Stupid security measures, a contest

2003-02-12 Thread Adam Shostack
"Human rights watchdog Privacy International has launched a quest to
find the World's Most Stupid Security Measure."


http://www.theregister.co.uk/content/55/29279.html


-- 
"It is seldom that liberty of any kind is lost all at once."
   -Hume



-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]



Re: Stupid security measures, a contest

2003-02-12 Thread John Kelsey
At 10:11 AM 2/12/03 -0500, Adam Shostack wrote:

> "Human rights watchdog Privacy International has launched a quest to
> find the World's Most Stupid Security Measure."


I can't imagine this is the stupidest, but there's a state office building 
in Missouri where (no doubt due to some Directive From On High), they've 
put up a wooden shack in front of the main entrance, where anyone going in 
or out has to pass through a metal detector.  The wooden shack isn't 
directly in front of the entrance, however--probably, that would make life 
too hard on the smokers, who now have to go outside to smoke.  It's more 
like about 50' in front of it, completely unconnected to the building.

The really entertaining bit is that, since most people going into the 
building are basically law-abiding (state employees), most people seem to 
go through the shack and get checked for weapons, rather than around the 
shack to save time.

--John Kelsey, [EMAIL PROTECTED]





Re: Stupid security measures, a contest

2003-02-12 Thread Matt Blaze
If I were looking for a "winner" for this, I'd be especially interested
in measures that end up reducing security rather than improving it.

One category of these is those that improve one person or group's
security a little but degrade someone else's a lot.  An example of
this would be the "require identification" fad, in which personal
information is collected for even the most trivial transactions,
creating attractive databases for identity theft and other mischief.
I was recently asked, "for security reasons", by a department store
to provide my social security number when I tried to exchange a shirt
that was the wrong size that I had bought the day before for one of
the correct size.  (When I offered to just leave the item there and
dispute the original charge on my credit card, the clerk gave in and
just wrote some made up numbers on the form.)

An even stupider category includes mechanisms that end up degrading
security for exactly the same people they supposedly are trying to
protect.  My favorite example concerns safety, not security, but
it was just this past weekend, in Washington, DC, and is fresh
in my mind.   A walkway leading to a Metro station was closed
because of icy conditions that made it too slippery and dangerous
to cross.  They posted a security guard at one end of the walkway to
stop people, but not the other end, where there was no indication
at all that anything was wrong.  How do I know this?   I crossed from
the wrong (unguarded) end, almost breaking my neck before I got to the
security guard and the sign redirecting people to another entrance.
He tried to send me back across the icy path, having been instructed not
to let anyone go past his checkpoint.

The most prevalent category, though, is where "security reasons" are
invoked to explain away almost any inconvenience, expense, or indignity,
no matter how unconnected to security it may be.  "For security reasons"
is now a mantra that can be used with a straight face to prefix almost
any bad news.  "For security reasons, we have raised our prices."

> "Human rights watchdog Privacy International has launched a quest to
> find the World's Most Stupid Security Measure."
> 
> http://www.theregister.co.uk/content/55/29279.html






Re: Stupid security measures, a contest

2003-02-13 Thread Hadmut Danisch
On Wed, Feb 12, 2003 at 06:10:56PM -0500, Matt Blaze wrote:
> If I were looking for a "winner" for this, I'd be especially interested
> in measures that end up reducing security rather than improving it.


One of the worst security measures I've ever personally seen:

Some years ago I was invited as an expert (for security) into a German
ministry/government department. I received a paper document which was
classified as "confidential". I was asked to take it with me, read it,
comment on it, and then put it in a paper shredder.

As usual, every page of the document was marked as "confidential"
by having large, light grey lettering from the bottom left to the
top right corner as a background of the text (like the LaTeX
draftcopy style).

At this time I was working at the University, and the University was 
short of money, so we had only a very cheap paper shredder which was
cutting the paper only into strips of about 3-4 mm width instead of 
little particles as expensive shredders do. Usually it is still too 
difficult to sort the strips.

It turned out that it was just the diagonal "confidential" label which
made it absolutely easy to sort the strips and to reassemble the 
pages within seconds.




Another example:

There's a German bank which provides Internet banking through an SSL-
secured web page, which is after all not a bad idea. When you're on
the web page, it opens a new browser window through JavaScript, which
then gives you access to the banking and asks for account number and
PIN.

The web designers decided to open a window without the usual
browser decoration, i.e. without showing the URL the page came
from:

function openwin(){

    var WinName='Internetbanking';
    var param, url, msg;

    /* "is" is the bank page's browser-sniffing object (defined elsewhere).
       Neither feature string asks for "location=yes", so the new window
       opens without an address bar and the user cannot see the origin.
       (The stray quote characters that were embedded inside the feature
       strings have been dropped; they were a defect, not a feature.) */
    if(is.ie){
      param='toolbar=no,menubar=no,scrollbars=yes,resizable=yes,status=yes,width=800,height=600';
      url='/OnlineBanking/fs_ie.html';
    }
    if(is.ns){
      param='toolbar=no,menubar=no,scrollbars=yes,resizable=no,status=yes,width=800,height=600';
      url='/OnlineBanking/fs_ns.html';
    }
    msg=open(url,WinName,param);
}



So when you're on this page, you're on an encrypted page and the
browser shows the padlock symbol promising "security", but you can't
see whom you are talking with. So you could redirect the browser to
any other webserver with a valid SSL certificate and provide webpages
with a similar appearance, and ...[you know what].

I've contacted that bank and tried to explain the problem. 
They completely denied it and claimed that they have high
level experts, much more experienced than I am, and that they
all said that they use SSL with 128 Bit encryption, which is
absolutely unbreakable. :-)

(If you want to see it, try https://banking.diba.de . You could
argue that it is not trivial to intercept and modify this already
SSL-encrypted page to perform some redirection. I've given this 
URL only for those who don't speak German and can't navigate through
the menus. Usually people start at http://www.diba.de, and with some
simple DNS spoofing or attack on a proxy it could simply redirect
telebanking to anywhere.)



regards
Hadmut
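As an added illustration of the shredder story above (example code, not part of Hadmut's post): a small simulation of why a diagonal label defeats a strip shredder. Every strip is tagged by the row in which the label crosses it, and since the label rises from left to right those rows alone put the strips back in order. The page text, page size and mark character are constructed for the example.

```python
import random

MARK = "#"  # stands in for the light grey diagonal "confidential" label


def make_page(lines, size=30):
    """Constructed sample page: `size` rows of `size` characters with the label
    running from the bottom-left to the top-right corner. Each column carries
    the mark in exactly one row, and that row differs from column to column."""
    rows = [(lines[i] if i < len(lines) else "").ljust(size)[:size] for i in range(size)]
    grid = [list(r) for r in rows]
    for col in range(size):
        grid[size - 1 - col][col] = MARK
    return ["".join(r) for r in grid]


def shred(page, strip_width=3):
    """Cut the page into vertical strips; a strip is the list of its row segments."""
    width = len(page[0])
    return [[row[c:c + strip_width] for row in page] for c in range(0, width, strip_width)]


def mark_row(strip):
    """Row where the label crosses the strip's left-hand edge, or None if the
    strip carries no mark (a page without the diagonal label gives no clue)."""
    for r, segment in enumerate(strip):
        if segment[0] == MARK:
            return r
    return None


def reassemble(strips):
    """Order shuffled strips by the row of their mark: a higher row number means
    the strip came from further left. Returns the page, or None if some strip
    has no mark to sort on."""
    keys = [mark_row(s) for s in strips]
    if any(k is None for k in keys):
        return None
    ordered = [s for _, s in sorted(zip(keys, strips), key=lambda ks: -ks[0])]
    return ["".join(segments) for segments in zip(*ordered)]


def demo(seed=1):
    """Shred a constructed page, shuffle the strips, and check the rebuild."""
    page = make_page(["Minutes of the working group", "Budget line 7 is frozen",
                      "Attachment: draft schedule"])
    strips = shred(page)
    random.Random(seed).shuffle(strips)
    return reassemble(strips) == page


if __name__ == "__main__":
    print("strips reassembled:", demo())
```

Replacing the mark with blanks before shredding makes reassemble() return None, which is the whole difference between a watermarked and an unmarked page under a strip shredder.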




Re: Stupid security measures, a contest

2003-02-14 Thread Stefan Kelm
I'll never forget the first time I checked in at SFO International, back 
in 1996. They were rebuilding the whole place such that the security 
gates had been placed in the middle of a large room. Of course, one had 
to pass through these gates but, as is customary, you were not supposed 
to take bags through the checkpoint. What happened was that I gave my bag 
to one of those officers, then went through the gate, then was given back 
my bag which was not being checked at all...  

Cheers,

Stefan.
---
Dipl.-Inform. Stefan Kelm
Security Consultant

Secorvo Security Consulting GmbH
Albert-Nestler-Strasse 9, D-76131 Karlsruhe

Tel. +49 721 6105-461, Fax +49 721 6105-455
E-Mail [EMAIL PROTECTED], http://www.secorvo.de
---
PGP Fingerprint 87AE E858 CCBC C3A2 E633 D139 B0D9 212B





Re: Stupid security measures, a contest

2003-02-14 Thread Stefan Kelm
Matt,

> If I were looking for a "winner" for this, I'd be especially interested in
> measures that end up reducing security rather than improving it.

one could argue whether or not the whole bunch of software tools would 
fit into that category which has been crypto-crippled due to export 
restrictions and which is, unfortunately, still widely being used.   

Cheers,

Stefan.





Re: Stupid security measures, a contest

2003-02-14 Thread Hadmut Danisch
On Fri, Feb 14, 2003 at 01:33:26PM +0100, Stefan Kelm wrote:
> to take bags through the checkpoint. What happened was that I gave my bag 
> to one of those officers, then went through the gate, then was given back 
> my bag which was not being checked at all...  


I had a similar experience:

When US ambassador David Aaron was giving a speech about the "safe
harbour" in December 1998 in Frankfurt, they had a metal detector
frame where you had to go through and an armed American security guard
who tried to look as evil as possible.

I had a suitcase with me and - it was cold - was wearing thick
clothes. When I went through the frame, it gave a very loud alarm.
The guard asked me to put the suitcase on the table and go through 
the frame again. I did so and again, there was an alarm. He asked me
to put my cloak on the table and to go through the frame again. Still
giving alarm. I had to put my jacket on the table and so on until I 
finally had undressed about 4 or 5 layers of clothes. When I was
wearing only the shirt, pants, shoes, and a tie, the alarm stopped
after I took out the belt. The guard was satisfied and allowed me to
pass without touching or even noticing the heap of clothes I put on
the table and my suitcase. (There's a similar scene when Clint
Eastwood is smuggling a tool in "Escape from Alcatraz".)

I asked him "Now you know that my belt was causing an
alarm. But how do you know that I don't have a gun in my cloak's
pocket or my suitcase which could have caused the alarm as well?"

For a second there was surprise and shock on his face, then he gave
me an army-like command to take my belongings, walk in and stop
causing a queue. But the unlucky guy who came just after me was
searched extensively.


regards
Hadmut




Re: Stupid security measures, a contest

2003-02-15 Thread Hadmut Danisch
On Fri, Feb 14, 2003 at 02:18:00AM -0800, alan wrote:
> 
> The extra anal security guard can be fun to play with.

A little bit more about "guards":


In 1985/86 I did my compulsory army service in Koblenz, which 
also included being the guard of the barracks for several days.

When I was the guard of the main entrance, once an army vehicle
approached to enter the area. I stopped the vehicle and asked for the
identity card, driving license, and driving order, just as usual.  The
guy in the car gave each, but it was obvious that all three were wrong
and forged. I told him to leave the car immediately and come with me
to the officer on duty. He smiled and said "Congratulations, this was a
security check and you have passed perfectly."

I answered "Nice try", immediately pulled the gun, and arrested him,
put him in the prison in the guard house, and informed the chief of the
barracks area.

It turned out that the guy indeed was a security officer of the army,
and it was his job to perform security checks like this. The security
department he came from was performing checks like that one for about 15
years.

He said in about 25% of their checks the guards didn't realize that
the papers were wrong and let the person pass without questions. In
such cases the guards had failed the test.

In the other 75% of their checks the guards realized and stopped the
person, and so the guards had passed the check. But their officers
never ever had to prove that they performed a security check and they
never needed their real identity cards. He was the first one to find
himself arrested. It was always enough to say "Congratulations, this
was a security check and you have passed." to enter the area without
further questions and to leave a happy guard behind. No one ever had
any doubts. And nobody realized that this was a security leak.

The effect was that the officers of that security department were
entering barracks for 15 years as a security officer performing
security checks without ever having to show a valid identity card and
driving order, either in the first or the second way, and didn't
realize that this was a security problem.

:-)

Hadmut