Category: Exploits

  • Cross-Site Scripting Vulnerability in ManageEngine AD Self Service Plus (CVE-2021-27956)

    I’m Matt Dunn, lead penetration tester at Raxis. This is a summary of the first stored cross-site scripting vulnerability I discovered while testing several Zoho-owned ManageEngine products. This vulnerability exists in the AD Self Service Plus Version 6.1.

    Summary

    Recently I discovered a stored cross-site scripting (XSS) vulnerability in Version 6.1 of the Zoho-owned ManageEngine AD Self Service Plus (CVE-2021-27956). The vulnerability exists in the email field of search results on the page /webclient/index.html#/directory-search. After searching for a user, if the “More” tab is clicked, the email field is loaded with unescaped content, allowing malicious JavaScript to be served to users.

    Proof of Concept

    The vulnerability can be triggered by inserting HTML content, in this case script tags, into the email field of an Active Directory user. The following was inserted as a proof of concept to reflect the user’s cookie in an alert box:

    <script>alert(document.cookie)</script>

    An example of this on one such user is shown here:

    Stored XSS Payload

    After searching for that user, the HTML is then presented unescaped on the web page, which allows the script tags to be loaded as valid JavaScript. The unescaped HTML as loaded is shown here:

    Unescaped JavaScript Tags

    After loading the search page, clicking the “More” tab triggers the vulnerability, which is shown in Figure 3:

    XSS Payload Executed
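    An added example of the defect class and its fix, in Python; this is not code from the advisory or from ManageEngine. The first renderer drops the AD mail attribute into the page as raw markup, the second entity-encodes it at the output boundary. The user record is constructed, and the payload is the one quoted above.

```python
import html
import re

# Constructed sample directory record (not from the advisory). The mail value
# is the proof-of-concept payload quoted above, as someone with write access
# to that AD attribute would store it.
SAMPLE_USER = {
    "displayName": "Test User",
    "mail": "<script>alert(document.cookie)</script>",
}


def render_more_panel_vulnerable(user: dict) -> str:
    """Build the 'More' panel by dropping raw attribute values into markup.
    This is the defect class above: the stored <script> becomes live HTML."""
    return (
        "<div class='more'>"
        f"<span class='name'>{user['displayName']}</span>"
        f"<span class='email'>{user['mail']}</span>"
        "</div>"
    )


def render_more_panel_hardened(user: dict) -> str:
    """Same panel, with every value entity-encoded at the output boundary.
    The browser then shows the literal text instead of executing it."""
    name = html.escape(user["displayName"], quote=True)
    mail = html.escape(user["mail"], quote=True)
    return (
        "<div class='more'>"
        f"<span class='name'>{name}</span>"
        f"<span class='email'>{mail}</span>"
        "</div>"
    )


_MAIL_RE = re.compile(r"^[^\s<>\"'@]+@[^\s<>\"'@]+\.[^\s<>\"'@]+$")


def is_plausible_mail(value: str) -> bool:
    """Defense in depth on the directory side: reject mail attribute values
    that cannot be an address. Not a substitute for output encoding."""
    return _MAIL_RE.match(value) is not None


_SCRIPT_RE = re.compile(r"<script\b", re.IGNORECASE)


def contains_live_script(fragment: str) -> bool:
    """Regression check for templates: an unescaped <script> tag survived."""
    return _SCRIPT_RE.search(fragment) is not None
```
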

    Affected Versions

    Raxis discovered this vulnerability on ManageEngine AD Self Service Plus 6.1, build 6100.

    Remediation

    Upgrade ManageEngine AD Self Service Plus to Build Version 6104 immediately. The ServicePack can be found here with release notes here.

    Disclosure Timeline
    • February 19, 2021 Vulnerability reported to Zoho
    • February 19, 2021 Zoho begins investigation into report
    • March 5, 2021 CVE-2021-27956 assigned to this vulnerability
    • May 8, 2021 Zoho releases patch for this vulnerability

    CVE Links

  • LDAP Passback and Why We Harp on Passwords

    Hackers are like anyone else in that they would rather work smarter, not harder – picking the low-hanging fruit first. Oftentimes, we find companies that put it in front of them without even knowing it.

    In today’s video, I demonstrate how to conduct a Lightweight Directory Access Protocol (LDAP) passback attack, essentially using third-party hardware or software as an access point to a company network. I’ll show you three different ways to conduct the attack and offer some helpful tips on how to defend against it. 

    What I believe is important to add here is the common thread that links all of them: access to a password. If you want to know why our discussions seem to always circle back to that concept, it’s because an improperly protected password is a master key for hackers, whether their hats are white or black. 

    One is usually all we need to get inside your network. From there, the possibilities are limited only by our imaginations (and our scope of work). As I discuss at the outset of the video, too many of our customers make it easy by leaving devices like printers set to their default passwords or even null passwords, meaning they never created a password to begin with.

    Once we control the device, capturing legitimate passwords is easy. The Raxis team has conducted several internal network tests where discovering an admin interface with default or null credentials got us full domain admin access to the network. In one case, a vendor told the company that the default password was okay to use for a few weeks until things were all set up. On another, we found a password file on a sensitive file share that was set up without a password while the IT staff moved it to a new server. And still another company had no clue a system had a default password. They said it had always been that way. 

    LDAP passback attacks can be prevented, but it takes companies implementing robust security protocols for everything with an IP address on your network – including printers and other devices. 

    Remember, if it’s connected, it must be protected. 

    Make sure all your devices are locked down with a strong password — no matter how innocuous the device may seem. It’s a hacker’s job to find their way in. It’s Raxis’ job to identify these vulnerabilities so that you can correct them before that happens. 

    Our team of experts is ready to help you and your organization find its weaknesses and help you strengthen your security. Talk with our team today.

  • New Metasploit Module: Microsoft Remote Desktop Web Access Authentication Timing Attack

    Editor’s note: Congratulations to Raxis Lead Penetration Tester Matt Dunn for discovering the following exploit and publishing it as a Metasploit Module. This is a tremendous professional milestone for Matt and for Raxis.

    “RD Web Access is susceptible to an anonymous authentication timing attack that can validate usernames within an Active Directory domain. Furthermore, RD Web Access exposes the connected domain name if the Remote Procedure Call (RPC) endpoint is accessible on the target server.”

    Raxis Lead Penetration Tester, Matt Dunn

    Microsoft’s Remote Desktop Web Access application (RD Web Access) is a popular web-based remote desktop client. It allows an organization’s users to access their remote desktop services through a web browser. Recently, I discovered that RD Web Access is susceptible to an anonymous authentication timing attack that can validate usernames within an Active Directory domain. Furthermore, RD Web Access exposes the connected domain name if the Remote Procedure Call (RPC) endpoint is accessible on the target server. An anonymous attacker can exploit this behavior to gather intelligence about an organization’s Active Directory environment and build a list of valid domain users for use in secondary attacks.

    Description

    A similar timing-based authentication vulnerability exists in the Outlook Web Application (OWA), which reveals valid usernames by comparing the response times of authentication attempts using valid and invalid usernames. RD Web Access likewise identifies valid usernames through differences in these response times. An example of an authentication attempt with an incorrect username and a response time of over 4 seconds can be seen here:

    Long Response Time with Invalid Username Authentication Attempt

    However, when authenticating with a valid domain and username pair but an incorrect password, the response time is much shorter (232 milliseconds), as seen here:

    Quick Response Time with Valid Domain and Username Authentication Attempt

    By analyzing how quickly the target server responds to these requests, we can determine that login attempts with valid usernames have significantly shorter response times than login attempts with invalid usernames. The timing difference is significant enough that we can use it to determine username validity.

    Note that knowing the target’s Active Directory domain is a prerequisite for this attack. However, if RPC is accessible, retrieving this information from the server is trivial. After issuing a specially crafted NTLM challenge, the encoded response will reveal the target’s Active Directory domain, as seen here:

    Active Directory Domain Revealed in Response

    With the Active Directory domain in hand, we can now fully enumerate the valid usernames for the domain.
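    The timing asymmetry described above is also visible in the server’s own web logs, so a defender can hunt for it. This added example (not from the post or from the Metasploit module) runs that check over constructed sample lines in a simplified IIS-style layout: date, time, client IP, method, URI, status and time-taken in milliseconds. The login path, the 2-second cut-off and the attempt threshold are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log (simplified layout, assumed for this example):
# date time c-ip cs-method cs-uri-stem sc-status time-taken(ms)
# 203.0.113.10 hammers the login page; most responses are slow (names that
# do not exist), one is fast (a name that does). 198.51.100.7 is a user who
# mistyped a password once and then logged in.
SAMPLE_LOG = """\
2021-01-06 09:00:01 203.0.113.10 POST /RDWeb/Pages/en-US/login.aspx 200 4312
2021-01-06 09:00:06 203.0.113.10 POST /RDWeb/Pages/en-US/login.aspx 200 4120
2021-01-06 09:00:11 203.0.113.10 POST /RDWeb/Pages/en-US/login.aspx 200 4407
2021-01-06 09:00:16 203.0.113.10 POST /RDWeb/Pages/en-US/login.aspx 200 231
2021-01-06 09:00:21 203.0.113.10 POST /RDWeb/Pages/en-US/login.aspx 200 4290
2021-01-06 09:00:26 203.0.113.10 POST /RDWeb/Pages/en-US/login.aspx 200 4198
2021-01-06 09:02:00 198.51.100.7 POST /RDWeb/Pages/en-US/login.aspx 200 245
2021-01-06 09:02:09 198.51.100.7 POST /RDWeb/Pages/en-US/login.aspx 302 238
2021-01-06 09:02:30 198.51.100.7 GET /RDWeb/Pages/en-US/Default.aspx 200 40
"""

LOGIN_PATH = "/rdweb/pages/en-us/login.aspx"  # assumed RD Web Access login URI
SLOW_MS = 2000  # assumed cut-off between the ~4 s and ~230 ms cases above


@dataclass
class Finding:
    client_ip: str
    attempts: int
    slow: int  # responses at/above SLOW_MS: consistent with unknown usernames
    fast: int  # quick failures: consistent with valid username, wrong password


def parse_log(text: str):
    """Yield (client_ip, method, uri, status, time_taken_ms) per well-formed line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7:
            continue  # skip headers, comments and truncated lines
        _date, _time, ip, method, uri, status, taken = parts
        yield ip, method, uri.lower(), int(status), int(taken)


def find_username_enumeration(text: str, min_attempts: int = 5,
                              slow_ratio: float = 0.5) -> list:
    """Flag sources that POST to the login page repeatedly and mostly get the
    slow (invalid-username) response. One mistyped username from a real user
    is slow too, which is why the volume threshold matters."""
    counts = defaultdict(lambda: [0, 0, 0])  # ip -> [attempts, slow, fast]
    for ip, method, uri, _status, taken in parse_log(text):
        if method != "POST" or uri != LOGIN_PATH:
            continue
        bucket = counts[ip]
        bucket[0] += 1
        if taken >= SLOW_MS:
            bucket[1] += 1
        else:
            bucket[2] += 1
    findings = []
    for ip, (n, slow, fast) in counts.items():
        if n >= min_attempts and slow / n >= slow_ratio:
            findings.append(Finding(ip, n, slow, fast))
    return findings


if __name__ == "__main__":
    for f in find_username_enumeration(SAMPLE_LOG):
        print(f"{f.client_ip}: {f.attempts} login POSTs, {f.slow} slow, "
              f"{f.fast} fast (likely valid usernames learned)")
```

    The fast count is the interesting number for a responder: it is how many valid usernames the source has probably confirmed. The proxying and MFA remediations listed below remove the signal at the source rather than relying on this after-the-fact hunt.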

    Affected Versions

    Raxis has confirmed the following Windows Server versions running the Remote Desktop Web Access application are vulnerable to this attack:

    • Windows Server 2016
    • Windows Server 2019

    Metasploit Module

    The original OWA/CAS timing authentication vulnerability was disclosed in 2014, and published tools are available to enumerate usernames and discover the domain from servers hosting the OWA. However, my research found that there were no readily available tools to exploit this vulnerability against a hosted RD Web Access instance. I took this opportunity to create a Metasploit module to automate and streamline the attack workflow. The module provides options for domain discovery, username enumeration, and password login attempts. The full module configuration options are shown below:

    Module Configurations for rdp_web_login Auxiliary Module

    After performing the enumeration, the module stores the discovered credentials in the database. An example of this Metasploit module successfully being used to enumerate valid usernames and passwords is shown below:

    rdp_web_login Metasploit Module in Use Against a Test Environment

    The new auxiliary module (auxiliary/scanner/http/rdp_web_login) has been approved by Rapid7 and merged to their master branch. The following links provide details to the module, its documentation, and the original pull request:

    Remediation

    The remediation for this attack is similar to the remediation for the related OWA authentication timing attack. Raxis recommends any of the following actions to mitigate the threat this attack poses:

    • Protect the Remote Desktop Web Access service from the Internet by requiring a VPN connection to access it.
    • Proxy the Remote Desktop Web Access traffic either through an ISA or Microsoft Federation Service, as this mitigates the time-based attack.
    • Enforce Multi-Factor Authentication (MFA) for Remote Desktop Services to prevent unauthorized logins from discovered usernames.

    Disclosure Timeline
    • January 6th, 2021 – Vulnerability reported to Microsoft
    • January 6th, 2021 – Microsoft begins investigation into report
    • February 4th, 2021 – Microsoft declines to service this vulnerability
    • February 24th, 2021 – Metasploit Module accepted and merged by Rapid7

    Be sure to check back for updates to this post as the status may change.

  • How to Pull Off a Mousejacking Attack

    What’s an easy, effective and potentially devastating cyberattack . . . that’s also named for a rodent?

    If you guessed mousejacking, you are a star student today. 

    A mousejacking attack occurs when an attacker scans for the wireless transmissions sent from your wireless mouse to the USB dongle plugged into your computer. These transmissions from a mouse contain data that describes the mouse’s actions. When an attacker is able to scan and find these transmissions, they may also be able to quickly intercept and, with a few quick keystrokes and clicks, impersonate the mouse and begin sending their own malicious commands through the wireless dongle and into the computer. 

    Users may see a brief pop-up screen with code, but things return to normal quickly, and many times they don’t think it’s significant enough to notify their security team.

    To add a little insult to injury, an attacker doesn’t even have to be in the building or in close proximity to the workstation to pull this off. They can be in your parking lot or maybe that park across the street.

    Now, there are a lot more technical things that go into it, so take a look at the video above to learn the details.

    So how do you prevent a mousejacking attack? Since this attack only can occur on workstations that are open and running, remember (and remind your colleagues) to always lock your station if you are walking away or not actively working on it. Also, let your colleagues in IT security know about anything suspicious you see. Trust me, they want to know.

    Remember it only takes a few minutes for attackers to get into your network and start causing trouble. 

    Please share this blog and video with your team so they know what to look for and how quickly it can happen, and encourage them to report it immediately. 

    With years of penetration testing and general mischief making behind us, we at Raxis have learned that there is always a way in. And we can find it. Our team of experts is ready to help you and your organization find its weaknesses and help you strengthen your security. Talk with our team today.

  • Imminent Threat for US Hospitals and Clinics, RYUK Ransomware Alert (AA20-302A) – Updated 11/2/2020

    Earlier this week, rumblings of a RYUK attack against US-based hospitals and clinics were detected. As the week has progressed, we have started to see this attack unfold.

    On October 29, 2020 a confidential source on the attack described this as “Increased and Imminent Cybercrime Threat”.

    What we know:

    This appears to be a RYUK ransomware attack being delivered through phishing. Raxis recommends that heightened vigilance be applied across all attack vectors and instrumentation.

    Who:

    The attack appears to be targeted at U.S. based hospitals, clinics, and other health care facilities. All health care operations should be on heightened alert for anomalous behavior or other Indications of Compromise (IOCs).

    When:

    Imminent. As of the time of this writing several US hospitals are already under attack.

    What to do:  
    • Immediately disseminate threat awareness notifications to all users and establish an update cadence to keep them aware of the threat as it continues to evolve.
    • Isolate critical systems where possible.
    • Review Incident Response (IR) plans and confirm accuracy of the plans to the extent possible.
    • Verify systems are patched and up to date.
    • Adjust instrumentation to detect known ransomware IOCs.
    • Use Multi-Factor Authentication (MFA) wherever possible. Consider temporarily enforcing MFA in instances where users have the option of bypassing it.
    • Enforce cybersecurity hygiene, including auditing user accounts with admin privileges and closing all unnecessary ports.
    • Backup all critical data and verify restoration capabilities.
    • Verify endpoint protection measures are up to date and functioning properly.

    Technical details of the attack:
    • The initial insertion point is through a phishing campaign.
    • Typically, RYUK has been deployed as a payload from Trojans such as Trickbot.
    • RYUK actors use common tools to steal credentials. These tools allow the actors to dump cleartext passwords as well as password hashes that can be brute forced offline.
    • Payloads may establish persistence based on DLL injection or other common techniques.
    • RYUK has been known to use scheduled tasks and service creation to maintain persistence.
    • RYUK actors will conduct network reconnaissance using native tools such as Windows Net commands, nslookup, and ping to locate mapped network shares, domain controllers, and Active Directory resources.
    • RYUK actors also use tools such as PowerShell, Windows Management Instrumentation (WMI), Windows Remote Management, and Remote Desktop Protocol (MS-RDP) for lateral movement through the network. IT personnel should be on alert for any suspicious traffic on the network.
    • RYUK uses AES-256 to encrypt files and an RSA public key to encrypt the AES key.
    • Actors will attempt to disable or remove security applications on victim systems that might prevent the ransomware from executing. Secondary monitoring on these processes may enhance detection fidelity.

    Updates

    November 2, 2020

    New information has been released specifically around Indicators of Compromise (IOC). Latest information indicates threat actors are targeting the HPH Sector with TrickBot and BazarLoader malware. This malware often leads to ransomware, data theft, and disruption of services. These are often loaded through malicious links and/or attachments via phishing.

    TrickBot IOC:
    TrickBot often installs an anchor toolset identified as anchor_dns, which creates a backdoor for sending and receiving data from compromised machines using Domain Name System (DNS) tunneling. Anchor_dns uses a single-byte XOR cipher to encrypt its communications, which have been observed using key 0xB9. Once decrypted, this traffic can be identified in DNS request traffic.

    TrickBot copies itself as an executable file with a 12-character randomly generated name and places this file in one of the following directories:

    • C:\Windows
    • C:\Windows\SysWOW64
    • C:\Users\[Username]\AppData\Roaming

    Once the executable is running, it downloads hardware-specific modules from the command-and-control (C2) server. These files are placed in the infected host’s %APPDATA% or %PROGRAMDATA% directory.

    The malware uses a scheduled task running every 15 minutes to maintain persistence with the host machine. Reports indicate the tasks typically use the following naming conventions:

    [random_folder_name_in_%APPDATA%_excluding_Microsoft]
    autoupdate#[5_random_numbers] 
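    Two hunting helpers for the anchor_dns and scheduled-task indicators described above, added here as an example rather than taken from the alert: a decoder for the single-byte XOR (key 0xB9) payload carried in DNS query labels, and a matcher for the autoupdate#NNNNN task names. The hex-in-labels carrier layout and the sample beacon string are assumptions constructed for the demo; the alert states only the cipher and key.

```python
import re
import string

XOR_KEY = 0xB9  # single-byte key reported for anchor_dns traffic above


def xor_bytes(data: bytes, key: int = XOR_KEY) -> bytes:
    """Single-byte XOR is its own inverse: one function both encodes and decodes."""
    return bytes(b ^ key for b in data)


def decode_tunnel_query(qname: str, c2_suffix: str) -> bytes:
    """Recover the XOR-encoded payload carried in the labels of a DNS query.
    Hex text split across labels is an ASSUMED carrier format for this
    example; the real label layout is not described in the alert."""
    qname = qname.rstrip(".").lower()
    suffix = c2_suffix.lower()
    if not qname.endswith("." + suffix):
        raise ValueError("query is not under the suspected C2 domain")
    labels = qname[: -(len(suffix) + 1)].split(".")
    if any(len(label) == 0 or len(label) > 63 for label in labels):
        raise ValueError("malformed DNS label")
    return xor_bytes(bytes.fromhex("".join(labels)))


def looks_like_text(data: bytes, threshold: float = 0.9) -> bool:
    """Triage helper: a decode that yields mostly printable ASCII deserves a
    closer look; labels that were never XOR-encoded will not."""
    if not data:
        return False
    printable = set(string.printable.encode())
    return sum(b in printable for b in data) / len(data) >= threshold


TASK_NAME_RE = re.compile(r"^autoupdate#\d{5}$")


def suspicious_task_names(names) -> list:
    """Match the scheduled-task naming convention reported for TrickBot."""
    return [n for n in names if TASK_NAME_RE.match(n)]


# Constructed sample traffic (not a real capture): a beacon string encoded
# with the same key, hex-encoded and split into 32-character labels under a
# domain listed in the alert.
SAMPLE_PLAINTEXT = b"host=WS01;user=jdoe;status=ok"


def make_sample_query(c2_suffix: str = "kostunivo.com") -> str:
    hexed = xor_bytes(SAMPLE_PLAINTEXT).hex()
    labels = [hexed[i:i + 32] for i in range(0, len(hexed), 32)]
    return ".".join(labels) + "." + c2_suffix


if __name__ == "__main__":
    query = make_sample_query()
    print(query)
    print(decode_tunnel_query(query, "kostunivo.com"))
    print(suspicious_task_names(["autoupdate#48213", "WindowsUpdate"]))
```
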

    After successful execution, anchor_dns deploys malicious batch scripts using PowerShell commands: 

    cmd.exe /c timeout 3 && del C:\Users\[username]\[malware_sample]
    cmd.exe /C PowerShell \"Start-Sleep 3; Remove-Item C:\Users\[username]\[malware_sample_location]\"

    The following domains have been associated with anchor_dns:

    • Kostunivo.com
    • chishir.com    
    • mangoclone.com
    • onixcellent.com

    This malware has been known to use the following legitimate domains to test internet connectivity:


    There is also an open-source tracker for TrickBot C2 servers located at https://feodotracker.abuse.ch/browse/trickbot/

    Anchor_dns historically used the following C2 servers:

    • 23.95.97.59
    • 51.254.25.115
    • 87.98.175.85
    • 91.217.137.37
    • 193.183.98.66

    BazarLoader/BazarBackdoor IOC:

    BazarLoader/BazarBackdoor is typically deployed through phishing, and the emails have the following characteristics:

    • The payload is typically delivered in a PDF attachment through an actor-controlled online hosting solution
    • The message often references a failure to create a preview of the document and contains a link to a URL that is hosting a malware payload
    • Emails are often routine in appearance and often employ a business pretext
    • Typical social engineering tactics are used in the email content

    The following filenames have been identified for installing BazarLoader:

    • Document_Print.exe
    • Report10-13.exe
    • Report-Review26-10.exe
    • Review_Report15-10.exe
    • Text_Report.exe 

    Bazar activity can be detected by searching system startup folders and Userinit values under the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon registry key:

    %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\adobe.lnk

    The following C2 servers are known to be associated with this malicious activity:

  • Why Tailgating is an Effective Hacker Tactic

    Picture it – you see someone with their arms loaded down trying to get into your office building – what do you do?

    A. Quickly rush over to open the door for them and lend a hand

    B. Walk right by and enter the building

    C. Ask them for their employee badge before allowing them to enter or entering yourself

    Human nature would tell you to pick A. Of course you would offer to help and hold the door for them.

    And for some, B might be the answer because they are in a hurry and maybe have a suspicious nature. But, if you chose C, you could very well be your company hero, since you could be the reason a hacker did not gain access to your building and ultimately your network. Sure, it may be uncomfortable to question people, but I promise a security breach will be much worse.

    Raxis’ group of ethical hackers has found that this technique of tailgating by a hacker is successful time after time. Hackers know that if they spend just a little time watching the practices of a company’s employees and the general pattern of how people gain access to the building, they have a pretty good shot at getting in as well.

    Check out the video above from Raxis’ VP of Sales Brad Herring as he explains how hackers manipulate our fundamental desire to be helpful: 

    We have said it time and time again – if someone with ill intentions is able to gain access to your building, it can only take a matter of minutes for them to find an open port, put a device on the network, and gain access to your sensitive data. 

    If you are ready for Raxis’ elite team of professionals to put your security to the test (did we mention we have successfully breached some of the most sophisticated corporate networks in the US?), then reach out to us through our contact page.

    Also, if you enjoyed this video, please be sure to subscribe to our YouTube page for more videos that can help you improve your security posture.  

     

  • AttackTek: How to Launch a Broadcast Resolution Poisoning and SMB Relay Attack

    Welcome to our first AttackTek installment, where we’ll go deeper into the tech side of our penetration testing. We’re going to start with a couple of the easiest and most consistent ways we’ve found to get inside corporate networks and gain domain admin rights – sometimes before we finish our coffee on Day 1.

    The first is broadcast name resolution poisoning, known more simply as the broadcast poisoning attack. The second, which we often use in tandem, is the SMB relay attack. 

    For those unfamiliar with these attacks, a broadcast poisoning attack targets users’ credentials as a means to further access corporate networks and data. An SMB relay attack is basically a man-in-the-middle attack in which the malicious actor tries to make the target machine believe that it is the authenticating server.

    These two attack methods work really well together and can be put into motion in a matter of minutes. 

    In this video, I will walk you through an entire attack chain and break down both of these attacks as I’m conducting them.

    Just a friendly heads-up: A lot of the ‘action’ in this video is code on a screen. If you’re a pen tester or a defender, you’ll probably find it very interesting. But if you’re a non-techie and you clicked here after watching your favorite surf video, well . . . enjoy!

    At Raxis, we offer a variety of penetration tests to help you and your company identify vulnerabilities and close the gaps before a cybercriminal finds them. During these tests our team of experienced, professional hackers uses every trick in the book – plus some they make up on the fly – to get past your security.

    If you are ready to explore more penetration testing and assessment options with Raxis, be sure to visit our contact page.

  • Understanding the Why Behind Password Management

    In this video, Brian will help you understand password management from the viewpoint of a hacker. It’s more than a how-to; it’s also a why-to. We’re hopeful that by seeing a little of what we see, you’ll make password management a high priority for your company.

    Despite years of warning, cajoling, and even begging by security professionals, password mismanagement is still one of the most reliable (and one of our favorite) ways to breach a company network. This week, our chief technology officer, Brian Tant, continues his video series about the most common vulnerabilities we see during hundreds of penetration tests each year.

    Remember: Complex passwords, unique to each account, and changed frequently are keys to effective password management and security. Also remember to check your service accounts and make sure that old passwords aren’t lingering on your devices.

    Effective cybersecurity is a matter of behavior as much as it is technology. Let’s make strong password management a habit that catches on. 

    Download our list of Top 10 Cyber Attacks to learn more about ways to secure your company.

    Want to learn more? Take a look at the next part of our Common Vulnerabilities discussion.

  • 3 Steps You Should Take Right Now to Reduce Your Risk of a Cyberattack

    Hi everybody, it’s Brian with Raxis, back with another video today!

    This is a busy time for us all, with no signs of slowing down. Do you know who else is busy now? Hackers – especially ones that know just how easy it is for thousands of us to forget to update passwords, patch operating systems, and scan for new viruses.

    I get it. Life happens. Seniors are graduating, families are acclimating, dogs are crashing Zoom meetings, and many of us are adjusting to completely new work environments. But if you can remember to lock your doors at home, you can get in the habit of locking out cyber attackers at work.

    Watch the video above for the top 3 things I wish every company would do today to keep out intruders online:

    These steps are the basics that every company should be taking, but, as hackers know all too well, not everyone does. Your company’s security is a 24-hour-a-day responsibility. Make sure your employees and your IT department know how critical it is for everyone to use the tools you already have to stay one step ahead of criminals.

    If this video made you wonder how secure your company’s data is, contact Raxis and learn how our tests can help you assess and improve your cyber defenses. We partner with small- and mid-sized businesses, as well as Fortune 500 companies, to help protect your employees, your data, and your bottom line.

    Follow us on this blog or social media, and we’ll share more ways that hackers can get in — and how we can help you keep them out.

    Download our list of Top 10 Cyber Attacks to learn more about ways to secure your company.

    Want to learn more? Take a look at the next part of our Common Vulnerabilities discussion.

  • Here’s How Hackers Can Get Through Your Doors and Onto Your Network

    Watch my video to see how easy it can be to bypass your company’s sophisticated security system. You might assume I’m just a guy who left something at work and had to run back in. But that’s not my office, that’s not my badge, and, at sunset, my day is just getting started. 

    We’re all familiar with employee badges – plastic proximity cards that contain a unique identifier that tracks when and where an employee is on company property. Businesses around the world depend on this technology to prevent unauthorized access, yet most would be shocked to see how simple it is for those badges to be scanned, cloned, and used to access a secure server.  

    In truth, I’m the chief technology officer at Raxis, a team made up of ethical hackers who can get in and out of your secure office quickly and quietly. If we wanted to, we could walk away with access to every single file stored on your network. Luckily, we are not actually there for the files, we’re there to fix your vulnerabilities to a cyberattack. 

    Badges that use RFID technology can be scanned from a few feet away, then cloned in seconds using a handheld copier/reader/writer – a relatively inexpensive device that’s easy to find if you know where to look. Add a small hidden camera to capture the PIN code on an alarm, then drop a backdoor implant device onto your network, and you’ve got a budget-friendly break-in method that a competitor or a kid on the dark web could use to ruin your reputation. 

    Until it’s tested, security is only perception. Raxis assessments identify real-world vulnerabilities that may otherwise go unnoticed. We partner every day with companies like yours to harden their security through process and technology enhancements. The most important asset in any business is a customer’s trust. Secure it with effective, battle-tested solutions from Raxis.

    Follow us on this blog or social media, and we’ll share more ways that hackers can get in — and how we can help you keep them out.

  • Can This Simple Trick Outwit Your Smart Security?

    Armed with nothing more than an ordinary can of cool, compressed air, a hacker can gain entry to a key-card-only access facility in just 19 seconds. Skeptical? See for yourself in this video.

    Fortunately, the guy in this video is me. Our company, Raxis, is a team of ethical hackers and penetration testing experts who evaluate and identify solutions that help businesses safeguard their sensitive data, from healthcare to finance to innovative product and app development.  

    Some folks forget that physical security is the first line of defense for a cyberattack.  If someone can get inside your business, they can find your servers, and in seconds they can steal, sell, and destroy data you’ve invested thousands in protecting.  

    Our cybersecurity specialists have studied for years to find hidden, unscrupulous techniques that the world’s most sophisticated hackers use. Solving these puzzles and preventing cyberattacks is what we love to do – but often we find security vulnerabilities long before we get to delve deep.  

    Finding a failure in your company’s security isn’t something to fear; it’s something to fix. And you can only fix something when you know it is broken.  

    Follow us on this blog or social media and we’ll share more ways that hackers can get in — and how we can help you keep them out. 

  • Windows 10 Vulnerability Highlights Need for Physical Security Testing

    During our more advanced Red Team penetration testing attacks, Raxis customers are often shocked to discover that we’ve not only been inside their network, but we’ve also been inside their buildings, their server rooms, and even their individual offices. It would take days to explain all the tricks and techniques we use to do that, so let’s focus on the more important question of why we do it.

    The simple answer is that physical access to devices opens up a world of possibilities to an attacker. In fact a recent Forbes article about a Windows 10 security problem offers an excellent example of what can happen when a bad guy gets to spend a few minutes alone with your computer.

    Notice in the article that Bjorn Ruytenberg says that a hacker with the right equipment needs less than five minutes of access to exploit the Windows 10 vulnerability… even if the computer is not on. The attacker only needs physical access to the device. This is an important finding because 95% of the time when Raxis conducts a physical, social-engineering assessment, we succeed in gaining unchallenged physical access to facilities and devices – even when armed guards are employed. Security is often perception, and our techniques commonly bypass guards, electronic devices, and employees. We often find unmanned workstations and usually find ourselves with these devices for far longer than the 5 minutes that Ruytenberg says it takes.

    What’s the takeaway? In the real world, cybersecurity must complement physical security. In other words, patch your Windows but don’t forget to lock your windows as well.