Security Pitfalls

By-passing Security Gates

2010-07-19T16:19:13Z

In Hagenberg, Upper Austria, there is a security gate that should prevent external people from entering the student village's premises. This picture is taken from Google Maps and shows how easily this security measure can be circumvented.

Actually, there are parking lots near the gate and right near the entrance of the first building there is enough space for a car to bypass the security gate.

I guess, even one little, heavy plant placed on the by-pass road would prevent the people from using this route. Most of the time, people could close security loopholes by spending none or little money. They just need a little help to find their vulnerabilities.

Need any help in finding the key?

2010-07-02T10:06:06Z

This pictures was posted on Hirngulasch's Soup and was discovered and reported by N0rb. It shows a message left by one of the children which says "Mum, the key is on the balcony!!!!".

Unfortunately, we could not find the owner of the picture and therefore we cannot be sue if this is a true story. Nevertheless, it points out an important topic - awareness. It's not just that children are often not aware of risks, we have to face the same problems in companies with unaware employess. Unless they are not trained to focus on specific types of risk, they would never think that actions they carry out could be a security risk for the company. The solution is simple, talk to the people and talk to your children and explain it to them, they will understand as long as they care about their place of living and working.

Open day at a youth hostel

2010-05-30T08:49:04Z

Flo submitted the following security pitfalls from a youth hostel in Linz, Upper Austria. In the following picture you can see how the building looks from the street.

Taking a look around, he discovered the first issue. There was a back entry which was opened and would make a perfect entry point for an attacker. The entry to the stairs leading to the door, was secured by 1.5m high railings. Without a doubt, an easy to surmount obstacle.

On the back side of the building, or what somewhat could be called a backyard, Flo discovered the next entry point. There was a service entry for a building attached to the youth hostel.

The entry opened up access to a variety of rooms, not part of the normal housing. Flo did not enter the corridor, as this would have not been allowed in terms of the Austrian legislation. Another point that caught Flo's attention were all the containers and garbage around. Assuming that, like in other hostels already described on this blog, access codes to rooms were set using a specific algorithm, old code numbers could give access to rooms in the hostel and a free night.

Thanks to Flo, for his contribution to the project.

Getting to know your friends

2010-04-30T18:39:59Z

This privacy issue was reported back in December. It is about Facebook and its friend status. In general, it should not be possible to see information about another unknown person, when this person did not configure his/her page to do so. However, there was this issue, that you could send a friend request to this person, waiting for confirmation.

The issue was, that even without the person accepting the friend request, the "is now friends with" status message of this person was updated. Thus, it was possible to track a person's friends without their permission.

Unattended Working Places - Part 2

2010-03-31T11:27:57Z

Another entry in the series of unattended work places. This picture was taken in the e-lab at the campus of the Edith Cowan University in Mt. Lawley, Western Australia.

This notebook was left unattended for about 10 minutes. An attacker prepared for this kind of attacker would need approximately 10 seconds for inserting a USB stick and installing a rootkit. When working in external environments employees should never leave their notebook unattended for more than 5 minutes, depending on the security level of the data stored on it. In some cases there is really no excuse to leave the notebook unattended. When leaving the working place for short periods of time, f.e. getting a coffee, the OS should always be locked to prevent unauthorised access. However, be aware, that there are also attacks possible on locked screens.

Security is no matter of daytime

2010-02-28T09:17:23Z

You might say, "Of course, security has to be applied 24/7", but the obvious is not the standard. An example was given by Sebastian Klipper on his blog "Klipper on Security: Ps(i)2 - Sicherheit in Informationssystemen". Thanks for sharing the content of his post by CC license.

During the night, journalist Tommaso Cerno did a short trip to the airport of Rome and shared his experience on the web. The problem? There was no security at all. The screening lines and the security areas are freely accessible, doors secured by access codes or code cards are open, homeless people are taking a nap in the interior. Tommaso filmed the his tour through the airport and published it online:

http://espresso.repubblica.it/multimedia/home/22897704.

It would be an easy task to smuggle weapons or drugs into the airport during night. The only risk would be that one of the homeless people could find it before the next day and take it away, so Sebastian Klipper.

Ever thought about asking for the master key?

2010-02-10T09:05:55Z

Sebastian Klipper, Senior Information Security Consultant, recently wrote on his blog Klipper on Security about an incident he experienced in a hotel. It is quite usual to have safes in hotel rooms to store important documents. It might also be obvious that lots of these safes have master key combinations to open them in case of emergency. But, he was quite surprised as he noticed how easy it was to get the master key and that it was only 3 digits long.

One day when he wanted to open the safe with his 4 digits code, it just responded with the message "BATTERY ERROR!". Hence, he made is way down to the reception, asking for help. The friendly receptionist went upstairs with him to have a look at the safe. After demonstrating the problem, the receptionist positioned right in front of the safe started entering a code and said:

"Enter, 0, 0, 2, Enter, Enter."

Open! That's it and after the receptionist left, Sebastian Klipper knew the master code. Sometimes the easiest way to circumvent the security system is, ask friendly for help.

Thanks very much to Sebastian Klipper who gave us the rights to publish his story with his pictures on SecurityPitfalls.

Key lesson

2010-02-04T19:52:20Z

Berni sent us the following story from Steyr in Upper Austria. On a visit at the University of Applied Sciences she found an accessible, locked room on one of the floors. The only drawback, somebody left the keys there.

Now, the question is, how much value does access to this room have?

First of all, you can steal paper, but that shouldn't leave too much damage to the company. Secondly, an intruder could wait for some important documents printed out. As this room is locked during the day, it could be an interesting place for getting information. Another source of information is the key itself. Even if an attacker can't get much value out of the information in the room, she could try to copy the key or just take notes about the cuts of the key. This can enable the attacker to duplicate it or use in combination with some other keys to rebuild the master key of the university's locks.

So the key lesson of this story: never leave your keys unattended - and never leave it on the doors. :) Thanks to Berni for sending in this story and the pictures.

Update (7/2/2010): Churchy added another security issue that wasn't mentioned in the blog posting above. An attacker could use the printer's network cable to get access to the network. This could be interesting especially in situations where you just have access to a secured WLAN that is separated from the internal LAN.

Security in Hostels

2010-01-01T22:00:35Z

As we've already seen, there's very little security in hostels. Another example is given by Norb who discovered the next few situations in a hostel in South Korea.

A system that might look pretty secure for a hostel, at first, ...

... is pretty useless, if all authentication credentials are given on a sheet nearby.

But it seems that the owners of the hostel are not aware of possible threats ...

... or they are just very trustful to all the people around. :)

Stupidity of guessable Access Codes

2009-12-01T11:32:30Z

During my trip through Australia I've discovered different security and access control systems of hostels all over the country. Unfortunately, most of them are not very secure and as a proof, I'd like to show you some of the access codes of my last hostel.

Actually, these access codes are retrieved from the doors of my rooms "40" and "35" where I have slept in. "CX90" and "CI15" are the id from the floor where the rooms are located, whereas the last part is set to the last room on the floor "48" or "38". Some of my friends have slept in room 32 and got room code "C15Z32".

As you see, the codes are not very hard to guess and offer no security for the backpackers sleeping in there. As there was no locker available, you just could hope everybody was so friendly not to steal anything while you've been out for a few drinks.

Therefore, if you have access codes in place, they should never be guessable and of course, they should be changed from time to time, so that, in case somebody publishes the codes or gets access to these codes, your company still remains secure.

Would you trust this ATM?

2009-11-19T12:08:14Z

Looks good from the front...

... but would you use it after you've seen that it's unprotected from the back?

I haven't thought too much about ATM security before, but it doesn't look very trustworthy, does it?

Trustful Austria

2009-11-08T05:35:05Z

Thanks to Berni, who sent us the following pictures from the Beachvolleyball Grand Slam in Klagenfurt. Impressingl, these pictures have been taken in 2 subsequent years - 2007 and 2008 - and nothing has ever changed.

Have you already recognised the issue in this picture?

It's really impressive, that you can still leave your keys at your bike in Austria, but I wouldn't recommend that. :)

One year later, at nearly the same spot, at the same time, at the same event - people haven't learned anything.

As long as nothing happens, all seems to be fine, but don't get upset, when someone steals your bike.

Configured to leak data

2009-10-30T08:19:16Z

The Stellenwerk Newsletter of the University of Hamburg was leaking data from some of their users. Because of a configuration error the mailing list relayed replys to their e-mails to all subscribed users. Unsubscribe messages and advertisement were spread over the mailinglist within this period of time. The responsible persons apologised for the inconvenience caused and already fixed the problem.

The original e-mail in German:

Subject: Entschuldigung vom Stellenwerk

Sehr geehrte Damen und Herren,

unsere gestrige E-Mail an Sie und andere Kunden hatte aufgrund eines Systemfehlers unangenehme Folgen: Einige Antworten wurden nicht nur an uns, sondern an andere Empfänger gesendet. So sind sie eventuell auch in Ihrem Postfach gelandet.

Dafür möchten wir uns bei Ihnen entschuldigen und können Ihnen versichern, dass der Fehler mittlerweile behoben werden konnte und dass es nicht wieder vorkommen wird.

Wir sind alle sehr betroffen und hoffen, dass Sie auch zukünftig unseren Service gerne nutzen.

Wir bitten um Ihr Verständnis und verbleiben

mit freundlichen Grüßen

xxxxx xxxxxxxx
Leitung Stellenwerk
_______________________________________

Thanks to Sup for reporting this incindent.

Not even Security by Obscurity

2009-10-16T01:34:57Z

Got the link to this image from vmorbit - thanks for your contribution to the project.

Is this really working? Can't add anything more to this - check it out yourself.

Unattended Working Places - Part 1

2009-10-09T03:21:52Z

Our unattended series goes on and this time we discovered an unattended working place at the airport in Munich. At first, I was not really shure what was going on, should have people really left the place unattended or was she just around the corner?

But, indeed, after 5 minutes of waiting, no one was showing up and the blue sign on the desk saying "Be right back." seemed to be there for a reason. I took a second, closer picture of the working place, noticing that all the screens were not locked and paper sheets were lying on the desk.

Apart from the possibility that an attacker could exploit this situation to try to get access to the systems, it may have been enough for an attacker to study all the information presented to him by the paper sheets and the computer screens.

Therefore, companies should raise awareness for such problems and insist their employees to always lock the computer desktops when leaving the working place and to hide important working papers when there's the possibility that attackers could get advantage by reading them.