All tagged physical pentest

Sometimes you don't know what you agree to until it's too late. In this particular project we were testing physical security around the customer's building. The customer asked us to try to bypass their physical security measures and if possible reach a certain room and leave a note there.

It sounded like a fun project.

The next 3 weeks were spent researching the target, recon during the day and night, trying to get the right names for some social engineering attack if needed and gear, techniques and planning.  

At the end we discovered a vulnerability and we thought we could exploit to get us in. The only problem was that in order to get that potential point of entry we needed to get to the roof.

Once in a while you have a project that you know will be a lot of fun. One of the biggest telecom providers dropped a project exactly like that a couple of years ago.

They wanted a full red team assessment, including external and internal digital assessments as well as a physical one. The scope: the entire company. This included the corporate HQ and its employees, the service stores across different cities, local offices, mall stores and the factory. This was a HUGE project. They time allotted? 6 months. Perfect.

Checking your customers via open IP cameras

If you’re in public, you’re on camera. If you walk into a coffee shop, the owner gets you at the register. Visit a larger store, and chances are they have your face as soon as you cross the threshold. At least one or two of your neighbors catch you on camera when you walk around your neighborhood, and many cities monitor traffic using red light cameras at major intersections. The question is no longer if you’re on camera, but rather how many different angles you were caught on while going about your day.   

With so much monitoring taking place, and with surveillance systems gaining more online functionality every year, it’s natural that securing these systems would become… complicated. And that many many are secured incorrectly or not at all. Because so many cameras and surveillance systems are completely open, it’s possible for anyone with Internet access to watch literally thousands of cameras online using only Google and a kindergartener’s understanding of the ‘Net. With a little time and patience, almost any given system, from a set of residential cameras to those used by your local police, can be accessed, viewed, and even reset if not properly secured. Of course, if you can do this, it means that anyone can do it. Feel safer yet?