Tag: Badge

  • Why Our Team is Excited about the Purchase of Boscloner

    If you haven’t heard the news yet, Raxis has purchased the industry-dominant Boscloner electronic access badge-cloning technology from our friend and frequent colleague, Phillip Bosco.

    For the benefit of those outside the pentesting world, Boscloner is basically the iPhone of physical hacking technology – except with fewer real competitors.

    WARNING: If advanced technology worries you, this next part might be terrifying.

    Our CEO, Mark Puckett, calls the Boscloner technology a “master key to corporate offices and server rooms.” That’s because it enables a penetration tester, often on a red team engagement, to read someone’s security badge data, copy it, and then make a duplicate with all the same permissions.

    While that’s impressive by itself, Boscloner can do it without ever touching the badge and from six feet away. Even better (or worse, depending on your perspective), Boscloner eliminates the need for a badge entirely in some situations and can use captured data from one badge to employ ‘smart brute force’ to hack and duplicate others with greater privileges.

    If you have a chance, visit Boscloner and check out its capabilities. When you do, you’ll be very glad that Phillip Bosco is a former Marine who truly is on the side of good and right.

    You’ll also see why our own team is pumped that we’ve brought this technology in house. In fact, we did an informal survey just to get everyone’s reactions and here’s what they said:

    • Bonnie Smyre, Chief Operating Officer: “Raxis has used the original Boscloner on social engineering and red team engagements for years. I’m incredibly excited to now include Boscloner in the list of products and services we offer to our customers. Nothing beats experience… and the experience of witnessing unauthorized access to your premises using Boscloner technology is an experience that motivates our customers to upgrade their badge technology to be more secure.”
    • Scott Sailors, Vice President of Security Consulting: “I am a huge fan of the first generation Boscloner. The ease of use on a high-pressure Red Team can make a big difference. The mobile apps are a game changer. Phil Bosco did an amazing job and the next generation Boscloner is even better. I’m excited to see Raxis take over the project and build on what Phil created.”
    • Brad Herring, Vice President of Business Development: “I’m excited about the Raxis acquisition of Boscloner. I’ve used several versions of badge replicators on SE jobs, and this is by far the best one out there. It matches the excellence that customers expect from the Raxis brand and is going to be a great tool for anyone wanting to test their electronic locks and physical security systems.”
    • Tim Semchenko, Senior Manager of Operations: “As we return to normalcy, I have been looking forward to the team having the opportunity to conduct more physical social engineering tests. With the addition of the Boscloner to their respective utility belts, Raxis now has a HUGE differentiator over the competition.”
    • Adam Fernandez, Lead Developer: “Boscloner opens up a world of opportunities for Raxis as part of our physical social engineering engagements. It’s already an amazing tool for helping our customers secure physical access to their premises, and I’m looking forward to where Raxis will be able to take the product in the coming years.”
    • Scottie Cole, Lead Penetration Tester: “It is great to be working with Boscloner. It is an extremely powerful tool to help us show customers how their physical security can be breached very quickly if they aren’t prepared.”
    • Matt Dunn, Lead Penetration Tester: “The acquisition of Boscloner is another great example of Raxis identifying top tier security tech and utilizing it to help our customers. Staying on top of current threats is paramount in penetration testing, and the Boscloner will continue to allow Raxis to do just that.”
    • Sean Brown, Senior Penetration Tester: “I enjoy working for a company that is always on the hunt for new and innovative tools that will help provide the most comprehensive security test on the market. The Boscloner is the most recent example of Raxis’ investment in new and cutting-edge security technology. As a security consultant for Raxis, I am looking forward to using the Boscloner on my Red Team engagements, as it outperforms any other RFID cloner available on the market.”

    There’s one other reaction that’s worth sharing as well, this one from Phillip Bosco himself. As I said earlier, Phil is a friend, and we enjoy working with him frequently. Here’s what he had to say about the sale of his company to Raxis:

    “As a penetration tester, the Boscloner was built out of necessity to render physical security assessments easier and more streamlined. With the industry leading talents and vision that Raxis brings to the brand, the Boscloner now has a more exciting future than ever before. There is no other group of individuals that I would rather trust with a project that has been as close to my heart as this than the folks at Raxis. I am blessed and grateful for my ongoing personal and professional relationship with this team that has spanned many years. I cannot wait to see the Boscloner grow and transform as it continues on under the direction and leadership of team Raxis.”

    Phil Bosco

    Red teams are Raxis’ flagship offering, and Boscloner is a force multiplier in that space. Acquiring Boscloner allows us to continue Phil Bosco’s innovative vision of bringing next generation RFID attacks to market. It’s a chance for us to raise the bar for the industry overall and really transform how organizations look at premises security.

    Security is an exciting place to be, and as the team’s enthusiasm demonstrates, we can’t wait to up the ante.

     

  • Physical Security Pitfalls: What our physical assessments show us

    A Strong Front Door

    An effective information security program is built upon a strong physical security strategy. After all, if an attacker can breach your physical security, all of the network controls are more easily bypassed. On average our internal network penetration tests yield an 85% success rate. Once an attacker physically gains access to network connectivity, the chances of a data breach become exponentially higher. The role of a physical security strategy is to prevent an attacker from gaining tangible access to company resources so that secondary attacks are not possible.

    Raxis is frequently retained to test the physical security of corporations in various verticals. We utilize many techniques in our attempts to gain unauthorized access, ranging from highly technical approach vectors such as RFID badge cloning and IR cameras to simple social engineering pretexts.

    We average an 85% success rate on internal network penetration tests

    We commonly find that companies implement technology and processes that, on the surface, lend the impression of safety. Often, however, these controls are ineffective against a capable adversary, thus the net result is that the attack surface gains complexity without benefit, making the organization more vulnerable to targeted attacks.

    While some companies go to such lengths as employing security guards, both armed and unarmed, the presence of such personnel often provides a false sense of security. While they are excellent visual deterrents, security guards are only one component of a robust security strategy for physically safeguarding your critical data.

    Likewise, hi-tech security measures such as proximity cards and cameras often help an organization feel more secure, but the reality is these technologies add complexity and require additional resource overhead to maintain their effectiveness. Highly technical physical controls often can be hacked and, if not properly managed, sometimes leave a facility more vulnerable than it would be without them.

    Here is a sampling of the attack vectors we have employed in the past to circumvent physical security controls and gain unauthorized access to a facility:

    Poorly Trained Employees / Employees with a Casual Approach to Security:

    At the end of the day a company’s best defense is a well-trained and vigilant employee. The popular phrase, “if you see something – say something” is incredibly important. Employees know better than anyone else what is out of the ordinary – be it a suspicious package or a person. Employees need to be trained in secure practices, and given the authority to challenge or report anything or anyone that seems out of place.

    Often employees are lulled into a false sense of security through observational confirmation bias. They believe if someone has made it past the guard and is on the floor they must have permission to be there. This is reinforced by social behavior tendencies that make it uncomfortable to confront unknown individuals. A fundamental tenet of awareness training is to re-train employees to practice heightened vigilance in the workplace. Raxis consultants bypass guards and other countermeasures regularly while conducting engagements for our clients. In every one of those cases, if an employee had simply recognized us as being outside of the normal and challenged us to confirm the legitimacy of our presence, our attempts at compromise would have been thwarted. The reality is that most individuals do not feel comfortable with confronting someone in an office setting. This is a behavioral tendency that social engineering attacks exploit to lend legitimacy to a given pretext.

    The better an employee is trained to question people and events that are unfamiliar, the more robust the organization’s security posture will become.

    Proximity Badges

    Many companies fall prey to the false sense of security that arises when using RFID proximity card access control systems. In practice, many of these systems can be easily hacked electronically without the employee’s knowledge.

    With less than $600 and the ability to do a Google search, one can obtain step-by-step instructions for making a weaponized badge reader that can be used to acquire an employee’s RFID badge data from a distance for later cloning.

    In many cases, an old-fashioned tumbler lock and key would offer greater peace of mind.

    Lack of Photo Badging

    To make matters worse, many companies that leverage badge access systems do not utilize personalized badges with employee photos. This may be due to myriad reasons, from budgeting, to lack of headcount to manage such a program, to the level of effort to upgrade from legacy systems, or other business drivers. Even in environments where photo badges are prevalent, employees often do not take the time to verify that the photo on the badge is actually that of the person carrying it. Indeed, a surprising number of companies feel satisfied simply using a white proximity badge without any type of accompanying credentials.

    Proximity badges, if possible, should be paired with a photograph credential that validates the individual’s identity and indicates the level of access that person should be given. All visitors should have to sign in and in many cases be escorted while on premises.

    Even the most robust badging system is completely ineffectual unless employees are required to use it consistently. The physical layout of the office reception area plays heavily into enforcing access policies. Along with the photo ID, the form factor of the office should require that each person pass through a checkpoint (even if it’s a receptionist) to show their ID and perform the badge swipe.

    Unmonitored Cameras

    The use of video surveillance systems is another means by which a false sense of security can manifest. In many cases, the cameras are either not functioning or are feeding directly to a DVR to provide investigative collateral after a security event has occurred. The reactive use of surveillance systems negates the benefits of the added visibility they provide.

    The challenge is that most of the places we breach don’t even know we were there. We walk in, do our thing and exit. The company does not know to investigate because an incident response was never triggered; they were not leveraging their surveillance technology proactively.

    In many cases, if the company had security personnel charged with monitoring the cameras, a security breach could be stopped before it happened, rather than investigated after the fact when the damage has already been done.

    While cameras are an effective deterrent to many attackers, they must be used correctly and as part of a larger strategy lest they once again facilitate a false sense of security.

    What You Can Do

    The importance of awareness training cannot be overstated. Understanding the role that company culture contributes to the level of employee vigilance offers critical insight into the implementation of any security training program. The goal is not to make your employees paranoid or uncomfortable, but to help them develop a sense of situational awareness in the workplace. Empower them to report anything that is out of the ordinary and to know that it’s part of their job to do so. A formal security reporting process that is well understood will assist with streamlining response efforts. Recognize the limitations and vulnerabilities of your security systems. It is often said that security is a process. An effective security program encompasses dynamic layers of controls in which weaknesses are identified and mitigated through compensating controls.

    Test the effectiveness of your systems regularly. Utilize an outside assessment firm such as Raxis to partner with you and your team and assess your performance. Tests such as these are critical to understanding the strengths and weaknesses inherent in any security strategy and how to best utilize available technology to increase the organization’s resilience to attack.

    We hope you’ve found this article insightful. Below is a short video that illustrates a typical engagement for Raxis. This video will demonstrate some of the techniques employed by Raxis consultants to infiltrate a facility, establish persistence, and exfiltrate sensitive information – all without the company being aware.