Thursday, September 24, 2009
Best regards to Norb, who sent us pictures from Seoul, South Korea. He lives with some other students in student housing. One day, he made an interesting discovery: he found a white case in the recreation room of the house.
After opening it, he found the LAN switch for the whole floor unprotected and unlocked. Of course, Norb didn't actually connect to the switch, but an attacker could gain access to the whole network, install a sniffer and collect usernames and passwords from all students living in the dormitory.
Additionally, there was a surveillance camera installed in the room, which was recording the entrance, but not the area around the central LAN switch.
Posted by Tom at 3:47 AM
Tuesday, September 15, 2009
The unattended cars series goes into round two. Thanks to Flo, who sent in some pictures he took of an unattended car in Austria. Obviously, the owner doesn't really care about the security of his transport vehicle. The rear door isn't really closed, allowing attackers easy entry into the car.
A clever attacker wouldn't start opening the car right away; he would investigate further first and thus find out that it isn't locked at all.
I think the main problem here is that just a few minutes of thoughtlessness can have long-term effects on the security of a whole company or household. So, when you leave your car open and unattended, be aware of the possible outcomes. Especially for all private people who are reading this blog: don't be paranoid, just be aware. :)
Posted by Tom at 4:01 PM
Tuesday, September 8, 2009
Thank you very much to Sup for sharing the experiences he had at a chemical company. It's a great example of how companies should NOT design their entrance areas.
Unbelievable, but true: This chemical company has an unlocked entrance door. The anteroom is neither staffed nor camera-monitored. There is a sign stating that this will be the status quo for the next few weeks. Nothing could be easier for visitors: they can issue an identity (visitor) card (!!!) themselves. All that you need is placed directly on the desk (even blank cards to fill in). After that you can try to open the next (main) door by lockpicking (I guess it is not so easy to use the given electronic possibility) or you can wait until the next friendly person comes out of the main building and holds the door open for you.
BTW: You'll find the telephone numbers of all staff members, ready for the next social engineering attack, right next to the blank ID cards. And, something positive: the telephone was not enabled for numbers outside the company.
Posted by Tom at 3:42 PM
Thursday, September 3, 2009
Many thanks to Churchy for submitting this nice programming mistake. Unfortunately, this is not an isolated case, and some readers will find themselves caught in the same sort of problem. But don't worry, Churchy explains the pitfalls.
A common way to protect web forums or blog comment areas from unwanted spam, without having to check all new messages manually before publishing them, is to include captchas. Captchas are intended to be readable by humans only, thus preventing automated bots from submitting forms with spam content. However, a mechanism intended to raise the security level can also suffer from flaws that make it useless. A German news site, seen in the first picture, lets users post comments and includes a captcha. The first pitfall is obvious.
The letters and numbers in the captcha can be read easily. They look exactly like typed letters, are perfectly ordered, do not include optical noise, always have the same background, have the same size and are not rotated at all. No OCR software should have any problems reconstructing the contents of the image. However, the second and probably even worse pitfall lies in the way the images are generated. Have a look at the source code of the site:
Who would need to find a way to reconstruct captcha images if all you need to know is already waiting in the source code, easy to parse using regular expressions? Maybe the web site shown is not very popular and submitted spam can easily be removed again by an admin, but why would you want to include a security measure that does not add any real security value at all? However, as flawed as the implementation shown might be, it may protect against bots that do not target this specific site (and its flaws) but just randomly submit forms on any web site they find. Or, as Ted Humphreys would have said: Whether this solution is appropriate depends on the risk you are facing. :-)
Posted by Tom at 8:13 AM
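As an added example (not code from the site or from the original post), here is one way to avoid the second pitfall of the captcha post above: the expected answer stays on the server, and the HTML carries only a random, single-use token. The class, the function names, the URL paths, the form field names and the five-minute lifetime are assumptions made for this sketch; drawing a distorted image, which concerns the first pitfall, is left out.

```python
import hmac
import secrets
import time

CAPTCHA_TTL = 300  # seconds a challenge stays valid (assumed value)
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # no look-alike characters


class CaptchaStore:
    """Server-side challenge store: the answer never appears in the page."""

    def __init__(self, clock=time.monotonic):
        self._pending = {}  # token -> (answer, expiry time)
        self._clock = clock

    def issue(self):
        """Create a challenge and return only its opaque token."""
        token = secrets.token_urlsafe(16)
        answer = "".join(secrets.choice(ALPHABET) for _ in range(6))
        self._pending[token] = (answer, self._clock() + CAPTCHA_TTL)
        return token

    def answer_for_image(self, token):
        """Lookup for the image endpoint, which draws the text server-side."""
        entry = self._pending.get(token)
        return entry[0] if entry else None

    def verify(self, token, submitted):
        """One-time check: the token is consumed even if the guess is wrong."""
        entry = self._pending.pop(token, None)
        if entry is None or self._clock() > entry[1]:
            return False
        guess = submitted.strip().upper().encode()
        return hmac.compare_digest(entry[0].encode(), guess)


def render_form(token):
    """Comment form fragment that references the challenge by token only."""
    return (
        '<form method="post" action="/comment">\n'
        f'  <img src="/captcha.png?t={token}" alt="captcha">\n'
        f'  <input type="hidden" name="captcha_token" value="{token}">\n'
        '  <input type="text" name="captcha_answer" autocomplete="off">\n'
        "</form>"
    )
```

Because `verify` removes the token before comparing, a bot cannot keep guessing against the same image or replay a solved challenge.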