|
How to defeat security
NOTICE: TO ALL CONCERNED Certain text files and messages contained on this site deal with activities and devices which would be in violation of various Federal, State, and local laws if actually carried out or constructed. The webmasters of this site do not advocate the breaking of any law. Our text files and message bases are for informational purposes only. We recommend that you contact your local law enforcement officials before undertaking any project based upon any information obtained from this or any other web site. We do not guarantee that any of the information contained on this system is correct, workable, or factual. We are not responsible for, nor do we assume any liability for, damages resulting from the use of any information on this site.
AL SECURITY.TJ
The LOD/H Technical Journal: File #3 of 12
Lex Luthor and The Legion Of Doom/Hackers Present:
Identifying, Attacking, Defeating, and Bypassing
Physical Security and Intrusion Detection Systems
PART I: THE PERIMETER
The reasons for writing this article are twofold:
1) To prevent the detection and/or capture of various phreaks,
hackers and others, who attempt to gain access to: phone company central
offices, phone closets, corporate offices, trash dumpsters, and the like.
2) To create an awareness and prove to various security managers,
guards, and consultants how easy it is to defeat their security
systems due to their lack of planning, ignorance, and just plain
stupidity.
In the past, I have written articles on "Attacking, Defeating, and
Bypassing" Computer Security. Now I take those techniques and apply
them to Physical Security. The information contained herein, has
been obtained from research on the different devices used in physical
security, and in practical "tests" which I and others have performed on
these devices.
INTRODUCTION:
-------------
Physical Security relies on the following ideas to protect a
facility: Deterrence, Prevention, Detection, and Response. Deterrents are
used to 'scare' the intruder out of trying to gain access.
Prevention tries to stop the intruder from gaining access. Detection
'sees' the intruder while attempting to gain access. Response tries to
stop and/or prevent as much damage or access to a facility as possible
after detection. There are 3 security levels used in this article and
in industry to designate a facility's need. They are: Low, Medium, and
High. The amount, and types of security devices used by a facility are
directly proportional to the level of security the facility 'thinks' it
needs. When I use 'facility' I am refering to the people in
charge of security, and the actual building and assets they are trying
to protect. This article will be primarily concerned with the protection
of the perimeter. I have 2 other articles planned in this series.
The second is the security concerning the exterior of a facility: cipher
locks, window breakage detectors, magnetic contact switches, etc. The
third part will deal with security systems inside a facility: Passive
Infra-Red detectors, ultrasonic detectors, interior microwave systems,
and the various card access control systems.
THE PERIMETER:
--------------
A facility's first line of defense against intrusion is its'
perimeter. The perimeter may have any or all of the following:
* A single fence
* An interior fence coupled with an exterior fence
* Regular barbed wire
* Rolled barbed wire
* Various fence mounted noise or vibration sensors
* Security lighting and CCTV
* Buried seismic sensors and different photoelectric and microwave systems
Fences:
-------
Fences are commonly used to protect the perimeter. The most common fence
in use today is the cyclone fence, better known as the chain link fence.
Fences are used as a deterrent and to prevent passage through the
perimeter. Common ways of defeating fences are by cutting, climbing,
and lifting. Cutting is not usually recommended for surreptitious
entry, since it is easily noticeable. In this article, we will be
taking the 'Stealth' approach. Climbing is most commonly done, but if
the fence is in plain view, it may not be advisable since you can be seen
easily. The higher the fence, the longer it takes to climb. The longer it
takes to climb, the longer security has to detect and respond to your
actions. Lifting is better since you are closer to the ground, and
not as easily spotted, but the fence must be very flexible, or the sand
very soft so you can get under the fence quickly and easily. Whenever
you see a somewhat 'unclimbable' fence (or one that you just don't want
to climb) you should check the perimeter for large trees with uncut
branches hanging over the fence or other objects which will enable you
to bypass the fence without ever touching it. You could use a ladder
but you don't want to leave anything behind, especially with your
fingerprints on it, not that you plan on doing anything illegal of
course.
Electric fences are not used for security purposes as much as they were
in the past. Today, its main use if to keep cattle or other animals
away from the perimeter (either from the inside or outside). There are
devices which send a low voltage current through a fence and can detect a
drop in the voltage when someone grabs onto the fence. Again, not too
common so I will not go into it.
For high security installations, there may be 2 fences. An outer fence,
and an inner fence which are 5-10 yards apart. It isn't often that you
see this type of setup, it is mainly used by government agencies and the
military. You can be very sure that there are various intrusion
detection devices mounted on the fence, buried underground between
them, and/or line-of-sight microwave or photoelectric devices used.
These will be mentioned later. If you insist on penetrating the
perimeter, then you should try to measure how far it is between fences.
Now find a 2 foot by X foot board where X is the distance between the 2
fences. Very slowly place the board on top of both fences. If there
are no fence vibration sensors you can just climb the fence and step onto
the board to walk across the top. If there are fence sensors, you will
need a ladder which cannot touch the fence to get you on top of the
board. You can then walk on the board, over the ground in between, and
jump down, being careful not to disturb the fences. This will work if
there are no sensors after the 2 fences. Identi- fying sensors will be
mentioned later. Obviously the method of using a long board to put on
top of the two fences will not work if the fences are spaced too far
apart. Also, you and the board can be seen very easily.
Barbed Wire:
------------
There are two common types of barbed wire in use today. The more
common and less secure is the type that is strung horizontally across the
fence with three or more rows. The 'barbs' are spaced about 6" apart,
enough for you to put your hand in between while climbing over. Also, it
is thin enough to be cut very easily. If you think you will need to
leave in a hurry or plan on problem free surreptitious entry and the only
way out will be to climb over the fence again you can cut the wire from
one post to another, assuming the wire is tied or soldered to each post,
and replace it with a plastic wire which looks like the wire you just
cut. Tie it to each post, and come back anytime after that. You can then
climb over it without being cut. The other type of wire, which is more
secure or harmful, depending on how you look at it, is a rolled, circular
wire commonly called Razor Ribbon. One manufacturer of this is the
American Fence Co. which calls it 'the mean stuff'. And it is. The
barbs are as sharp as razors. Of course this can be cut, but you will
need very long bolt cutters and once you cut it, jump as far back as you
can to avoid the wire from springing into your face. As mentioned
earlier, cutting is irreparable, and obvious. If the wire is loosely
looped, there may be sufficient room in between to get through without
getting stitches and losing lots of blood. If the wire is more tightly
looped you may be able to cover the the wire with some tough material
such as a leather sheet so you can climb over without getting hurt. This
method is not easy to accomplish however. You may want to see if you can
get under the fence or jump over rather than climb it.
Fence mounted noise or vibration sensors:
-----------------------------------------
Let's assume you have found a way to get past the fence. Of course you
have not tried this yet, since you should always plan before you
act. OK, you have planned how you would theoretically get over or past
the fence. You are now past the deterrent and prevention stages.
Before you put the plan into action you had better check for the things
mentioned earlier. If a fence is the first step in security defense,
then fence mounted sensors are the second step. The types of detection
equipment that can be mounted on the fence are:
Fence shock sensors: These mount on fence posts at intervals of 10 to 20
feet, or on every post. They are small boxes clamped about 2/3 up from
ground level. There is a cable, either twisted pair or coax running
horizontally across the fence connecting these boxes. The cable can be
concealed in conduits or inside the fence itself, thus, making it hard
to visually detect. Each fence sensor consists of a seismic shock
sensor that detects climbing over, lifting up or cutting through the
fence. So if the fence is climbable, it would not be wise to do so
since you may be detected. Of course it doesn't matter if your
detected if there is no security force to respond and deter you.
Another type, is called the E-Flex cable. It's simply a coax cable
running horizontally across the fence. This cable can not only be used
on chain link fences, but can also be used on concrete block, brick, or
other solid barriers. It may be on the outside, or mounted inside the
fence, thus, making detection of the device harder. Of course detection
of this and other similar devices which cannot be seen, doesn't make it
impossible. A way to detect this, is by simply repeatedly hitting the
wall with a blunt object or by throwing rocks at it. If nothing out of
the ordinary happens, then you can be reasonably sure it is not in place.
This is basically a vibration sensor.
Low frequency microphones: This is essentially a coax cable that
responds to noise transmitted within the fence itself.
Vibration sensors: These are based on mercury switches, a ring or ball
on a pin, or a ball on a rail. Movement of the fence disturbs the
switches and signals alarms. A hint that this is in use is that it
can only be used on a securely constructed and tightly mounted fence,
with no play or movement in it. Otherwise, they will be getting false
alarms like crazy.
OK, you know all about these types, how the hell do you get around it?
Well, don't touch the fence. But if there is no alternative, and you must
climb it, then climb the fence where it makes a 90 degree turn (the
corner) or at the gate. Climb it very slowly and carefully, and you
should be able to get over without being detected by these sensors!
Make sure you climb on the largest pipe and don't fall.
Security lighting and CCTV:
---------------------------
Sometimes, fences may be backed up by Closed Circuit TV (CCTV) systems to
make visual monitoring of the perimeter easier and quicker. By
installing an adequate lighting system and conventional CCTV cameras,
or by using special low light sensitive cameras, the perimeter can be
monitored from a central point. Security personnel can then be
dispatched when an intruder is detected on the monitors.
Some systems are stationary, and others can be moved to view different
areas of the perimeter from within the central station. It would be
in your best interest to determine if the camera is stationary or not.
If so, you may be able to plan a path which will be out of the view
range of the camera. If it is movable, you will have to take your chances.
Light control sensor: This utilizes a Passive InfraRed (PIR) sensor to
detect the body heat emitted from someone entering the detection
area, and can activate a light or other alarm. PIR's will be discussed
in Part II of this series. The sensor has an option called: 'night
only mode' in which a light will flash when a person enters the area,
but only during night hours. It can tell if its dark by either a
photoelectric sensor, or by a clock. Of course if its daylight savings
time, the clock may not be totally accurate, which can be used to your
advantage. If it is photoelectric, you can simply place a flashlight
pointing directly into the sensor during daylight hours. When it gets
dark, the photoelectric sensor will still 'think' its day since there is
sufficient light, thus, not activating the unit to detect alarm
conditions. This should enable you to move within the area at will.
Buried Seismic Sensors:
-----------------------
Seismic detectors are designed to identify an intruder by picking up the
sound of your footsteps or other noises related to passing through
the protected area. These sensors have a range of about 20 feet and are
buried underground and linked by a cable, which carries their signals
to a processor. There, the signals are amplified and equalized to
eliminate frequencies that are unrelated to intruder motion. The signals
are converted to pulses that are compared with a standard signal
threshold. Each pulse that crosses this threshold is tested on count
and frequency. If it meets all the criteria for a footstep, an alarm is
triggered. These sensors can even be installed under asphalt or concrete
by cutting a trench through the hard surface. It is also immune to weather
and can follow any type of terrain. The only restriction is that the area
of detection must be free of any type of obstruction such as a tree or a
bush.
Electronic field sensor:
------------------------
These detect an intruder by measuring a change in an electric field. The
field sensors use a set of two cables, one with holes cut into the cable
shielding to allow the electromagnetic field to 'leak' into the
surrounding area. The other cable is a receiver to detect the field and
any changes in it. Objects passing through the field distort it,
triggering an alarm. This sensor can either be buried or free
standing, and can follow any type of terrain. But its very sensitive
to animals, birds, or wind blown debris, thus, if it is very windy
out, and you know this is being used, you can get some paper and throw
it so the wind takes it and sets off the alarm repeatedly. If it is done
enough, they may temporarily turn it off, or ignore it due to excessive
false alarms.
It is not hard to tell if these devices are in use. You cannot see
them, but you don't have to. Simply get 3-4 medium sized stones. Throw
them into the place where you think the protected area is. Repeat this
several times. This works on the lesser advanced systems that have trouble
distinguishing this type of seismic activity from human walking/running.
If nothing happens, you can be reasonably sure this is not in use. Now
that you can detect it, how do you defeat it? Well as far as the
electronic field sensor is concerned, you should wait for a windy night
and cause excessive false alarms and hope they will turn it off. As far as
the seismic sensors, you can take it one step at a time, very softly,
maybe one step every 30-60 seconds. These sensors have a threshold,
say, two or more consecutive footsteps in a 30 second time interval
will trigger the alarm. Simply take in one step at a time, slowly, and
wait, then take another step, wait, until you reach your destination.
These detectors work on the assumption that the intruder has no
knowledge of the device, and will walk/run across the protected area
normally, thus, causing considerable seismic vibrations. The problem with
this method is that it will take you some time to pass through the
protected area. This means there is more of a chance that you will be
seen. If there are a lot of people going in and out of the facility,
you may not want to use this method. Another way would be to run
across the protected area, right next to the door, (assuming that is
where the response team will come out) and drop a large cat or a dog
there. When they come out, they will hopefully blame the alarm on the
animal. The sensor shouldn't really pick up a smaller animal, but odds
are the security force are contract guards who wouldn't know the
capabilities of the device and the blame would fall on the animal and
not you, assuming there were no cameras watching...
Microwave systems:
------------------
In an outdoor microwave system, a beam of microwave energy is sent
from a transmitter to a receiver in a conical pattern. Unlike
indoor microwave detectors, which detect an intruders' movement in
the microwave field, the outdoor system reacts to an intruders' presence
by detecting the decrease in energy in the beam. The beams can protect
an area up to 1500 feet long and 40 feet wide. All transmission is
line-of-sight and the area between transmitter and receiver should be
kept clear of trees and other objects that can block the beam. Microwave
systems can operate in bad weather, and won't signal an alarm due to
birds or flying debris.
These systems work on the Doppler effect, in which they detect motion
that changes the energy, and sets off an alarm. These devices will usually
be placed inside a fence to avoid false alarms. These devices are very
easy to visually detect. They are posts from 1-2 yards high, about 6
inches by 6 inches and there are 2 of them, one receiver and one
transmitter. In some cases there will be more, which enables them to
protect a larger area.
To defeat this, you can enter the field, very slowly, taking one step at a
time but each step should be like you are in slow motion. It doesn't
matter how hard you hit the ground, since it doesn't detect seismic
activity, only how fast you approach the field. If you take it very
slowly you may be able to get past. Detectors of this type get more and
more sensitive as you approach the posts. Ergo, choose a path which will
lead you furthest away from the posts.
Photoelectric systems:
----------------------
These systems rely on an invisible barrier created by beams of infrared
light sent from a light source to a receiver. When the beam is
interrupted, the alarm sounds. The beam can have an effective range of up
to 500 feet. Multiple beams can be used to increase the effectiveness of
the system, making it harder for you to climb over or crawl under the
beams. Photoelectric systems can be prone to false alarms as a result of
birds or wind-blown debris passing through the beam. The problem can
be corrected by the installation of a circuit that requires the beam
to be broken for a specified amount of time before an alarm is sounded.
Weather conditions like heavy fog, can also interrupt the beam and cause
an alarm. This can also be corrected by a circuit that reacts to gradual
signal loss. These systems should not face directly into the rising or
setting sun since this also cuts off the signal beam.
As you can see this system has many problems which you can take advantage
of to bypass this system. As with any system and method, surveillance of
the facility should be accomplished in various weather conditions to
help verify the existence of a particular detection device, and to see
how they react to false alarms. Many times, you will be able to take
advantage of various conditions to accomplish your mission. If there is
only one set of devices (transmitter and receiver), try to estimate the
distance of the sensors from the ground. You can then either crawl
under or jump over the beam. This also works on the assumption that
the intruder will not recognize that the device is in use.
MISCELLANEOUS:
--------------
Guards: There are two types, in-house or company paid guards and
contract guards. Contract guards are less secure since they do not work
for the facility and if they make a mistake they simply get transferred
to another facility no big deal. In-house guards know the facility better
and have more to lose, thus, they are probably more security conscious.
Be aware of any paths around the perimeter in which guards can/will
walk/ride to visually inspect the exterior of the facility.
Central monitoring: Monitoring of the devices mentioned in this
article is usually accomplished at a 'Central Station' within the
facility. Usually, guards *SHOULD* be monitoring these. If you have
planned well enough, you may find that the guard leaves his/her post to
do various things at the same time every night. This would be an ideal
time to do anything that may be seen by cameras. Unfortunately, there
will probably be more than one guard making this nearly impossible.
Gates: Probably the easiest way to pass through the perimeter is to go
through the gate. Whether in a car, or by walking. This may not be too
easy if it is guarded, or if there is a card reading device used for entry.
Exterior card readers: An in-depth look at the types of cards used will
be in part 3 of this series. But for now, if the card used is magnetic
(not Weigand) it is quite possible to attack this. If you have an ATM
card, Visa, or other magnetic card, slide the card thru, jiggle & wiggle
it, etc. and quite possibly the gate will open. Reasons for this are that
since it is outside, the reader is subjected to extreme weather
conditions day in and day out, thus, the detecting heads may not be in
the best of shape, or since it is outside it may be a cheap reader. In
either case, it may not work as good as it should and can make
'mistakes' to allow you access.
Combinations: The devices listed in this article do not have to be used
alone. They can and are used in conjunction with each other for greater
security.
Diversions: In some cases, a diversion could better insure your passage
through the perimeter. Keep this in mind.
Extreme weather conditions: All devices have an effective operating
range of temperatures. On the low end of the scale, most devices will
not operate if it is -30 degrees Fahrenheit or lower. Though, quite a
few will not operate effectively under the following temperatures: -13
f, -4 f, +10 f, +32 f. On the other side of the scale, they will not
operate in excess of: +120 f, +130 f and +150 f. It is unlikely that
the outside temperature will be above 120 degrees, but in many
places, it may be below freezing. Take this into consideration if
a facility has these devices, and you cannot bypass them any other way.
I could not have possibly mentioned everything used in perimeter
protection in this article. I have tried to inform you of the more
common devices used. Some things were intentionally left out, some were
not. I welcome any corrections, suggestions, and methods, for this
article and the future articles planned. I can be contacted on a few
boards or through the LOD/H TJ Staff Account.
CONCLUSION:
-----------
This article primarily dealt with the identification of various 'tools'
used in physical security for the deterrence, prevention, detection, and
response to an intruder. There also were some methods which have been used
to attack, defeat, and bypass these 'tools'. None of the methods
mentioned in this article work 100% of the time in all circumstances,
but ALL have worked, some were under controlled circumstances, some
were not. But all have worked. Some methods are somewhat crude, but they
get the job done. Some methods were intentionally left out for obvious
reasons. Even though this article was written in a tutorial fashion, in
no way am I advising you to go out and break the law. I am merely
showing you how to identify devices that you may not have known were in
place to keep you from making a stupid mistake and getting caught. The
Establishment doesn't always play fair, so why should we?
ACKNOWLEDGEMENTS:
-----------------
Gary Seven (LOH)
|
|
