Schneier on Security
A blog covering security and security technology.
February 20, 2007
Real-World Back Doors
From The Register:
In a recent social engineering test undertaken by UK-based security consultancy NTA Monitor, a tester was able to easily gain access to a corporate building through a back door that was left open for smokers.
Posted on February 20, 2007 at 2:19 PM
• 33 Comments
Mr. Potato Head! Mr. Potato Head! Back doors are *not* secret!
Did the door have "Joshua" written on it?
Hey, no reason to bring me into this. >.>
I consult for a company that doesn't allow smoking anywhere in the huge building, one must go outdoors. All the doors have locks based on company ID cards and can only be opened without one from the inside. I smoke. As a sort of badge of honor, I don't dress up for a visit to them, I look like one of the normal worker types, not an executive, and the place is large enough that many of the people don't know one another. When I go out to smoke, I just get back in behind someone else getting back in, and have never been questioned about it by anyone -- people there are friendly and courteous. Once I even waved at the door for someone inside to open it with the comment "forgot your ID, eh?". I mentioned this to the CEO. He sort of grimaced but there was nothing to be done about it. If he had his way, of course, no one would smoke (at least anyone working for him, he is very anti all drugs) at all. But even the power of a CEO-owner has its limitations. At least the front door is guarded by a real human. But this one knows me so well (and knows I am welcome there) I don't need ID to get in there either!
smokers have no commitment - they should either be fully alight or not at all ...
People are never going to shut the door in someone else's face, no matter what you ask them to do.
You need to move your security checkpoint past the front door if this is going to be a problem.
One place I worked a security guard helped open the back door for a (recently fired) employee to lift a half-ton flow solder machine through - doh!
Another time a security guy opened the door for a colleague who was waiting outside the door with another man.
The colleague said "thanks - have you met our physical security auditor?"
And the moral is as we all know,
"Smoking is bad for your health"
Be you an individual or company...
I have also noticed (especially in hot weather) that the man that delivers the bottles for the water coolers is also waved through even if he is new.
One company I was visiting I arrived at the same time as the water man, he was obviously new because he told the Security bod he was new to the round and actually asked where he had to deliver the bottles to. The security guard actually held the gate open for him and told him which floors to go to. Unlike me he was not asked to sign in (so much for fire regulations) or wear a badge, and from what the security bod said it looked like he was going to get access to sensitive floors within the building...
Smokers going out; water deliveries coming in...
I say, channel them into one another and harvest the energy from their annihilation.
I think the moral might be "don't make your smokers smoke outside."
My local bridge club recently banned smoking inside. Instead of them smoking in a side room which I never had reason to enter, now they smoke outside the front door. I fail to see how this helped anyone.
(I am anti-smoking, but I think a small room is a better place to isolate them.)
Building security is, as Bruce would probably say, security theater. It's just like these "gated communities" that are all over the place now. You put up a fence and hire a few guards, but they'll still let you in if you just tell them you're going to look at a house for sale or are playing tennis at the club. But it does sound good to say you live in a "gated community" because that's code word for a more upscale neighborhood. The same principle applies to office building security. It primarily serves as an indicator of cost and it works very well in that respect.
Once interviewed at a company that found a solution to this problem. They had open air courtyards that people used to smoke, unaccessible from the outside building unless you scaled a wall and walked over the roof.
The last place I worked had about 5,000 people. FTD deliveries came right through security without signing in, showing ID, or letting their bouquets be inspected.
The guards might stop a delivery person looking like The Terminator, but I wouldn't put cash money on it.
>> Building security is, as Bruce would probably say, security theater. It's just like these "gated communities" that are all over the place now. You put up a fence and hire a few guards, but they'll still let you in if you just tell them you're going to look at a house for sale or are playing tennis at the club.
They will also look askance at you if you leave with a pickup truck full of TV sets. Think of the guards as built-in witnesses.
>> But it does sound good to say you live in a "gated community" because that's code word for a more upscale neighborhood. The same principle applies to office building security. It primarily serves as an indicator of cost and it works very well in that respect.
Good physical security is multilayered. No one layer is going to catch everything. We cut the vulnerabilities down to size, layer by layer. To get through each layer, an intruder has to use a capability or give up a piece of information, preferably both.
You can have this laptop if you can:
1) get past the guy at the front desk
2) find out what floor I'm on
3) wangle an invitation to visit someone on my floor
4) slip into my office when I'm not there
5) use your bolt cutters to cut the lock securing my laptop
6) sneak it out the door
... but if the guy at the front desk catches you with a pair of bolt cutters and/or my laptop, you're going to end the day in jail. Even so, by the time we go back through the cameras and talk to whatever silly employee let you in, we will know who you are and sic either the DA or the High Tech Crimes unit on you, depending on circumstances. So don't, OK?
The smoke court at a large three-letter-agency in DC is in the center of the building in an inner exposed courtyard. So you're still in the secure area when you go out to smoke.
I have to agree with Andrew. It takes pieces/layers strung together and overlapped to make physical security work.
Primary layers of physical security exist to hinder the _urge_ to commit the security breach by making it psychologically less appealing and forcing you to remember while walking up the metal detector, exactly what might be in your pocket right then. The second layer, cameras (especially motion or access triggered photography) are the audit trail to figure out in reverse how the security breach occurred. The badges let in the employees, but some companies go so far as to give badges to their vendors (who might even rotate delivery people). The badges are more security holes than anything else in most building designs. It's one of the reasons many companies encourage others to verify anyone you are letting in has a badge, and then put as many locked doors and long halls between the front door and the most secured room as possible.
If I stole Andrew's laptop and actually made it outside, they could go backwards through every camera I was tracked on and nail every employee that held a door for me, achieving at least a "modest" attempt at fixing their security breach _after_ the fact.
I don't think there is a security enforcement company on this planet that when their "100% security guarantee" is questioned, isn't going to cough into their hand and mention "well, there was this one time..." to keep from being sued later (before holding the door for you while you both have a smoke).
New cypher? New hacker. New security? New burglar.
I can get in through the front door at most companies just by carrying a pizza box (yes, there's a warm, aromatic pizza in there) and if the front desk hassles me, I can say ok, I get to eat this pizza myself, my condolences to the guy who ordered it, hope he doesn't fire you.
There is a solution to the problem, and I've only seen it in play at a few places. You have card readers used for *exiting* also. And your system has to be smart enough to know not to let "out" a card that's already "out", and not to let "in" a card that's already "in". That way, everyone has an incentive to swipe out or in, even if they're following someone else through the door.
This is the other side of social engineering. The problem is that people are naturally friendly and helpful. You change the situation such that the act of pointing out that someone hasn't swiped their card successfully isn't accusative, but instead helpful (you're helping them in that, if they don't swipe in, they'll have a problem getting out). You're also making it so that the act of failing to swipe in/out is less a mark of laziness, and more something suspicious.
This could be resolved with a fenced off outdoor area, with access only from within the secure indoor zone, perhaps directly from the coffee room, and could be utilized by both smokers and non-smokers. Adding some sun & rain shelter overhead, grass or outdoor carpet beneath, along with some outdoor furniture. The fence could be made of glass or thin bars, as psychological deterrent more than anything.
@Joe Patterson: "There is a solution to the problem, and I've only seen it in play at a few places. You have card readers used for *exiting* also. And your system has to be smart enough to know not to let "out" a card that's already "out", and not to let "in" a card that's already "in". That way, everyone has an incentive to swipe out or in, even if they're following someone else through the door."
And there is a solution to the exit-reader: pull the fire-alarm. In any place other than true high-security installations (where people dying is preferable to secrets leaking), all of the automated/electronic exit controls will be disabled during an emergency. The disorganized mass exodus of people will probably help cover your escape.
>>One place I worked a security guard helped open the back door for a (recently fired) employee to lift a half-ton flow solder machine through - doh!
@dom - this might be filed under "damage control" - hey, the door's still there, right? I doubt it would stop anyone who's *lifting* half a ton.
But seriously, most building security is there to witness what happened rather than prevent it.
@X the Unknown
Yes pulling the alarm will make it easier to escape if you are up to no good, but that's not what the countermeasure was addressing. Correct me if I am wrong, but I believe it is to help combat one of the ways to get in, not out. It does that by making it harder for the average employee to get in without swiping on a regular basis which makes the "I forgot my badge" trick a little harder. There will always be exceptions, so we just want to raise the bar a little more.
Try my workplace for security theater. A smattering of examples:
Oh, this is a corporate campus for a large, midwestern-based telecommunications company.
- There is a guard shack at the front entrance. It's usually empty and there are no gates or any other way to stop people anyway. Also, there are several other drivable entrances.
- For the main entrance to most buildings, you have to scan a badge to open the door, then scan again at these electronic 'turnstiles.'
- There are guards at the main entrance to all buildings. After 9/11 (because we are a target. believe it) they insist on looking at your badge also. They do this from their seat, several yards away. It's a check that you have a photo on the ID, not that it matches, or you are even still an employee.
- But, there are side entrances also. Those, you just scan your badge thru and you are in. It's a snap to follow someone else.
- After 5 pm there are no building guards at all. Even if you have a team working late, and ask, you cannot have security. Supposedly there is roaming security, but I've never seen it. Among other things that happen at night is housekeeping backing vans up to the door to vacuum the building. This involves propping the doors open. In the middle of the night. Without security.
- Security never stops you for anything. I have moved things like plotters around, and between buildings. No one cares. Who is surprised that we lost like 30 projectors? And now, every projector has an alarm on it.
- No cameras. Security doesn't pay attention, there are thousands of us, and there are no cameras. There's no record of entry or theft to speak of. Please, come and steal things.
I did work someplace that required individual badge swiping for entry to or exit from the parking garage. However, if someone forgot their badge on exit, they had no way to get out of line. Invariably the next person in line would get out of the car and scan them out. It seemed to not count entries and exits, as it was fine with you exiting twice.
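The in/out state check described in the comment on exit card readers, and the entry/exit counting that the garage system above appeared to lack, written out as an added example (not part of the original thread or any commenter's code). The class name, badge IDs, sample swipes and the reset-after-alarm behaviour are assumptions; denying versus only logging an inconsistent swipe is what access-control products call hard and soft anti-passback.

```python
from dataclasses import dataclass, field

# Constructed sample swipes (badge_id, reader direction); not from a real system.
SAMPLE_SWIPES = [
    ("A100", "in"),   # normal entry
    ("B200", "in"),   # normal entry
    ("A100", "out"),  # normal exit
    ("C300", "out"),  # never swiped in: followed someone through the door
    ("B200", "in"),   # already inside: left without swiping, or badge passed back
    ("A100", "out"),  # already outside: the "exiting twice" case
    ("A100", "in"),   # normal re-entry
]


@dataclass
class AntiPassback:
    """Tracks which badges are inside and checks each swipe against that state."""
    hard: bool = True                 # True: deny inconsistent swipes; False: log only
    inside: set = field(default_factory=set)
    violations: list = field(default_factory=list)
    emergency: bool = False           # fire alarm active: exit readers fail open

    def swipe(self, badge, direction):
        """Return True if the door should release for this swipe."""
        if direction not in ("in", "out"):
            raise ValueError(f"unknown direction: {direction!r}")
        if self.emergency and direction == "out":
            return True               # life safety first; exits are not tracked now
        is_inside = badge in self.inside
        # "in" is only consistent for a badge outside, "out" for a badge inside.
        consistent = (direction == "in") != is_inside
        if not consistent:
            self.violations.append((badge, direction))
            if self.hard:
                return False          # state unchanged until a guard resolves it
        # Record the new position (soft mode resynchronises after a violation).
        if direction == "in":
            self.inside.add(badge)
        else:
            self.inside.discard(badge)
        return True

    def clear_emergency(self):
        """After an alarm no recorded position is reliable, so start from empty."""
        self.emergency = False
        self.inside.clear()


def replay(swipes, hard=True):
    """Run swipes through a fresh controller; return (decisions, controller)."""
    ctl = AntiPassback(hard=hard)
    return [ctl.swipe(badge, direction) for badge, direction in swipes], ctl
```

In soft mode every door still opens, but the violations list gives the same record of who moved without swiping, which is the audit-trail role several comments assign to building security.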
When I was in college I worked as a security guard, and then as a supervisor of security guards for a contractor who rented guards out all over town.
We didn't call it security theater, but at every step along the chain of command it was made crystal clear that security theater was the purpose of security guards. As a supervisor it was my job to make sure those guards didn't do anything. Do you know how hard it is to make people sit somewhere, look presentable and alert, yet do nothing? Friendly security guards open the doors for people, flirt with the ladies, etc; this draws complaints. Cop wannabe security guards throw their weight around, demand to see ID, act like tough guys, etc; this draws even more complaints. Lazy guards fall asleep since they don't have anything to interest them, and people complain about this too. The best guards were the guys from the halfway house for people with closed head injuries. The halfway house made sure they were presentable and punctual, they were grateful for the job so they behaved, and they weren't sharp enough to get bored so they never found ways to busy themselves. Perfect.
Since my time working security, I have never felt particularly secure around security guards. In fact quite the opposite. I know what kind of people work in those jobs. The best of them are plumb useless, and it only goes downhill from there.
"through a back door that was left open for smokers"
In our building, that phrase could easily be replaced with "a back door that was left open *BY* smokers." We have the same back door as everyone else, it seems, that requires a security pass to get through.
Unfortunately, it seems that smokers, while perfectly capable of remembering their smokes and their lighters, seem incapable of remembering their door passes, so they resort to rooting around in the underbrush near the back door and finding a rock to block the door open with. Frequently it's a small rock that's only just big enough to keep the latch from engaging. If they can't find a rock, they just pull the floormat from inside the door through the doorway to prop the door open.
The best security is no security at all, apparently. It always pisses me off when I walk up to that door after "smoking time" and the door is still propped open with nobody around.
Working for a defense contractor, I once visited a room that had been made expressly for working on top secret electronics. To guard against any possibility that someone might pick up emissions from the electronics gear while it was tested and aligned and somehow deduce something about their operation from that, the room was a Faraday cage - lined on all 4 walls, ceiling, and floor with copper plates soldered together, with copper mesh covering the ventilators. For physical security, you entered the room by going into a hangar, going through the offices at the back of the hangar, where some tough Army sergeant would be sure to ask you your business, check ID, and make you log in, and finally used a combination plus a key to open a bank vault type of door into the room.
But it also had to have a fire escape: an ordinary metal door (like a good quality house door) opening directly to the outside, and on the side of the building facing the runway, so there weren't many people going by who might notice something peculiar going on and stop to check it out. Furthermore, since the ventilation wasn't too great, when the room was in use this door was usually propped open.
I had noted long before, while in the Air Force as an F111 electronics tech, that the main purpose of our regulations for handling classified documents was not to safeguard them, but to cover our rear in case they did get stolen. Off your desk while you were at lunch, very bad. Out of the locked drawer, which could be jimmied in 5 seconds with a screwdriver, OK - because you could prove there was a break-in. Pure security theater. (Of course, the general opinion of everyone working on F111's was that we hoped the Soviets would steal the plans and be stupid enough to build copies - they'd have gone broke a decade earlier if they'd had to pay the maintenance costs of those pigs. If only our security theater had persuaded them it was worthwhile to risk spies in a break in...)
The Soviets DID build a copy:
The SU-24 (a.k.a. the 'F-111-ski')
Prime example of the Communist development process: take a disappointing aircraft and make it worse; then build lots.
@Security Nomad: "Correct me if I am wrong..."
I was specifically replying to Joe Patterson's comment that preventing unauthorized exits was a good additional security measure - presumably, part of "defense in depth". It probably is a good idea in general, but it has the obvious weakness I pointed out.
TED, I've seen pictures of the SU swing-wings, they don't look like exact copies of the F111. I suspect they're simplified compared to our designs, and also I would be surprised if they didn't manage to identify some of the mistakes in the F111 design and avoid them - especially the fundamental one of trying to make one airframe do everything. (In the original plan, F111's were even going to fly combat air patrol over carriers - so the Navy wanted an interceptor, while the Air Force wanted something that should have been called a medium bomber instead of a fighter at all, and McNamara made them compromise on one airplane. The compromise was really a pretty good light bomber when everything's working, but it's too heavy for most carriers, it doesn't belong in a dogfight any more than a B52 does, and it's too small for some of the jobs the Air Force wanted to cover.)
"Off your desk while you were at lunch, very bad. Out of the locked drawer, which could be jimmied in 5 seconds with a screwdriver, OK - because you could prove there was a break-in. Pure security theater."
Not necessarily. A major difference between information security and most of the rest of physical security is that it is possible to steal information and leave it too. This means that security systems based on audits and investigations may fail to be even activated. Additionally, some types of information loss can be largely or completely mitigated if they are detected promptly (passwords, PINs, unissued crypto keys, CC numbers, schedules, contract tenders, ...).
Either way, a locked but breakable container may be imperfect security but it is simple to apply and is vastly better than simply leaving the document in open view.
Another factor to consider is that an opportunistic thief doesn't know what he is looking for, while a deliberate thief may not know where to look for it. Either way, he is forced to concentrate on only those documents in open view or else jemmy dozens of locks and greatly increase the risk of capture.
In short, a thief who was fully apprised of what he was looking for and where to find it, AND didn't care about being detected, would find no impediment from that lock; but in more likely scenarios it is not an insignificant barrier.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.