Apparent Security

Physical security in a corporate environment is serious business. I spent most of my life working for small companies which didn’t really require top-notch physical access constraints or security features. Last one to leave bolts the front door and turns off the light – that’s pretty much the extent of security I have witnessed at most small firms I had the pleasure to work with. But whenever I venture out into the big corporate world I am always impressed and intimidated by what they do to keep their company secrets and employees safe. Of course, sometimes these impressive measures are just a facade.

Not so long ago I was visiting a certain large company and I really, really wanted to snap a picture of the number pads on their doors. Not because they were cool though. They were fairly standard actually. In fact, I was initially very impressed by how locked down the whole facility was. To get where I was going I had to pass through a security desk, a metal detector gate, and two key-code locked doors. Hell, even the restrooms in the building required you to punch in a code to get inside.

Then I got a closer look at the actual key pads next to each of the doors and noticed that some buttons were worn down more than others. In fact, it was the exact same 5 buttons on each door. I really wanted to take some pictures but I didn’t think it was appropriate, plus I thought that the security folks probably wouldn’t like some dude walking around taking pictures of their door locks. So here is a slightly exaggerated mock-up of what I have been seeing all over the building:

Do you see a pattern here?

The buttons 5-9, 0 and * were all shiny and new. All the other keys were faded out, scratched up and darkened from use. If the key-codes were rotated regularly, then the wear and tear ought to be evenly distributed across all the keys. A pattern like the one shown above could only be produced if the same code was used for a very long time without change.

Of course, a wear pattern on a keypad does not necessarily give away a password. It simply helps us to narrow down our key space. The only thing we know for sure is that the code contains only 5 characters, which are 1-4 and #. We can also assume that it is likely to be 5 characters long, but that does not need to be the case. Any number of the worn out keys can repeat any number of times without significantly altering the wear pattern, potentially extending our password length. In either case, we do have a significant number of combinations that we would need to try to open this door.
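To put numbers on that narrowing, here is an added example (not part of the original post) that counts how many codes remain consistent with the wear pattern compared with the full keypad. It assumes a 12-key pad (0-9, * and #) and that every worn key appears in the code at least once; the function names are illustrative.

```python
from math import comb

KEYPAD_KEYS = 12  # assumption: 0-9, * and #, as on the keypads described above


def codes_using_all_worn_keys(worn: int, length: int) -> int:
    """Count codes of `length` presses that use every one of the `worn` keys
    at least once and no other key (inclusion-exclusion over omitted keys)."""
    return sum((-1) ** j * comb(worn, j) * (worn - j) ** length
               for j in range(worn + 1))


def full_keyspace(length: int, keys: int = KEYPAD_KEYS) -> int:
    """Codes of `length` presses when nothing is known about the code."""
    return keys ** length


def reduction_table(worn: int, max_length: int):
    """Rows of (length, full keyspace, codes left, reduction factor)."""
    rows = []
    for length in range(worn, max_length + 1):
        full = full_keyspace(length)
        left = codes_using_all_worn_keys(worn, length)
        rows.append((length, full, left, full / left))
    return rows


if __name__ == "__main__":
    # 5 worn keys, code lengths 5 through 8 (repeats allowed past length 5)
    for length, full, left, factor in reduction_table(worn=5, max_length=8):
        print(f"length {length}: {full:>12,} possible, {left:>8,} match the wear "
              f"(about {factor:,.0f}x smaller)")
```

For a 5-press code the wear leaves 120 candidates out of 248,832, which is the cost of never rotating the code or replacing the pad.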

But… What combination would you try first?

Personally, I’d start with the infamous Space Balls combination:

Why? Well, why not? If you never change the combination on your key locks, then chances are that you are also using the simplest and easiest combo you can think of. In this case it would be 1, 2, 3, 4, #. That, ladies and gentlemen, was exactly the code used in the building I was visiting.

This would be a major security problem if any of these doors were facing the street or publicly accessible parts of the building. Fortunately they were not. To get to any of them you still had to go past the security desk in the main lobby and walk through a metal detector gate. Only employees and authorized guests would actually get this far – so these security systems were mostly a nuisance for the people that worked there every day. That’s likely why no one ever bothered changing the combination, or at the very least replacing the key pads.

What is the lesson here? I guess it’s that applying too many access controls to a system may actually decrease its overall security. If you make your employees change their password every week, then they will end up writing it down on a sticky note and putting it on their monitor. If you force people to get through 3 pairs of security doors just so that they can reach the hallway and use a restroom, the key combos for these doors will likely use the Space Balls numbers. And if you make people carry the RSA authenticator fobs with them, they will likely attach them to their laptops. Oh, and they will also tape their user names and passwords to the back so that whoever steals their laptop has all the authentication information in a neat little package. People can be quite ingenious when it comes to circumventing security measures.

But this sort of thing only happens when you let people get away with it. What you need is someone in your organization whose job it is to look for security issues like the one I described above, and fix them. Such a person must be able to inspire fear, and be able to deliver massive amounts of pain, fire and brimstone onto anyone stupid enough to tape their passwords to the monitor or attach their RSA fob to their laptop. And your local NOC dwelling BOFH is probably not the best candidate for this position because while he probably enjoys whipping lusers into shape, things like wear and tear on key locks might be out of his scope of influence. But I guess that’s just my opinion.

In the comments let’s talk about other examples of secure systems that are secure in name only. Have you ever encountered worn down key locks? How about swipe card doors that are permanently wedged open using a door stop?

How about biometrics? Have you ever worked at or visited a facility that foolishly decided to use biometric identification? If yes, tell me about the massive amounts of failure that had to come out of that experiment. Do they still use it, or did they revert to something more sane?




7 Responses to Apparent Security

  1. sapientidiot says:

    When Bell Canada introduced their “voice authentication” feature for customers to verify their accounts using the phrase “At bell my voice is my password”, I was reminded of that movie Sneakers where they sneak into the ultra secure building using (among other things) a tape recorded splicing of some guy’s voice they got by sending someone on a date with him.

    A friend of mine went so far as to call a Canadian, and get him to say all the words required by Bell by pretending he was a librarian calling about overdue books (I see here you have “for whom the bell tolls” overdue). He spliced the words from the call together and had no problem accessing the guy’s account.

    He even did a podcast about it http://www.phonelosers.org/media/plaradio17.mp3

  2. Rob says:

    Hey Luke, I just started a new job at a utility company and the control room (and our server room unfortunately) is under some pretty heavy security (or at least the most I’ve had to subject myself to). Every time I need to go back there to check on a server or whatnot I have to swipe my RFID card AND have my thumb print scanned. However, if I don’t place my thumb just right on the scanner it doesn’t scan. A lot of times I have to do it three times just to get it to work. Kind of a pain really.

  3. JKjoker says:

    heh, at my mom’s work they implemented 3 card swipe thingies as a “check in” system to punish ppl coming late about 2 years ago

    first they desynchronized them (they were so cheap that each card reader has its own independent clock instead of being centralized) so you had one running 15 mins late and another running 30 mins late

    now they caught some dude swiping a keychain with like 20 cards on camera (there is a camera pointing right at the readers), the solution: fingerprint scanners (which of course will be the cheapest ones you can easily fool with a high dpi print/photocopy of the thumbprint)

    i should mention that my mom works at a government building and in my country we have a HUGE, HUUUUUUUGEEEEE “ñoqui” problem (ppl that get paid but never ever work, often have better salaries than real workers if they got their “job” through syndicate/political party contacts, they recently tried to trim them off which is why they imposed the card reader thing in the first place)

  4. Neo Angelus says:

    At work we had the three week password change thing. It was quite annoying as I can’t remember anything and I had to change my password every three weeks. (That’s how I got locked out of my bank account multiple times.)

    So after I was prompted to change my password again I went on a small tirade (more a louder than necessary venting off my emotions), after which I got help from the people who had worked there for quite some time. Instead of really changing the password you would just append one “1” to your password. So you just had to try any number of ones before you got the right password. Later I found out that almost everyone was using this technique. Still not secure, but I don’t think you can expect your employees (or at least me) to remember a password which changes every three weeks. (It took me about a year to remember the 4-digit lock code, which we have at my other job.)

  5. Ricardo says:

    In Brazil it is now trendy to have biometrics at the entrance of commercial buildings. It is a pain! Every time you go to a new building (even if you never plan to return there in your life), you have to give your ID to create an account and register your finger read.

    Then, you have to bear the queues of people that form in these buildings’ entrance because, you know, you have to put your finger 3 or 4 times to get it to read correctly.

  6. Luke Maciak says:

    @ sapientidiot:

    LOL! This is pretty funny. This is why I always say that biometrics are the worst possible authentication system ever invented. They are like a password that can never be changed even after it is compromised.

    @ Rob:

    Well, at least they use two factor authentication and don’t rely on the biometrics alone, which is encouraging. One must wonder though if it wouldn’t be cheaper, more convenient and more secure to just use an entry pin instead of a fingerprint.

    @ JKjoker:

    Ah, see – here in US we found a perfect way to deal with the “ñoqui” problem. We just promote them away from the positions that require actual skill. Basically people just fail upwards until they are so high up the chain they actually don’t have to do any real work, and people working underneath them are sort of expected to quietly smooth out and fix all the stupid decisions they make. At least that’s how it seems to work in the technology sector. ;)

    @ Neo Angelus:

    Every 3 weeks is a bit too often. It is much more effective to train users to use long and strong pass phrases than to make them change the password so frequently.

    @ Ricardo:

    Someone really needs to translate that Mythbusters biometrics episode and send it to Brazil. :P

  7. Andrew Zimmerman says:

    Intel has ridiculous security. I have to scan my badge 3 times to get inside the lab, and 3 to get outside. Stuck in a corridor? You’re on camera. ;)
