Lockpick Grinding
Written by Jeromie Jackson
Thursday, 28 January 2010 19:05

[Image: Lockpick grinding]
I am obsessive compulsive when it comes to hobbies. I find an interest, get completely immersed in it, and then generally move on. Luckily this was not the case for my interests in information security! A great example is bass fishing. I went from enjoying simply pulling crankbaits through the water to melting my own plastic and creating my own creature molds to make plastic worms out of. Not too off-base, I did the same with lockpicking. I went out and bought a bench grinder, hacksaw blades, and utilized my existing belt sander to create my own lockpicks.


I have thus far made picks out of hacksaw blades, butter knives, and sawzall blades. The hacksaw blades work very well and were cheap to make. The butter knives I bought, cheap ones, did not seem to have adequate tensile strength, which resulted in the picks breaking off in the lock. The sawzall blades were fat and required grinding to thin the width of the shank out, but I liked the result a lot! I later made an electric lockpick out of a woman's razor.


Since then I've purchased a set of commercial lockpicks, a lockpick gun, a Dyno-Quick pick rake, and many books. I have noted that the type of metal makes a big difference in the feel of the pick. Much like the sensitivity difference between Fluorocarbon & Monofilament fishing lines, the qualities of the metal in the pick changes the feel. For raking I definitely prefer a softer metal- the Dyno & the sawzall blanks are my favorites for rakes. For single picking I prefer the commercial or hacksaw sets. I also noted in torque wrenches you obtain different sensitivity. I ground down an Allen wrench and love the high sensitivity of the device!


You can check out videos of how I made the picks here.


Follow me on Twitter and stay up to date with my latest shenanigans. I've acquired an RFID read/write device and plan on spending some quality time with it. I equally have been studying a good payload to drop off during Red Team assessments. I'm currently working with either Netcat or Metasploit with various types of packing/compiling/encryption techniques to evade antivirus software.

Sushi & Sake- An OWASP Hacker Dojo
Written by Jeromie Jackson
Wednesday, 20 January 2010 17:31
[Image: OWASP Meeting]
Last Updated on Thursday, 28 January 2010 19:09
Securing Data Centers by Breaking Into Them
Written by Jeromie Jackson
Monday, 28 December 2009 18:17

The locks on the building were of good quality. They were 6-pin Schlage tumbler locks that incorporated 1 or more security pins. Here's what the internals of a lock look like:

[Image: lock internals]

Theoretically any lock of this type is pickable. Raking was the first technique we used, unsuccessfully. We then began trying to single pick the pins. Over 30 minutes went by between the two methods used. While impatiently waiting I looked around, hunting for other avenues into our goal.

[Image: lockpicking]

While standing there, I noted the screws in the window were on our side of the door! After unscrewing a screw we found the shank appeared to be long enough to go through the door. Removing the other 9 screws, and a weather seal, out came the window, and we were on the 3rd floor. From our reconnaissance earlier in the day we knew there were motion sensors running the length of the hallway. Crawling over to the closest door, in order to evade the sensor, my partner began picking the interior door on the office. After 20 minutes without progress, we decided for him to make the LONG crawl down the hallway to where we had identified a poorly installed door that exposed the plunger. Popping the plunger with a “Lucky-7” house number from Home Depot, the door was opened. He came around to the other door closer to me, opened the door, and I crawled my way over to the now opened interior door.

With no interior motion sensors we had free rein in the office. We obtained several documents containing Social Security numbers and other confidential data. Taking several tables that were available, we stacked them and I jumped over the drop ceiling into the datacenter- mission completed! We took some video, gathered evidence, and left a note for our point of contact on a monitor in the datacenter. Everything was put back the way it was originally, the window in the hallway door was re-installed, and we made our exit through the stairwell onto the main street- a clean getaway!

Our contact arrived at 7:30 the following morning, just as every other day. He went to his desk, found nothing out of the ordinary, and worked through the morning. Around noon he had to enter the datacenter for a task that needed physical access to one of the servers. He looked over to the monitor and found our note: “Dear <Point of Contact>, Please call us to discuss your physical security. Jeromie & Eric.”

I will be following up with several articles about circumventing several physical security devices such as HID Proximity cards, some good info and sources for lock picking, creating lockpicking tools, and definitely more on my infosec penetration testing as well. Be sure to follow me on Twitter!

Should you need any security assessment, regulatory compliance, web-application testing, social engineering, or red-team engagement, I would certainly appreciate the opportunity to earn your business!

Last Updated on Monday, 28 December 2009 18:20
20,000 Social Security Numbers Compromised in Physical Security Breach
Written by Jeromie Jackson
Tuesday, 15 December 2009 21:14

[Image: Physical security]


An organization in California recently found a note in their data center one morning. It said “Dear Administrator, Please Call XXX-XXX-XXXX in order to discuss last night's physical security breach.” "This has to be a joke," the administrator thought. The organization has security guards, cameras, motion sensors, and interior locks on everything including the bathrooms. No alarms were tripped, no sensors showed any error or warning conditions.

The organization had hired us to conduct an Internal & External Vulnerability Assessment & Penetration Test, along with a Physical Security Penetration Test. The goal was to see if we could physically penetrate the organization and reach the data center in the middle of the night. This is a brief synopsis of our methodologies, the attack, and take-aways. This will be a multi-part Blog. Make sure to follow me on Twitter at www.twitter.com/Security_Sifu.


Remote Reconnaissance

Our initial site discovery was conducted online. By reviewing information available on the Internet we were able to identify employees, vendors, high-level building information, and areas of interest and concern. Senior titles and emails were acquired. These could be used for a variety of email- and phone-based social engineering ruses. Maltego is an awesome graphical way to analyze information on the Internet, and relationships between content. It was used to graphically, and quickly, assess relationships the organization holds with business partners, associations, and manufacturers. Below are a couple of screenshots from Maltego.

[Images: Maltego screenshots]

Google Maps showed the businesses in the immediate area. Identifying how big the street was, the types of adjoining and nearby businesses, and the type of neighborhood helped determine foot traffic levels at night, the amount of car traffic, etc. A review of the physical location via Google Site Maps Street View showed the rear of the building would have less visibility than the street-facing stairwell. There is an apartment complex behind the building- this may heighten the amount of potential people monitoring/seeing the building throughout the night.


Reconnaissance Day

Our customer occupies the entire 3rd and 4th floors in a 4-story multi-tenant building. We took a variety of pictures and videos during this day, identifying and documenting the countermeasures and areas of weakness. One of my favorite new toys is a video camera, microphone and 3 megapixel camera that is housed in a pen. Not only does it produce a good picture and video, it was VERY cheap! I also walked several areas using my Blackberry, acting as though I was texting while walking, when in reality I was video taping the environment. Primary take-aways were large gaps in the front doors, the lack of motion detectors on the 1st floor, access to the plunger on a poorly installed interior door, and identification of the datacenter. Monitoring the location, we noted the guards leave at 10 PM. The cleaning crew appeared to set all of the alarms on their way out.

My next blog will be about the hit the following night; I'm just about done writing it. Make sure to follow me on Twitter at www.twitter.com/Security_Sifu.


Last Updated on Monday, 28 December 2009 18:21
Metasploit & Rapid7- Nexpose Beta Test Results
Written by Jeromie Jackson
Thursday, 22 October 2009 01:35

[Image: Rapid7 and Metasploit]

Download the Vmware Virtual Appliance

I have been conducting security assessments since 1995. When I started my consultancy, Garrison Technologies, in 1994, commercial firewalls did not exist. That being said, the ride has been interesting. I had seen the ISS scanner well before it was commercial- it was often shared amongst the hack and phreak crowds in the late 80's. I utilize a combination of open source and commercial tools when conducting my assessments. For the last year Rapid7's Nexpose has been one of the more prominent tools in my bag.

I was approached back around August 13th to beta test and give any feedback I may have. I installed the application on a Vmware virtual appliance running Ubuntu 8.10. Installation basically consisted of installing Rapid7, and then installing Metasploit with the web interface. It was straightforward- no stumbling blocks yet.

Upon launching the scanner and logging into the console, nothing appeared noticeably different. The integration was revealed when reviewing scan results. The number of exploits available was shown along with the number of vulnerabilities in the environment. Equally, when diving into results there was an additional Exploitation box where exploits were indeed available within Metasploit. Clicking through the URLs launched the Metasploit web interface, pre-loaded with results from the scan. While it was clear the UI was not written by the same group, the functionality worked great!

Download the Vmware Virtual Appliance if you:

  • Are using Nessus to scan your environment
  • Have a SAAS solution that is using Nessus as a back-end scanning engine
  • Are looking to validate the results of your vulnerability scans
  • Are looking for a comprehensive vulnerability & penetration testing toolset

To those of you who are running Nessus, or leveraging vendors who use Nessus as the underlying scanning engine, I urge you to at minimum try a virtual appliance. I personally see huge reductions in false positives, and identification of vulnerabilities that Nessus does not find. Equally, if you need to validate the results of your scans, to ensure the results are accurate and compromise is indeed possible, this is a great merger.

Last Updated on Thursday, 22 October 2009 01:39