Tag: Physical Security

  • Why Our Team is Excited about the Purchase of Boscloner

    If you haven’t heard the news yet, Raxis has purchased the industry-dominant Boscloner electronic access badge-cloning technology from our friend and frequent colleague, Phillip Bosco.

    For the benefit of those outside the pentesting world, Boscloner is basically the iPhone of physical hacking technology – except with fewer real competitors.

    WARNING: If advanced technology worries you, this next part might be terrifying.

    Our CEO, Mark Puckett, calls the Boscloner technology a “master key to corporate offices and server rooms.” That’s because it enables a penetration tester, often on a red team engagement, to read someone’s security badge data, copy it, and then make a duplicate with all the same permissions.

    While that’s impressive by itself, Boscloner can do it without ever touching the badge and from six feet away. Even better (or worse, depending on your perspective), Boscloner eliminates the need for a badge entirely in some situations and can use captured data from one badge to employ ‘smart brute force’ to hack and duplicate others with greater privileges.

    If you have a chance, visit Boscloner and check out its capabilities. When you do, you’ll be very glad that Phillip Bosco is a former Marine who truly is on the side of good and right.

    You’ll also see why our own team is pumped that we’ve brought this technology in house. In fact, we did an informal survey just to get everyone’s reactions and here’s what they said:

    • Bonnie Smyre, Chief Operating Officer: “Raxis has used the original Boscloner on social engineering and red team engagements for years. I’m incredibly excited to now include Boscloner in the list of products and services we offer to our customers. Nothing beats experience… and the experience of witnessing unauthorized access to your premises using Boscloner technology is an experience that motivates our customers to upgrade their badge technology to be more secure.”
    • Scott Sailors, Vice President of Security Consulting: “I am a huge fan of the first generation Boscloner. The ease of use on a high-pressure Red Team can make a big difference. The mobile apps are a game changer. Phil Bosco did an amazing job and the next generation Boscloner is even better. I’m excited to see Raxis take over the project and build on what Phil created.”
    • Brad Herring, Vice President of Business Development: “I’m excited about the Raxis acquisition of Boscloner. I’ve used several versions of badge replicators on SE jobs, and this is by far the best one out there. It matches the excellence that customer expect from the Raxis brand and is going to be a great tool for anyone wanting to test their electronic locks and physical security systems.” 
    • Tim Semchenko, Senior Manager of Operations: “As we return to normalcy, I have been looking forward to the team having the opportunity to conduct more physical social engineering tests. With the addition of the Boscloner to their respective utility belts, Raxis now has a HUGE differentiator over the competition.”
    • Adam Fernandez, Lead Developer: “Boscloner opens up a world of opportunities for Raxis as part of our physical social engineering engagements. It’s already an amazing tool for helping our customers secure physical access to their premises, and I’m looking forward to where Raxis will be able to take the product in the coming years.”
    • Scottie Cole, Lead Penetration Tester: “It is great to be working with Boscloner. Is it an extremely powerful tool to help us show customers how their physical security can be breached very quickly if they aren’t prepared.”
    • Matt Dunn, Lead Penetration Tester: “The acquisition of Boscloner is another great example of Raxis identifying top tier security tech and utilizing it to help our customers. Staying on top of current threats is paramount in penetration testing, and the Boscloner will continue to allow Raxis to do just that.”
    • Sean Brown, Senior Penetration Tester, “I enjoy working for a company that is always on the hunt for new and innovative tools that will help provide the most comprehensive security test on the market. The Boscloner is the most recent example of Raxis’ investment in new and cutting-edge security technology. As a security consultant for Raxis, I am looking forward to using the Boscloner on my Red Team engagements, as it outperforms any other RFID cloner available on the market.” 

    There’s one other reaction that’s worth sharing as well. This one from Phillip Bosco himself. As I said earlier, Phil is a friend, and we enjoy working with him frequently. Here’s what he had to say about the sale of his company to Raxis:

    “As a penetration tester, the Boscloner was built out of necessity to render physical security assessments easier and more streamlined. With the industry leading talents and vision that Raxis brings to the brand, the Boscloner now has a more exciting future than ever before. There is no other group of individuals that I would rather trust with a project that has been as close to my heart as this than the folks at Raxis. I am blessed and grateful for my ongoing personal and professional relationship with this team that has spanned many years. I cannot wait to see the Boscloner grow and transform as it continues on under the direction and leadership of team Raxis.”

    Phil Bosco

    Red teams are Raxis’ flagship offering, and Boscloner is a force multiplier in that space. Acquiring Boscloner allows us to continue Phil Bosco’s innovative vision of bringing next generation RFID attacks to market.  It’s a chance for us to raise the bar for the industry overall and really transform how organizations look at premises security.

    Security is an exciting place to be, and as the team’s enthusiasm demonstrates, we can’t wait to up the ante.

     

  • Five Red Flags for Black Friday

    ‘Tis the shopping season!  First up, Black Friday, followed by Shop Local Saturday, Cyber Monday, and all the shopping days that follow. 

    Did you wake up early to stretch out your “add to cart” fingers so you can snag that hard-to-find, hot item of the season at a discounted price? Planning on heading out to that cute little boutique next to your office during lunch? 

    Before you do, there are a few things you need to remember. Most important is that cybergrinches are out there year-round, just waiting for the perfect opportunity to steal your holiday joy. The holiday season is big business for them, and they are waiting for you to drop your guard. (And, no, they don’t care if it lands them on the naughty list.)

    In the video above, I detail five red flags you should look out for on Black Friday — and all the other shopping days of the year. I’m hopeful these tips will help keep you and your company’s network secure this holiday season.

    Let’s review, if you are going to be holiday shopping in the coming weeks, it is imperative you take the proper precautions to keep yourself and your company secure. 

    • Don’t click on links within emails, and be very suspicious of any emails that discuss your credit cards or bank accounts.
    • Be wary of phone calls seeking donations to various charities. Be vigilant, and do your research on the charity. Even then, donate directly, not from the email.
    • If you are out shopping on your lunch break or after work, make sure your work badge is in a protective sleeve to help prevent cloning.
    • Strangers are still strangers in the holiday season. Make sure everyone in your building and anyone trying to get in has the proper credentials to be there – or that they have an escort.
    • Stay vigilant with your security practices, even when your office is short-staffed. When we get busy, it’s easy to skip locking computers and returning sensitive documents to a secure location. Take the extra few seconds to do cybersecurity right.

    Raxis is an elite team of professionals who are paid to attack and assess cybersecurity systems. We can help you pinpoint security threats and find ways to remediate them leaving your company far more secure and giving you additional peace of mind.  

    Ready to find out how secure your network really is? Reach out to us, and let’s discuss your needs and how we can help.

  • Why Tailgating is an Effective Hacker Tactic

    Picture it – you see someone with their arms loaded down trying to get into your office building – what do  you do? 

    A. Quickly rush over to open the door for them and lend a hand

    B. Walk right by and enter the building

    C. Ask them for their employee badge before allowing them to enter or entering yourself

     Human nature would tell you to pick A. Of course you would offer to help and hold the door for them. 

    And for some B might be the answer because they are in a hurry and maybe have a suspicious nature. But, if you chose C, you could very well be your company hero since you could be the reason a hacker did not gain access to your building and ultimately your network. Sure it may be uncomfortable to question people, but I promise a security breach will be much worse. 

    Raxis’ group of ethical hackers have found that this technique of tailgating by a hacker is successful time after time. Hackers know, if they spend just a little time watching the practices of a company’s employees and the general pattern of how people gain access to the building, that they have a pretty good shot at getting in as well. 

    Check out the video above from Raxis’ VP of Sales Brad Herring as he explains how hackers manipulate our fundamental desire to be helpful: 

    We have said it time and time again – if someone with ill intentions is able to gain access to your building, it can only take a matter of minutes for them to find an open port, put a device on the network, and gain access to your sensitive data. 

    If you are ready for Raxis’ elite team of professionals to put your security to the test (did we mention we have successfully breached some of the most sophisticated corporate networks in the US?), then reach out to us through our contact page.

    Also, if you enjoyed this video, please be sure to subscribe to our YouTube page for more videos that can help you improve your security posture.  

     

  • Why Worry About Unauthorized Entry?

    We’ve posted several videos recently that demonstrate how easy it can be to defeat some common physical security barriers by cloning badgesmanipulating sensors with air, and  using hidden cameras. In case you’re wondering, it is every bit as fun as it looks, and lots of folks tell us it’s cool to see it demonstrated. 

    Check out this video and watch how quickly a company’s data – and its customers’ data – can be compromised.

    If you think about it, it also raises the so-what question. What’s the worst that can happen if someone gets access to a secure area inside your office? Somebody’s bound to notice before they can cause any real trouble, right? 

    Unfortunately, no. Even if the hacker isn’t also an experienced social engineer (and Raxis team members are), they can still cause untold damage. Once inside, it only takes an intruder seconds to install a network backdoor device on an open network port. At that point, network traffic is being diverted to or through the hacker mother ship. 

    Fortunately, in this scenario, I was the hacker conducting the attack. Although this was only a demonstration, I should point out that I’ve done the same thing in many red team engagements with clients. As you can see, the computer skills necessary are more in line with a 7-year-old’s than 007’s. Oh, and that special equipment I was using? It’s readily available online for $50 to $100. 

    The point here is that you need multiple, effective layers of cybersecurity to protect your network. How do you find out what you’re missing? Simple. You call us.

    Raxis’ team of experts is ready to help your business evaluate and identify solutions to help safeguard sensitive data. Follow us on this blog or social media – FacebookTwitterLinkedIn and YouTube –  and we’ll share more ways that hackers can get in — and how we can help you keep them out.

  • Here’s How Hackers Can Get Through Your Doors and Onto Your Network

    Watch my video to see how easy it can be to bypass your company’s sophisticated security system. You might assume I’m just a guy who left something at work and had to run back in. But that’s not my office, that’s not my badge, and, at sunset, my day is just getting started. 

    We’re all familiar with employee badges – plastic proximity cards that contain a unique identifier that tracks when and where an employee is on company property. Businesses around the world depend on this technology to prevent unauthorized access, yet most would be shocked to see how simple it is for those badges to be scanned, cloned, and used to access a secure server.  

    In truth, I’m the chief technology officer at Raxis, a team made up of ethical hackers who can get in and out of your secure office quickly and quietly. If we wanted to, we could walk away with access to every single file stored on your network. Luckily, we are not actually there for the files, we’re there to fix your vulnerabilities to a cyberattack. 

    Badges that use RFID technology can be scanned from a few feet away, then cloned in seconds using a handheld copier/reader/writer – a relatively inexpensive device that’s easy to find if you know where to look. Add a small hidden camera to capture the PIN code on an alarm, then drop a backdoor implant device onto your network, and you’ve got a budget-friendly break-in method that a competitor or a kid on the dark web could use to ruin your reputation. 

    Until it’s tested, security is only perception. Raxis assessments identify real-world vulnerabilities that may otherwise go unnoticed. We partner every day with companies like yours to harden their security through process and technology enhancements. The most important asset in any business is a customer’s trust. Secure it with effective, battle-tested solutions from Raxis.

    Follow us on this blog or social media, and we’ll share more ways that hackers can get in — and how we can help you keep them out.

  • Windows 10 Vulnerability Highlights Need for Physical Security Testing

    During our more advanced Red Team penetration testing attacks, Raxis customers are often shocked to discover that we’ve not only been inside their network, but we’ve also been inside their buildings, their server rooms, and even their individual offices. It would take days to explain all the tricks and techniques we use to do that, so let’s focus on the more important question of why we do it.

    The simple answer is that physical access to devices opens up a world of possibilities to an attacker. In fact a recent Forbes article about a Windows 10 security problem offers an excellent example of what can happen when a bad guy gets to spend a few minutes alone with your computer.

    Notice in the article that Bjorn Ruytenberg says that a hacker with the right equipment needs less than five minutes of access to exploit the Windows 10 vulnerability… even if the computer is not on. The attacker only needs physical access to the device. This is an important finding because 95% of the time when Raxis conducts a physical, social-engineering assessment, we succeed in gaining unchallenged physical access to facilities and devices – even when armed guards are employed. Security is often perception, and our techniques commonly bypass guards, electronic devices, and employees. We often find unmanned workstations and usually find ourselves with these devices for far longer than the 5 minutes that Ruytenberg says it takes.

    What’s the takeaway? In the real world, cybersecurity must complement physical security. In other words, patch your Windows but don’t forget to lock your windows as well.