DC416 Physical Security Workshop with Physical Security Village
Join us for a 2-day workshop to advance your physical security knowledge and skills led by the DEF CON Physical Security Village Team!
When and where
Location
EY Tower 100 Adelaide Street West 31st Floor Toronto, ON M6J 2L3 Canada
About this event
DC416 is excited to bring to you a two-day Physical Security workshop with hands-on and theoretical components, facilitated by the DEF CON Physical Security Village team and hosted at the EY Tower at Bay/Adelaide!
This workshop is sponsored by EY and Toronto-based GGR Security!
Individuals of all skill levels are encouraged to attend. Those working in cybersecurity, IT and facilities management will get the most value out of this workshop.
Lunch and refreshments will be provided.
Student Scholarship
DC416 is committed to providing students with interest in the cybersecurity and technology field with opportunities to learn and network at our events.
We welcome students who meet the requirements below to apply and be considered for a free ticket (~$75 value) using this form: https://forms.gle/okFSrpTF4PScpmaj7 (Note: You will need to authenticate with a Google account to complete the form).
Requirements:
1. Must provide a copy of verifiable proof of full-time academic status at an accredited college or university.
2. Must be able to provide a copy of a valid and current college or university ID card.
Please Note:
Failure to follow instructions will result in disqualification. Students will need to provide a valid college/university ID and verifiable full-time academic status at this time.
All submissions must be received by Friday, January 13 at 6PM. All accepted applicants will be notified via email by Monday, January 16.
Bio on Workshop Instructors
This workshop is run by a team of physical security experts from GGR Security, a Toronto-based physical security and pen testing firm, with extensive experience performing physical red team engagements and vulnerability assessments, site security design and guard management. The team also does a lot of security education and outreach: most notably, running the Physical Village at conferences around the world. They come from a wide range of backgrounds including cybersecurity, telecom, management consulting, financial crime fighting, military, engineering and law enforcement.
Background on Physical Security Village
The Physical Security Village brings physical security knowledge into traditionally cyber hacker communities, most visibly at DEF CON each year. Village attendees can try their hand at door hardware bypass techniques, disabling alarm systems and cameras, and applying a hacker mindset to secured physical spaces. Come learn advanced methods for physical red-teaming in today's world - or just learn the ropes (and we mean that literally, too)!
Who is this workshop for?
This workshop is geared towards anyone who works in, or is interested in, hacking or security in general; it will assume comfort with basic infosec concepts and will work from the ground up on physical security. We will be covering a large amount of content in a fast-paced, hands-on manner: come prepared to learn!
Workshop Details
This 2-day intensive workshop focuses on all the ways that security affects the physical world, and in particular protection of facilities. Through a hacker’s mindset, it looks at not only traditional physical security hacking like lock picking, lock bypass, social engineering and alarms, but also at real-life threat models such as forcible entry, and advanced blue-team concepts to keep facilities secure. There will be countless hands-on activities and exercises at the workshop that you can try your hand at to truly gain a feel for how these attacks are carried out.
You will receive your own lock pick set and shove it tool for loiding latches from this workshop.
What should I bring? What can I keep?
Laptops or tablets are recommended for a few activities which will be conducted online; however, they are not required, and these activities can be conducted on a smartphone or in conjunction with other attendees.
Note that long-range RFID readers will be used in this workshop - participants are recommended to leave their work badges at home, or to keep them in an RF shielded container.
You will receive your own lock pick set, practise locks and shove it tool for bypassing latches from this workshop!
What can I expect at this event?
This event will be a mixture of presentations on each topic, interleaved with activities in which participants will be able to try their hand at each new skill. In addition, the following hands-on stations will be open throughout the event:
- Lock Picking
- Lock Picking with Lishi Picks
- Forcible Entry
- Lock Bypass - Lever Handle
- Lock Bypass - Doorknob
- Lock Bypass - Crashbar
- Lock Bypass - Deadbolt
- Lock Bypass - Double Doors / Surface Bolt
- Lock Bypass - Maglock
- Building Entry Intercom Hacking
- Reconnaissance of Surrounding Area
- Elevator Hacking
- Re-wiring Alarm Wires
- Lock Decoding and Key Creation
- Master Key System Hacking
- RFID Cloning
- RFID Long Distance Reading
Concurrent to learning each skill, this workshop is designed to teach a pragmatic security mindset that participants can apply to real-world problems at their homes and workplaces. This is done by building up from purely skill-oriented sessions, such as lockpicking, to full-scale security integration considering the real-world threats and how the building, occupants and security staff work in conjunction to defend against them.
DAY 1
8:00-8:30 Arrival, Coffee & Refreshments
8:30-8:45 Opening remarks
Part I - Facility Hardening
8:45-9:10 Lock Bypass. There are loads of ways to get through a door without actually attacking the lock itself, including using the egress hardware, access control hardware, and countless other techniques to gain entry. Try these out for yourself on a wide range of practise doors we’ll bring in to the workshop!
9:10-9:25 Elevator Security & Hacking. Elevator floor lockouts are often used as an additional, or the only, layer of security. This module will focus on how to hack elevators for the purpose of getting to locked out floors – including using special operating modes, tricking the controller into taking you there, and hoistway entry.
9:25-9:45 Forcible Entry. Learn about the common methods of forcible entry employed by emergency services, locksmiths and criminals, and how to harden building perimeters against these techniques. Then try your hand at them on our specially-built forcible entry practise door that allows you to snap wood simulating the jamb and supports to get a feeling for the techniques and difficulty of forcing different types of doors open.
9:45-10:15 Bio break, hands-on activities for lock bypass, forcible entry, elevator hacking
10:15-11:15 Lockpicking. Learn the basic techniques for picking common pin and wafer locks, using both standard lockpick tools, as well as trying out the industry-disrupting Lishi picks. You will get two clear practise locks to keep (a padlock and euro-cylinder), which illustrate what is happening on the inside; using the Lishi tools will give you an unparalleled insight into the feel and sound feedback from single-pin picking.
Part II - Intrusion Detection & Response
11:15-11:45 Alarms and Intrusion Detection. As you will learn in Part I, any unmonitored facility can eventually be breached by a determined enough attacker. Now learn about the options to monitor a site, and detect intruders; different types of sensors, and the communication protocols used to relay those signals. Then examine common pitfalls in these technologies, and how to hack poorly designed systems to evade detection. This section will focus on the most common systems in use in North American residential and commercial settings - magnetic contact sensors, passive infrared detection, and EOLR supervision of the communications line. Finally, try your hand at defeating these technologies.
11:45-12:15 Hands-on time for alarm defeat and everything else so far
12:15-1:00 Lunch; more hands-on time
1:00-1:20 Surveillance Cameras - Layout and Exploits. Learn about common layouts for surveillance cameras, pitfalls in their placement, and what red teams can do to prevent any useful information from being collected on their activities.
1:20-1:35 Red Team Tactics against Security Guards & Police Response. There is much more to defeating security guards than social engineering – learn about avoiding detection, avoiding intervention, making them work for you, and various physical and legal limitations of guards that make hacking them easier for a red team.
1:35-1:50 Designing Effective Guard Rounds, Protocols & Training. Managing a guard force effectively is a very challenging task, particularly against the Red Team techniques above. Learn how to design effective guard rounds and schedules, and how to train guards to monitor and respond to alarms, and make effective contact with potential intruders.
1:50-2:05 Intrusion Timing - Detection & Response. By now, your security mindset will have matured enough to understand that all of the hardening of walls, doors and locks we did in Part I does not keep determined intruders out - it merely delays them. Now, we’ll learn how to calculate and combine these delays with detection technologies, and response procedures, to not only detect, but stop an intruder before unacceptable damage can be done.
2:05-2:35 Red exercise about everything so far. Take what you’ve learned so far to design a red team attack plan against a well-secured facility. What path will you take? What tools and techniques will you use? How will you handle contingencies and what will you do once you get in?
2:35-2:45 Bio Break
2:45-3:30 Blue exercise: defend a facility. Now, you’ll be tasked with designing an alarm and camera layout, hardening critical doors and walls, and assigning guard behaviors to defend a site against a well-equipped attacker.
Part III - Access Control
3:30-5:00 Social Engineering. Not all of security is about keeping everyone out - some people must be granted access for the site to function! Rather than performing all the technical attacks so far, an intruder could instead convince someone that he is one of those people. Learn common pretexts for social engineering, the psychology behind why they work and how you can defend against them.
DAY 2
8:00-8:30 Arrival, Coffee & Refreshments
8:30-8:45 Access Control Fundamentals. Keeping everyone out of a space is difficult on its own, but letting only some people in is even more difficult. Learn about systems used to control who can access spaces when, common vulnerabilities of those systems, and how to defend against them.
8:45-9:05 RFID Systems Security + Exploits. Contactless electronic access control systems are all around us, and they can seem like magic at first glance. Ever wondered how you can present a plastic card to a door and have it pop open? How you can pay at a store, without even touching the payment terminal? Learn the basics of RFID contactless systems, what can go wrong in their implementations, and how to make sure your systems are as secure as they can be.
9:05-9:25 Key Control and Keying Systems Design and Exploitation. Due to cost and reliability, old school mechanical keys for access control are here to stay. Learn about how master keying works, how to derive a master key from low-level keys, or from nothing at all, and how to get the key to a lock from photographs and other covert methods. Then learn how to design a master key system to resist these attacks and support the needs of different sites.
9:25-9:35 Keying systems hacking (Red) exercises
Part IV - Security in Context
9:35-9:45 Integrating Security into the Operations Within a Facility. A facility’s purpose is not to keep intruders out; it’s not even to let authorised users in! It is to enable useful work by those users within the space, and to advance the goals of the facility’s operator. This impacts almost all security decisions, and imposes constraints on the defenders - cost, staff morale, logistics, operational efficiency, liability, and laws such as the Building Code all limit how we can defend a site.
9:45-10:15 Blue exercise: Industrial Security Layout. Lay out an electronic access control system and design a keying system, and locate critical assets to support both security and the operation we’re securing.
10:15-10:45 Bio Break + Hands-on for RFID hacking + Hands-on for all other activities
10:45-11:00 Threat Modeling & Risk Assessment. This module is designed specifically for the cybersecurity professionals in the audience - although it is accessible to everyone. Cyberspace and the physical world have vastly different threat actors using different skillsets and tools - and applying a cyber mindset to physical security will result in unnecessary cost and degraded security. All of the Red Team tactics learned so far will help frame how we assess and plan for threats.
11:00-11:20 OSINT of Physical Sites. Open source intelligence may sound like something you’ve never done, but even something as simple as finding your old friends on social media overlaps with skills required for the job. Learn about what OSINT is, how to start an investigation, and resources used by experts to collect the maximum amount of data on a facility before ever visiting the site.
11:20-11:50 OSINT Exercise
11:50-12:05 Reconnaissance & Penetration Test Planning. Before engaging on a physical red team operation, the team should scout out the site and collect information on its operation, security controls, layout and vulnerabilities. This module will cover intelligence doctrine, useful reconnaissance techniques, and how to apply them to a red team engagement. Upon completion, participants will be able to look at the outside of most buildings, and know where they’re going once inside despite never having set foot in them before!
12:05-12:15 Reconnaissance Exercise
12:15-1:00 Lunch, Hands-on Time
1:00-1:10 Crime Prevention Through Environmental Design. CPTED is an overly used buzzword, but its principles are well founded, initially coined after interviews with dozens of burglars to find out how they got in, and what factors influenced their decision to attack one site over another. Learn how inexpensive upgrades and changes can prevent your site from being targeted in the first place.
1:10-1:40 Blue exercise: Site Visit, applying CPTED principles while hardening a facility.
1:40-2:00 Residential Security. You may not be in charge of security at any highly-secured top-secret facilities with a sophisticated nation-state backed threat horizon (or maybe you are?)… but you are in charge of security at your own home. Learn how all of the exploits discussed over the weekend apply in a residential setting (for both detached homes and multi-tenant buildings), and what the typical home invasion threat model is: so you can walk away from the weekend and start putting your new knowledge to use! We’ll also touch on vehicle security at home - common tactics of car thieves and simple procedures you can follow to make sure it doesn't happen to you.
2:00-2:15 Utilities Security. We rely on power, phone, internet, water, gas, transport, and a host of other utilities to keep our lives chugging both at work and at home. What can a malicious actor do to disrupt these, and how can they be defended?
2:15-2:55 Red/Blue exercise: Home Security. Think like a typical home invader for an example property, then apply principles you’ve learned to secure that property.
2:55-3:00 Bio Break
3:00-4:00 Red/Blue Capstone exercise. Put it all together to design an attack plan, and then secure the site against that plan. Iterate on site security until no viable attack path exists that could be reasonably executed by our threats. The most advanced participants will start to think outside the box in defending against threats we have not covered this weekend, such as blast, vehicle and CBRN attacks.
4:00-4:30 Hands-on time
4:30-5:00 Closing remarks, Networking
Registration Info
Registration will take place between 8:00am and 8:45am in the EY Tower lobby of 100 Adelaide St. on Jan 21st. Note: Late arrivals after 9:00AM will not be admitted to the event.
How do I get to the workshop?
EY Tower is located at 100 Adelaide St W. in between Bay and York and the workshop will be held on the 31st floor. Please note that you will need an EY staff member to escort you up the elevator from the ground floor.
1. Public Transit Options
- Walk 5 minutes from St. Andrew Subway Station
- Walk 10 minutes from Union Station
2. Parking Options
- First Canadian Place/Exchange Tower – 118 York St
- Richmond Adelaide Centre – 130 Adelaide St W.
- Bell Trinity Square – 483 Bay Street