It’s been said many times many ways, but the weakest point of a security system is the user.

Feynman had a great story about the commanding officer at Los Alamos demanding the most advanced safe available for all his secret documents. This was problematic when the CO passed on before revealing the combination. An amateur lock-picker, Feynman was extremely interested in how the “pros” solved it. It turned out to not be that hard, as it was still on the default combination.

There is a door on campus that is extremely convenient to use as an entrance, but for “security reasons,” it was designated as an exit-only door, and cannot be opened from the outside. Enter ingenuity. We put a doorstop in it, propping it open, nullifying all the security value it would have otherwise had.

Tyler, a friend of mine, pointed this fact out – that by making the “real” solution difficult, they’ve shot themselves in the foot.

Another appropriate example is one of our computer labs. On the entrance, there’s a device that requires a password and a fingerprint scan, but anyone who’s seen “Spaceballs” could guess the combination, and the scanner at this point doesn’t recognize any fingerprints – it just requires that there’s a finger placed on it. An alternate method to gain entry is to slip a credit card into the door. As a result of the scanner being difficult to set up, any purpose it might have had is gone.

Of course, it’s difficult to get onto campus in the first place, so these aren’t huge issues in my mind, but they seem overtly serious about security when clearly they are not. I get hassled regularly by security guards demanding to see my ID, and yet I’ve had a backpack, a camera and a Nintendo DS stolen. In separate incidents. The camera was even taken from a drawer which is locked more than 95% of the time. In my office. In the building with the highest security priority.


Injection Attack

For those of us familiar with SQL, we’re almost certainly familiar with SQL injection attacks. We’ve talked about them in class, and maybe the more nefarious of us has even tried it on a form or two. There are vulnerable ones out there – I remember having to tell an experienced programmer about sanitizing his form input. If you’re reading this, you know who you are.

For those of you who don’t know about SQL injection attacks, the long and short of it is you try to give input in a form that will be interpreted as SQL and executed. So, for example (see comic link below), you might try to give input that deletes records, or inserts malformed records. For example, a simple, well-formed request to insert a comment might be:

INSERT INTO `comments` (`name`, `comment`) VALUES ('Bob', 'My comment');

If Bob’s comment has a quote in it, though, and you haven’t sanitized the input, you’ll get something that doesn’t make any sense to the interpreter:

INSERT INTO `comments` (`name`, `comment`) VALUES ('Bob', 'It's my comment');

Say Bob were feeling malicious: part of his comment could be an entirely new command that the interpreter would deem valid. If his comment were “Haha suckers!’); DROP TABLE `comments`;”, then we’d get two well-formed commands that would get executed:

INSERT INTO `comments` (`name`, `comment`) VALUES ('Bob', 'Haha suckers!'); DROP TABLE `comments`;');

This, as you can imagine, is not desirable. So, part of sanitizing input is to escape the characters that the interpreter would otherwise recognize, so that the quote in Bob’s comment no longer closes the string literal and the whole comment is stored as one value (MySQL style, with a backslash):

INSERT INTO `comments` (`name`, `comment`) VALUES ('Bob', 'Haha suckers!\'); DROP TABLE `comments`;');
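The same sequence worked through as an added example (not code from the post): the comments table is built with Python’s sqlite3, and Bob’s comment from the post is run three ways – unsafe string building, escaping by doubling the quote (the SQL-standard form of the escaping just described), and a parameterized query, which is the fix a practitioner would actually use. The backticks are dropped since sqlite does not need them.

```python
import sqlite3

# Constructed sample input: Bob's comment from the post, closing quote and all.
EVIL_COMMENT = "Haha suckers!'); DROP TABLE comments;"


def fresh_db():
    """In-memory database holding the comments table from the post."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE comments (name TEXT, comment TEXT)")
    return db

def build_unsafe_sql(name, comment):
    """The broken way: user input pasted straight into the statement text."""
    return f"INSERT INTO comments (name, comment) VALUES ('{name}', '{comment}');"

def sql_escape(value):
    """Double every single quote so it can no longer close a string literal."""
    return value.replace("'", "''")

def build_escaped_sql(name, comment):
    """Still string building, but with the inputs escaped first."""
    return build_unsafe_sql(sql_escape(name), sql_escape(comment))

def table_exists(db):
    q = "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = 'comments'"
    return db.execute(q).fetchone() is not None

def run_unsafe(name, comment):
    """Run the concatenated text as a script, as a multi-statement driver would."""
    db = fresh_db()
    try:
        db.executescript(build_unsafe_sql(name, comment))
    except sqlite3.Error:
        pass  # the leftover "');" is a syntax error, but the DROP already ran
    return table_exists(db)  # False: the table is gone

def run_escaped(name, comment):
    """Escaped version: Bob's whole comment is stored as a single string."""
    db = fresh_db()
    db.executescript(build_escaped_sql(name, comment))
    return db.execute("SELECT comment FROM comments").fetchone()[0]

def run_parameterized(name, comment):
    """Preferred fix: placeholders; the driver never parses the values as SQL."""
    db = fresh_db()
    db.execute("INSERT INTO comments (name, comment) VALUES (?, ?)", (name, comment))
    return db.execute("SELECT comment FROM comments").fetchone()[0]
```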

At any rate, a few months ago, I actually had an attempt more or less ‘caught on tape’ in the comments section of my blog. I got an email that there was a new comment awaiting moderation, and it was this:

Bill164415140','311521868billy@msn.com','','30.68.179.4','2008-03-12 16:12:16','2008-03-12 16:12:16','','0','lynx','comment','0','0'),('0', '', '', '', '', '2008-03-13 16:12:16', '2008-03-13 16:12:16', '', 'spam', '', 'comment', '0','0' )

Not exactly the most harmful stuff. Still, it was nice to see an attempt in the wild.

Another good example is this xkcd comic.


Password Security

One of my favorite things is when websites show me this when I register:

I hate security

It’s almost as if they’re saying – “we hate strong passwords.” And it makes me trust even more that they’re actually hashing it in their database.


Bump Key

It is not unlikely that you’ve run across this technique on the internet (http://www.metacafe.com/tags/bump+key/). It involves taking a key that fits a given set of locks, and then for each pin, filing down to the lowest pin setting. Relatively simple, and the process on the whole is something that supposedly any mildly adroit beginner should be able to complete successfully.

Interviews of lock-picking hobby groups are filled with comments about the absurd ease and dull simplicity of this method. Admittedly, to a certain extent, I was skeptical.

I went to Lowe’s and bought a set of files (~$5) (the one I was after was axially triangular), and made a copy of a key (~$1.50) I had laying around and to whose corresponding lock I had access. As per a suggestion in one video, I marked with a permanent marker the placement of the pins along the key, and then filed down to the lowest setting at those points, leaving a sawtoothed edge.

Cautiously, I inserted it up to the first pin in the lock and tried to remove it. Down to the fourth pin I was able to remove it. Upon inserting it completely, however, I was stuck. Opened the lock, removed the pins and slid it out. I filed down more so that the peaks between the pins were no more than approximately 45°. Thereafter, I was able to easily slide the key in and out. While removing the pin, I noticed that on top of the driver pins, there were springs, making me even more incredulous. (http://en.wikipedia.org/wiki/Pin_tumbler_lock)

The first dozen attempts or so on one lock proved unsuccessful, but it was kind of an awkward setup – in order to unlock, the key had to turn counter-clockwise, and holding the key in my left hand was more conducive to turning it clockwise. I tried instead to lock the lock with the same method, and it worked! A second time! After those successes, it was harder to duplicate, but this led me to believe that it was simply a matter of improving technique at this point. I moved on to another lock that the key fit, and I was able to unlock it repeatedly.

From what I’ve read, and now from experience, the biggest difficulty is simply applying the proper amount of torque in the key when bumping it. On all attempts, however, when I released the torque in order to withdraw the key, I could very clearly hear pins being sprung back into position.

It amazes me that these kinds of locks are so vulnerable to so simple an attack. All in all, it was a fun and revealing experiment, and I encourage people to try it out themselves.
