Impossible stuff I have put on this mask and then I went in and and I kind of LOC picked these doors and I have cracked their safe and all this really cool stuff and that's all well and good but if you heard me they just kind of breeze over oh I got in so this talk is going to be kind of leading up to that point the point where you look at the physical building in person or you're looking at it on Google and then you notice kind of things about it and you start putting it

putting that plan together of how you're going to attack and get into that building okay so again my name is Bryce self if you want to talk to me on Twitter I don't have anything except for my co-workers who are awesome but if you want to talk to me on Twitter you can find me at be selfless and so yeah so I'm a forensic team lead here on the team I also do the physical pin test as well as I said earlier if you're in here I do the wireless pin testing I was in the Navy where I did some pretty cool guy stuff worked with a three-letter agency where they kind of taught me some

of this stuff that relates to the physical pin testing which i think is why I've been successful at it I'm batting a thousand right now so come at me I'm just good and and I'm actually getting married a week from today so thank you thank you noelite get out while you still can none of that alright so what we're going to talk about we're going to talk about physical security penetration testing what it is kind of why it's important to me especially so I have a job for you guys so you can learn about your own company and environment or where you can just kind of play around with it legally mind you that's a big big step so some

of this you can do legally it's kind of passive we'll talk about that and whenever you start getting the active stuff it does get illegal so make sure you you don't do that unless you're under contract or something so we're going to talk about some common misconceptions again where we were talking about kind of you know just different things where people really don't talk about leading up in that planning we're going to talk about understanding the art of physical pin testing that that planning phase and then how to stop all this from happening how to prevent someone from like me getting into your building oh alright so Rob Joyce said it best well-run networks make our job hard it really

does which is great right that's why we're all here we have a passion for this field we want to make sure everyone's better and together increase the security of our networks and make sure those vulnerabilities or patch two don't exist and just help each other out and make sure we make this a safe world a safe cyber world right so so how do you do physical assessment

sweet alright so physical pin testing what is it so Webster's dictionary is the primary objective for a physical penetration test is to measure the strength of existing physical security controls and uncover their weaknesses before bad actors are able to discover and exploit them simply put break into a building is what you're doing legally right you're doing a breaking and entering essentially and there's a there's an objective inside that building or maybe the objective is just to get in that building but usually it's go after the gold right go after our servers maybe access our CEOs office as something like that I have an objective and I need to physically get through that door bypass security guards

whatever it is and then get to that goal so why is it important so I think there's an old wives tale I've heard where there was a CTF capture the flag anybody want that CTF is I think there's a couple going around here get involved they're really fun maybe don't do what I'm about to say but just just check it out I haven't checked it out yet so all old wives tale is there's a CTF going on you have team a and Team B and the the the guy says hey there's a server right here all you got to do is own it all you got to do is make sure you have complete control of the server cool team a they

start hacking away we got any uh pen testers hackers couple so you guys backing away port scanning seeing what's vulnerable right you guys are plugging away man I can't get I can't get it team be that kind of just sit there and they go we just have to completely take control of that server right okay and they go over and they walk up and they unplug the server and they got it right there were no physical security around that server I have that data team a certainly doesn't anymore right so that's what I'm talking about that's why it's so important is because you have to make sure there are physical security controls protecting that data because

it's just as easy for me to grab it and probably a lot easier for me to grab it especially what I've dealt with and when I'm going to talk about actually trying to hack in a port no it's it's just one of the most overlooked overlooked areas in our in our field is physical security I can't tell you how many times we've been on site and we kind of go through some things and we say hey have you thought about doing a physical security pin test and they're like no and I'm like well I looked at your doors and your hinge is kind of weak and I could easily just kind of kick through that and you don't

have an alarm system and they're like man I didn't think about that

okay so common misconception so again I go to these talks and and I I I'm sorry if you've had a physical pin test talk and you have talked about this I just haven't seen it yet but they do they talk about a lot of cool guy stuff lock picking picking safes maybe breaking down doors what-have-you all certainly important all tool definitely to know when you're when you're physically penetration testing however there's a lot of steps that lead up to actually getting access to those doors and which door are you actually going to go to there's a plan there's a method there's a reason why they're actually doing these things so we will talk about reconnaissance surveillance and then the

the canaries its kind of testing and probing so another common misconception you were lucky get inside knowledge there's no way you could have got in you were just lucky someone was just working yeah they were just lazy maybe they're sleeping no there was a reason why I went in the way I did and there was a reason why I talked to the person the way I did and how I dressed and all these other things that it was very skilled is very strategic it was a vulnerability a little one that I exploited so I broke into banks like a boss I really did break into banks physically into banks I got access to a computer with a sticky

note with the password where I could just say I want this millions of billions of dollars into my account and you're thinking Bryce why don't you do that well I don't like jail it's not fun if you've ever seen it or a documentary it's not cool I promise maybe I'm like another country I don't know maybe it's cool I don't know I don't want to be there all right another one hey man there's no way you're getting into my building I got 24 by 7 security guards they Rove around right I got alarm systems and laser beams I got pressure pads and your fat so I know you're gonna put you know trigger those right say okay well somebody controls

that there's an off switch for all these things I'm gonna try to be that person's best friend because maybe I'm gonna a july enough like Catherine zeta-jones right to go with uh know a couple people come with me but older people got it so maybe I do do that no I don't that's not me that's Tom Cruise I don't know if you ever heard of them he does movies not me okay so I kind of booked this into my own steps right so first step is observation so this is your very passive mode you're gonna do your google research first you're gonna have an address obviously of the physical building that you want to attack and you

kind of look at it in Google view okay what's around there any any good visual points like a Dunkin Donuts I can just kind of have a coffee I'm just gonna kind of relax it back kind of look at who's going in what they're wearing do they have a badge can I see it can I get up close to it right is it all women is it all men what's the race are there cleaners is there deliveries are there going in the back are they going in the front what's normal right and I'm gonna look at all these things to build that plan and see how I'm going to attack okay and then

so it took them five minutes

small dude right I kind of have to play on that you know women have a certain way of kind of persuading men to let them do whatever they want right I mean it's been done I've seen it happen you know honey pots right so you kind of have to play on that whenever you're whatever you're thinking of your character who am I going to be you're literally taking on a person you're doing that method acting of taking on a role and be that person talking and talk walking or walk so what I did right during OSR we've done it two ways we the found on the internet we found there

you

[Music]

and half 87 microphones up here in a second I look like Robocop last year my little clicker thing didn't work so every year I come here they they they screw with my stuff okay so back to tool so not all tools are technical okay so let's talk about cover story you have to make yourself and and everyone Eve that you're supposed to be there and yourself believe that you're supposed to be there so there's called a cover for action and a cover for status you may be heard these things before I got one a couple so so everyone does this surveillance teams you get into the government agencies law enforcement they they understand these things because whenever

you're kind of sitting out and about and maybe you look kind of weird you have to have a reason for being where you're at why do you go into Dunkin Donuts right to get a doughnut and coffee right so I'm not gonna walk into condone 'its to look at that building and not get any doughnuts or coffee that's just gonna look so what's the reason for me being in that building I'm an AT&T employee I got to fix some stuff right okay well that's my cover for status that's the status that's why I'm there okay well at this price you again Melissa USB into that computer you're only supposed to be this why are you

under there right that's a gym well my cover for action is I'm tying my shoe or maybe from really deeper than that I just throw something under there real quick and it stays there until someone catches me and I go what are you doing man I drop my pin right that's your cover for action it's a little cover for every single thing that you're doing right be good liar like the best lie or act the truth a little bit of lie and what I mean is it's I don't point to a building as another person I embrace self I'm from I fully tap right I sound like a hillbilly whatever but but they're gonna say

whenever you check-in hey can I see your ID and you're in Auto right doing this Oh North Carolina yep just moved here right it's just a little bit why why it's just moved here good one because if they ask you o have you been to Baba nope just moved here don't they're right you got to think about these things because you will get challenged stuck with change and you have to have it pretty foolproof but generic enough okay so how to stop me as we have to police ourselves if someone coming in behind you slam that door behind them right from their face right rude and it's Jan from a you know IT and yeah sorry Janice

you know I don't wanna get in trouble but self it means I yeah you could be whoever it may be go to mask up oh you know your Tom Cruise soon enough so you have to police yourself you have to you have to challenge everyone make sure everyone has a badge if you look if you see something suspicious you just the biggest thing is your policies and your procedures go to your go to your company today and say hey this guy talking the other day what do we do if if someone just comes in after hours and who do they talk to and what if it's in a murder they say it's emergency what do

we do who they contact so a good one is have a rotation of a 24 by 7 contact someone that actually knows what's going on and then your front desk people could just have a list of those cell phone numbers Oh tom is Tuesday okay let me call his cell phone number so no matter what number I give that person it's just not going to work right and I'm gonna call Tom instead that suspect hide them you want to conceal them um I'm out there he's out there we're taking pictures we made a fake badge that looked like that company's badge because I try to walk through me and that guy over there we walk through and the woman goes whoa

whoa where you guys going I said I'm sorry here you go she goes employees you're good to go right questions that a lot okay so have we ever gotten caught and had to deal with law enforcement I have never gotten caught we do in the event whenever you're preparing this with your client you will have what's called a get out of jail letter get out of jail free letter right and what this is is it's signed by your client that says if Brecht's off and whoever from rendition if they're showing you this they are supposed to be here legitimately contact me if you have any questions don't hurt them don't touch them right and and that will cover a lot I

will say thank you for the question it reminds me you can have a fake get a jail letter right so you can get caught it but continue on you say those physical pin test you're great I'm gonna make sure when I talk to Joe the CEO I'm gonna make sure that you get a bonus protection but right now I have to finish my job or else we're not gonna get the money's worth at the company you can understand that right yeah absolutely okay why don't you go up to the server room no prob right just like that sir

that's it gets sticky

absolutely you sir

yes sir mm-hmm yeah absolutely okay so the question was we were supposed to have badges so we can challenge each other Bryce you said to hide your badge how do you go about that well keep your badge on obviously within the spaces but anything publicly accessible I've been to places where the lobby is connected to a public where it is that's when you start tucking it in your pocket and anytime you can leave the building because I'm gonna be hanging in the reconnaissance phase and there's I'm gonna be kind of hanging outside the building and kind of looking and and see enough okay that's their badges and and you can kind of tell because you can see

maybe a lanyard with the company name because maybe there's several companies in that building it's a big building but then I can start saying oh the red badges are these guys those are the ones I I just walk up to okay how you doing sorry and then yep right right yes ma'am

yeah

absolutely so the question is hey with all these really cool lasers and biometrics and everything how do you get past that it's it's pretty much what I'm just going to make sure Joe who has access to everything and his biometrics are in the or in the the database right that they just I go with Joe and Joe just lets me in I convinced Joe that I'm supposed to be here and obviously my stuff's not get me in the system but I got to do what I got to do so Joe you go ahead and let me in well I I think that would be updated in their database right cuz he would be an employee with a

company so right right exactly I'm just gonna be with Joe I'm gonna be a visitor Joe's gonna let me go we're all one so yeah I think done a couple more questions I'll take I'll take them real quick respect ma'am in the front it depends if it's one building I would say like a lot of Google beforehand right but I would say two days so I would say max for me and like a team of two and we can kind of spread out parking decks different vantage points whatever clear buildings you get on a parking deck you can see right through sir the questions yes sir

sorry one more time I'm sorry what's the pitch that right there where where I mean essentially hey hey have you thought about this we can go on site and a lot of a lot of it gets caveated into other things where maybe we're doing thank you we're doing the other pin pin testing and then it's just a on site visit where I say hey your doors look weak or hey I could definitely do this and it piques their interest where they say oh yeah let's let's go ahead and test that out let's see what you can do and that's really where where it really shocks them because they think they've got their network kind of set up and and it

doesn't matter you know cuz I don't I don't need to get past your network I just need to get physical access to your your server so yes sir anybody else thank you yes ma'am

yes ma'am so so that one in particular there was a man trap right so you have to scan it and it kind of lets you in and whatnot we just kind of scooted by it right with that particular one just because you kind of sell yourself right you start getting in commerce say hey you even watching the the game who's winning the game I had to leave I have to do this I'm so can you tell me the score oh yeah yeah and you just kind of screwed it off right through I actually had like a denial sound that went off and she still letting me on like it was like and nope and I was like you know

she does I have a good one thank you I mean these guys like you sell yourself these guys would really rotate the security guards and you just say Joe so I think there was one more times up one more sir don't be motivated attention to detail have some technical knowledge and and just on it's just be just and stop a booth if you are looking for a job I'll give you my car we can talk more about this and and yeah say thank you so much for everyone comment I wrote [Applause]