Stupidity of guessable Access Codes

During my trip through Australia I've discovered different security and access control systems of hostels all over the country. Unfortunately, most of them are not very secure and as a proof, I'd like to show you some of the access codes of my last hostel.

Actually, these access codes are retrieved from the doors of my rooms "40" and "35" where I have slept in. "CX90" and "CI15" are the id from the floor where the rooms are located, whereas the last part is set to the last room on the floor "48" or "38". Some of my friends have slept in room 32 and got room code "C15Z32". 

As you see, the codes are not very hard to guess and offer no security for the backpackers sleeping in there. As there was no locker available, you just could hope everybody was so friendly not to steal anything while you've been out for a few drinks.

Therefore, if you have access codes in place, they should never be guessable and of course, they should be changed from time to time, so that, in case somebody publishes the codes or gets access to these codes, your company still remains secure.

Would you trust this ATM?

Looks good from the front...

... but would you use it after you've seen that it's unprotected from the back?

I haven't thought too much about ATM security before, but it doesn't look very trustworthy, does it?

Trustful Austria

Thanks to Berni, who sent us the following pictures from the Beachvolleyball Grand Slam in Klagenfurt. Impressingl, these pictures have been taken in 2 subsequent years - 2007 and 2008 - and nothing has ever changed.

Have you already recognised the issue in this picture?

It's really impressive, that you can still leave your keys at your bike in Austria, but I wouldn't recommend that. :)

One year later, at nearly the same spot, at the same time, at the same event - people haven't learned anything. 

As long as nothing happens, all seems to be fine, but don't get upset, when someone steals your bike.

Configured to leak data

The Stellenwerk Newsletter of the University of Hamburg was leaking data from some of their users. Because of a configuration error the mailing list relayed replys to their e-mails to all subscribed users. Unsubscribe messages and advertisement were spread over the mailinglist within this period of time. The responsible persons apologised for the inconvenience caused and already fixed the problem.

The original e-mail in German:

Subject: Entschuldigung vom Stellenwerk

Sehr geehrte Damen und Herren,

unsere gestrige E-Mail an Sie und andere Kunden hatte aufgrund eines Systemfehlers unangenehme Folgen: Einige Antworten wurden nicht nur an uns, sondern an andere Empfänger gesendet. So sind sie eventuell auch in Ihrem Postfach gelandet.

Dafür möchten wir uns bei Ihnen entschuldigen und können Ihnen versichern, dass der Fehler mittlerweile behoben werden konnte und dass es nicht wieder vorkommen wird.

Wir sind alle sehr betroffen und hoffen, dass Sie auch zukünftig unseren Service gerne nutzen.

Wir bitten um Ihr Verständnis und verbleiben  

mit freundlichen Grüßen

xxxxx xxxxxxxx
Leitung Stellenwerk
_______________________________________

Thanks to Sup for reporting this incindent.

Not even Security by Obscurity

Got the link to this image from vmorbit - thanks for your contribution to the project.

Is this really working? Can't add anything more to this - check it out yourself. 

(c) by Cheezburger Network (Failblog.org) - pls contact them, if you want to use the image in further documents

Unattended Working Places - Part 1

Our unattended series goes on and this time we discovered an unattended working place at the airport in Munich. At first, I was not really shure what was going on, should have people really left the place unattended or was she just around the corner?

But, indeed, after 5 minutes of waiting, no one was showing up and the blue sign on the desk saying "Be right back." seemed to be there for a reason. I took a second, closer picture of the working place, noticing that all the screens were not locked and paper sheets were lying on the desk. 

Apart from the possibility that an attacker could exploit this situation to try to get access to the systems, it may have been enough for an attacker to study all the information presented to him by the paper sheets and the computer screens.

Therefore, companies should raise awareness for such problems and insist their employees to always lock the computer desktops when leaving the working place and to hide important working papers when there's the possibility that attackers could get advantage by reading them.

Join the network

Best greets to Norb, who sent us pictures from Seoul, South Korea. He is living together with some other students in a student housing. One day, he made an interesting discovery. He found a white case in the recreation room of this house.

After opening he found the LanSwitch of the whole floor unprotected and unlocked. Of course, Norb didn't actually connect to the switch, but an attacker could gain access to the whole network, install a sniffer and collect usernames and passwords from all students living in the dormitory.

Additionally, there was a surveillance camera installed in the room, which was recording the entrance, but not the area around the central LAN switch. 

Unattended Cars - Part 2

The unattended cars series goes into round two. Thanks to Flo, who has sent in some pictures he had taken from an unattended car in Austria. Obviously, the owner doesn't really care about the security of his transport vehicle. The rear door isn't really closed, allowing attackers easy entry into the car.

A clever attacker wouldn't start opening the car right away, without investigating further, thus finding out that it isn't locked at all.

 

The obvious problem in this situation is of course the unlocked car or poorly closed door. However, a much greater problem can cause the free accessable contents of this car. People tend to have keys in their cars, f.e. to the garage. Sometimes there are USB sticks for the radio that have also data from their work stored on it. Or, more simple, an attacker can find old invoices that he can use for social engineering attacks. From a corporate espionage point of view, it's an invitation to install bugging devices to gather information.

I think, the main problem here is, that just a few minutes of unthoughtfulness can have long-term affects on the security of a whole company or household. So, when you leave your car open and unattended, be aware of the possible outcomes. Especially for all private people, who are reading this blog, don't be paranoid, just be aware. :)

Sometimes the easiest way in is through the front door

Thank you very much to Sup for sharing his experiences he made in a chemical company. It's a very great example of how companies should NOT design their entrance areas.

Unbelievable, but true: This chemical company has a non-locked entrance door. The anteroom is neither staffed nor camera monitored. There is a plate with the information that this would be the status quo for the next few weeks. Nothing easier than that for visitors - they can issue an identity (visitor) card (!!!) themselves. All that you need is directly placed on the desk (even blank cards to fill in). After that you can try to open the next (main) door by lockpicking (I guess it is not so easy to use the given electronic possibility) or you'll wait until the next friendly person gets out of the main building and holds the door open for you.

 

 

BTW: You'll find all telephone numbers of all staff members ready for the next social engineering attack right next to the blank ID-cards. And, something positive, the telephone was not free for numbers outside the company.

Captcha protection at its best

Great thanks to Churchy for submitting this nice programming mistake. Unfortunately, this is not a singular case and the one or the other will find himself trapped into the same sort of problem. But don't bother, Churchy is explaining the pitfalls.

A common way to protect web forums or blog comment areas from unwanted spam without the need of manually checking all new messages before publishing them is to include captchas. Captchas are intended to be readable by humans only, thus preventing automated bots from submitting forms with spam content. However, a mechanism intended to rise the security level can also suffer from flaws that make the mechanism useless. A german news site seen in the first picture lets users post comments and includes a captcha. The first pitfall is obvious.

 

 

The letters and numbers in the captcha can be read easily. They look exactly like typed letters, are perfectly ordered, do not include optical noise, always have the same background, have the same size and are not rotated at all. No OCR software should have any problems in reconstructing the contents of the image. However, the second and probably even worse pitfall lies in the way the images are generated. Have a look at the source code of the site:

 

Who would need to find a way to reconstruct captcha images, if all you need to know is already waiting in the source code, easy to be parsed using regular expressions? Maybe the shown web site is not quite popular and submitted spam can easily be removed again by an admin, but why would you want to include a security measure that does not add any real security value at all? However, as flawed as the shown implementation might be, it may protects against bots that to not target this specific site (and flaws) but just randomly submit forms on any web site they find. Or, as Ted Humphreys would have said: Whether this solution is appropriate depends on the risk you are facing. :-)

When the time has come to think about your keypad

Thanks to Norb, who mailed me the link to an interesting entry on Bruce Schneier's blog. With the permission from ABruce Schneier we will present you his pictures from some keypads.

Can you guess the right combination?

What about this one?

In the first picture the numbers are 1-6-8-9. Of course, someone could try out every combination, but there are combinations that are more likely than others. Perhaps you have guessed them already, the most common ones would be 1986 or 1968, perhaps depending on the age of the admin or the company. :) The second one is easier and the most likely combination is 1234.

There are also some very interesting comments to the blog entry. One user said, that on some keypads you don't have to try out all the possible combinations. Just press all four numbers at the same time. After pressing a few times within a short interval the keypad will get confused and will think that the correct combination was given.

Another user states that most of the locks just check the last four numbers. Therefore, by pressing the combination 123412314231243121342132413214321 an attacker would just need to press 33 times instead of 96.

Solutions must be applied to every situation individually

I got these two pictures from JG - thanks for sending them in - that lead to a very interesting discussion regarding security solutions.

This door is leading to a beach volleyball court. Most of the time the door is unlocked and open for anyone to play. At the time, when this picture was taken, the door was locked, but did of course not have any effect on people playing or not. So, what's the intended goal of this door?

If the goal was to stop cars from entering the court, it would fulfill its purpose under normal circumstances. People trying to break the door by driving through with a truck would not consider the door as a great obstacle. Looking at the issue that one side of the door was open most of the time, but locked at specific dates, raises another interesting question: What was the purpose of locking the door? The door is not high enough to keep people from jumping over it. If the owner just wanted to indicate, that he doesn't like anyone to play there, but doesn't care if someone does - then it fulfilled its purpose. If he really wanted to keep people from playing he either didn't want to spend more money on building higher walls, he didn't want to build higher walls because the would look bad or he just didn't think of someone climbing over closed doors. Of course, the intention of locking the door could have also been to have legal possibilities to sue people using the court without asking. Or, he just didn't think anything when leaving the place locked or unlocked. 

As you can see, security must be applied individually to each situation, purpose and financial situation. Therefore finding appropriate solutions after doing an assessment can only be done in cooperation with the responsible persons to ensue that the solution really fits the needs and means available.

Unattended cars

It seems our unattended category is growing. Thanks to Flo who sent in some pictures he had taken from a private parking space owned by the company 'Lidl' in Austria. He was driving past this building, as he recognized, that no one was here to look after the car, the goods inside and the open entry to the building. So he stopped and took some photos for us, showing that having no policies concerning leaving cars without locking them in place can lead to secrity risks.

In this first picture you can see the parking lot and the opened car and building.

Of course, there is a sign saying something like "Entering this site is prohibited!" ...

... but would an attacker care?

Flo, who took the pictures, didn't enter the area more than this, but I think the picture makes it clear that an attacker could easily get access to the car, the goods or the building. This are just some ideas to get you to think. Some might say "There could be people inside and no goods in the car at all - so this is not a risk".

What if the driver of the car or the driver of the forklift left his buch of keys in the vehicle? Perhaps there are also some keys not only for the vehicle, but for some doors to the company? An attacker would just need a few seconds to a few minutes to grab some good impressions of all keys and leave without any notice to make his own access keys to the company at home. 

High-secure vending machine

I found this one at the train station in Glendalough, Perth, Western Australia. These vending machines are wrapped in some kind of container - i suppose to prevent vandalism. The two video cameras look great in this picture, but I think they are for observing the train station and not especially the vending machines. :)

There might be a few problems with this high security station. First it just protects against acts from drunken people, as they just kick or push against the machines. Attackers who first think about possible attack points will enough to go further. For example - there must be some openings for selecting the goods, paying and taking the selected drink. In this case these openings are very generous and you have enough space to get your whole hand or some tools in. You can't see this in this picture, but the machines are placed about 20-30 cm behind the first door, which gives enough room for attacks. 

Second, the whole security is built upon the security of the padlock you can see in the middle of the picture. It doesn't look like a high-security padlock. I leave the rest to you imagination. 

The third point to mention is that the hinges are accessible for the attacker. This might or might not be a problem. As attacking the hinges will take some time and make some noise, so that security personell will perhaps recognise the attack. I have not and will not try out this scenario.

Perhaps you might come to some additional attack points or have an other opinion. In such a case, don't hestitate to write your opinion as comment to this article.

Sometimes the easiest way in is through the front door

Thank you very much to Sup for sharing his experiences he made in a chemical company. It's a very great example of how companies should NOT design their entrance areas.

Unbelievable, but true: This chemical company has a non-locked entrance door. The anteroom is neither staffed nor camera monitored. There is a plate with the information that this would be the status quo for the next few weeks. Nothing easier than that for visitors - they can issue an identity (visitor) card (!!!) themselves. All that you need is directly placed on the desk (even blank cards to fill in). After that you can try to open the next (main) door by lockpicking (I guess it is not so easy to use the given electronic possibility) or you'll wait until the next friendly person gets out of the main building and holds the door open for you.

BTW: You'll find all telephone numbers of all staff members ready for the next social engineering attack right next to the blank ID-cards. And, something positive, the telephone was not free for numbers outside the company.

Secure small entry points

The following pictures were shot in Austria. It's all about getting entry through a small leakage. As you can see in the next picture this is the back side of a police station. These doors are the entry to the police cars of this station.

Unfortunately, you can't see the switch for opening the main gates in this picture. It's a little more on the left side, just between the entrance to the police station itself and the door to be openend.

Although the attacker isn't able to get through this hole herself, she just would need to dismount the outer and the inner grid of this leakage and pull the switch to open the main gates with the help of some experienced tools like a stick. 

Please, also look at small leakages when you are doing an assessment or planning the security of a building.

The presence of a lock doesn't mean that the door is locked

Thanks to Trixi for sending in those pictures. These are taken in Hagenberg for about 2 weeks ago. I think it's the entrance to a cellar near the castle in Hagenberg.

 think the message of these photos is pretty clear - the presence of a lock doesn't mean that the door itself is locked.

The question is, what should you do in such situations? The most important point is to take a photo and send it to Securitypitfalls.org as Trixi did. :) Afterwards you could keep it as it is, lock the door or replace the lock with a peace of wood to show the owner the value of his lock and put it on the ground. Choose whatever option you want. :)

Unattended entries

This issue was reported by Florian. It was taken at a university and shows an completely unattended entry to the internal heating system. 

So please, don't forget to define and enforce rules in your company that no entry to restricted areas should be left unattended. Neither for long nor for short time.

Next picture in locking practices

We've already commented on some locking alternatives, this picture is another one taken from Markus during his trip around the Hubertussee in Styria, Austria. I suppose that's pretty obvious, but to be sure "Guys, keeping the door closed with a wire doesn't mean that the door is locked". Nothing more to say, I guess - hardwired. 

Thank you for sending in the picture, Markus. :)

The weakest lock

Some of you might know this picture from my presentations with Ali about physical security. It's all about the weakest link or the weakest lock. There are 2 to 3 refrigerators in every kitchen in the hostel in Hagenberg. You can see it in the next picture. All the students have their own box where they can place their drinks and food. The box can be locked with their key from their room. I can't remeber it exactly but I think it's a Winkhaus lock with some side-pins to add security to the lock. 

As you might have noticed, the Winkhaus lock is not the problem. There's a really easy to pick lock with just about 3 pins on the left side of the fridge that is protecting the whole refrigerator. While opening the boxes, of course non-destructive, could take a while, opening the door for all boxes together would be matter of seconds. Not the best situation for the students but good for our environment - you shouldn't keep the refrigerator open for too long anyway.   

Providing the necessary environment

This shot was taken in Hagenberg in front of the bank. Just think about possible security implications out of this situation. Do you see any mistakes made?

I've marked some major vulnerabilities in the next picture. The weakest link is the tilted window. It's just a matter of seconds to open such a window. The next mistake is the design of the entrance. An attacker doesn't need any preparations like a ladder to get onto the canopy of the building where the window resides.

[Edited on August, 12th] Thanks to a friend of mine who made me aware of the simplest of all attack points. I first thought that trying to batter the front door would alarm to police and there would not be practical. But indeed, there ramp to the door is so big that you could even drive your car/jeep into the bank. Inside there is an ATM, which could be pulled out with the help of the car. Therefore it would not take too much time to steel the ATM and the money inside. 

One of the easiest and inexpensive ways to lower the risk of such an attack would be to put some concrete posts in the middle of the access road. Although this would not prevent some big cars to break in, it would be a first step to make this site more secure. Thanks to Hector for this hint.

Secured by a plate

Yesterday, while travelling home from Koeln, I noticed a hot dog stand at the departure platform in the central railway station. I thought about the fact, that it's not easy to secure this small hot dog stand and how they managed to do this. You can see the booth in the next picture.

After one minute of thinking, I noticed a little plate at the top of the window. It was so obvious, why should someone break into a hot dog stand, if there's nothing to get?

(Written on the plate: "Intrusion unprofitable, no cash available.").

Keep the door opened

The best security mechanisms are useless if there's no one who cares. This picture was also taken at the airport in Frankfurt. Apparently, the person responsible for the room was too annoyed in opening the door every time he enters the room.

The room on the photo filled with toilet accessories, as you can see on the next picture.

At first, it doesn't look like a big vulnerability, but it's the first possible entry to a social engineering attack. Someone could take some papers, the appropriate clothes and a broom could pretend to be an employee. Perhaps this could lead to further intrusion to the airport. And as you can see, you could enter the room without being asked what you are doing.

Perhaps the airport is starting an awareness campaign for the stuff sometime to improve the understanding of the security implications by leaving non-public rooms open and unattended. 

Security Cage

This picture was taken by a friend of mine at the airport in Frankfurt. The security cage, positioned right near the entry to the airport after arriving from the plane, should prevent people from entering a restricted area. But as long as it is not energized, it will just help to prevent cats and dogs from entering, but not trained people. I suppose it's just a matter of seconds to climb the cage, as there is no fence at the top.

Video Surveillance

This video camera had been found in Hagenberg at the University. Apart from the question whether video surveillance makes sense or not, it does not make sense to install it this way - the power jack accessible right near the camera itself.

Public display panels in the subway

I guess, all the people in Vienna might know the green VOR-panels in the subway stations.

I'm wondering, why nobody ever had used it for their own purposes of publishing information. Most of the panels have bad or no security at all.

First of all, the locks that are used offer no real security. Second, no matter how (un)secure the locks are, the implementation is - let's say - not the best. Here are pictures of two panels.

Both are locked, but in the first picture you will notice that it was locked BEFORE the panel was closed.

In the second picture the bolt from the lock is loose so that the panel can't be locked at all.

Don't abuse this information but have a look at it, when you cross the Vienna underground station the next time. Perhaps, someone from VOR will notice this and will fix this issue.

What's the basic idea behind SecurityPitfalls.org?

The basic principle of Security Pitfalls.org is easy - most of you might have passed high security places where doors have been left open or might have noticed a small sheet of paper with the password written down, right near the computer. These situations are security pitfalls - where security is too high so that people just ignore it or where no one ever cared about security in risky areas.

SecurityPitfalls.org is a community project where we work together and collect such situations in forms of photos, stories or movies. Just send it to incoming {at} securitypitfalls.org and we will post your experiences you want to share with other people.

Whats the goal of this project?

First, it's increasing awareness at home and in companies in all security relevant areas ranging from IT-aspects to physical security. Second, we create a common repository for stories to tell, which can be particularly usefull in discussions with unaware clients and friends. Third, it's just pretty much fun. :)

So, let's share our experiences. When you are passing a door to an 'interesting place', just secured with lisle or when you are entering a building where everyone has to wear IDs but you just passed without passport - take a photo with your camera or mobile phone, send it to us with some background information and share it to the world!