Key lesson

Berni sent us the following story from Steyr in Upper Austria. On a visit to the University of Applied Sciences she found a locked room on one of the floors that was nevertheless accessible: somebody had left the key in the door.

[Image: FH_Steyr_01.JPG]

Now, the question is: how much is access to this room worth?

[Image: FH_Steyr_02.JPG]

First of all, you can steal paper, but that shouldn't cause too much damage to the company. Secondly, an intruder could wait for important documents to be printed out. As this room is locked during the day, it could be an interesting place for gathering information. Another source of information is the key itself. Even if an attacker can't get much value out of the information in the room, she could try to copy the key or just take notes of its cuts. This can enable the attacker to duplicate it or to use it in combination with some other keys to reconstruct the master key of the university's locks.

So the key lesson of this story: never leave your keys unattended - and never leave them in the door. :) Thanks to Berni for sending in this story and the pictures.

Update (7/2/2010): Churchy pointed out another security issue that wasn't mentioned in the blog posting above. An attacker could use the printer's network cable to get access to the network. This is especially interesting in situations where an attacker otherwise only has access to a secured WLAN that is separated from the internal LAN.

Security in Hostels

As we've already seen, there's very little security in hostels. Another example comes from Norb, who discovered the following situations in a hostel in South Korea.

A system that might look pretty secure for a hostel, at first, ...

[Image: Hostel_Korea_01.JPG]

... is pretty useless if all authentication credentials are posted on a sheet nearby.

[Image: Hostel_Korea_02.JPG]

But it seems that the owners of the hostel are not aware of possible threats ... 

[Image: Hostel_Korea_03.JPG]

... or they are just very trusting of everybody around. :)

[Image: Hostel_Korea_04.JPG]

During my trip through Australia I discovered various security and access control systems in hostels all over the country. Unfortunately, most of them are not very secure and, as proof, I'd like to show you some of the access codes of my last hostel.

[Image: Hostel_AccessCode.JPG]

These access codes were taken from the doors of rooms "40" and "35", where I slept. "CX90" and "CI15" are the IDs of the floors the rooms are located on, whereas the last part is set to the last room on the floor, "48" or "38". Some of my friends slept in room 32 and got the room code "C15Z32".

As you can see, the codes are not very hard to guess and offer no security for the backpackers sleeping there. As there were no lockers available, you could only hope everybody was friendly enough not to steal anything while you were out for a few drinks.

Therefore, if you have access codes in place, they should never be guessable and, of course, they should be changed from time to time, so that your company still remains secure in case somebody publishes the codes or gets access to them.

Would you trust this ATM?

Looks good from the front...

[Image: ATM_01.JPG]

... but would you use it after you've seen that it's unprotected from the back?

[Image: ATM_02.JPG]

I haven't thought too much about ATM security before, but it doesn't look very trustworthy, does it?

Trustful Austria

Thanks to Berni, who sent us the following pictures from the Beach Volleyball Grand Slam in Klagenfurt. Impressively, these pictures were taken in two consecutive years - 2007 and 2008 - and nothing has changed.

Have you already spotted the issue in this picture?

[Image: Grand_slam_1_2007.JPG]

It's really impressive that you can still leave the keys in your bike in Austria, but I wouldn't recommend it. :)

[Image: Grand_slam_2_2007.JPG]

One year later, at nearly the same spot, at the same time, at the same event - people haven't learned anything. 

[Image: Grand_slam_3_2008.JPG]

As long as nothing happens, all seems to be fine, but don't be surprised when someone steals your bike.

Configured to leak data

The Stellenwerk newsletter of the University of Hamburg was leaking data about some of its users. Because of a configuration error, the mailing list relayed replies to its e-mails to all subscribed users. Unsubscribe messages and advertisements were spread over the mailing list during this period. The responsible persons apologised for the inconvenience caused and have already fixed the problem.
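To make the configuration error concrete, here is an added example (not the newsletter's own software or settings, which the post does not name) of the one policy decision a list manager makes per inbound message: relay it to every subscriber or hand it to the list owner. The "discussion" mode reproduces the failure described above; the "announce" mode is the correct setting for a newsletter. All addresses and messages are constructed.

```python
from email.message import EmailMessage
from email.utils import parseaddr

# Assumed addresses; the post does not name the real ones.
LIST_ADDRESS = "newsletter@example.org"       # address the newsletter is sent from
CONTACT_ADDRESS = "editor@example.org"        # where replies and unsubscribe requests belong
AUTHORISED_SENDERS = {"editor@example.org"}   # the only accounts allowed to post to subscribers


def make_message(sender, subject, body, to=LIST_ADDRESS):
    """Build a constructed test message; no real mail is involved."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = to
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def prepare_outgoing(msg, reply_to=CONTACT_ADDRESS):
    """Set headers on an announcement so a plain 'Reply' reaches the editor, not the list address."""
    del msg["Reply-To"]            # no error if the header is absent
    msg["Reply-To"] = reply_to
    msg["Precedence"] = "bulk"
    msg["List-Post"] = "NO"        # RFC 2369 marker for a list that does not accept posts
    return msg


def relay_decision(msg, mode="announce"):
    """Return 'relay' (deliver to all subscribers) or 'owner' (forward to the list owner only).

    'announce' relays only authorised senders. 'discussion' relays everything that reaches
    the list address, which is the behaviour the newsletter showed: every reply, including
    unsubscribe requests and advertisements, went out to all subscribers.
    """
    if mode == "discussion":
        return "relay"
    sender = parseaddr(msg.get("From", ""))[1].lower()
    return "relay" if sender in AUTHORISED_SENDERS else "owner"


def process_inbox(messages, mode="announce"):
    """Run the decision over a batch and return the subjects relayed vs. forwarded to the owner."""
    out = {"relay": [], "owner": []}
    for msg in messages:
        out[relay_decision(msg, mode)].append(str(msg["Subject"]))
    return out


# Constructed traffic: one legitimate announcement and two subscriber replies to it.
SAMPLE_INBOX = [
    make_message("editor@example.org", "New job offers this week", "..."),
    make_message("student@example.net", "Re: New job offers this week", "Please unsubscribe me."),
    make_message("shop@example.com", "Re: New job offers this week", "Buy our course!"),
]

if __name__ == "__main__":
    for mode in ("discussion", "announce"):
        print(mode, process_inbox(SAMPLE_INBOX, mode))
```

Two settings matter on a real list manager: the posting policy (who may send to all subscribers) and the Reply-To handling on outgoing mail. Either one alone would have prevented the leak; the posting policy is the one that also stops a subscriber's reply from being broadcast when the subscriber ignores Reply-To and mails the list address directly.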

The original e-mail (translated from German):

Subject: Apology from Stellenwerk

Dear Sir or Madam,

Yesterday's e-mail to you and other customers had unpleasant consequences due to a system error: some replies were sent not only to us but also to other recipients. They may therefore have ended up in your inbox as well.

We would like to apologise to you for this and can assure you that the error has since been fixed and that it will not happen again.

We are all very sorry about this and hope that you will continue to enjoy using our service.

We ask for your understanding and remain

with kind regards

xxxxx xxxxxxxx
Head of Stellenwerk
_______________________________________


Thanks to Sup for reporting this incident.

Not even Security by Obscurity

Got the link to this image from vmorbit - thanks for your contribution to the project. 

Is this really working? Can't add anything more to this - check it out yourself. 

[Image: epic-fail-wifi-network-fail.jpg]
(c) by Cheezburger Network (Failblog.org) - please contact them if you want to use the image in further documents

Our unattended series goes on, and this time we discovered an unattended workplace at the airport in Munich. At first, I was not really sure what was going on: had the staff really left the place unattended, or was she just around the corner?

[Image: Unattended_WP_Munich_01.JPG]

But indeed, after 5 minutes of waiting, no one had shown up and the blue sign on the desk saying "Be right back." seemed to be there for a reason. I took a second, closer picture of the workplace, noticing that none of the screens were locked and that paper sheets were lying on the desk.

[Image: Unattended_WP_Munich_02.JPG]

Apart from the possibility that an attacker could exploit this situation to try to get access to the systems, it may have been enough for an attacker simply to study all the information presented on the paper sheets and the computer screens.

Therefore, companies should raise awareness of such problems and insist that their employees always lock their computer desktops when leaving the workplace and put away important working papers whenever attackers could gain an advantage by reading them.

Join the network

Best regards to Norb, who sent us pictures from Seoul, South Korea. He lives together with some other students in a student dormitory. One day he made an interesting discovery: a white case in the recreation room of the house.

[Image: LanSwitch_Seoul_00.jpg]

After opening it, he found the LAN switch of the whole floor unprotected and unlocked. Of course, Norb didn't actually connect to the switch, but an attacker could gain access to the whole network, install a sniffer and collect usernames and passwords from all students living in the dormitory.

[Image: LanSwitch_Seoul_01.jpg]

Additionally, there was a surveillance camera installed in the room, which was recording the entrance, but not the area around the central LAN switch. 

[Image: LanSwitch_Seoul_02.jpg]

Unattended Cars - Part 2

The unattended cars series goes into round two. Thanks to Flo, who sent in some pictures he took of an unattended car in Austria. Obviously, the owner doesn't really care about the security of his vehicle. The rear door isn't really closed, allowing attackers easy entry into the car.

[Image: Unattended_Car_Part2_1.jpg]

A careful attacker wouldn't start breaking into the car right away without investigating further, and would thus find out that it isn't locked at all.

[Image: Unattended_Car_Part2_2.jpg]

The obvious problem in this situation is of course the unlocked car or poorly closed door. However, the freely accessible contents of the car can cause a much greater problem. People tend to keep keys in their cars, e.g. to the garage. Sometimes there are USB sticks for the radio that also have data from work stored on them. Or, more simply, an attacker can find old invoices that can be used for social engineering attacks. From a corporate espionage point of view, it's an invitation to install bugging devices to gather information.

I think the main problem here is that just a few minutes of thoughtlessness can have long-term effects on the security of a whole company or household. So, when you leave your car open and unattended, be aware of the possible consequences. And especially to all the private individuals reading this blog: don't be paranoid, just be aware. :)

User ranking

User      Reported Pitfalls
Flo       3
Norb      3
Berni     2
Sup       2
Ali       1
Churchy   1
JG        1
Nuuz      1
Trixi     1
vmorbit   1

Idea behind SecurityPitfalls.org

SecurityPitfalls is an educational, supportive and fun project and depends strongly on the community that drives this project. For further information visit the article What's the basic idea behind SecurityPitfalls.org


Recent Comments

  • philipp: A link to the original blogpost of Schneier would be read more


Send in your photos and stories

SecurityPitfalls.org is a community project where we work together to collect situations where security fails, primarily for educational purposes, as a source for discussions and presentations, and for fun. Send your photos (digital camera or mobile phone), stories or videos to incoming {at} securitypitfalls.org and we will post the experiences you want to share with other people.
