Physical damage resulting from poor intrusion detection systems at facilities is the subject Jayson E. Street focuses on here, providing his real-world examples.
Well, here’s the real warm and fuzzy side. We’re actually talking about how, you know, to kill everyone, because that always brings up a crowd on a Sunday night. This picture was taken at 2.30 in the morning, I’m in a hotel somewhere, different hotel than the car I mentioned earlier. And I’m inside a mechanical room, I’m wearing Pepsi pajama bottoms over some cargo pants with some really bad things, and a white T-shirt. And I’m barefoot because I took all my clothes off in the bathroom in the guest area of the hotel, and changed into that. Then I started walking around to see what I could do. I could do a lot because – do you notice one important fact in this picture? There are no padlocks on any of the switches. If that switch is on, I’m turning it off. If that switch is off, I’m turning it on. And if, by golly, there’s a red button – I’m pushing it, twice! That’s just how I roll. Now, I want you to understand I’m not a total jerk. Yes, I’m going to start a fire in this room; and yes, it’s going to have some poisonous chemicals in it, so the smoke will go through the ventilation system that is right there. But I’m not totally terrible because it’s 2.30 in the morning. Who wants to get woken up at 2.30 in the morning, listening to this alarm sound going off? So I’ll turn off the alarm system for you because I don’t want to be rude. The only thing worse than having that alarm going off in your ears and stuff is someone throwing cold water on your face when you’re trying to sleep. So I’ll turn the sprinkler system off for you too, okay. I don’t want to get everyone all wet and drenched and stuff – there’s a fire going on, that would be dangerous. Another place that I think is great to kill people is the kitchen. This guy didn’t even ask who I was, but, you know, most people don’t.
So, just to bring that home, here’s a nice little video. Is there any law enforcement from Malaysia in here? Okay. This is a video that I took in a Malaysian hotel. I was wearing my Defcon shirt and I’m in Malaysia, I don’t blend well. So, let’s see what happens (watch Jayson’s video below).
So I come up against this door here and I’m thinking: oh, this is awesome. The reason is because it’s secured, so it’s got stuff in there that you want protected, so you put a padlock on it. But then, you don’t padlock it… So, well, thank you for that! What could you be protecting? I don’t know, let’s see here. Oh… (says “WARNING! Hazardous chemicals”). I did not go in there with an Uzi or an AK-47, I did not bring C-4 with me – I just walked out of that closet with napalm, I just walked out with poison. So let’s see what I can do.
Well, first I got to find a place to do that; that’s gonna be a long search looking for the proper place to deploy this kind of stuff, let me turn around. Oh, I’m in the kitchen. That was quick. So, let’s walk through here. If I wanted I could destroy their food supply by poisoning the stuff that’s in the fridges. Here’s the mechanical area, this is where I start my mechanical fires using the napalm. You notice those 2 guys there? I have to use social engineering countermeasures, so I say: “Hey, how’s it going?” It was going okay, and I kept moving. Some more places where I could use napalm. One of the things I noticed was that they protect guest information very well in their computer systems. You know, you can’t go up to the front desk and ask where someone’s staying, but obviously you can walk into the kitchen because every person, their room number and their name is right there for room service. So, that’s pretty low-tech.
Now, I’m going through this and I’m thinking to myself: why just walk around the place? Let’s go try to do some social engineering to see what happens if someone notices me. So I’m gonna go talk to the head chef and the manager of the hotel. I asked one of them if he was using Wi-Fi or cable. I got an iPad and I’ve got my hacker shirt on… He just says he’s using cable. And then I just left, that was it! That’s how easy it can be. In terms of social engineering, it’s just as easy as just saying: “How’s it going?” and stuff, and talking to someone. People don’t expect bad things to happen until they happen.
So, some of the countermeasures. One of the key ones is to make sure people understand that workplace violence happens. I mean, for gosh sakes, I got this information off of workplaceviolencenews.com. It happens so often that they put up a website for it, for gosh sakes – that’s depressing. So you got to understand that it happens. So, set up a code. I tell people, especially the receptionists, that the code “Oh my God, he’s got a gun – run, panic, or we’re all gonna die” – is not the best code. It is effective, it does raise the thing, but it may not be the best. I always tell them to suggest something like a code “perrywinkle”: “Mr. Perrywinkle to HR; Mr. Perrywinkle to HR”. And I’m hoping that someday someone institutes an actual code “perrywinkle” because I think that’s just funny saying “perrywinkle”.
Another one is to conduct routine safety checks, not just safety checks of your equipment, but of your people as well. When I walked around for an hour I noticed one thing at that facility: there was just one door that I could easily jimmy, and it had a camera that was right over it but I couldn’t tell what the angle was. Because where the other 2 cameras were spaced, if I walked diagonally from the other parking area, they wouldn’t see me except for that one camera. And if that camera was angled the wrong way, I could totally bypass it. So I talked to the former head of security there and told him about it. He’s like: “Whatever… Come with me.” He takes me into his office, the security office. It was empty. He showed me the computer screens – they were all turned off. He turns them on, and the one camera that was not working was that one… I did mention he was the former head of security at that facility.