phys.tj2 | Text File | 1992-09-26
The LOD/H Technical Journal: File #5 of 10 (ISSUE #2)
Lex Luthor and The Legion Of Doom/Hackers Present:
Identifying, Attacking, Defeating, and Bypassing
Physical Security and Intrusion Detection Systems
PART II: THE EXTERIOR
INTRODUCTION:
-------------
The 'exterior' refers to the area directly outside of a building and the parts of the building which face it. These obviously are: doors, air conditioning ducts, windows, walls, roofs, garages, etc. I don't believe the word 'exterior' is the exact definition of what this article will encompass, unlike the 'perimeter', but it's the best I could come up with. This article is primarily informative, although methods of "attacking, defeating, and bypassing" will be explained. Its purpose is not specifically to encourage you to breach a facility's security, although I acknowledge that it could be used as such. Some of the devices mentioned in the physical security series are used in homes as well as corporate, industrial, and military installations, but my aim is specifically the commercial side of buildings, not homes and apartments. Entering a facility to obtain information such as passwords or manuals is one thing; breaking into someone's home to steal their personal belongings is another.
THE EXTERIOR:
-------------
A facility's second line of defense against intrusion is its exterior. The exterior may have any or all of the following:
* Window breakage detectors
* Keypad systems
* Card access control systems
* Magnetic locks and contacts
* Security lighting and CCTV
CCTV, which is also used on the exterior, was covered in Part I: The Perimeter. Card access control devices will be covered in Part III: The Interior.
WINDOWS:
--------
Windows are a large security hole for buildings. You may notice that many phone company buildings and data processing centers have few if any windows. There are two things that can be done to secure windows aside from making sure they are locked. One is to make them very difficult to break, and the other is to detect a break when and if it occurs. Here is a quick breakdown of the common types of glass and glazing in use today:
Plate glass: Can be cut with a glass cutter.
Tempered: Normally can't be cut. Breaks up into little pieces when broken.
Safety: You need a hatchet to break this stuff.
Wire: This has wire criss-crossed inside the glass, making it very hard to break, and even harder to actually get through the opening it is in.
Plexy (Plexiglas, an acrylic): Very hard to break, doesn't really shatter, but can be melted with a torch.
Lexan (a polycarbonate): This is used in bulletproof glazing. One of the strongest and most secure types.
Herculite: Similar to Lexan.
Foil tape:
----------
This is by far the most common, and probably the most improperly installed, form of glass breakage detection, which also makes it the most insecure. It is usually a silver foil tape about 5/16" wide which should be placed around the whole perimeter of a glass window or door. In the case of Plexiglas or a similar material, the tape should be placed in rows separated by 6-12 inches.

The older foil was covered with a coating of urethane or epoxy which enabled it to stick to the glass. The newer foil has an adhesive back, making installation much easier. There should be two connectors, one at the upper part of the window and one at the lower part, which connect the foil to the processor, thus completing the circuit. Foil may or may not be on a supervised loop. If it is supervised, and you use a key to scratch the foil (while the system is turned off) making a complete break in it, an alarm will sound when the system is turned on.

Foil is commonly used as a visual deterrent. Many times, it will not even be connected. The easiest way to determine whether the facility is trying to 'B.S.' you into thinking they have a security system is to look for breaks in the foil. If there is a clean break, the 6-12 V DC loop that the foil is supposed to complete is already open, so the panel cannot tell the difference between intact and broken foil. Thus, breaking the glass will do nothing other than make some noise, unless you take steps against that happening.

As was stated, foil is the most improperly installed type of glass breakage detection. When it is installed improperly, it will not cover all the area it should. An easy way to defeat this is shown in the following diagram:
+-------------+
! ........... !
! . . ! . = foil tape
! . put . ! - = top/bottom of door
! . contact . ! ! = sides of door
! . paper . ! / = dividing line between 2 pieces of contact paper
! . in . ! $ = ideal places for initial breakage
! . this +-! ' = clear area or outline of second piece of contact paper
! . area ! ! <-- door handle
! . +-!
! . . !
! ........... !
!/////////////!
!'''''''''''''!
!' '!
!$'''''''''''$!
+-------------+
As you can see, the installer neglected to place the foil all the way down to the bottom of the glass door. There is enough room for a person to climb through. They may have thought that if someone broke the glass, it would all break, which is normally correct. But if you obtain some strong contact paper, preferably clear, adhere it to the glass as shown, and break the bottom part at the '$' marks, it will break up to the '/' line and that's it, leaving the foil intact. This works best on tempered glass, and will not work on Lexan or Plexiglas. There is a transparent window film with a break strength of up to 100 pounds per square inch which can be obtained from Madico, Inc. It is called Protekt LCL-400 XSR, and it makes glass harder to break and stays essentially in place even when broken. This can be used in place of the contact paper. Obviously, it is also sold to protect glass from breakage.
Audio discriminators:
---------------------
What these do is compare the frequencies of sounds picked up near the glass against the characteristic frequencies that glass makes when it breaks. This signature is relatively unique, so the detector can accurately determine when and if glass actually breaks. Your best shot at defeating this is to do the same thing as mentioned above: cover the glass with a film which will keep the glass in place after breaking it. If you break it properly, the sound will not match that of glass breaking when it is not held in place.
Glass shock sensors:
--------------------
These devices detect shock disturbances using a gold-plated ring that "bounces" off a pair of normally closed gold-plated electrical contacts. This sends a signal to a Signal Processor (SP) which determines whether an alarm condition exists. There are two settings the SP can be set to:

SHOCK-BREAK: This mode requires an initial high energy shock, followed by a very low energy shatter. The shatter must occur within about 1 second of the shock before an alarm can occur.

SHOCK-ONLY: An alarm will occur as soon as the first shock is detected, whether or not it is followed by a shatter.

Obviously the more secure setting for a facility is shock-only, though both are equally dangerous for an intruder. The methods mentioned earlier for preventing the glass from shattering will not work when this device is used in shock-only mode. They may work, depending on the type of glass, when it is in shock-break mode.

These devices are usually found protecting large plate glass and multi-pane windows. They are roughly 2 inches by 1 inch and can be mounted on the frame of a window, between two windows, or on the glass itself. One sensor can cover up to 150 square feet of glass.

These are the best of the lot for window breakage detection. Most devices have a constantly supervised loop, and if you cut a wire, that loop will break and cause an alarm condition. They are typically placed on the window frame rather than on the glass, which makes them harder to detect visually, from the outside that is. With close inspection, you may be able to determine whether they are in place. Obviously they can easily be seen from the inside.

The sensor is normally placed no more than a couple of inches from the glass. If it is too far away, or if you can move one more than 4 inches from the glass, its detection capability is somewhat diminished. It is probably screwed in and has an adhesive backing, so moving it may not be easily accomplished. False alarms are not common unless the windows rattle. There are sensors available which are less sensitive and will not "overreact" to slight vibration; these are called "damped" sensors.
MAGNETIC CONTACT SWITCHES:
--------------------------
The word "contact" is somewhat misleading as to how these devices are commonly used. In most cases, the magnet and the switch are not in physical contact with each other; rather, they are in close proximity to each other, although there are some models which are indeed in contact. There are various types and levels of security that these devices possess.

They can be surface mounted (floor or wall mounted) or concealed (recessed). The most common are surface mounted, placed on top of the door. When inspecting for these devices, examine the whole perimeter of the door, from top to bottom. Most doors have a +/- 1/4" gap all the way around, in which you should also check for concealed contacts. These are round cylinders recessed into the door or frame, which obviously makes them less visible. The other contacts range from miniature, with dimensions as small as 1 x 1/4 x 1/4", to the larger ones at 5 x 2 x 1". They are usually off-white, grey or brown and are mounted with nails, screws or double-sided tape, or are epoxied onto the door or wall surfaces. The switches are hermetically sealed, as are the glass breakage detectors mentioned earlier; they can operate in moist or dusty areas, are corrosion resistant and are rated for indoor/outdoor use. They can also be used on windows, fence gates, truck trailers, boats, heavy equipment, safes, and vaults.
The different types of devices in order of least to most secure are:
1) Standard Magnetic Contacts: These consist of one reed switch and one magnet. They may be defeated with a second magnet placed in the vicinity of the switch while the door or window is opened, and again while it is closed. This way, the switch never detects the absence of the magnet, thus no alarm occurs.
2) Biased Magnetic Contacts: These consist of one reed switch with a "biasing" magnet that changes the state of the reed switch. The actuator magnet is then placed at the correct distance to offset the bias magnet, creating a "balanced" condition. The switch can be defeated with a single magnet. The trick is:
   A) You must have the correct size magnet, which can be accomplished by obtaining the same type or model as the one in place.
   B) You must determine the correct polarity, which may be accomplished with either a compass, or, if the alarm is not activated (possibly during normal business hours), by opening the door, placing your magnet near the device's magnet and determining the polarity. If you do not have much time, then it's a 50-50 shot.
   C) The last criterion is to keep the magnet at the same, or close to the same, distance from the switch as the original magnet was. In some cases the device will be placed in such a manner that correct placement of the second magnet is difficult if not impossible.
3) Balanced Magnetic Contacts: These consist of one biased reed switch and one unbiased reed switch. The second reed is of the correct sensitivity and position so as not to operate with the actuator magnet, but it will operate with the addition of a second magnet. They can be defeated by a single magnet that is moved into place as the door is opened, which requires coordinated movement of the door and magnet.
4) Preadjusted Balanced Magnetic Contacts: These consist of three biased reed switches and may have an optional fourth tamper reed. Two reeds are polarized in one direction and the third is polarized in the opposite direction. The magnet housing contains three magnets with polarities that correspond to the switches. It is preadjusted to have a fixed space between the magnet and the switch. This is the most secure type of magnetic contact switch. The three-reed type could be defeated by using one of its own magnets, but not by a bar magnet. The type with four reeds cannot be defeated with either of those two, because the fourth reed will activate when a magnet is brought within actuating distance. If you are able to determine which is the tamper reed, you can try to keep the three magnets in line with the corresponding reeds while having the correct polarity and, in the process, not activating the tamper reed. If you accomplish all of that, you may be able to defeat it. This will most likely require two people and a bit of luck.
   The most secure devices are made of die cast aluminum instead of plastic, are explosion proof (for vaults and safes), have terminals mounted inside the housing, which protects against tampering and shorting, and have armored cabling.
A wider break distance will prevent false alarms due to loose fitting doors; thus, if the door is loose fitting, it may have a wide break distance. The wider the break distance, the easier it is to defeat, since the door can be opened further before an alarm condition occurs, giving you room to introduce another magnet in cramped places.

Some devices allow the installer to adjust the gap with a screwdriver instead of placing the switch a certain distance from the magnet. In some devices, any ferrous (iron) material in the vicinity of the switch can change the effective gap distance. As the gap is increased, the switch may bias and latch. When latched, the switch will remain closed even when the magnet is removed!! This means that when you open the door, the panel thinks the door is closed, and you are able to stealthily go through. You can test for a latched condition by removing the magnet (opening the door) and measuring across the switch with a Volt-Ohm Meter: if it reads INFINITY (open circuit), the switch is OK; if not, it may be latched. If you can adjust the gap to the point of it being latched without being noticed, you've got it made.
Wireless Switch Transmitters:
These are essentially the same as the other devices mentioned, except that they use an FM digital signal to report alarm conditions (a door or window open) and maintenance conditions (low battery, transmitter malfunction/removal, long term jamming, etc.). There should be continuous polling, and a maintenance alarm will occur if the signal is missing for a few minutes. The transmitters are usually powered by a couple of AAA 1 1/2 V pen cells, which can last a few years. Most devices send out a signal after a specific interval; a common interval is about every 30 seconds. You can verify that the device is indeed sending out a signal by placing a meter that can resolve 10 µA in series with the batteries and watching the discharge current. If a pulse occurs every 30 seconds, then it is transmitting every 30 seconds. A hint that this type of device is in use: since range generally decreases as a transmitter gets closer to the floor, the transmitter will be placed as high as possible. The transmitter probably has a range of about 200 feet, although some environments may reduce this range due to the construction materials of the building. The frequency should be in the 314 MHz range.

As was mentioned, these are the same as regular magnetic contact switches except that a transmitter takes the place of a wire for reporting alarm and maintenance conditions; thus, the switch itself can be defeated in the same manner as previously stated. Defeating a transmitter is much easier than defeating a wire. You can defeat the transmitter if you can sufficiently block or diminish the signal strength so that the receiver is unable to receive it. Radio waves tend to bounce and reflect off metallic surfaces, which includes foil and pipes. If you have located the transmitter, which should be attached to or near the actual contact, you can block or jam the signal as you open the door. Ideally this falls between two of the 30 second "I'm OK" signals it sends to the receiver, but it's not critical. As was stated, most receivers will not cause an alarm condition if they miss a signal once or twice, but after a few minutes they will. So, as you open the door, it tries to send the signal, you block or jam it, and you slip through without detection.
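The timing the paragraph above relies on can be made concrete with a small simulation. This is an added example, not code from the article or from any alarm vendor: it models a transmitter that sends a status frame every 30 seconds, a receiver that raises a maintenance alarm only after a configurable period of silence, and a jammer that swallows every frame sent during a window. The 30 second poll, the jam window, the door-open time and the supervisory windows are assumed values chosen for illustration. It also adds one defensive variation the article does not describe: a transmitter that latches an unreported door opening and repeats it in its next frame that gets through.

```python
"""Simulation of polled wireless contact supervision (added example).

Assumptions (not from the article): frames are sent every POLL_INTERVAL
seconds, a frame is lost if it is sent while the jammer is on, and the
receiver only learns of a door opening from a frame that gets through.
"""
from dataclasses import dataclass, field

POLL_INTERVAL = 30  # seconds between "I'm OK" frames, as stated in the text


@dataclass
class Frame:
    t: int            # time of transmission, seconds from start
    door_open: bool   # True if this frame reports the door open


@dataclass
class Receiver:
    supervisory_window: int   # seconds of silence tolerated before a maintenance alarm
    last_seen: int = 0
    alarms: list = field(default_factory=list)

    def feed(self, frame):
        """A frame got through: reset the silence timer; intrusion if it reports the door open."""
        self.last_seen = frame.t
        if frame.door_open:
            self.alarms.append(("INTRUSION", frame.t))

    def tick(self, now):
        """Called once per second; raises a maintenance alarm after too much silence."""
        if now - self.last_seen > self.supervisory_window:
            self.alarms.append(("MAINTENANCE", now))
            self.last_seen = now  # report the outage once, not every second


def simulate(jam_start, jam_end, supervisory_window, door_open_at=None,
             latch=False, duration=900):
    """Run transmitter, jammer and receiver for `duration` seconds.

    Frames sent with jam_start <= t < jam_end are lost. If door_open_at is set,
    the transmitter sends an immediate door-open frame at that time. With
    latch=True the transmitter remembers an unreported opening and flags it in
    the next frame sent after the jam (a hardening the article does not
    describe). Returns the receiver's alarm list as (kind, time) tuples.
    """
    rx = Receiver(supervisory_window)
    frames = [Frame(t, False) for t in range(0, duration + 1, POLL_INTERVAL)]
    if door_open_at is not None:
        frames.append(Frame(door_open_at, True))
    frames.sort(key=lambda f: f.t)

    pending_open = False  # transmitter-side memory of an unreported opening
    i = 0
    for now in range(duration + 1):
        while i < len(frames) and frames[i].t <= now:
            f = frames[i]
            i += 1
            jammed = jam_start <= f.t < jam_end
            if jammed:
                pending_open = pending_open or f.door_open
                continue
            if latch and pending_open:
                f.door_open = True
                pending_open = False
            rx.feed(f)
        rx.tick(now)
    return rx.alarms
```

With the article's loose supervision (a few minutes, here 180 s) a 60 second jam covering the door-open frame produces no alarm at all. Cutting the window to just over one poll interval (45 s) turns the jam itself into a maintenance alarm at t = 76, and the latching transmitter reports the opening in the t = 120 frame even when supervision stays loose. The lesson for the defender is that the supervisory timeout should be measured in polls, not minutes, and that door events should be latched rather than sent fire-and-forget.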
This information can also apply to security relating to the 'interior' of a facility, i.e. Part III of this series. Many of the techniques for defeating magnetic contact switches are geared toward being inside the facility: many facilities have switches on interior doors to monitor movement of personnel. But the same switches are used on the exterior, and some methods will work on exterior doors and possibly windows. Of course, you have to have a way of opening the door, and that follows.
DOORS AND LOCKS:
----------------
As you know, doors are the primary entrance point into a building. Since they
are the primary target for unauthorized entry, they have the most security
added. I am not going to mention anything about the art of picking locks.
Although mechanical locks and keys have been the most common type of security
used in the past as well as today, I am going to concentrate on the more
advanced security systems in use.
Pushbutton keypad locks:
------------------------
There are two types, mechanical and electronic. I will go into detail about each and give a few examples of these devices, taken directly from brochures which I have been sent. I am merely summing up what they said.
Electronic:
Securitron DK-10:
This unit has dimensions of 3 x 5 x 1". It has a stainless steel keypad which is weatherproof, mounts via hidden screws and has no moving parts. The keypad beeps as each button is pressed, and an LED lights when the lock is released. It is slightly different in appearance from most other electronic keypads:

+----+
! 1A !
! B2 !
!    !
! 3C !
! D4 !
!    !
! 5E !
! F6 !
!    !
! 7G !
! H8 !
!    !
! 9K !
! L0 !
!    !
!////!
!////!
+----+

Each two-row block (1A/B2, 3C/D4, and so on) is one button, so there are 5 buttons in total on this device. The "/" rows at the bottom represent the name of the company and possibly the model number (i.e. Securitron DK-10). It accepts 2- to 5-digit codes, so a 2-digit code has at most 5 to the 2nd power (5 squared = 25) combinations; the number increases with the digits used, up to 5 to the 5th power (3125) for a 5-digit code. The unit has an 11 or 16 incorrect digit threshold; if it is reached, a buzzer sounds for 30 seconds, during which it ignores any entries. When a valid code is entered, the lock is released for a 5, 10, 15 or 20 second interval.
Sentex PRO-Key:
This device has a keypad resembling that of a payphone. It is a sealed, chrome plated metal keypad with the standard 10 digits plus * and #. It can hold up to 2000 individual codes with a length of 4 or 5 digits. It allows 8 time zones, "2-strikes-and-out" software (its invalid code threshold), and anti-passback software.
Obtaining codes--
Your aim is to obtain the correct code in order to open the door. Plain and simple. There are various methods by which you can accomplish this. You can obtain a telescope or similar device and attempt to get the exact code as it is being entered. This is obviously the quickest method. If you cannot discern the exact code, the next best thing is to determine exactly how many digits were entered, since most devices have variable code lengths. If you can make out even one digit and when it was entered, you will substantially reduce the possibilities. Another method is to put some substance on the keypad itself, which preferably cannot be noticed by the user. After someone enters a code, you can check the keypad to see where there are smudges, or, if you use what the police use to find fingerprints, you can see which digits were pushed, although you will have no idea in what order. This still drastically cuts down the combinations.

Say that someone enters a 5 digit code on a 10 digit keypad. You check the keypad and see that 1, 2, 4, 7 and 9 were pushed. Brute force against the whole keypad would mean 10^5 = 100,000 codes; knowing the five keys, there are only 5! = 120 orderings to try. If a 4 digit code 'appeared' to be entered and 0, 2, 4 and 8 were 'smudged', there are 4! = 24 orderings, but keep in mind that the code may have been longer than it appeared, with one of the digits pushed twice. A way to know for sure would be to clean the pad and 'dust' it: most fingerprints will be clear, but one will be less clear than the others (that key was touched twice), so you can be reasonably sure that the smudged digit was pressed twice.
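The arithmetic in the preceding paragraph can be checked, and generalised, with a few lines of code. This is an added example, not from the article: given the keys that show prints and the observed code length, it enumerates every code in which each smudged key appears at least once, and compares that with the full 10^n keyspace. The key sets and lengths are the ones used above; the known_double option models the second dusting, where one print is fainter because that key was pressed twice.

```python
"""Enumerate the codes consistent with a 'dusted' keypad (added example).

Model (my assumption, matching the text): a key with a fresh print was pressed
at least once, a key without one was never pressed, and a key may have been
pressed more than once.
"""
from itertools import product
from math import comb


def candidate_codes(smudged, length, known_double=None):
    """Yield every code of `length` digits that uses each smudged key at least once.

    known_double: a key that the second dusting showed was pressed exactly twice.
    """
    keys = sorted(set(smudged))
    if len(keys) > length:
        return  # more prints than digits: the observation is inconsistent
    for combo in product(keys, repeat=length):
        if len(set(combo)) != len(keys):
            continue  # some smudged key never appears in this code
        if known_double is not None and combo.count(known_double) != 2:
            continue
        yield "".join(combo)


def count_candidates(k, n):
    """Closed form for len(list(candidate_codes(...))) without known_double.

    Number of length-n strings over k symbols that use all k symbols, by
    inclusion-exclusion: sum over j of (-1)^j * C(k, j) * (k - j)^n.
    """
    return sum((-1) ** j * comb(k, j) * (k - j) ** n for j in range(k + 1))


def search_reduction(smudged, length):
    """Return (codes consistent with the prints, codes in the whole keyspace)."""
    return count_candidates(len(set(smudged)), length), 10 ** length
```

Five distinct prints for a five digit code leave 5! = 120 orderings instead of 100,000; four prints for a five digit code leave 240, and a second dusting that pins the repeated key cuts that to 60. The counter-measure on the defender's side is a keypad that cannot be dusted at all, which is what the scrambling keypad described further down provides.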
Thresholds--
Brute force attempts on electronic keypads are suicide. Once a certain number of invalid attempts has been reached, it will probably be logged and a guard may be dispatched. Your best bet is to try once or twice, wait (leave), try once or twice again, wait, etc. Sooner or later you will get in.
Auditlogs--
Many of these devices are run on microcomputers. The software that runs them gives an increased ability to monitor their status. It can track a person throughout the facility, record times of entry and exit, and record when the maximum invalid code threshold is reached.
Anti-passback--
This term is commonly used in card access control, but it applies slightly differently to keypads. This feature prevents the same code from being used by two people at the same time. That is, Joe Comosolo uses code #12345 and enters the building. Then you enter Mr. Comosolo's code, #12345, but the system knows that Joe is already in the building and has not entered his code before leaving. Thus you do not gain access, and that action is most likely recorded in the audit log. This option will only be in effect when:
1) Each individual has a different code.
2) There is a keypad used for entry, and a keypad used for exit.
Tailgating--
This occurs when more than one person enters through a controlled access point. Joe enters his code and goes into the building. You follow Joe and make it in just before the door closes, or, in the case of devices that wait 10 or 20 seconds before the door locks again, you let it close and open it before it locks.
Open access times--
During peak morning, noon, and evening hours, a facility may set the system to not require a code during, say, 8:55 AM to 9:05 AM, thus enabling most anyone to gain entry during that time.
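The keypad features in the sections above (invalid-code thresholds, audit logs, anti-passback, open access times) interact, and the gap the 'try once or twice, wait' tactic exploits is easiest to see in code. This is an added example, not from the article or any vendor's product: a small controller model with those four features, written to show how an invalid-attempt counter that resets after a quiet period lets a slow brute force run forever below the threshold, while a counter that only resets on a lockout does not. The code values, thresholds, the 'Joe' code and the reset policy are assumptions chosen for illustration.

```python
"""Keypad access controller model (added example, not a vendor's firmware)."""
from dataclasses import dataclass, field


@dataclass
class Controller:
    codes: dict                 # code -> person; one code per person, as anti-passback requires
    max_invalid: int = 3        # invalid-code threshold (Sentex "2-strikes-and-out" would be 2)
    lockout_seconds: int = 30   # how long the reader ignores entries after the threshold
    reset_after: int = 0        # quiet seconds after which the invalid counter resets; 0 = never
    open_windows: tuple = ()    # (start, end) seconds-of-day during which no code is needed
    inside: set = field(default_factory=set)
    invalid: int = 0
    last_invalid: int = -10**9
    locked_until: int = -10**9
    log: list = field(default_factory=list)   # audit log of (time, event, person)

    def _audit(self, t, event, who=None):
        self.log.append((t, event, who))

    def in_open_window(self, t):
        tod = t % 86400
        return any(start <= tod < end for start, end in self.open_windows)

    def request(self, t, code, direction="entry"):
        """Return True if the door releases for `code` at time t (seconds)."""
        if direction == "entry" and self.in_open_window(t):
            self._audit(t, "OPEN_ACCESS")
            return True
        if t < self.locked_until:
            self._audit(t, "LOCKED_OUT")
            return False
        person = self.codes.get(code)
        if person is None:
            # Weak policy: the counter quietly resets after reset_after seconds without failures.
            if self.reset_after and t - self.last_invalid > self.reset_after:
                self.invalid = 0
            self.invalid += 1
            self.last_invalid = t
            self._audit(t, "INVALID_CODE")
            if self.invalid >= self.max_invalid:
                self.locked_until = t + self.lockout_seconds
                self.invalid = 0
                self._audit(t, "THRESHOLD_REACHED")
            return False
        if direction == "entry":
            if person in self.inside:           # anti-passback: already inside, never exited
                self._audit(t, "ANTIPASSBACK_DENY", person)
                return False
            self.inside.add(person)
        else:
            self.inside.discard(person)
        self._audit(t, direction.upper() + "_GRANTED", person)
        return True


def slow_bruteforce(reset_after, rounds=3, per_round=2, gap=600):
    """The 'try once or twice, leave, come back' tactic against a 3-strike threshold.

    Returns how many times the controller reached its threshold.
    """
    c = Controller(codes={"12345": "Joe"}, max_invalid=3, reset_after=reset_after)
    t = 0
    for _ in range(rounds):
        for k in range(per_round):
            c.request(t + k, "00000")   # wrong code
        t += gap
    return sum(1 for _, event, _ in c.log if event == "THRESHOLD_REACHED")


def antipassback_demo():
    """Joe enters; a second 'Joe' entry is refused until Joe exits."""
    c = Controller(codes={"12345": "Joe"})
    return (c.request(0, "12345"),            # True
            c.request(10, "12345"),           # False: Joe is already inside
            c.request(20, "12345", "exit"),   # True
            c.request(30, "12345"))           # True again
```

slow_bruteforce(300) never trips the threshold, because two bad codes followed by ten quiet minutes look like a fresh start each time; slow_bruteforce(0) locks the reader out on the third attempt. The defensive point is the one the text makes about audit logs: every INVALID_CODE entry is in the log either way, so an operator alerting on the raw failure count over hours, rather than on THRESHOLD_REACHED alone, catches the slow attacker that the lockout logic misses.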
Hirsch Electronics Digital Scrambler:
This has a 12 button arrangement with the addition of a 'start' key. It is probably the most secure type of keypad security system in use today. It only allows a viewing range of +/- 4 degrees horizontally and +/- 26 degrees vertically, which means it would be very difficult to watch someone enter their code, thus eliminating the 'spying' technique mentioned earlier.

The buttons on the keypad remain blank until the start button is pressed. Then, instead of the numbers appearing in the usual order, they are positioned at random, and a different pattern is generated each time it is used. The numbers are LEDs, in case you were wondering. This eliminates the 'dusting' technique which can be used on the other types of keypad systems, since the same code presses different physical buttons each time.

The Model 50 allows control of 4 access points and has 6 programmable codes. The Model 88 controls 8 doors and has thousands of codes. The features this device has make it very difficult to do anything but use brute force to obtain the code, but since it is controlled and monitored by a computer, the audit logs and maximum invalid code threshold can put a stop to that method. The other alternative, which applies to any of these systems, is to socially engineer the code from someone, or, if you know someone, they may give it to you. Neither method is ideal. I have come up with a way to reduce the possibilities to a very reasonable level, but I will not explain it here. If you are really interested, contact me via the LOD/H Technical Journal Staff account on the Sponsor boards.
Mechanical Keypad locks:
The best thing about these locks is that they are 100% mechanical. This means that they are not computerized, and there is no monitoring of bad codes, of the door staying open too long, or of anything! All you have to worry about is getting the correct code. Probably the largest manufacturer of these devices is Simplex Security Systems, Inc.; the devices are called Simplex Keyless Locks. Every lock of theirs that I have seen has 5 buttons. Combinations may use as many of the five buttons as the facility cares to use. The biggest problem (for the attacker) with this type is that there is the option of pushing 2 buttons at the same time, which is the same as adding another button to the lock. Thus, buttons 1 & 5 can be pushed simultaneously, then button 3, then buttons 2 & 4 at the same time.

These are supposedly 'keyless locks', but on many models a 'management key' can be used to override the security code, so obtaining the key is a way to bypass the code. Both the spying and dusting methods apply to these devices, and the best thing is that you can try all the possibilities you want without an alarm signalling.
Magnetic locks:
---------------
These are commonly called 'Magnalocks' and use only the force of electromagnetism to keep a door shut. Typically, the magnet is mounted in the door frame and a self-aligning strike plate is mounted on the door. These locks provide up to a few thousand pounds of holding force. They are not only found on ordinary doors, but can be put on sliding doors, glass doors, double doors and gates. The magnet and plate are roughly 3 inches by 6-8 inches.

There are a few things you should try to find out about these devices before attempting anything:

Is there backup power? (Usually a 12-24 V battery can be used.) Obviously, if there is no backup power and there is a power outage, there will be nothing to stop you from opening the door.

Most devices have the capability to monitor whether the door is closed, which is what magnetic contact switches do. But there is another option, which provides a voltage output signal on a third wire indicating whether the lock is powered and secure. If there is no monitoring of whether the lock is secure, then there is no way of knowing it is locked unless it is physically checked. There are optional LEDs which can be mounted on the lock to indicate its status. For the Securitron Magnalock, an amber LED indicates that the lock is powered. A green light shows the lock is powered and secure. Red shows that the lock is unlocked, and no light means there is a violation, i.e. the power switch is on but the lock is not reporting secure. You can use these lights to your advantage.

If a magnalock is tied into a fire alarm system, such that it is automatically released in the event of fire, then you or an accomplice can trigger a fire alarm and sneak in while the lock releases.
MISCELLANEOUS:
--------------
LEDs: Some devices or models have LED lights built into/onto the device. They are usually used to indicate a secure or insecure condition. This applies to magnetic contacts, shock sensors, and other devices. Even when the security system is not in a secure mode (for example, during regular business hours a system may be off, but after 6pm it is turned on), the LED will light when an alarm condition occurs. For example, you bang on a window that has a shock sensor, and the red LED lights or blinks for a few seconds. You can use this to your advantage to test theories or methods during a time when the receiver pays no attention to the signals sent to it. Then, when it is turned on, you will have more confidence in what you are doing.

Supervised loops: Most if not all devices will have supervised loops for constant monitoring of battery power, electrical shorts, and defective devices. If the security system of the facility is very old, loops may not be supervised, and simply cutting a wire will disable the alarm.

Naming of devices: For large orders, manufacturers of security devices may put the facility's name on the product instead of their own. This is probably for esoteric purposes. It hampers your efforts to obtain the name of the maker of any type of product for the purpose of getting additional information and brochures on the device.

Single person entry: These devices include mechanical and optical turnstiles which meter people in and out one-by-one. Mantraps, usually found in high security installations, are double-doored chambers which allow only one person in at a time, and will not let the person out until the system is satisfied that he is authorized.

Extreme weather conditions: Unlike perimeter security devices, most exterior security devices are either placed inside the facility or can withstand just about any type of environmental condition, so there is not much that you can take advantage of.
CONCLUSION:
-----------
People typically make security a lower priority than less important things. Those who do not upgrade their systems to save a few dollars are rewarded by being ripped off for thousands. I have no pity for those who do not believe in security, physical or data...
ACKNOWLEDGEMENTS:
-----------------
Gary Seven (LOH)
And of course, the information from brochures, and questions answered by the nice technical support people at the companies specifically mentioned in this article.
Downloaded From P-80 International Information Systems 304-744-2253 12yrs+