Physical Security Hack Chat

Deviant Ollam will let himself in

Wednesday, June 3, 2020 12:00 pm PDT

Deviant Ollam will host the Hack Chat on Wednesday, June 3, 2020 at noon Pacific Time.


You can throw as many resources as possible into securing your systems -- patch every vulnerability religiously, train all your users, monitor their traffic, eliminate every conceivable side-channel attack, or even totally air-gap your system -- but it all amounts to exactly zero if somebody leaves a door propped open. Or if you've put a $5 padlock on a critical gate. Or if your RFID access control system is easily hacked. Ignore details like that and you're just inviting trouble in.

Once the black-hats are on the inside, their job becomes orders of magnitude easier. Nothing beats hands-on access to a system when it comes to compromising it, and even if the attacker isn't directly interfacing with your system, having him or her on the inside makes social engineering attacks that much simpler. System security starts with physical security, and physical security starts with understanding how to keep the doors locked.

To help us dig into that, Deviant Ollam will stop by the Hack Chat. Deviant works as a physical security consultant and he's a fixture on the security con circuit and denizen of many lockpicking villages. He's well-versed in what it takes to keep hardware safe from unauthorized visits or to keep it from disappearing entirely. From CCTV systems to elevator hacks to just about every possible way to defeat a locked door, Deviant has quite a bag of physical security tricks, and he'll share his insights on keeping stuff safe in a dangerous world.

  • Hack Chat Transcript, Part 3

    Dan Maloney 06/03/2020 at 20:05

    morgan 12:58 PM
    heh, classic 'get into the gated community party' trick

    Which is why I installed my own ;-) Just wondering if there are any undocumented surprises that got slipped in there

    anfractuosity 12:58 PM
    sorry, i'm a bit confused you mean, you attach a metal plate, and use a microphone + amp? What's the metal for?

    Eric 12:59 PM
    Speaking of default codes. Many safes use 50-25-50 before installation... Also common but less so, 25-50-25 and I've seen 25-50-75 in one case

    Deviant Ollam 12:59 PM
    @Eric this is correct... but we've used it when in a building during the daytime to add a new user =)

    Eric 1:00 PM
    I have seen safes in the field where that code wasn't changed. Employees actually using 50-25-50 as "their" code.

    Deviant Ollam 1:00 PM
    @anfractuosity so that my mag-mount audio pickup has something to which it can attach

    anfractuosity 1:00 PM

    anfractuosity 1:00 PM
    sorry :)

    Deviant Ollam 1:00 PM
    @Eric yes, those are all common. i have a list somewhere, standby...

    Deviant Ollam 1:01 PM

    anfractuosity 1:01 PM
    haha cool

    Deviant Ollam 1:01 PM
    @anfractuosity no worries!

    Eric 1:01 PM
    These are fun. I have access to one if I need it...

    Welp, that was a wicked fast hour! We usually like to let our hosts get back to life at this point, but of course everyone is free to stay on and chat as long as you like. I want to thank @Deviant Ollam for his time today and for sharing his expertise. This was a fun one!

    Deviant Ollam 1:01 PM
    @Eric the ITL-2000 is a nice unit, but the Combi blows it out of the water

    anfractuosity 1:02 PM
    do some of those dialers, use acoustic analysis?

    Eric 1:02 PM
    The "Soft-drill" You don't see those very often however.

    Deviant Ollam 1:02 PM


    Combi QX3 Autodialer Preview

    Lockmasters, Inc: 859-885-6041 - MBA USA, Inc.: 859-887-0496 - Combi QX3 is a high-speed, wirelessly controlled safe lock dialer (autodialer) for opening Group 2 mechanical combination locks. 8 Hour Average Opening Time Combi QX3 uses a precision step motor with an optical encoder to maintain accuracy even at exceptionally high speeds.


    anfractuosity 1:02 PM

    Deviant Ollam 1:02 PM
    thank you @Dan Maloney for having me here!

    FYI, I'll post a transcript in a few minutes, in case anyone missed any links. And don't forget next week, when we'll be talking about Rapid Prototyping (sorry, no link yet)

    Deviant Ollam 1:02 PM
    (the combi was made by guys we know at Q-Tactical specifically to be an ITL-2000 competitor)

    Eric 1:03 PM
    Softdrill I think we <13 minutes. They took them off the market except for limited 'special' customers

    Thanks Dev and all!

    tonkas64 1:03 PM
    @Deviant Ollam cheers for your time and knowledge, awesome as always :-)

  • Hack Chat Transcript, Part 2

    Dan Maloney 06/03/2020 at 20:04

    Deviant Ollam 12:26 PM

    when i say "any one" i mean any super clear one

    anfractuosity 12:27 PM
    silly question, do you ever use a stethoscope?

    Deviant Ollam 12:27 PM
    @anfractuosity something similar! i use an audio pickup amp at times

    anfractuosity 12:27 PM
    ooh, cool i wasn't sure if they were really used

    anfractuosity 12:28 PM
    i saw some safe locks which claim to be resistant against x-ray which sounds interesting i thought

    Deviant Ollam 12:28 PM
    think of it as a stethoscope but it mag-mounts to the safe door. and it's not like a little cup on the end... it has a metal probe that hears vibrations within the safe. (and you're mostly hearing contact points where the nose interacts with the drive cam, as opposed to hearing the "wheels" as it were)

    oz 12:28 PM
    I'd buy safe cracking 101 if I could. I have a couple of tell coin safes I'd like to open and put to use.

    anfractuosity 12:29 PM
    neat @Deviant Ollam :)

    Douglas Henke 12:29 PM
    Do you have any tools that caused a "where has this been all my life?" moment. (For me, the recent answers are Knipex cutters and step drills.)

    Deviant Ollam 12:29 PM
    @anfractuosity Grade 1R safes, yes. "resistant to Radiographic attack" ... often Delrin plastic wheels. they have other vulnerabilities

    Tametomo 12:29 PM
    Safe against x-rays could just mean they're lead lined.

    Deviant Ollam 12:29 PM
    @Douglas Henke the A-1 pak-a-punch and the new Lishi 2-in-1 decoder picks

    anfractuosity 12:29 PM
    @Deviant Ollam heh neat, could you expand on other vulnerabilities, if you can

    Deviant Ollam 12:29 PM
    @Tametomo shielding became a ladders-and-walls game during the cold war. new materials, like polymer wheels, were the solution

    Deviant Ollam 12:30 PM
    @anfractuosity you can melt the wheels... enough heat or even acid injected in the right spot, and the wheels just fall apart, lol

    anfractuosity 12:30 PM
    haha wow

    anfractuosity 12:30 PM
    that's very cool

    oz 12:31 PM
    Aren't most modern containers electronic locks?

    thomas.august 12:31 PM
    @Deviant Ollam Can you point me to any case studies or news articles where poor physical security practices have directly led to thefts or data breaches? I know it's implied, but sometimes it's good to have independent sources to show that not focusing on this stuff has real consequences.

    Eric 12:31 PM
    Get the safe too hot and the fusible link goes and triggers relockers and no one is opening that safe!

    thomas.august 12:32 PM
    Management folks are not always the most tech savvy

    Deviant Ollam 12:32 PM
    @oz i would say that most modern "building security solutions" are moving to electronic. and electronic locks are making in-roads even in residential spaces, yes. but mechanical locks will still be with us for quite a while

    Deviant Ollam 12:32 PM
    @thomas.august most stories like that are ones that entail stolen laptops or other endpoints

    Eric 12:32 PM
    To anyone who thinks they might try drilling a quality safe, watch out for tempered glass between the door and the lock. Break it and relockers trigger.

    Deviant Ollam 12:33 PM
    @Eric yes, it's a delicate balance, that kind of attack

    Tametomo 12:33 PM
    The security industry isn't often what outsiders think it is. You have to deal with risk bars, which are just a way of saying "will the solution cost more than the potential problem"? So depending who does the calculations, something can either be critical to fix, or something just worth ignoring.

    pop13 12:33 PM
    Do you think that electronic systems have a higher barrier to entry for the common criminal?

    Here's a question: do electronic safes have built-in back doors, like service technician codes so they can get in no matter what the owner does?

    oz 12:34 PM
    @Deviant Ollam I was thinking of modern classified document storage containers. I thought that mechanical locks could not meet the requirements.

    Eric 12:34 PM
    Really really really old safes had explosives loaded in them. Watch out.

    Deviant Ollam 12:34 PM
    here's another interesting kind of auto lock with a specialized entry pick tool...


  • Hack Chat Transcript, Part 1

    Dan Maloney 06/03/2020 at 20:04

    Deviant Ollam 12:00 PM
    Good evening, good morning, and good 'morrow... depending on what time zone you're in while reading this! 👍

    Hello all, welcome to the Hack Chat today. I'm Dan Maloney, I'll be moderator today for our chat with Deviant Ollam. We'll be talking about physical security - locks, lockpicking, etc.

    Hi @Deviant Ollam, welcome to the Hack Chat! Perhaps you can start us off with a little about yourself and how you got into the security game?

    cdecde57 joined the room. 12:00 PM

    Tametomo joined the room. 12:01 PM

    Deviant Ollam 12:01 PM
    Sure thing

    Deviant Ollam 12:01 PM
    Thank you for having me, BTW

    Deviant Ollam 12:01 PM

    Deviant Ollam 12:02 PM
    I get a lot of folk who reach out to me or approach me at events and speak with awe over the idea that my career exists -- that I get paid to break into secure facilities -- and the first thing I try to always tell folk is that I got here by tripping over backwards into opportunities that I wasn't expecting, and that some of the best things you will get to do in your life are things you haven't even considered yet.

    Deviant Ollam 12:03 PM
    I started as a computer and network engineer, with lockpicking merely as a hobby. That hobby became my full-time work (in a manner of speaking) and I credit this almost entirely to my attempts at giving away knowledge and teaching as much as possible

    Dang, that's what I've been trying to tell my son for years now. You put it way better than I ever could have.

    31337Magician joined the room. 12:03 PM

    thomas.august joined the room. 12:04 PM

    Zack Freedman joined the room. 12:04 PM

    t.w.otto 12:04 PM
    looking forward to hanging out @Deviant Ollam

    Deviant Ollam 12:04 PM
    How did others get involved with "hacking" (Depending on your definition of it)

    31337Magician 12:05 PM
    I wanted to make airplanes do stupid things in flight simulator when I was a kid.

    pop13 12:05 PM
    Mostly by just messing with stuff and discovering there is a community around it

    t.w.otto 12:05 PM
    for me it was BBS's and it seemed like something super interesting, i like to tinker. then defcon. now it's part of life

    Deviant Ollam 12:05 PM
    @31337Magician oh totally! seeing how far straight up it could fly, etc? (or crashing it into things, or trying to)

    For me, it's just wanting to know how everything works. Can't really do that with tearing it apart, whether it's hardware or software

    31337Magician 12:06 PM
    I used to switch physics profiles of airliners and aerobats then join public servers and freak people out at the airfield.

    Deviant Ollam 12:06 PM
    @pop13 absolutely... it's one thing to tinker and want to disassemble and learn, but meeting with communities of other folk who are resources is so rewarding

    t.w.otto 12:06 PM
    and im teaching my spawn to tinker and question everything

    Tametomo 12:06 PM
    Got into programming when I was 5, and was fascinated with breaking things in unusual ways.

    Nicolas Tremblay 12:06 PM
    I always was interested in electronics and how stuff was built. Then my boss wanted to know more about 3D printers. That got me to find Make magazine and the whole community.

    Tametomo 12:06 PM
    Never grew out of that.

    Lennaert Oudshoorn 12:07 PM
    Started programming when a teacher gave me a book about basic and let me sit behind the computer because I always finished my assignments early, rolled in to the rest from there.

    Deviant Ollam 12:07 PM
    @t.w.otto do you find that you're buying kits or items specifically for that or using things around the house? my wife and i were saying recently how modern products (a remote control, for example) are all tabs and not screws and usual fasteners anymore, etc.

    thomas.august 12:07 PM
    Officially, during a special IT audit for a DOD contractor. Unofficially, I learned a lot about radio and telephones as a kid.

    pop13 12:07 PM
    And by taking stuff apart as a kid

    Deviant Ollam 12:07 PM
    @Nicolas Tremblay what 3D printers do you have or use, may i ask? Our firm has a PRUSA

    t.w.otto 12:08 PM
    that is a challenge....



slimcatpharm wrote 06/03/2020 at 19:07

I read a lot of stuff and i found that the way of writing to clarifying that exactly want to say was very good so i am impressed and I like to come again in future.
