Sunday, August 30, 2009

When the time has come to think about your keypad

Thanks to Norb, who mailed me the link to an interesting entry on Bruce Schneier's blog. With Bruce Schneier's permission, we present his pictures of some keypads.

Can you guess the right combination?

What about this one?


In the first picture the numbers are 1-6-8-9. Of course, someone could try out every combination, but there are combinations that are more likely than others. Perhaps you have guessed them already, the most common ones would be 1986 or 1968, perhaps depending on the age of the admin or the company. :) The second one is easier and the most likely combination is 1234.

There are also some very interesting comments on the blog entry. One user said that on some keypads you don't have to try out all the possible combinations: just press all four numbers at the same time. After pressing a few times within a short interval, the keypad will get confused and will think that the correct combination was given.

Another user states that most of the locks just check the last four numbers. Therefore, by pressing the combination 123412314231243121342132413214321, an attacker would just need to press 33 times instead of 96 (24 possible orderings of the four digits, four presses each).
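The keypad behaviour described in that comment, as an added example (not code from the original post or from Schneier's blog): it counts how many of the 24 orderings the quoted 33-press sequence gets evaluated on a keypad that checks the last four presses, and on one that clears its buffer after each complete entry, optionally with a lockout. The function names, the lockout threshold and the demo secret are assumptions made for illustration.

```python
from itertools import permutations

# Sequence quoted in the post; the worn keys are assumed to be 1, 2, 3 and 4.
PAGE_SEQUENCE = "123412314231243121342132413214321"
WORN_KEYS = "1234"
CODE_LEN = 4


def codes_seen_sliding(presses, code_len=CODE_LEN):
    """Codes evaluated by a keypad that compares the last code_len presses after every key."""
    return {presses[i:i + code_len] for i in range(len(presses) - code_len + 1)}


def codes_seen_framed(presses, code_len=CODE_LEN):
    """Codes evaluated by a keypad that clears its buffer after each complete entry."""
    return {presses[i:i + code_len]
            for i in range(0, len(presses) - code_len + 1, code_len)}


def coverage(seen, keys=WORN_KEYS):
    """Return (candidate codes evaluated, total candidates), each worn key used once."""
    candidates = {"".join(p) for p in permutations(keys)}
    return len(seen & candidates), len(candidates)


def framed_with_lockout(presses, secret, max_wrong=3, code_len=CODE_LEN):
    """Framed keypad that locks after max_wrong bad entries: (opened, presses_accepted)."""
    wrong = 0
    for i in range(0, len(presses) - code_len + 1, code_len):
        if presses[i:i + code_len] == secret:
            return True, i + code_len
        wrong += 1
        if wrong >= max_wrong:
            return False, i + code_len
    return False, len(presses)


if __name__ == "__main__":
    print("sliding window:", coverage(codes_seen_sliding(PAGE_SEQUENCE)))
    print("buffer reset:  ", coverage(codes_seen_framed(PAGE_SEQUENCE)))
    # Constructed secret for the demo; not taken from the post.
    print("with lockout:  ", framed_with_lockout(PAGE_SEQUENCE, "4321"))
```

When assessing a keypad, the property to look for is therefore whether a wrong entry clears the input buffer and counts toward a lockout, not only how many digits the code has.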

Tuesday, August 25, 2009

Solutions must be applied to every situation individually

I got these two pictures from JG - thanks for sending them in - that led to a very interesting discussion regarding security solutions.

This door leads to a beach volleyball court. Most of the time the door is unlocked and open for anyone to play. At the time this picture was taken, the door was locked, but this of course had no effect on whether people played or not. So, what's the intended goal of this door?



If the goal was to stop cars from entering the court, it would fulfill its purpose under normal circumstances. People trying to break the door by driving through with a truck would not consider the door a great obstacle. The fact that one side of the door was open most of the time, but locked on specific dates, raises another interesting question: What was the purpose of locking the door? The door is not high enough to keep people from jumping over it. If the owner just wanted to indicate that he doesn't like anyone to play there, but doesn't care if someone does, then it fulfilled its purpose. If he really wanted to keep people from playing, he either didn't want to spend more money on building higher walls, didn't want to build higher walls because they would look bad, or just didn't think of someone climbing over closed doors. Of course, the intention of locking the door could also have been to have legal grounds to sue people using the court without asking. Or he just didn't think anything of leaving the place locked or unlocked.

As you can see, security must be applied individually to each situation, purpose and financial situation. Therefore, finding appropriate solutions after doing an assessment can only be done in cooperation with the responsible persons, to ensure that the solution really fits the needs and means available.

Wednesday, August 19, 2009

Unattended cars

It seems our unattended category is growing. Thanks to Flo, who sent in some pictures he had taken of a private parking space owned by the company 'Lidl' in Austria. He was driving past this building when he noticed that no one was there to look after the car, the goods inside and the open entry to the building. So he stopped and took some photos for us, showing that having no policy on locking unattended cars can lead to security risks.

In this first picture you can see the parking lot and the opened car and building.
Of course, there is a sign saying something like "Entering this site is prohibited!" ...
... but would an attacker care?
Flo, who took the pictures, didn't enter the area any further than this, but I think the picture makes it clear that an attacker could easily get access to the car, the goods or the building. These are just some ideas to get you thinking. Some might say "There could be people inside and no goods in the car at all - so this is not a risk".

What if the driver of the car or the driver of the forklift left his bunch of keys in the vehicle? Perhaps there are keys not only for the vehicle, but also for some doors to the company? An attacker would just need a few seconds to a few minutes to take good impressions of all the keys and leave unnoticed, to make his own access keys to the company at home.

Thursday, August 13, 2009

High-secure vending machine

I found this one at the train station in Glendalough, Perth, Western Australia. These vending machines are wrapped in some kind of container - I suppose to prevent vandalism. The two video cameras look great in this picture, but I think they are for observing the train station and not especially the vending machines. :)

There might be a few problems with this high-security station. First, it only protects against drunken people, as they just kick or push against the machines. Attackers who first think about possible attack points will go further. For example, there must be some openings for selecting the goods, paying and taking the selected drink. In this case these openings are very generous and you have enough space to get your whole hand or some tools in. You can't see this in this picture, but the machines are placed about 20-30 cm behind the first door, which gives enough room for attacks.

Second, the whole security is built upon the security of the padlock you can see in the middle of the picture. It doesn't look like a high-security padlock. I leave the rest to your imagination.

The third point to mention is that the hinges are accessible to the attacker. This might or might not be a problem, as attacking the hinges will take some time and make some noise, so that security personnel will perhaps notice the attack. I have not tried and will not try out this scenario.

Perhaps you can think of some additional attack points or have another opinion. In that case, don't hesitate to write your opinion as a comment on this article.

Saturday, August 8, 2009

Sometimes the easiest way in is through the front door

Thank you very much to Sup for sharing the experience he had at a chemical company. It's a great example of how companies should NOT design their entrance areas.

Unbelievable, but true: This chemical company has a non-locked entrance door. The anteroom is neither staffed nor camera monitored. There is a plate with the information that this would be the status quo for the next few weeks. Nothing easier than that for visitors - they can issue an identity (visitor) card (!!!) themselves. All that you need is directly placed on the desk (even blank cards to fill in). After that you can try to open the next (main) door by lockpicking (I guess it is not so easy to use the given electronic possibility) or you'll wait until the next friendly person gets out of the main building and holds the door open for you.

BTW: You'll find the telephone numbers of all staff members, ready for the next social engineering attack, right next to the blank ID cards. And, something positive: the telephone could not be used to call numbers outside the company.

Thursday, August 6, 2009

Secure small entry points

The following pictures were shot in Austria. It's all about gaining entry through a small opening. As you can see in the next picture, this is the back side of a police station. These doors are the entry for the police cars of this station.



Unfortunately, you can't see the switch for opening the main gates in this picture. It's a little further to the left, just between the entrance to the police station itself and the door to be opened.
Although the attacker isn't able to get through this hole herself, she would just need to dismount the outer and the inner grid of this opening and pull the switch to open the main gates with the help of a tool such as a stick.
Please also look at small openings when you are doing an assessment or planning the security of a building.

Saturday, August 1, 2009

The presence of a lock doesn't mean that the door is locked

Thanks to Trixi for sending in those pictures. They were taken in Hagenberg about 2 weeks ago. I think it's the entrance to a cellar near the castle in Hagenberg.


I think the message of these photos is pretty clear - the presence of a lock doesn't mean that the door itself is locked.


The question is, what should you do in such situations? The most important point is to take a photo and send it to Securitypitfalls.org as Trixi did. :) Afterwards you could keep it as it is, lock the door or replace the lock with a piece of wood to show the owner the value of his lock and put it on the ground. Choose whatever option you want. :)