Re: Computing physical security entire family of locks compromised AT RISK when you stay in a hotel

2012-07-27 Thread Erik Goldoff
and ...

Security is an ongoing process, not a one-time event!

On Fri, Jul 27, 2012 at 9:36 AM, Andrew S. Baker  wrote:

> Well said, Ken.
>
> And that is why we have to stop thinking about security in absolute terms
> -- at least as pertains to the end result.
>
> And that's also why we have to consider designing things with a balance of
> convenience/functionality and security, where the former does not readily
> undermine the latter.   Time is already not our friend, so no need to make
> it much easier for our future enemies. :)
>
>
> ASB  http://XeeMe.com/AndrewBaker
> Harnessing the Advantages of Technology for the SMB market…
>
>
> On Fri, Jul 27, 2012 at 2:02 AM, Ken Schaefer wrote:
>
>> 10 years ago, when these things came onto the market, $50 bought you
>> nothing. Most laptops were in the $2000-3000 range.
>>
>> I think it would be almost impossible to build a commodity appliance
>> device today, that is designed to resist an examination by a skilled and
>> determined hacker in 10 years' time, who is equipped with all the modern
>> technology that will be available in 10 years' time.
>>
>> Cheers
>> Ken
>>
>> -----Original Message-----
>> From: Ben Scott [mailto:mailvor...@gmail.com]
>> Sent: Thursday, 26 July 2012 11:45 PM
>> To: NT System Admin Issues
>> Subject: Re: Computing physical security entire family of locks
>> compromised AT RISK when you stay in a hotel
>>
>> On Thu, Jul 26, 2012 at 9:07 AM, Ken Schaefer 
>> wrote:
>> >[These locks are] not designed to keep an intelligence agency out of
>> your room.
>>
>>   Sure, but it'd be nice if they were designed to keep someone with
>> $50 worth of commodity hardware out of my room.
>>

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin

Re: Computing physical security entire family of locks compromised AT RISK when you stay in a hotel

2012-07-27 Thread Andrew S. Baker
Well said, Ken.

And that is why we have to stop thinking about security in absolute terms
-- at least as pertains to the end result.

And that's also why we have to consider designing things with a balance of
convenience/functionality and security, where the former does not readily
undermine the latter.   Time is already not our friend, so no need to make
it much easier for our future enemies. :)

ASB  http://XeeMe.com/AndrewBaker
Harnessing the Advantages of Technology for the SMB market…



On Fri, Jul 27, 2012 at 2:02 AM, Ken Schaefer  wrote:

> 10 years ago, when these things came onto the market, $50 bought you
> nothing. Most laptops were in the $2000-3000 range.
>
> I think it would be almost impossible to build a commodity appliance
> device today, that is designed to resist an examination by a skilled and
> determined hacker in 10 years' time, who is equipped with all the modern
> technology that will be available in 10 years' time.
>
> Cheers
> Ken
>
> -----Original Message-----
> From: Ben Scott [mailto:mailvor...@gmail.com]
> Sent: Thursday, 26 July 2012 11:45 PM
> To: NT System Admin Issues
> Subject: Re: Computing physical security entire family of locks
> compromised AT RISK when you stay in a hotel
>
> On Thu, Jul 26, 2012 at 9:07 AM, Ken Schaefer 
> wrote:
> >[These locks are] not designed to keep an intelligence agency out of your
> room.
>
>   Sure, but it'd be nice if they were designed to keep someone with
> $50 worth of commodity hardware out of my room.
>

Re: Computing physical security entire family of locks compromised AT RISK when you stay in a hotel

2012-07-27 Thread Ben Scott
On Fri, Jul 27, 2012 at 2:02 AM, Ken Schaefer  wrote:
>> Sure, but it'd be nice if they were designed to keep someone with
>> $50 worth of commodity hardware out of my room.
>
> 10 years ago, when these things came onto the market, $50 bought you
> nothing. Most laptops were in the $2000-3000 range.
>
> I think it would be almost impossible to build a commodity appliance
> device today, that is designed to resist an examination by a skilled
> and determined hacker in 10 years' time, who is equipped with all the
> modern technology that will be available in 10 years' time.

  Hmmm.  A very good point.  And a scary thought.

-- Ben



RE: Computing physical security entire family of locks compromised AT RISK when you stay in a hotel

2012-07-26 Thread Ken Schaefer
10 years ago, when these things came onto the market, $50 bought you nothing. 
Most laptops were in the $2000-3000 range. 

I think it would be almost impossible to build a commodity appliance device 
today, that is designed to resist an examination by a skilled and determined 
hacker in 10 years' time, who is equipped with all the modern technology that 
will be available in 10 years' time.

Cheers
Ken

-----Original Message-----
From: Ben Scott [mailto:mailvor...@gmail.com] 
Sent: Thursday, 26 July 2012 11:45 PM
To: NT System Admin Issues
Subject: Re: Computing physical security entire family of locks compromised AT 
RISK when you stay in a hotel

On Thu, Jul 26, 2012 at 9:07 AM, Ken Schaefer  wrote:
>[These locks are] not designed to keep an intelligence agency out of your room.

  Sure, but it'd be nice if they were designed to keep someone with
$50 worth of commodity hardware out of my room.




Re: Computing physical security entire family of locks compromised AT RISK when you stay in a hotel

2012-07-26 Thread Ben Scott
On Thu, Jul 26, 2012 at 12:36 PM, Andrew S. Baker  wrote:
> If I make a "secure door", and add a stupid convenience feature of
> a big hole next to the doorknob so that you can reach in and easily
> personalize the door -- but which hole also lets you circumvent the
> security -- then that is just a stupid security-undermining feature, not
> an attempt at security by obscurity.

  Correct.

  However, when you then put a piece of paper over the hole, and hope
nobody notices it is there, and now sell the entire package as a
secure solution, *that* becomes STO.

> Oh, and for the record, I think that obscurity as part of security
> is not necessarily a bad thing.

  Sort-of.  Keeping a low profile to make it harder for attackers to
find you, and *depending* on that low profile to keep you secure, are
not the same thing.  :)

-- Ben



Re: Computing physical security entire family of locks compromised AT RISK when you stay in a hotel

2012-07-26 Thread Ben Scott
On Thu, Jul 26, 2012 at 10:11 AM, Andrew S. Baker  wrote:
>>   But assuming it's just a mechanism designed to bypass all the other
>> security features -- e.g., for service by the manufacturer -- it very
>> much is a case of security-through-obscurity.  STO is information
>> which, if disclosed, compromises the security design.
>
> I don't see that as security by obscurity.  It's just the inclusion of an
> item of convenience that totally undermines the security.
>
> Security through obscurity would be relying that port to add, in some way,
> to the security of the room.

  The port is part of a lock design that is intended to add security
to the room.  If the port compromises the security of the lock design,
that still counts.

  The obscurity part comes in because in the given scenario[1], the
manufacturer deliberately compromised the security design, and counted
on the fact that nobody knew about it to keep the lock design secure.

-- Ben

[1] Note "given scenario".  Ken's point that this could be a bug
stands.  It might be this was a facet of the design that nobody at the
mfg considered before now.[2][3]

[2] That might qualify the manufacturer as being bad at engineering in
general, but it's not a deliberate attempt to hide something.

[3] And if, after product release, someone at the mfg realizes the
problem, but the mfg decides to ignore it in the hopes that nobody
else discovers it, the bug now becomes an STO scenario.



Re: Computing physical security entire family of locks compromised AT RISK when you stay in a hotel

2012-07-26 Thread Ben Scott
On Thu, Jul 26, 2012 at 9:07 AM, Ken Schaefer  wrote:
> Hmm - this isn't "security through obscurity" per se ...
> This seems to be a code path that bypasses (or is designed to bypass)
> the rest of the security options. The article does note that it doesn't
> work on all locks - so maybe it's a bug.

  You made a good point about it possibly being a bug or common
misconfiguration.

  But assuming it's just a mechanism designed to bypass all the other
security features -- e.g., for service by the manufacturer -- it very
much is a case of security-through-obscurity.  STO is information
which, if disclosed, compromises the security design.

  A proper security design can have all the design details known to
everyone and still remain secure.

> [These locks are] not designed to keep an intelligence agency out of your 
> room.

  Sure, but it'd be nice if they were designed to keep someone with
$50 worth of commodity hardware out of my room.

-- Ben



RE: Computing physical security entire family of locks compromised AT RISK when you stay in a hotel

2012-07-26 Thread Ziots, Edward
Yep,

Hotel wireless networks have been a hotbed of hacker community focus for
a while. Also, some high-end hotels are using Zigbee technology on door locks
and codes, which can be bypassed as well.

Josh Wright has published a lot on this subject:
http://inguardians.com/pubs/toorcon11-wright.pdf

Z

Edward E. Ziots, CISSP, Security +, Network +
Security Engineer
Lifespan Organization
ezi...@lifespan.org

-----Original Message-----
From: Ben Scott [mailto:mailvor...@gmail.com] 
Sent: Thursday, July 26, 2012 8:34 AM
To: NT System Admin Issues
Subject: Re: Computing physical security entire family of locks
compromised AT RISK when you stay in a hotel

On Thu, Jul 26, 2012 at 1:34 AM, Kurt Buff  wrote:
> http://www.extremetech.com/computing/133448-black-hat-hacker-gains-access-to-4-million-hotel-rooms-with-arduino-microcontroller
>
> A hacker publicly demonstrated how criminals can easily break into any
> of four million hotel rooms in the USA. For

  Security through obscurity strikes again.

  I long ago gave up any hope that companies will learn from the
mistakes of others.

> I suspect every hotel chain will press Onity for a free fix, for a 
> total of four million locks.

  If those locks don't have programmable firmware, things will get
interesting.

-- Ben




RE: Computing physical security entire family of locks compromised AT RISK when you stay in a hotel

2012-07-26 Thread Ken Schaefer
Hmm - this isn't "security through obscurity" per se - a hotel guest can't get 
access to a room by randomly trying to guess the value that gives them access 
for the next 24 hours (i.e. the value that would be encoded onto your card if 
you actually have a valid reservation).

This seems to be a code path that bypasses (or is designed to bypass) the rest 
of the security options. The article does note that it doesn't work on all 
locks - so maybe it's a bug.

Lastly, these locks came onto the market in 2002 (apparently). I imagine they 
are similar in function to the locks at the Park Hyatts I used to work in back 
in the early 90s. They're not designed to keep an intelligence agency out of 
your room. If you are that important, you have your own security.

Cheers
Ken

-----Original Message-----
From: Ben Scott [mailto:mailvor...@gmail.com] 
Sent: Thursday, 26 July 2012 10:34 PM
To: NT System Admin Issues
Subject: Re: Computing physical security entire family of locks compromised AT 
RISK when you stay in a hotel

On Thu, Jul 26, 2012 at 1:34 AM, Kurt Buff  wrote:
> http://www.extremetech.com/computing/133448-black-hat-hacker-gains-access-to-4-million-hotel-rooms-with-arduino-microcontroller
>
> A hacker publicly demonstrated how criminals can easily break into any 
> of four million hotel rooms in the USA. For

  Security through obscurity strikes again.

  I long ago gave up any hope that companies will learn from the mistakes of 
others.

> I suspect every hotel chain will press Onity for a free fix, for a 
> total of four million locks.

  If those locks don't have programmable firmware, things will get interesting.

-- Ben




Re: Computing physical security entire family of locks compromised AT RISK when you stay in a hotel

2012-07-26 Thread Ben Scott
P.S.:


On Thu, Jul 26, 2012 at 8:33 AM, Ben Scott  wrote:
>   I long ago gave up any hope that companies will learn from the
> mistakes of others.

  Or their own, for that matter.

  While we're on the subject of card locks, the 125 kHz proximity
cards used by a huge number of places for their locks are pretty
simple, too.  Most of them just encode a 24-bit field.  On some
systems, only the 16-bit "card number" is significant (the "facility
code" is ignored).  If you can obtain a card with the same card
number, you're indistinguishable from the real card holder.  You can
specify the card number range and facility code on the distributor
order form.  The card number is often printed on the edge of the card,
although that is an option when ordering.

-- Ben

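An added example, not code from the thread or from any lock vendor, illustrating the 24-bit field Ben describes. It assumes the post has the common 26-bit Wiegand layout (HID H10301) in mind: one even-parity bit, an 8-bit facility code, a 16-bit card number and one odd-parity bit, so the 24-bit payload is exactly facility code plus card number. The enrolled card, the look-alike card and the access list are constructed for the demonstration. The script encodes and decodes frames, applies the parity checks a reader performs, and then compares a controller that checks the facility code against one that matches on card number alone, which is the configuration the post says makes a card with the same number indistinguishable from the real one.

```python
"""26-bit Wiegand (HID H10301) frames and a facility-code-blind reader.

Added example for this page; not code from the original thread. It assumes
the 24-bit field described in the post is the payload of the common
H10301 layout: 1 even-parity bit, 8-bit facility code, 16-bit card number,
1 odd-parity bit (26 bits total). The access-control list and card values
below are constructed for the demonstration.
"""
from typing import NamedTuple


class Card(NamedTuple):
    facility_code: int  # 8 bits, 0..255
    card_number: int    # 16 bits, 0..65535


def _bits(value: int, width: int) -> list:
    """MSB-first list of bits for a value of the given width."""
    return [(value >> (width - 1 - i)) & 1 for i in range(width)]


def encode_h10301(facility_code: int, card_number: int) -> int:
    """Build a 26-bit frame: E | FC(8) | CN(16) | O.

    E is even parity over the first 12 payload bits (FC and the top 4 bits of
    CN); O is odd parity over the last 12 payload bits (the low 12 bits of CN).
    """
    if not 0 <= facility_code <= 0xFF:
        raise ValueError("facility code must fit in 8 bits")
    if not 0 <= card_number <= 0xFFFF:
        raise ValueError("card number must fit in 16 bits")
    payload = (facility_code << 16) | card_number          # the 24-bit field
    payload_bits = _bits(payload, 24)
    even = sum(payload_bits[:12]) & 1                      # even parity bit
    odd = 1 - (sum(payload_bits[12:]) & 1)                 # odd parity bit
    return (even << 25) | (payload << 1) | odd


def decode_h10301(frame: int) -> Card:
    """Split a 26-bit frame back into (facility_code, card_number).

    Raises ValueError on a frame that is too wide or fails either parity
    check, which is what a reader does with a bit error on the wire.
    """
    if not 0 <= frame < (1 << 26):
        raise ValueError("not a 26-bit frame")
    even = (frame >> 25) & 1
    payload = (frame >> 1) & 0xFFFFFF
    odd = frame & 1
    payload_bits = _bits(payload, 24)
    if even != sum(payload_bits[:12]) & 1:
        raise ValueError("even parity check failed")
    if odd != 1 - (sum(payload_bits[12:]) & 1):
        raise ValueError("odd parity check failed")
    return Card(payload >> 16, payload & 0xFFFF)


def reader_accepts(frame: int, acl: set, check_facility_code: bool) -> bool:
    """Simulate a door controller.

    With check_facility_code=False the controller matches on card number
    alone, which is the weak configuration the post describes: any card
    carrying the same 16-bit number opens the door, whatever its facility
    code. A frame that fails parity is rejected either way.
    """
    try:
        presented = decode_h10301(frame)
    except ValueError:
        return False
    if check_facility_code:
        return presented in acl
    return any(c.card_number == presented.card_number for c in acl)


# Constructed demonstration data: one enrolled card and a card ordered from a
# distributor with the same card number but a different facility code.
ENROLLED = {Card(facility_code=42, card_number=1000)}
GENUINE_FRAME = encode_h10301(42, 1000)
LOOKALIKE_FRAME = encode_h10301(7, 1000)


if __name__ == "__main__":
    print(f"genuine   frame=0x{GENUINE_FRAME:07x} -> {decode_h10301(GENUINE_FRAME)}")
    print(f"lookalike frame=0x{LOOKALIKE_FRAME:07x} -> {decode_h10301(LOOKALIKE_FRAME)}")
    print("facility code ignored :", reader_accepts(LOOKALIKE_FRAME, ENROLLED, False))
    print("facility code checked :", reader_accepts(LOOKALIKE_FRAME, ENROLLED, True))
```

The parity bits only catch transmission errors; they add nothing against a card ordered with the right number. The only defence the format itself offers is the facility code, and only if the controller is configured to check it.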


Re: Computing physical security entire family of locks compromised AT RISK when you stay in a hotel

2012-07-26 Thread Ben Scott
On Thu, Jul 26, 2012 at 1:34 AM, Kurt Buff  wrote:
> http://www.extremetech.com/computing/133448-black-hat-hacker-gains-access-to-4-million-hotel-rooms-with-arduino-microcontroller
>
> A hacker publicly demonstrated how criminals can easily break into any
> of four million hotel rooms in the USA. For

  Security through obscurity strikes again.

  I long ago gave up any hope that companies will learn from the
mistakes of others.

> I suspect every hotel chain will press Onity for a free fix, for a total
> of four million locks.

  If those locks don't have programmable firmware, things will get interesting.

-- Ben
