Wednesday, November 24, 2010

And what are you doing during your working time?

Flo took another trip around Europe and sent some pictures to SecurityPitfalls.org, thanks for that. This time, we can clearly see that he passed by one of the IBM offices. To be more specific, this shot was taken at one of IBM's branches in London.

The more interesting part of this story is that he got a very good view into the offices and could directly see the employees' computer screens. Besides the fact that someone might be interested in seeing whether the employees are productive (and they really are, according to those pictures), this shows a tremendous security risk.


From this very public place you can easily spy on the company's data: you could have a look at interesting project files lying on desks, or you might get the chance to observe someone typing in a password or other important information.

Some companies might not think about the risk of an outsider walking through the company's premises looking for important data on tables or computer screens. However, not caring that anyone can easily get an insight into the company from a public place, where they can sit down and take photographs all the time, is a different level of risk. IBM should probably rethink their office design.

Monday, July 19, 2010

By-passing Security Gates

In Hagenberg, Upper Austria, there is a security gate that is supposed to prevent outsiders from entering the student village's premises. This picture is taken from Google Maps and shows how easily this security measure can be circumvented.

There are parking lots near the gate, and right next to the entrance of the first building there is enough space for a car to bypass the security gate.

I guess even one small, heavy plant placed on the bypass road would prevent people from using this route. Most of the time, people could close security loopholes by spending little or no money. They just need a little help to find their vulnerabilities.

Friday, July 2, 2010

Need any help in finding the key?

This picture was posted on Hirngulasch's Soup and was discovered and reported by N0rb. It shows a message left by one of the children which says "Mum, the key is on the balcony!!!!".

Unfortunately, we could not find the owner of the picture and therefore cannot be sure whether this is a true story. Nevertheless, it points out an important topic: awareness. It is not just that children are often unaware of risks; we face the same problem in companies with unaware employees. Unless they are trained to focus on specific types of risk, they would never think that actions they carry out could be a security risk for the company. The solution is simple: talk to your people, talk to your children, and explain it to them. They will understand, as long as they care about the place where they live and work.

Sunday, May 30, 2010

Open day at a youth hostel

Flo submitted the following security pitfalls from a youth hostel in Linz, Upper Austria. In the following picture you can see how the building looks from the street.

Taking a look around, he discovered the first issue. There was a back entry which was open and would make a perfect entry point for an attacker. The entry to the stairs leading to the door was secured by 1.5 m high railings. Without a doubt, an obstacle that is easy to surmount.

At the back of the building, in what could loosely be called a backyard, Flo discovered the next entry point. There was a service entry for a building attached to the youth hostel.

The entry gave access to a variety of rooms that are not part of the normal housing. Flo did not enter the corridor, as this would not have been allowed under Austrian legislation. Another point that caught Flo's attention was all the containers and garbage lying around. Assuming that, as in other hostels already described on this blog, access codes to rooms were set using a specific algorithm, old code numbers could give access to rooms in the hostel and a free night.

Thanks to Flo for his contribution to the project.

Friday, April 30, 2010

Getting to know your friends

This privacy issue was reported back in December. It concerns Facebook and its friend status. In general, it should not be possible to see information about an unknown person if that person has not configured his/her page to allow it. However, there was an issue: you could send a friend request to this person, which would then be waiting for confirmation.

The issue was that, even without the person accepting the friend request, the "is now friends with" status message of this person was updated. Thus, it was possible to track a person's friends without their permission.

Wednesday, March 31, 2010

Unattended Working Places - Part 2

Another entry in the series on unattended work places. This picture was taken in the e-lab on the campus of Edith Cowan University in Mt. Lawley, Western Australia.

This notebook was left unattended for about 10 minutes. An attacker prepared for this kind of attack would need approximately 10 seconds to insert a USB stick and install a rootkit. When working in external environments, employees should never leave their notebook unattended for more than 5 minutes, depending on the security level of the data stored on it. In some cases there is really no excuse for leaving the notebook unattended. When leaving the work place for short periods of time, e.g. to get a coffee, the OS should always be locked to prevent unauthorised access. However, be aware that attacks on locked screens are also possible.

Sunday, February 28, 2010

Security is no matter of daytime

You might say, "Of course, security has to be applied 24/7", but the obvious is not the standard. An example was given by Sebastian Klipper on his blog "Klipper on Security: Ps(i)2 - Sicherheit in Informationssystemen". Thanks to him for sharing the content of his post under a CC license.

During the night, journalist Tommaso Cerno took a short trip to the airport of Rome and shared his experience on the web. The problem? There was no security at all. The screening lines and the security areas were freely accessible, doors secured by access codes or code cards were open, and homeless people were taking a nap inside. Tommaso filmed his tour through the airport and published it online:
 
http://espresso.repubblica.it/multimedia/home/22897704.
 

According to Sebastian Klipper, it would be an easy task to smuggle weapons or drugs into the airport during the night. The only risk would be that one of the homeless people could find them before the next day and take them away.