Lex Luthor and The Legion Of Doom/Hackers Present:
Identifying, Attacking, Defeating, and Bypassing
Physical Security and Intrusion Detection Systems
PART I: THE PERIMETER
The reasons for writing this article are twofold:
1) To prevent the detection and/or capture of various phreaks, hackers and
others, who attempt to gain access to: phone company central offices, phone
closets, corporate offices, trash dumpsters, and the like.
2) To create an awareness and prove to various security managers, guards, and
consultants how easy it is to defeat their security systems due to their
lack of planning, ignorance, and just plain stupidity.
In the past, I have written articles on "Attacking, Defeating, and Bypassing"
Computer Security. Now I take those techniques and apply them to Physical
Security. The information contained herein has been obtained from research
on the different devices used in physical security, and in practical "tests"
which I and others have performed on these devices.
INTRODUCTION:
-------------
Physical Security relies on the following ideas to protect a facility:
Deterrence, Prevention, Detection, and Response. Deterrents are used to 'scare'
the intruder out of trying to gain access. Prevention tries to stop the
intruder from gaining access. Detection 'sees' the intruder while attempting to
gain access. Response tries to stop and/or prevent as much damage or access to
a facility as possible after detection. There are 3 security levels used in
this article and in industry to designate a facility's need. They are: Low,
Medium, and High. The amount, and types of security devices used by a facility
are directly proportional to the level of security the facility 'thinks' it
needs. When I use 'facility' I am referring to the people in charge of
security, and the actual building and assets they are trying to protect. This
article will be primarily concerned with the protection of the perimeter. I
have 2 other articles planned in this series. The second is the security
concerning the exterior of a facility: cipher locks, window breakage detectors,
magnetic contact switches, etc. The third part will deal with security systems
inside a facility: Passive Infra-Red detectors, ultrasonic detectors, interior
microwave systems, and the various card access control systems.
THE PERIMETER:
--------------
A facility's first line of defense against intrusion is its perimeter. The
perimeter may have any or all of the following:
* A single fence
* An interior fence coupled with an exterior fence
* Regular barbed wire
* Rolled barbed wire
* Various fence mounted noise or vibration sensors
* Security lighting and CCTV
* Buried seismic sensors and different photoelectric and microwave systems
Fences:
-------
Fences are commonly used to protect the perimeter. The most common fence in use
today is the cyclone fence, better known as the chain link fence. Fences are
used as a deterrent and to prevent passage through the perimeter. Common ways
of defeating fences are by cutting, climbing, and lifting. Cutting is not
usually recommended for surreptitious entry, since it is easily noticeable. In
this article, we will be taking the 'Stealth' approach. Climbing is most
commonly done, but if the fence is in plain view, it may not be advisable since
you can be seen easily. The higher the fence, the longer it takes to climb. The
longer it takes to climb, the longer security has to detect and respond to your
actions. Lifting is better since you are closer to the ground, and not as
easily spotted, but the fence must be very flexible, or the sand very soft so
you can get under the fence quickly and easily. Whenever you see a somewhat
'unclimbable' fence (or one that you just don't want to climb) you should check
the perimeter for large trees with uncut branches hanging over the fence or
other objects which will enable you to bypass the fence without ever touching
it. You could use a ladder but you don't want to leave anything behind,
especially with your fingerprints on it, not that you plan on doing anything
illegal of course.
Electric fences are not used for security purposes as much as they were in the
past. Today, their main use is to keep cattle or other animals away from the
perimeter (either from the inside or outside). There are devices which send
a low voltage current through a fence and can detect a drop in the voltage when
someone grabs onto the fence. Again, not too common so I will not go into it.
For high security installations, there may be 2 fences. An outer fence, and an
inner fence which are 5-10 yards apart. It isn't often that you see this type
of setup; it is mainly used by government agencies and the military. You can
be very sure that there are various intrusion detection devices mounted on the
fence, buried underground between them, and/or line-of-sight microwave or
photoelectric devices used. These will be mentioned later. If you insist on
penetrating the perimeter, then you should try to measure how far it is between
fences. Now find a 2 foot by X foot board where X is the distance between the 2
fences. Very slowly place the board on top of both fences. If there are no
fence vibration sensors you can just climb the fence and step onto the board to
walk across the top. If there are fence sensors, you will need a ladder which
cannot touch the fence to get you on top of the board. You can then walk on the
board, over the ground in between, and jump down, being careful not to disturb
the fences. This will work if there are no sensors after the 2 fences.
Identifying sensors will be mentioned later. Obviously the method of using a long
board to put on top of the two fences will not work if the fences are spaced
too far apart. Also, you and the board can be seen very easily.
Barbed Wire:
------------
There are two common types of barbed wire in use today. The more common and
less secure is the type that is strung horizontally across the fence with three
or more rows. The 'barbs' are spaced about 6" apart, enough for you to put your
hand in between while climbing over. Also, it is thin enough to be cut very
easily. If you think you will need to leave in a hurry or plan on problem free
surreptitious entry and the only way out will be to climb over the fence again
you can cut the wire from one post to another, assuming the wire is tied or
soldered to each post, and replace it with a plastic wire which looks like the
wire you just cut. Tie it to each post, and come back anytime after that. You
can then climb over it without being cut. The other type of wire, which is more
secure or harmful, depending on how you look at it, is a rolled, circular wire
commonly called Razor Ribbon. One manufacturer of this is the American Fence
Co. which calls it 'the mean stuff'. And it is. The barbs are as sharp as
razors. Of course this can be cut, but you will need very long bolt cutters and
once you cut it, jump as far back as you can to avoid the wire from springing
into your face. As mentioned earlier, cutting is irreparable, and obvious. If
the wire is loosely looped, there may be sufficient room in between to get
through without getting stitches and losing lots of blood. If the wire is more
tightly looped you may be able to cover the wire with some tough material
such as a leather sheet so you can climb over without getting hurt. This method
is not easy to accomplish however. You may want to see if you can get under the
fence or jump over rather than climb it.
Fence mounted noise or vibration sensors:
-----------------------------------------
Let's assume you have found a way to get past the fence. Of course you have not
tried this yet, since you should always plan before you act. OK, you have
planned how you would theoretically get over or past the fence. You are now
past the deterrent and prevention stages. Before you put the plan into action
you had better check for the things mentioned earlier. If a fence is the first
step in security defense, then fence mounted sensors are the second step.
The types of detection equipment that can be mounted on the fence are:
Fence shock sensors: These mount on fence posts at intervals of 10 to 20 feet,
or on every post. They are small boxes clamped about 2/3 up from ground level.
There is a cable, either twisted pair or coax running horizontally across the
fence connecting these boxes. The cable can be concealed in conduits or inside
the fence itself, thus, making it hard to visually detect. Each fence sensor
consists of a seismic shock sensor that detects climbing over, lifting up or
cutting through the fence. So if the fence is climbable, it would not be wise
to do so since you may be detected. Of course it doesn't matter if you're
detected if there is no security force to respond and deter you.
Another type is called the E-Flex cable. It's simply a coax cable running
horizontally across the fence. This cable can not only be used on chain link
fences, but can also be used on concrete block, brick, or other solid barriers.
It may be on the outside, or mounted inside the fence, thus, making detection
of the device harder. Of course, the fact that this and other similar devices
cannot be seen doesn't make detecting them impossible. A way to detect this is by
simply repeatedly hitting the wall with a blunt object or by throwing rocks at
it. If nothing out of the ordinary happens, then you can be reasonably sure it
is not in place. This is basically a vibration sensor.
Low frequency microphones: This is essentially a coax cable that responds to
noise transmitted within the fence itself.
Vibration sensors: These are based on mercury switches, a ring or ball on a
pin, or a ball on a rail. Movement of the fence disturbs the switches and
signals alarms. A hint that this is in use is that it can only be used on a
securely constructed and tightly mounted fence, with no play or movement in it.
Otherwise, they will be getting false alarms like crazy.
OK, you know all about these types, how the hell do you get around it? Well,
don't touch the fence. But if there is no alternative, and you must climb it,
then climb the fence where it makes a 90 degree turn (the corner) or at the
gate. Climb it very slowly and carefully, and you should be able to get over
without being detected by these sensors! Make sure you climb on the largest
pipe and don't fall.
Security lighting and CCTV:
---------------------------
Sometimes, fences may be backed up by Closed Circuit TV (CCTV) systems to make
visual monitoring of the perimeter easier and quicker. By installing an
adequate lighting system and conventional CCTV cameras, or by using special
low light sensitive cameras, the perimeter can be monitored from a central
point. Security personnel can then be dispatched when an intruder is detected
on the monitors.
Some systems are stationary, and others can be moved to view different areas of
the perimeter from within the central station. It would be in your best
interest to determine if the camera is stationary or not. If so, you may be
able to plan a path which will be out of the view range of the camera. If it is
movable, you will have to take your chances.
Light control sensor: This utilizes a Passive InfraRed (PIR) sensor to detect
the body heat emitted from someone entering the detection area, and can
activate a light or other alarm. PIR's will be discussed in Part II of this
series. The sensor has an option called: 'night only mode' in which a light
will flash when a person enters the area, but only during night hours. It can
tell if it's dark by either a photoelectric sensor, or by a clock. Of course if
it's daylight savings time, the clock may not be totally accurate, which can be
used to your advantage. If it is photoelectric, you can simply place a
flashlight pointing directly into the sensor during daylight hours. When it
gets dark, the photoelectric sensor will still 'think' it's day since there is
sufficient light, thus, not activating the unit to detect alarm conditions.
This should enable you to move within the area at will.
Buried Seismic Sensors:
-----------------------
Seismic detectors are designed to identify an intruder by picking up the sound
of your footsteps or other noises related to passing through the protected
area. These sensors have a range of about 20 feet and are buried underground
and linked by a cable, which carries their signals to a processor. There, the
signals are amplified and equalized to eliminate frequencies that are unrelated
to intruder motion. The signals are converted to pulses that are compared with
a standard signal threshold. Each pulse that crosses this threshold is tested
on count and frequency. If it meets all the criteria for a footstep, an alarm
is triggered. These sensors can even be installed under asphalt or concrete by
cutting a trench through the hard surface. It is also immune to weather and can
follow any type of terrain. The only restriction is that the area of detection
must be free of any type of obstruction such as a tree or a bush.
Electronic field sensor:
------------------------
These detect an intruder by measuring a change in an electric field. The field
sensors use a set of two cables, one with holes cut into the cable shielding to
allow the electromagnetic field to 'leak' into the surrounding area. The other
cable is a receiver to detect the field and any changes in it. Objects passing
through the field distort it, triggering an alarm. This sensor can either be
buried or free standing, and can follow any type of terrain. But it's very
sensitive to animals, birds, or wind blown debris, thus, if it is very windy
out, and you know this is being used, you can get some paper and throw it so
the wind takes it and sets off the alarm repeatedly. If it is done enough, they
may temporarily turn it off, or ignore it due to excessive false alarms.
It is not hard to tell if these devices are in use. You cannot see them, but
you don't have to. Simply get 3-4 medium sized stones. Throw them into the
place where you think the protected area is. Repeat this several times. This
works on the lesser advanced systems that have trouble distinguishing this type
of seismic activity from human walking/running. If nothing happens, you can be
reasonably sure this is not in use. Now that you can detect it, how do you
defeat it? Well as far as the electronic field sensor is concerned, you should
wait for a windy night and cause excessive false alarms and hope they will turn
it off. As far as the seismic sensors, you can take it one step at a time, very
softly, maybe one step every 30-60 seconds. These sensors have a threshold,
say, two or more consecutive footsteps in a 30 second time interval will
trigger the alarm. Simply take in one step at a time, slowly, and wait, then
take another step, wait, until you reach your destination. These detectors work
on the assumption that the intruder has no knowledge of the device, and will
walk/run across the protected area normally, thus, causing considerable seismic
vibrations. The problem with this method is that it will take you some time to
pass through the protected area. This means there is more of a chance that you
will be seen. If there are a lot of people going in and out of the facility,
you may not want to use this method. Another way would be to run across the
protected area, right next to the door, (assuming that is where the response
team will come out) and drop a large cat or a dog there. When they come out,
they will hopefully blame the alarm on the animal. The sensor shouldn't really
pick up a smaller animal, but odds are the security force are contract guards
who wouldn't know the capabilities of the device and the blame would fall on
the animal and not you, assuming there were no cameras watching...
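The pulse test described under Buried Seismic Sensors and the short-window threshold quoted above, written out as processor logic from the operator's side. This is an added example, not code from the article or from any vendor; the amplitude threshold, frequency band and the second, long-window rule (a mitigation for widely spaced pulses) are assumptions, and only the "two footsteps in 30 seconds" figure comes from the text.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Pulse:
    t: float          # seconds since start of capture
    amplitude: float  # normalised 0..1 after amplification/equalisation
    freq_hz: float    # dominant frequency of the pulse


# Assumed tuning values, for illustration only.
AMPLITUDE_THRESHOLD = 0.30
FOOTSTEP_BAND_HZ = (10.0, 80.0)
SHORT_WINDOW_S, SHORT_COUNT = 30.0, 2    # the rule quoted in the article
LONG_WINDOW_S, LONG_COUNT = 600.0, 5     # added long-window rule (assumption)


def is_footstep(p: Pulse) -> bool:
    """Threshold test followed by the frequency test."""
    lo, hi = FOOTSTEP_BAND_HZ
    return p.amplitude >= AMPLITUDE_THRESHOLD and lo <= p.freq_hz <= hi


def evaluate(pulses, long_rule=True):
    """Return [(time, rule)] for every pulse that raises an alarm."""
    recent = deque()          # times of qualifying pulses inside LONG_WINDOW_S
    alarms = []
    for p in sorted(pulses, key=lambda x: x.t):
        if not is_footstep(p):
            continue
        recent.append(p.t)
        while p.t - recent[0] > LONG_WINDOW_S:
            recent.popleft()
        short_hits = sum(1 for t in recent if p.t - t <= SHORT_WINDOW_S)
        if short_hits >= SHORT_COUNT:
            alarms.append((p.t, "short-window"))
        elif long_rule and len(recent) >= LONG_COUNT:
            # Individually quiet pulses that keep arriving across the zone.
            alarms.append((p.t, "long-window"))
    return alarms


# Constructed sample captures (not real sensor data).
WALK = [Pulse(0.0, 0.7, 30.0), Pulse(0.6, 0.7, 30.0), Pulse(1.2, 0.7, 30.0)]
SPACED = [Pulse(45.0 * k, 0.6, 30.0) for k in range(6)]
NOISE = [Pulse(0.0, 0.1, 30.0), Pulse(1.0, 0.9, 300.0)]

if __name__ == "__main__":
    for name, capture in (("walk", WALK), ("spaced", SPACED), ("noise", NOISE)):
        print(name, evaluate(capture, long_rule=False), evaluate(capture))
```

With only the short-window rule the spaced capture produces no alarm; with the long-window rule enabled it alarms on the fifth qualifying pulse.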
Microwave systems:
------------------
In an outdoor microwave system, a beam of microwave energy is sent from a
transmitter to a receiver in a conical pattern. Unlike indoor microwave
detectors, which detect an intruder's movement in the microwave field, the
outdoor system reacts to an intruder's presence by detecting the decrease in
energy in the beam. The beams can protect an area up to 1500 feet long and 40
feet wide. All transmission is line-of-sight and the area between transmitter
and receiver should be kept clear of trees and other objects that can block the
beam. Microwave systems can operate in bad weather, and won't signal an alarm
due to birds or flying debris.
These systems work on the Doppler effect, in which they detect motion that
changes the energy, and sets off an alarm. These devices will usually be placed
inside a fence to avoid false alarms. These devices are very easy to visually
detect. They are posts from 1-2 yards high, about 6 inches by 6 inches and
there are 2 of them, one receiver and one transmitter. In some cases there will
be more, which enables them to protect a larger area.
To defeat this, you can enter the field, very slowly, taking one step at a time
but each step should be like you are in slow motion. It doesn't matter how hard
you hit the ground, since it doesn't detect seismic activity, only how fast
you approach the field. If you take it very slowly you may be able to get past.
Detectors of this type get more and more sensitive as you approach the posts.
Ergo, choose a path which will lead you furthest away from the posts.
Photoelectric systems:
----------------------
These systems rely on an invisible barrier created by beams of infrared light
sent from a light source to a receiver. When the beam is interrupted, the alarm
sounds. The beam can have an effective range of up to 500 feet. Multiple beams
can be used to increase the effectiveness of the system, making it harder for
you to climb over or crawl under the beams. Photoelectric systems can be prone
to false alarms as a result of birds or wind-blown debris passing through the
beam. The problem can be corrected by the installation of a circuit that
requires the beam to be broken for a specified amount of time before an alarm
is sounded. Weather conditions like heavy fog, can also interrupt the beam and
cause an alarm. This can also be corrected by a circuit that reacts to gradual
signal loss. These systems should not face directly into the rising or setting
sun since this also cuts off the signal beam.
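The two corrective circuits described above (a minimum break time, and a reaction to gradual signal loss), sketched as receiver-side logic. This is an added example, not code from the article or any product; the sample rate, levels and timing values are assumptions, as is the choice to report gradual loss as a separate TROUBLE condition so that operators know the beam is degraded.

```python
# Assumed receiver parameters, for illustration only.
SAMPLE_PERIOD_MS = 10     # one received-level sample every 10 ms
CLEAR_LEVEL = 0.8         # at or above this the beam is unobstructed
BREAK_LEVEL = 0.2         # below this the beam counts as interrupted
HOLD_SAMPLES = 5          # beam must stay broken this long (50 ms)
EDGE_SAMPLES = 10         # clear-to-broken within 100 ms is a sharp edge


def process(levels):
    """Return [(time_ms, kind)] with kind 'ALARM' or 'TROUBLE'.

    ALARM:   sharp interruption held for at least HOLD_SAMPLES.
    TROUBLE: signal faded out gradually (fog, dirty lens, misalignment).
    """
    events = []
    last_clear = None      # index of the last sample at CLEAR_LEVEL or above
    broken_since = None    # index where the current interruption began
    reported = False
    for i, level in enumerate(levels):
        if level >= CLEAR_LEVEL:
            last_clear = i
        if level < BREAK_LEVEL:
            if broken_since is None:
                broken_since, reported = i, False
            held = i - broken_since + 1
            if not reported and held >= HOLD_SAMPLES:
                sharp = (last_clear is not None
                         and broken_since - last_clear <= EDGE_SAMPLES)
                kind = "ALARM" if sharp else "TROUBLE"
                events.append((broken_since * SAMPLE_PERIOD_MS, kind))
                reported = True
        else:
            broken_since = None   # beam restored; shorter breaks are dropped
    return events


# Constructed sample traces (not real receiver data).
DEBRIS = [1.0] * 20 + [0.0] * 3 + [1.0] * 20      # 30 ms interruption
CROSSING = [1.0] * 20 + [0.0] * 40 + [1.0] * 20   # 400 ms interruption
FOG = [1.0 - k / 200 for k in range(201)]         # slow fade over 2 s

if __name__ == "__main__":
    for name, trace in (("debris", DEBRIS), ("crossing", CROSSING), ("fog", FOG)):
        print(name, process(trace))
```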
As you can see this system has many problems which you can take advantage of to
bypass this system. As with any system and method, surveillance of the facility
should be accomplished in various weather conditions to help verify the
existence of a particular detection device, and to see how they react to false
alarms. Many times, you will be able to take advantage of various conditions
to accomplish your mission. If there is only one set of devices (transmitter
and receiver), try to estimate the distance of the sensors from the ground. You
can then either crawl under or jump over the beam. This also works on the
assumption that the intruder will not recognize that the device is in use.
MISCELLANEOUS:
--------------
Guards: There are two types, in-house or company paid guards and contract
guards. Contract guards are less secure since they do not work for the facility
and if they make a mistake they simply get transferred to another facility, no
big deal. In-house guards know the facility better and have more to lose, thus,
they are probably more security conscious. Be aware of any paths around the
perimeter in which guards can/will walk/ride to visually inspect the exterior
of the facility.
Central monitoring: Monitoring of the devices mentioned in this article is
usually accomplished at a 'Central Station' within the facility. Usually,
guards *SHOULD* be monitoring these. If you have planned well enough, you may
find that the guard leaves his/her post to do various things at the same time
every night. This would be an ideal time to do anything that may be seen by
cameras. Unfortunately, there will probably be more than one guard making this
nearly impossible.
Gates: Probably the easiest way to pass through the perimeter is to go through
the gate. Whether in a car, or by walking. This may not be too easy if it is
guarded, or if there is a card reading device used for entry.
Exterior card readers: An in-depth look at the types of cards used will be in
part 3 of this series. But for now, if the card used is magnetic (not Wiegand)
it is quite possible to attack this. If you have an ATM card, Visa, or other
magnetic card, slide the card thru, jiggle & wiggle it, etc. and quite possibly
the gate will open. Reasons for this are that since it is outside, the reader
is subjected to extreme weather conditions day in and day out, thus, the
detecting heads may not be in the best of shape, or since it is outside it may
be a cheap reader. In either case, it may not work as well as it should and
can make 'mistakes' to allow you access.
Combinations: The devices listed in this article do not have to be used alone.
They can and are used in conjunction with each other for greater security.
Diversions: In some cases, a diversion could better ensure your passage through
the perimeter. Keep this in mind.
Extreme weather conditions: All devices have an effective operating range of
temperatures. On the low end of the scale, most devices will not operate if it
is -30 degrees Fahrenheit or lower. Though, quite a few will not operate
effectively under the following temperatures: -13 f, -4 f, +10 f, +32 f. On
the other side of the scale, they will not operate in excess of: +120 f, +130 f
and +150 f. It is unlikely that the outside temperature will be above 120
degrees, but in many places, it may be below freezing. Take this into
consideration if a facility has these devices, and you cannot bypass them any
other way.
I could not have possibly mentioned everything used in perimeter protection in
this article. I have tried to inform you of the more common devices used. Some
things were intentionally left out, some were not. I welcome any corrections,
suggestions, and methods, for this article and the future articles planned. I
can be contacted on a few boards or through the LOD/H TJ Staff Account.
CONCLUSION:
-----------
This article primarily dealt with the identification of various 'tools' used in
physical security for the deterrence, prevention, detection, and response to an
intruder. There also were some methods which have been used to attack, defeat,
and bypass these 'tools'. None of the methods mentioned in this article work
100% of the time in all circumstances, but ALL have worked, some were under
controlled circumstances, some were not. But all have worked. Some methods are
somewhat crude, but they get the job done. Some methods were intentionally left
out for obvious reasons. Even though this article was written in a tutorial
fashion, in no way am I advising you to go out and break the law. I am merely
showing you how to identify devices that you may not have known were in place
to keep you from making a stupid mistake and getting caught. The Establishment
doesn't always play fair, so why should we?
ACKNOWLEDGEMENTS:
-----------------
Gary Seven (LOH)