August 2009 Archives

Thanks to Norb, who mailed me the link to an interesting entry on Bruce Schneier's blog. With Bruce Schneier's permission, we present his pictures of some keypads.

Can you guess the right combination?

security-keypad-2.jpg

What about this one?

security-keypad.jpg


In the first picture the numbers are 1-6-8-9. Of course, someone could try out every combination, but some combinations are more likely than others. Perhaps you have guessed them already: the most common ones would be 1986 or 1968, perhaps depending on the age of the admin or the company. :) The second one is easier, and the most likely combination is 1234.

There are also some very interesting comments on the blog entry. One user said that on some keypads you don't have to try out all the possible combinations. Just press all four numbers at the same time. After pressing a few times within a short interval, the keypad will get confused and will think that the correct combination was given.

Another user states that most of the locks just check the last four numbers. Therefore, by pressing the combination 123412314231243121342132413214321, an attacker would need only 33 key presses instead of 96.
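The "last four numbers" behaviour from that comment can be modelled to show why the keypad's entry logic matters. The following is an added example, not part of the original post: it simulates a sliding-window lock and, as an assumption made for comparison, a lock that judges complete four-key entries with an optional lockout, then counts how many orderings of the four worn digits the quoted key string would open on each.

```python
from itertools import permutations

# Key string quoted on the page, and the four worn digits of the second keypad.
PAGE_SEQUENCE = "123412314231243121342132413214321"
WORN_DIGITS = "1234"


def opens_sliding(code, keys):
    """Lock that compares the last len(code) presses after every key."""
    buf = ""
    for key in keys:
        buf = (buf + key)[-len(code):]
        if buf == code:
            return True
    return False


def opens_block(code, keys, max_failures=None):
    """Assumed alternative design: judge complete entries, clear the buffer
    after each one, and optionally lock out after max_failures wrong entries."""
    buf, failures = "", 0
    for key in keys:
        buf += key
        if len(buf) < len(code):
            continue
        if buf == code:
            return True
        failures += 1
        if max_failures is not None and failures >= max_failures:
            return False  # locked out; remaining presses are ignored
        buf = ""
    return False


def codes_opened(opens, keys, **options):
    """Orderings of the worn digits that the given key string would open."""
    candidates = ("".join(p) for p in permutations(WORN_DIGITS))
    return sorted(c for c in candidates if opens(c, keys, **options))


if __name__ == "__main__":
    print(len(PAGE_SEQUENCE), "key presses")
    print("sliding window:", len(codes_opened(opens_sliding, PAGE_SEQUENCE)), "of 24")
    print("block entry:   ", len(codes_opened(opens_block, PAGE_SEQUENCE)), "of 24")
    print("block, lockout after 3:",
          codes_opened(opens_block, PAGE_SEQUENCE, max_failures=3))
```

Under these models the quoted string opens all 24 orderings on the sliding-window lock, but only 6 when the buffer is cleared after each entry and 2 when three wrong entries trigger a lockout.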

I got these two pictures from JG - thanks for sending them in - that led to a very interesting discussion regarding security solutions.

This door leads to a beach volleyball court. Most of the time the door is unlocked and open for anyone to play. At the time this picture was taken, the door was locked, but this of course had no effect on whether people played or not. So, what's the intended goal of this door?

Volleyball_SecurityCost_01.JPG

Volleyball_SecurityCost_02.JPG

If the goal was to stop cars from entering the court, it would fulfill its purpose under normal circumstances. People trying to break through the door with a truck would not consider it a great obstacle. The fact that one side of the door was open most of the time, but locked on specific dates, raises another interesting question: What was the purpose of locking the door? The door is not high enough to keep people from jumping over it. If the owner just wanted to indicate that he doesn't like anyone to play there, but doesn't care if someone does - then it fulfilled its purpose. If he really wanted to keep people from playing, he either didn't want to spend more money on building higher walls, didn't want to build higher walls because they would look bad, or just didn't think of someone climbing over closed doors. Of course, the intention of locking the door could also have been to have legal grounds to sue people using the court without asking. Or he just didn't think about it at all when leaving the place locked or unlocked.

As you can see, security must be tailored to each situation, purpose and budget. Therefore, finding appropriate solutions after an assessment can only be done in cooperation with the responsible persons, to ensure that the solution really fits the needs and the means available.

Unattended cars

It seems our unattended category is growing. Thanks to Flo, who sent in some pictures he had taken of a private parking space owned by the company 'Lidl' in Austria. He was driving past this building when he noticed that no one was there to look after the car, the goods inside and the open entry to the building. So he stopped and took some photos for us, showing that having no policy about locking cars that are left unattended can lead to security risks.

In this first picture you can see the parking lot and the opened car and building.

Lidl_Unattended_Cars_03.JPG 

Of course, there is a sign saying something like "Entering this site is prohibited!" ...

Lidl_Unattended_Cars_05.JPG

... but would an attacker care?

Lidl_Unattended_Cars_06.JPG

Flo, who took the pictures, didn't enter the area any further than this, but I think the picture makes it clear that an attacker could easily get access to the car, the goods or the building. These are just some ideas to get you thinking. Some might say "There could be people inside and no goods in the car at all - so this is not a risk".

What if the driver of the car or the driver of the forklift left his bunch of keys in the vehicle? Perhaps there are keys not only for the vehicle, but also for some doors of the company? An attacker would need just a few seconds to a few minutes to take good impressions of all the keys and leave unnoticed, then make his own access keys to the company at home.

High-secure vending machine

I found this one at the train station in Glendalough, Perth, Western Australia. These vending machines are wrapped in some kind of container - I suppose to prevent vandalism. The two video cameras look great in this picture, but I think they are for observing the train station and not especially the vending machines. :)

Getraenkeautomat.JPG

There might be a few problems with this high security station. First, it only protects against drunken people, who just kick or push against the machines. Attackers who first think about possible attack points will find enough to go further. For example, there must be some openings for selecting the goods, paying and taking the selected drink. In this case these openings are very generous, and there is enough space to get your whole hand or some tools in. You can't see it in this picture, but the machines are placed about 20-30 cm behind the first door, which gives enough room for attacks.

Second, the whole security is built upon the security of the padlock you can see in the middle of the picture. It doesn't look like a high-security padlock. I leave the rest to your imagination.

The third point to mention is that the hinges are accessible to the attacker. This might or might not be a problem, as attacking the hinges will take some time and make some noise, so security personnel will perhaps notice the attack. I have not tried and will not try out this scenario.

Perhaps you might come up with some additional attack points or have another opinion. In that case, don't hesitate to write your opinion as a comment on this article.

Secure small entry points

The following pictures were shot in Austria. It's all about gaining entry through a small opening. As you can see in the next picture, this is the back side of a police station. These doors are the entry for the police cars of this station.
 Police_Car_Entry_1.JPG

Unfortunately, you can't see the switch for opening the main gates in this picture. It's a little further to the left, just between the entrance to the police station itself and the door to be opened.

Police_Car_Entry_3.JPG

Although the attacker isn't able to get through this hole herself, she would just need to remove the outer and the inner grille of this opening and pull the switch to open the main gates with the help of a sophisticated tool such as a stick.

Police_Car_Entry_2.JPG

Please also look at small openings when you are doing an assessment or planning the security of a building.

Thanks to Trixi for sending in those pictures. These were taken in Hagenberg about 2 weeks ago. I think it's the entrance to a cellar near the castle in Hagenberg.


Unlocked_Door_Hgb_1.jpg


I think the message of these photos is pretty clear - the presence of a lock doesn't mean that the door itself is locked.


Unlocked_Door_Hgb_2.jpg


The question is, what should you do in such situations? The most important point is to take a photo and send it to Securitypitfalls.org as Trixi did. :) Afterwards you could keep it as it is, lock the door or replace the lock with a piece of wood to show the owner the value of his lock and put it on the ground. Choose whatever option you want. :)

User ranking

User       Reported Pitfalls
Flo        3
Norb       3
Berni      2
Sup        2
Ali        1
Churchy    1
JG         1
Nuuz       1
Trixi      1
vmorbit    1

Idea behind SecurityPitfalls.org

SecurityPitfalls is an educational, supportive and fun project and depends strongly on the community that drives this project. For further information, visit the article "What's the basic idea behind SecurityPitfalls.org".

About this Archive

This page is an archive of entries from August 2009 listed from newest to oldest.


Send in your photos and stories

SecurityPitfalls.org is a community project where we work together and collect situations where security fails, primarily for educational purposes, as a source for discussions and presentations, and for fun. Send your photos (digital camera/mobile phone), stories or movies to incoming {at} securitypitfalls.org and we will post the experiences you want to share with other people.
