The Study of Physical Hacks at DefCon
eldavojohn writes "DefCon usually focuses on electronic security, but Saturday a talk was held that focused on possibly the oldest form of hacking — lockpicking. As software security becomes better and better, the focus may be shifting towards simple hacking tips like looking over someone's shoulder for their password, faking employment or just picking the locks to gain access to the building where machines are left on overnight. From the article: 'Medeco deadbolt locks relied on worldwide at embassies, banks and other tempting targets for thieves, spies or terrorists can be opened in seconds with a strip of metal and a thin screw driver, Marc Tobias of Security.org demonstrated for AFP ... Tobias says he refuses to publish details of 'defeating' the locks because they are used in places ranging from homes, banks and jewelers to the White House and the Pentagon. He asked AFP not to disclose how it is done.' I'm sure all Slashdot readers are savvy enough to use firewall(s) but do you know and trust what locks 'physically' protect your data from hacks like these?"
...with a Smith & Wesson (or a Glock, or a Bushmaster, or a Remington).
>>do you know and trust what locks 'physically' protect your data from hacks like these?"
I know I weld my doors shut nightly. You should too!
Shiny. Let's be bad guys.
"...simple hacking tips like looking over someone's shoulder for their password."
How far the meaning of this word has come from its original usage.
Now that I think about it, I'm pretty sure everything I just said is completely wrong.
Because doors are riddled with 0-day exploits in the frames and hinges. With even a small vehicle, you can exploit a stack-overflow in the frame, popping the entire door out. DOS attacks against hinge pins can also be used to completely bypass a lock.
the focus may be shifting towards simple hacking tips like looking over someone's shoulder for their password, faking employment or just picking the locks to gain access to the building where machines are left on overnight.
It's not shifting at all. I've done my share of hacking when I was younger (ahem) and the weakest link was always the human link. It was much easier to con the secretary into giving a password than hacking the secretary's computer, and I suspect it's even more the case now with more solid computer systems. That's called social engineering and it will always work very well indeed, because much to my dismay, computer users get dumber and dumber as computers get more and more powerful.
As for lockpicking, it's not really a secret that no lock is safe. Look up "bump key" in your favorite search engine and you'll see what I mean.
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
My own data is kept at home, where my windows are left open all day and the locks can be picked by amateur locksmiths in a few minutes. It's basically there for the taking, but as it happens there's really very little of value - I don't keep identifying information like social security numbers electronically, and I don't happen to own any intrinsically valuable data. The reason I protect my computers is to avoid seeing them used by others to launch attacks; between the legal concerns and a simple moral obligation to the rest of humanity, I don't want that happening. The actual data that needs protecting is stored elsewhere - in a bank vault, perhaps. The real concerns are around all the corporations and government agencies which insist that they need all this information but then do nothing to protect it - physically or electronically. Given their lax electronic safeguards, I don't really see much point in improving physical security: right now my data can be obtained more easily and with less risk of detection by electronic means than by physically breaking into a data centre.
makes you a scriptkiddie then
Aw, pfsst, boring! Anyone has any clue?
I would be a lot less worried about locks being picked than any number of other "social engineering" methods.
This program was made possible by a grant from the Ultra-Humanite, and viewers like you.
Why do they put door locks on a convertible?
What?
...by a bunch of people who were shaken down for lunch money in grade school talking about physical security?
The Schwartz space ain't from Spaceballs.
You are warned!
"Thank you for using Stop-n-Drop, America's favorite suicide booth since 2008"
Google is your friend. All of about 30 seconds of searching came up with this article as well as others. Although I didn't watch them I also found a few videos posted on YouTube that claim to demonstrate how to do it.
Yeah you can get an army of zombies to help you pick the lock, but you have to get them in close proximity to the lock and make sure they don't trip over each other.
Besides, most zombies don't have the physical dexterity necessary for good lock-picking. In large groups they are good at tearing the door off its hinges or ramming through it though.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Anyone can make *claims*. Either put up or shut up.
---- Booth was a patriot ----
There's probably a door around back that is standing open.
lol: You see no door there!
Anyone else bothered by the incorrect use of "hack" here?
The cuts in the key are individually angled so they rotate the tumblers as well as lifting them. Slots in the tumblers are lined up by the rotation to unlock a sidebar that fits into a longitudinal slot in the cylinder.
Bump keys can't even get started opening that.
More burglars have feet than have lockpicking skills. Step one in physical security is to combat kick-in attacks. Replace your strike plate, which I can almost guarantee is inadequate, with a reinforced model like the Mag-3 and most important, install it with #10 wood screws at least 3" long, so it can't tear out of the studs when subjected to a good kick. Predrill the holes and put soap on the threads so you don't break screws as you install it.
A block watch is a great idea too. Neighbors are a security mechanism.
An alarm system also protects you against fire, which depending on where you live can be a bigger threat than burglary.
Not for securing a fortress. Surveillance with active IDS is a better deterrent eg: armed guards patrol premises and monitor video stations vs. a medico lock.
boycott slashdot February 10th - 17th check out: altSlashdot.org
The summary must be butchering Marc Tobias's recent claim of the obvious: The slider mechanism in the Medeco M3 is a patent extension feature and provides virtually no additional security.
Gasp! You don't say?
Almost all lock manufacturers add these useless features every time their patent expires. The M3 one being particularly worthless, but others that come to mind are the Bilock trigger, the Schlage Everest Slider, and the Mul-T-Lock interactive element. I believe it's EVVA that added a similar mechanism to their locks, but one that is almost worthy of being called an upgrade.
They all accomplish the same thing: A "specially" made portion of the key moves (or allows to move) a spring loaded obstruction until it no longer obstructs the shear line. Most of these obstructions can be cleared out of the way with a lockpick or aren't even an issue if the lock is being picked.
If Marc Tobias ACTUALLY accomplished as the article suggested, then he would have to provide extraordinary proof to match his extraordinary claim. I am intimately familiar with Medeco, and a strip of metal and a paperclip isn't going to open these locks mounted on a door short of a comb attack which I doubt would work, or through an extraordinary amount of skill. Medeco are a BITCH to pick.
... is all I need to physically protect MY data. >:D
One summer I was forced to park right in the same neighborhood as crack houses, etc, because of where I had to work. As did my co workers. They all locked their doors and trunks, result, all of them got busted glass and popped trunks. I warned them too, I really did, I said "look at reality, these cars are targets now". Nope, none of them listened. I left my doors unlocked and the trunk slightly open, just eased down. The ride was so old and ratty I wasn't afraid of it getting stolen, albeit that was a chance. There was nothing left in the car to steal, a very cheap in dash radio not even worth a dollar at a pawn shop, but I made it easy for the crooks to ascertain that, because I knew they would look.
Ya, it sucked doing that, the principle rankled me, but my practical nature took over, because it was better than having to replace a door window.
Most modern stick frame construction houses are vulnerable to a razor knife. Just pick a section of wall and slice a hole. You got plastic siding, a thin tyvek sheet, some cheap ass pressboard stuff (glorified cardboard really), some spun fiberglass insulation, then drywall. That's all you need, a couple minutes with a razor knife and any thief can get in easy, let alone if they use something like a cordless sawzall thing.
A big problem with mechanical locks is the form factor. Anything that has to fit in a standard US cylinder lock hole is inherently weak. It's just too small.
There are some good locking systems out of Israel. Mul-T-Lock makes door locks that extend three or four deadbolts through the door and into the frame, like a vault door. These are made to work like ordinary door lever locks.
The best residential doors are found in older HUD-financed housing projects in bad neighborhoods. Apartment doors are steel fire doors mounted in steel frames, and walls are reinforced concrete. Those things will resist a battering ram. The lock mechanisms usually aren't that great, but the threat there is generally brute force, not lockpicking.
It's surprisingly hard to get good doors and locks in the US. There are better locks in parts of the Third World.
Defcon routinely deals with physical security as a subset of the overall program. Last year it was lock-bumping. At least that was somewhat unexpected. A couple of years before that (the last time I attended), there was all kinds of information on lock-picking (a co-worker even purchased a lockpick kit from one of the vendors represented).
None of this is news, and frankly doesn't seem Slashdot-worthy.
I'm in Florida - we have Stand your Ground laws and the Castle Doctrine. Who needs a safe and 911 when you could reach for 357?
I think it is medeco http://www.medeco.com/ not "medico". Medico locks are for locking up your girlfriend so nobody can access her private parts.
These locks are harder, but not impossible to bump for a very skilled locksmith. Nothing is 100% hack-proof, just harder to hack.
Everything I write is lies, read between the lines.
That's what encryption is for. Even with physical access, your files are secure as long as the key lives inside your brain.
Of course they can then be deleted, but someone who would have access to my computer could only "damage" my most precious data, not read it. A computer does not work like a safe, it can be much more efficient.
The Wise adapts himself to the world. The Fool adapts the world to himself. Therefore, all progress depends on the Fool.
God Be Gone
...nuff said.
Bot Assisted Blogging
this book for WAR CRIMINALS.
Feloniously,
W.
And, as with any discussion of security, the least secure thing in the building is the Windows...
Locks are easy compared to trying to unhook her bra with your left hand in the dark.
I'm currently managing a transition to using only encrypted file systems, using loop-aes. As the parent says, one reason to use encrypted file systems is protection against burglars. The access keys for the data disappear as soon as the power is disconnected, so the burglar gets the hardware but no data. Thieves have to be unusually smart if they want to copy the plaintext - they'll have to trick you into revealing the key to them somehow.
But it doesn't just protect my data from burglars. It also enables me to return hard disks for warranty replacement without worrying that the manufacturer will be able to look through my files. I don't have to scrub my disks before sending them off. Disk scrubbing is never 100% effective, and might not even be possible if the controller has failed.
Loop-aes is now supported by Debian stable. I just needed to apt-get two packages, loop-aes-utils and loop-aes-modules-$KERNELVERSION. Through this, it is very easy to add non-root encrypted filesystems to your machine. An encrypted root filesystem is harder to arrange, but well worth having. There are HOWTO guides to help you set one up. The usual implementation requires you to enter a passphrase as your machine boots.
>north
You're an immobile computer, remember?
Where I live we've had our share of "be wary of lockpicks" type campaigns. I've had my eyes on the "RFID Digital Door Lock"* from ThinkGeek for some time, and thought that maybe this would be the thing (except I rent my home, so it's not really my door to drill holes in). At least, it ought to be difficult to pick; it would be just as easy as ever to just bust in the entire door.
Are there any slashdotters out there who have actually bought and tried this lock? Any good/bad reviews to be had?
* http://www.thinkgeek.com/gadgets/electronic/77af/
"Good news, everyone!"
The Dell key-logger hoax has probably the best decoy story to move professional hackers/security staffers into the wrong direction, as in May 2006, USENIX published the following research article:
"Keyboards and Covert Channels"
by Gaurav Shah, Andres Molina and Matt Blaze, 2006-05-17
Department of Computer and Information Science
University of Pennsylvania
http://www.usenix.org/events/sec06/tech/shah/shah_html/jbug-Usenix06.html
In it the authors demonstrate that today's unwarranted wire tapping NSA activities normally don't result in much success as serious internet users routinely apply encryption into their communications, like IPSec tunneling, ssh, VPN access connections, secure web-traffic https when i.e. doing Internet banking activities.
However, secret service found a clever approach to all this, by covertly installing a Keyboard JitterBug into your keyboard. Here's how to secure your most trusted keyboard:
Keyboard JitterBug eavesdropping
http://crashrecovery.org/internet/#jitter
where I may add, that lock picking _ALSO_ has been the best hoax ever on public display. Why? How many people today design their _OWN_ locksmith locks? All installed door-locks worldwide are somehow sold in stores, hence its products and replacement keys are in the archives of the local secret service.
Robert
I remember reading about how most locks can be easily defeated using a technique called bumping. This site also has PDFs and videos describing how it's done. Also searching Google for "bumping" gives you a lot of information on the subject, so unless this is something radically new, I don't understand what they're trying to hide.
Remember, there were no nuclear weapons before women were allowed to vote.
My favorite social hack.
Parent's point I'd guess would be that it's an arms war. If you're saying that the way to stop being knifed is to carry a knife yourself, then the criminals carry guns. And if you match that with a gun, surely the only solution is for everybody to carry fecking ridiculous big guns around? Personally I am happy to be able to walk down to the shops without needing to carry a weapon.
If weapons stop crime, how come the USA, one of the most tooled up countries in the world, has so much crime and so many people die from gun injuries?
How do you protect your servers from all their abusive subpoenas?
I remember buying a Samsonite briefcase with digital lock. Two weeks later I had a bunch of people try to open it over a weekend. Nobody managed to crack the 4 digit lock during the two days despite trying all available combinations and despite me opening it every time when I was handed it.
:-)
Why?
Because they DIDN'T try all available combinations. I discovered that the Samsonite digital lock with 4 positions from 0..9 can have a total of 11110 combinations instead of 10000 because you do not need to use all positions (which is not even in the little manual). In other words, the number of possible combinations is 10000 + 1000 + 100 + 10. The combination in use was "9" with me pretending to press the remaining 3 digits so there was a little bit of misdirection involved
Having said that, that specific lock has a more fundamental flaw that allows it to be easily reset, and this type of briefcase is not popular with airport security so I eventually stopped using it.
Insert
I just unlock it from the inside after climbing in your window.
"Reasonable force" in the USA basically means equivalent force, which is ridiculous in cases of someone breaking into your home. A gun or knife is typically considered a dangerous weapon no matter where you aim, and basically any object which can kill is considered a deadly weapon if you direct it at a vulnerable and potentially lethal part of the body. So if your intruder is unarmed, and you hit him in the face with an iron pan, killing him, you've used excessive force and may be liable for manslaughter, even if it was self-defense. Many states have what is known as the "Castle Doctrine" - a man's home is his castle, and he has no duty to flee before attempting force - but a few states actually require you to try to run away first, even in your own home.
Now, if there is an imbalance between you and your assailant - say, your attacker is a 2m tall 180kg jock, and you are a little old woman - then the court will typically make an allowance if you shoot the S.O.B.
In my opinion, it is ludicrous to have to think about "how much force can I safely use to repel my attacker" in the moment before they lunge at you. This is one area where Texas is actually *saner* than many states. One, you have no duty to retreat if someone breaks into your home and two, you can use deadly force to repel an intruder in your own home.
"Defense of others" counts as self-defense in the US as long as you acted reasonably.
A sign saying 'This house is protected by ADT' is going to do little but make the burglar stare at the camera and say, "This burglar is armed with wirecutters and knows enough to clip the phone line." If he has a sense of humor, he'll also throw in, "I know when you're home, and when you're not!" followed by, (really odd voice) "I can pick most locks with a credit card!"
He'll then continue mocking old ADT commercials while rifling through your possessions.
As for a burglar not knowing you have a gun in your house, he'll quickly find out. In the worst case scenario, he'll learn from his mistake. In the best case scenario, he won't be around afterward and you'll have cleaned up someone else's mistake.
Finally, as for people being 'more often victims of their guns'... Maybe, just maybe, they should... I don't know, take some NRA courses or whatnot to learn how to use their gun? I'm sorry, but I really have no remorse over the injuries/deaths of people who treat their guns like toys, or do absolutely stupid things like attempting to clean them with a round in the chamber.
Wiggum: Once a man is in your home, anything you do to him is nice and legal *rubs gun*.
Homer: *out window* Flanders, get in here.
Flanders: *offscreen* Okily-dokily.
Wiggum: Uhh... it doesn't work if you invite them.
*Flanders enters the Homer's kitchen*
Homer: *disappointed* Flanders, go home.
Your ad here. Ask me how!
Lockpicking? I don't know. What was used before lockpicking? Guards? Common sense from neighbors et al? What about hunting for mammoths? I don't have a good answer but I suspect there are better ones. Willing to hear yours.
WE DON'T NEED NO BLOG CONTROL.
Lockpicking is the oldest form of cracking, not hacking. Hacking is best summed up as "unconventional and creative use of technology". It is not a synonym for breaking and entering.
This used to be news for nerds -- please get it right.
While I agree that replacing those one inch screws on your latch with something a bit sturdier is a great idea, you can buy a cheap cordless sawzall for less than $50. If it is quiet enough around for someone to kick a door in, it's probably quiet enough to use a cordless sawzall. Heck, pull up in a van and dress like a contractor and the neighbors will think you're just having some repairs done while you are at work. Most new houses these days are nothing more than vinyl siding with a few studs, some drywall and insulation in between. Maybe some plywood at the corners, but more likely just some OSB. I could cut my own door in less than five minutes. Even quicker, pop off the outside door trim and just cut through the screws holding the door frame in. I'll bet with this technique you could easily enter a few dozen unoccupied houses without even needing to recharge the battery. And don't think your brick veneer provides that much more security, you can often rip that stuff off with your bare hands.
I voluntarily put my computer out there by hooking up to the internet. Insofar as it's easy for people wishing to grab things like my credit card info to try it with thousands of systems and connections in a short amount of time, I realize that I could easily be a target and I am responsible for my own security. With my house, I'm far less concerned. It's harder to break into a house because you actually need to go there. I'm not concerned about the Russian mob trying to break into every house in the city one night. Also, my taxes pay for things like the police and the entire justice system. It's far from perfect, but we already have pretty significant deterrents against physical breaking and entering and theft. Does that mean I shouldn't be worried at all? No, but there is a very high chance that someone's going to probe my firewall for weaknesses (or rather, someone's script is), and a relatively low chance that someone will break into my house and then attempt to access my computer locally. They may take jewelry, but they probably won't spend much time looking in my system in hopes of finding a credit card number or an Amazon.com login. If I had something really really important on my computer, and someone knew about, then sure, they'd probably try to break in. Banks and embassies know this, and generally don't rely solely on deadbolts. In my home, I think I can be fairly content that the deadbolt will stop the neighborhood kids from taking off with cat, and I know that I don't have anything valuable enough to warrant truly expensive security. I'm never going to hire armed guards to patrol my yard...it's much cheaper just to replace the occasional stolen bicycle.
The "pressboard stuff" you're referring to is called OSB (Oriented Strand Board). Yeah it does look cheap, like scraps glued together, but actually it's stronger than either plywood or a wooden plank of the same thickness. (Both plywood and OSB are what they call engineered woods)
Anyways there's no way in hell you're going to punch a hole that you can walk through on an OSB exterior wall with a razor, in any reasonable amount of time. (it will take you hours)
Yes you can saw through it with a power tool, but that applies to any wooden house of any vintage, not just "modern stick frame" ones.
Seeing his slashdot ID, and his kind of communication, this could actually work.
Mom's basement is a secure shelter, and in the 40 years of living there he has enough time to really secure it.
Also, in opposition to most other people who are half of the time out of their house (thus leaving it undefended), he doesn't really have that problem...
HI O WISE PRINCE. WHT TOOK U SO DAM LONG?
How secure or not are those?
I really don't want to advertise but here in Finland about 99.99% of households and companies use Abloy locks. Yes, they have sort of monopoly here but that's gained on true merits. The locks are so hard to pick, that if you lose your key, locksmiths will just break your door or the lock if possible. It's not worth spending 10 hours picking it. A second good reason for using Abloy is that it doesn't freeze or get jammed like pinlocks. There do exist tools to open Abloy locks but they can be used only on models made in the 70's so they're basically useless.
cheap lock mechanisms that are readily bypassed by picking or force.
I don't think anyone makes an individual RFID or biometric doorlock that stands up to scrutiny.
Bear in mind your home insurance may be invalidated if you fit a poor quality lock...
There are not that many "doors" that will stand up to typical household deconstruction instruments. If you want to protect against those, you're already up to a vault-style room at least. If you have a more expensive lock on a regular door, you can expect that lock to be bypassed by brute force rather than whatever it would take to "pick" it.
A regular lock is basically useless if you are even dealing with a run-of-the-mill lock pick. I learned to pick locks a couple of years ago and then proceeded to pick all of the locks in my house for practice (just a piece of advice, DON'T try this at home, if you are inexperienced you may fuck up the lock beyond repair.) Anyway like the article says you only need a screwdriver and a strip of metal or analogous equipment. Circular locks are much better and much harder to pick unless you have specific lockpick equipment. If you are worried about security get a circular lock or some other non-standard lock that will require an expert to pick, there are a lot less professional lock picks out there than there are amateurs who could easily pick a standard lock in a few seconds. Even then you are not 100% secure. You need layers of security just like a computer system so get an alarm and practice any other anti-theft method that may be practical for your application.
Time makes more converts than reason
It seems that Abloy also owns Mul-T-Lock. Along with Medeco.
The thin strip of metal is called a "key" - you insert it into the "lock", and turn it. I'm not sure of the screwdriver's purpose. Perhaps you use it to scratch your head, wondering why you brought it along.
Tiller's Rule: Never use a word in written form that you've only heard and never read. You will end up looking foolish.
I keep mine in a secret volcano lair - I learned this trick from a guy with a PhD -
You know, Scott. I've been a frickin' evil doctor for 30 frickin' years, OK? Cut me some "frickin'" slack. You forget Scott. We're in a volcano. We're surrounded by liquid hot magma.
I came in here to read about locks and lock security and lockpicking. Instead it has turned into almost complete gun control debate. Letting people stray so far off topic should be discouraged so we can read posts that relate more to the subject at hand. /if there is an off topic mod I guess this should be given the same rank as well.
My Xbox Live Gamer Card
I get the impression of a guy hacking down a locked door with a big axe.. not the impression I think the article meant to give.
"MIT betrayed all of its basic principles."
Rate of homicides, although much lower than in US, is among the highest in the "old" EU (this is just the first Google match I got: http://www.csdp.org/research/hosb1203.pdf):
"For the period 1999 to 2001, the average rate (the number of homicides per 100,000 population) was 1.6 in the EU with the highest rates in Finland (2.9), Northern Ireland (2.7) and Scotland (2.2). For the other countries, the highest rates were found in Russia (22.1), Estonia (10.6), Lithuania (10.6) and the USA (5.6)."
(If you want to find reasons for that, looking at the alcohol consumption patterns would be a good place to start. Fight between drunkards, with one of them ending up stabbed to death, is the traditional way of Finnish homicide.)
Secondly, if you want to have a gun in this country (Finland that is) you need a permit from police - and if you try to get one for "personal protection", you won't get it. Hunting weapons are common in a country with low population density and most of the area forested (and almost all the male population trained in the use of firearms by the government), but shoot a burglar with one and manslaughter conviction is practically guaranteed. Use of firearms for protection in this country is highly discouraged, unless you are wearing an official uniform (and even the police are not that trigger happy and almost never shoot to kill).
by the time chuck norris gets close, he's dead