Post on 16-Dec-2015


Physical Security In the Cyber Arena

UNCLASSIFIED//FOR OFFICIAL USE ONLY

Security Notice

This presentation is classified UNCLASSIFIED//FOR OFFICIAL USE ONLY.
Redistribution outside US Government channels is prohibited without proper authorization.
This document contains information that may be exempt from mandatory disclosure under the Freedom of Information Act.

Agenda
• Why it Matters – Part 1
• Guards, Gates and Guns
• What is a Network
• Attack Surfaces
• Network Infrastructure Threats
• User Equipment Threats
• Users
• Wireless and Mobile
• Why it Matters – Part 2
• Recommendations

Why Physical Security Matters (1)
• We spend billions securing our networks
  – Almost always against localized malware (AV/PSP)
  – Usually by segregation (firewall or air-gap)
  – Sometimes against internal propagation (IDS)
  – Rarely against physical threats (how??)
• Most networks are a Cadbury Crème Egg
  – Hard and crunchy on the outside
  – Soft and gooey on the inside
• So let's attack the weak point: from the inside out!

Don't Underestimate Gates, Guards and Guns
• An attacker can do a lot of damage remotely
• They can do even more physically!
• "Then we need physical access"
  – Create a fake badge and 'tailgate' in
  – "Thanks to all the smokers out there for leaving doors unlocked"
• In the simplest case, just steal the HDD
  – Full Disk Encryption (FDE) is important

What is a Network?
• A collection of computing equipment that can communicate electronically
• Where your data lives
  – Servers and data storage
  – User computers, laptops, and mobile devices
• How your data moves
  – Routers, switches and firewalls
  – Cabling and wireless links
• Peripherals
  – Keyboards, mice, thumbdrives
  – Printers, scanners, cameras

Attack Surfaces
• Infrastructure
• User-Space
• Wireless

Infrastructure Threats
• Hit the core of your network
• Are often harder to identify and isolate
• Can provide access to everything
  – If not well-secured
• Are more often intentional
  – Although misconfiguration is still a concern
• Can be readily prevented with:
  – Proper physical security
  – Appropriate configuration/controls

LAN/WAN Infrastructure Equipment
• Rarely has antivirus tools you can run
• Is infrequently updated
• Is usually in place for many years
  – Often in a neglected network/server closet
• Frequently has provisions for back-channel communications (e.g. a console port)
  – Sometimes even USB 3G dongle support
• Frequently now includes built-in wireless
• And the case is rarely ever opened
… Use your imagination

Cable Threat: Pwnie
• Man-in-The-Middle (MiTM) on Ethernet
  – Intercept, add, drop, or modify packets in transit
  – Full bi-directional exploit capability
• Can NAT the attacker directly in
• Not just passive collection
• Masquerade as a trusted computer
• Cellular back-channel
  – Bypasses your firewall
• Or uses your own internet-connected WiFi
• Built-in WiFi exploits (more on that later)

Pictured: PwniePlug r2 - $395, and PwnPhone (© Pwnie Express)

How could they use it?
• When was the last time anyone moved that heavy cabinet or safe???
  – But the cabling runs behind it
  – And there's a power outlet back there
• How about looked under the floor tiles?
• Or above the drop-ceiling?
• Or gave a second thought to that surge protector that also has Cat5 protection?
• And it can be carried in a pocket…

Passive Attacks Exist Too
• Trivial to build a $10 passive Ethernet tap

From the Throwing Star LAN Tap product description (© HakShop):

"The Throwing Star LAN Tap is a passive Ethernet tap, requiring no power for operation. There are active methods of tapping Ethernet … but none can beat passive taps for portability. To the target network, the Throwing Star LAN Tap looks just like a section of cable.

The monitoring ports are receive-only … This makes it impossible for the monitoring station to accidentally transmit data packets onto the target network.

The Throwing Star LAN Tap is designed to monitor 10BASET and 100BASETX networks. It is not possible for an unpowered tap to perform monitoring of 1000BASET networks, so the Throwing Star LAN Tap intentionally degrades the quality of 1000BASET target networks, forcing them to negotiate a lower speed (typically 100BASETX) that can be passively monitored."
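The quoted description gives defenders one observable: an unpowered tap cannot pass gigabit, so a port it sits on stays up but renegotiates to 100 Mb/s. As an added example (not from the presentation), the check below compares negotiated speeds against a per-port baseline; the switch output layout, port names and baseline values are constructed for the example.

```python
"""Flag gigabit ports that silently renegotiated down to 100 Mb/s.

Added example, not from the original presentation. An unpowered tap such as
the one described above cannot pass 1000BASE-T, so it degrades the link until
both ends settle on 100BASE-TX. The port stays 'connected', so nothing alarms
unless negotiated speed is compared with what the port normally runs. Status
text below is constructed in a Cisco-like 'show interfaces status' layout.
"""
import re

# Constructed snapshot: Gi1/0/7 normally runs at 1000 but is now at a-100.
STATUS_SNAPSHOT = """\
Port      Name            Status       Vlan   Duplex  Speed   Type
Gi1/0/1   uplink-core     connected    trunk  a-full  a-1000  10/100/1000BaseTX
Gi1/0/7   fileserver-01   connected    10     a-full  a-100   10/100/1000BaseTX
Gi1/0/8   printer-3fl     connected    20     a-full  a-100   10/100/1000BaseTX
Gi1/0/9   spare           notconnect   20     auto    auto    10/100/1000BaseTX
"""
# Baseline (constructed): Mb/s each port negotiated when it was commissioned.
BASELINE_SPEED = {"Gi1/0/1": 1000, "Gi1/0/7": 1000, "Gi1/0/8": 100, "Gi1/0/9": 1000}

def parse_speed(token: str):
    """'a-1000' or '1000' -> 1000; 'auto' (no link yet) -> None."""
    m = re.search(r"(\d+)$", token)
    return int(m.group(1)) if m else None

def parse_status(text: str) -> dict:
    """Map port -> (status, speed). Columns are taken from the right so an
    empty Name column does not shift them."""
    ports = {}
    for line in text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) >= 6:
            ports[fields[0]] = (fields[-5], parse_speed(fields[-2]))
    return ports

def find_downgrades(ports: dict, baseline: dict) -> list:
    """(port, expected, actual) for ports that are up but below baseline.
    A port that is down is a different alarm and is not reported here."""
    findings = []
    for port, expected in sorted(baseline.items()):
        status, speed = ports.get(port, ("missing", None))
        if status == "connected" and speed is not None and speed < expected:
            findings.append((port, expected, speed))
    return findings

if __name__ == "__main__":
    for port, expected, speed in find_downgrades(parse_status(STATUS_SNAPSHOT), BASELINE_SPEED):
        print(f"ALERT {port}: baseline {expected} Mb/s, now {speed} Mb/s; inspect the cable run")
```

A speed drop has benign causes too (a damaged patch lead, a 100 Mb/s device plugged in), so treat the alert as a prompt to walk the cable run rather than proof of a tap. Pair it with link-flap alerting, since inserting the tap drops and re-raises the link.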

User-Space Threats
• Hit the periphery of your network
  – But can then spread via software
• Are harder to prevent via physical security, because:
  – Users each have physical access to more equipment
  – There are many more users than sysadmins, who are the only ones with access to infrastructure equipment
• Are often unintentional by legitimate users
  – But don't discount malicious activity
• Can be prevented with:
  – Security software
  – Appropriate configuration/controls

User-Space Equipment
• History: GUNMAN
  – Soviet bugging of IBM Selectric typewriters in US Embassy Moscow
  – Accessed due to poor shipping security

"All of the implants were quite sophisticated. Each implant had a magnetometer that converted the mechanical energy of key strokes into local magnetic disturbances. The electronics package in the implant responded to these disturbances…and transmitted the results to a nearby listening post. Data were transmitted via radio frequency. The implant was enabled by remote control… Engineers estimated that a skilled technician could install an implant in a typewriter in a half hour."

User-Space Equipment
• Commercial keyloggers are readily available, even on Amazon, with wireless
  – To hide completely, order it built-in
  – Or a "USB Charger" that snoops on wireless Microsoft keyboards
• You can also get screengrabbers
• Keyloggers are bad, but not nearly as dangerous as…

Pictured: keylogger products (© KeeLog)

USB Peripherals
• If an attacker can hide a keylogger in a keyboard, how about:
  – A USB 3G modem?
  – A USB WiFi adapter?
• Windows built-in drivers can automatically connect to the internet

Pictured: USB modem and WiFi adapter (© Amazon, © Intel)

USB to Another Level
• Most PC motherboards have open USB headers, even servers
  – Opening a PC case is easy
  – A "header-to-connector" adapter costs $10
• It's not hard to install USB devices inside a computer
  – How often do you open the case and inspect inside??

Pictured: motherboard USB header and adapter (© Newegg, © GameSpot.com)

Users
• Are an unavoidable reality
• Naïve and generally trusting
• Frequently choose convenience over security, even when educated on threats
  – They often break the rules due to frustration with slow/bureaucratic processes

The Unavoidable Reality: users need to be protected from themselves, but they'll work with you

Malicious Users
• Not going to dive into the counter-intelligence implications of the trusted insider threat
  – But be cognizant they do exist, albeit in a VERY low percentage of the population
• Two very different types:
  – "Smash-and-grab"
  – Long-term penetration
• Best defense is a good offense

Wireless
• Is, fundamentally, giving an attacker a way to bypass your physical safeguards
• WiFi Pineapple can
  – Auto-spoof networks
  – MiTM the data
  – Or redirect to attack sites
• Anybody can break your WEP/WPA/WPA2 passwords today with CloudCracker for under $20

Pictured: WiFi Pineapple (© HakShop)

"Secure" WiFi
• Can still leak data
  – Assume they manage to get malware on your laptop somehow…
  – Now adjust the timing of transmitted packets in a known way, leaking the crypto key
• Is still running on physical hardware that could be compromised
• Is likely accessible from outside your controlled spaces
  – Gee, now I can just park outside the building…

Mobile Devices
• Pocket-sized computers
  – With built-in wireless and USB
  – Easily hackable
  – Rarely running effective antivirus
• No such thing as "just charging" a phone
  – The USB port is a data connection!
  – This is one of the most frequently violated policies
• Can easily create a network connection: PC -> USB -> Phone -> Cell/WiFi -> Internet
• Either overt (tethering) or covert (hacked phone)
  – Already discussed the phone hacking the PC as a keyboard
  – Phone can also act as a thumb-drive and carry malware

Why Physical Security Matters (2)
• All networks must ingest data to be useful
  – Generally far more low-to-high transfers than the opposite
  – So you WILL get malware, inevitably
• The challenge is therefore preventing exfiltration of your sensitive data
  – The exception is Computer Network Attack (CNA) threats…
• Good physical security, combined with good policy and electronic security, keeps your data where it belongs

Best Practices
• Practice good security in procuring IT equipment
  – This is antithetical to contracting policies
• DON'T assume your computers are trusted, especially in user-space
• Double down on physical security and Technical Surveillance Countermeasures (TSCM) inspections for the core equipment
• Use encryption on the wire
  – Renders MiTM moot
• Isolate things that don't need to talk
  – Why should a user be able to ping a database server? They should only see the front-end

The Ideally Secure Network
• Has the core all in 2-person controlled closets
• Does controlled purchasing and incoming TSCM inspection for core equipment
• Uses thin-clients in user-accessible space
• Firewalls all connections leaving the closet
  – Only allow RDP in/out
  – Use IPsec to the thin-client terminals
• Uses port-security, internal VLANs and firewalls
  – Don't let attackers propagate everywhere
• Locks down USB device permissions, and includes alerting/auditing to the sysadmin
• Is isolated from other networks
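An added example, not from the presentation, that ties the USB-peripheral threats described earlier (a 3G modem or WiFi adapter hidden in or behind a keyboard, a tethered phone) to the "alerting/auditing" bullet above: an allowlist audit over USB attach events that also flags any device bringing up a network interface. It assumes Linux kernel (dmesg) log lines as the analogue of the Windows plug-and-play behaviour the slides mention; the log lines, vendor/product IDs and allowlist are constructed.

```python
"""Audit USB attach events: allowlist by ID, flag anything that adds a network interface.

Added example, not from the original presentation. The log lines below are
constructed in Linux kernel (dmesg) style; vendor/product IDs and the
allowlist are made up. The policy is the one the slides call for: only
approved input devices may attach, and a device that registers a network
interface (3G modem, WiFi adapter, tethered phone) is an alert even when it
claims an approved ID, since IDs are trivially cloned.
"""
import re

USB_NEW_RE = re.compile(r"usb (?P<port>\d+-[\d.]+): New USB device found, "
                        r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
# usbnet-family drivers log "<port>:<iface> <netdev>: register '<driver>' at usb-..."
NET_IF_RE = re.compile(r"(?P<port>\d+-[\d.]+):\d+\.\d+ (?P<iface>\S+): register '(?P<driver>[^']+)' at usb-")

# Constructed sample: approved keyboard, a "keyboard" that is also a modem, a phone.
LOG = """\
usb 1-1.2: New USB device found, idVendor=1a2b, idProduct=0001, bcdDevice= 1.00
usb 1-1.2: Product: USB Keyboard
usb 1-1.3: New USB device found, idVendor=1a2b, idProduct=0001, bcdDevice= 1.00
usb 1-1.3: Product: USB Keyboard
cdc_ether 1-1.3:1.0 eth1: register 'cdc_ether' at usb-0000:00:14.0-1.3, CDC Ethernet Device
usb 1-1.4: New USB device found, idVendor=3c4d, idProduct=9000, bcdDevice= 2.00
usb 1-1.4: Product: Android
rndis_host 1-1.4:1.0 usb0: register 'rndis_host' at usb-0000:00:14.0-1.4, RNDIS device
"""
ALLOWLIST = {("1a2b", "0001")}  # constructed vid:pid of the approved keyboard model

def audit(log: str, allowlist: set) -> list:
    """Return (port, finding, detail) tuples in log order."""
    seen = {}       # port -> (vid, pid) from the most recent attach on that port
    findings = []
    for line in log.splitlines():
        m = USB_NEW_RE.search(line)
        if m:
            seen[m["port"]] = (m["vid"], m["pid"])
            if (m["vid"], m["pid"]) not in allowlist:
                findings.append((m["port"], "not-allowlisted", f"{m['vid']}:{m['pid']}"))
            continue
        m = NET_IF_RE.search(line)
        if m:
            vid, pid = seen.get(m["port"], ("????", "????"))
            findings.append((m["port"], "network-interface",
                             f"{m['iface']} via {m['driver']} from {vid}:{pid}"))
    return findings

if __name__ == "__main__":
    for port, kind, detail in audit(LOG, ALLOWLIST):
        print(f"ALERT usb {port}: {kind} ({detail})")
```

The "network-interface" finding on port 1-1.3 is the case the allowlist alone misses: the device presents the approved keyboard ID yet also registers as Ethernet, which is exactly what a modem or WiFi adapter built into a keyboard looks like from the host.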

Questions?