Schneier on Security
A blog covering security and security technology.
February 4, 2013
I don't see a lot written about security seals, despite how common they are. This article is a very basic overview of the technologies.
Posted on February 4, 2013 at 1:43 PM
Squid Friday, Seal Monday.
Anything protected by one of these should be fine for some time.
Don't hear about them because of the recession in candle/wax industry.
Thanks for sharing.
It is always educative to think about creative ways of breaking something. I especially liked this section and the emphasis on human aspects (training inspectors, making inspectors comfortable to report suspicions, controlling the supply and production chain for seals, ...).
"There are at least 105 different generic methods for potentially defeating a seal. These include, for example, picking the seal open without leaving evidence, counterfeiting the seal, replicating the seal at the factory, changing the serial number, tampering with the database of seal serial numbers, drilling into the seal to allow interior manipulation then repairing the hole, cutting the seal and repairing the damage, not installing the correct seal in the first place (then later replacing it with the correct seal), etc."
Security Engineering by Ross Anderson also has a chapter on secure printing which mentions some of the more technical aspects of security seals. It discusses the threat model fairly extensively as well: http://www.cl.cam.ac.uk/~rja14/book.html.
What would you like to know?
As a reference, I am a member of the MFP who have won the DEFCON Tamper Evident contest consistently (and with a decent margin) for the years it has been put on. We have also run our own contests at other conferences and have done quite a bit of research on the matter.
Ideally, we would like to get a wiki up one of these days where we can dump a lot of our research, but until then...
I especially appreciated the UX/HF concerns, all too often glossed over in security, no matter how much we talk about long passwords, etc. Nicely stated:
"Generally, seals that are complex, difficult to use, or present significant ergonomic problems will be resisted by seal installers and inspectors and will not provide good security."
Replace "seals" with any other technical measure and maybe "ergonomic" with "cognitive" for some measures, and this is a generally-applicable phrase.
Yes, I too was looking forward to Seal Monday.
On topic, the article has two really good points: stating that seals should only be a method to detect tampering and making sure adhesive is appropriate and cured.
The effective application of these two points really shows how valuable the tamper resistance is to the manufacturer. For example, the food and software industry both use seals, but the difference in security is remarkable.
On the food side we have the likes of Ben&Jerry who use the seal as more of a barrier than a seal. It is basically shrink wrapping with no indication that the product has been opened and replaced. In this category there are also juice drinks whose caps do not show tampering, so they have paper seals that have to be broken to remove the cap. I have seen many cases where these seals are not well bonded to the bottle. I suppose that these can just be discarded at the store, but a consumer who does not understand that the seal must be well bonded is put at risk.
Speaking of tamper evident caps, and security by psychology, the soft drink bottles have never made any sense to me. Buy two identical bottles, cut the cap out of one, open up the other and cut off the ring, place the undamaged cap back on. Non-trivial but not a huge impediment. Glass bottles with non-twist caps seem marginally more secure.
For software and computers the seals seem to be a bit more than security theater. To open an Apple product, one has to either break the bag or break the seal. I think it would be difficult to open a Macbook and move it to a new sealed bag without access to the factory. Of course if one lived in China gaining access to those factories and stealing seals might not be so hard.
As a transportation relocation engineer I have seen trailer doors where the nut on the hasp latch was to the outside. You could remove the nut and open the door and then reverse the operation. And what the hay, when you get to the final dest they very seldom check the seals, just break it.
The one major failing ALL security has is the underlying assumptions of the technology in use.
In this respect security seals are no different. After all why deal with the seal when it's easier to deal with the container the seal is put upon?
As an example CDs and the cases or envelopes they are put in.
A quick look at CD cases shows they are sealed in one of two basic ways. The first is the equivalent of the old cellophane wrapper used on boxes from at least the early 1900s if not earlier. The second is a "security seal" half way down the opening side of the case across the two halves. Usually in addition there is a very low cost proximity alarm tag attached to the outside such that if you try to walk out of the shop door with it an alarm will go off.
Of the two the first is actually the more secure in that it takes a bit more work. I won't describe it but note it's no harder than unwrapping an Xmas/birthday present without damaging the wrapping paper. As such this wrapper is not designed to be really tamper evident unless it's torn.
The second is visually more of a deterrent in that the seal is often printed in such a way that it is easily damaged and tamper evident. But why bother with even trying?
A quick look at a CD case shows its design to be three snap together plastic mouldings. The cover being only held on by two small lug hinges and a friction fit holding dimple to keep it closed.
You will also see that the hinge pins do not have a security mechanism locking lug so you can lift the hinge off the pin by gently inserting your fingernail. With just a little practice you can slip both hinges off their pins in less than a second. The cover would normally fall off at this point, but the security seal now becomes the new hinge...
You can then slip out the CD and one half of the cover artwork. Getting the second half of the cover artwork out is only fractionaly more difficult.
You now have the valuable parts out of their container... The security seal and the alarm tag are still attached to the now stripped down CD case. You can fairly safely leave these behind in the shop as you can buy a new CD case for less than ten cents retail. You can put the valuable bits into a new case and put a new security seal on the edge and sell it on at only a slightly reduced cost. The seal you put on can be any appropriate looking seal; it does not have to be original as few people have any idea what the original seal looks like...
But what about CDs in books?
Originally the "software CD" was put in a simple paper envelope with a cellophane window and this was "glued" inside the back cover.
Again a simple examination shows up the weakness of the system. The envelopes have a customer opening flap that is securely glued down and this is done as part of the envelope manufacturing process long prior to the CD being put in the envelope. So that the CD can be put in the envelope there is a slot in the back of the envelope that is not sealed. What happens is the envelope is "glued" into the back of the book on the back cover, in such a way that the slot is covered by the back cover of the book.
The thing, though, is that what holds the envelope in the back cover was not a glue but a surface contact gum, which just like a Post-it note gum has no setting time and thus can with care be "unstuck" by gentle physical effort, the CD slid out of the back of the envelope through the slot it was put into the envelope, and the envelope pressed down again, all without visibly showing signs of what has been done. All of which could with a little practice be done in the book shop without attracting attention.
Obviously the book publishers woke up to this and tried different techniques. All of which fail.
These days if you look the CD is usually in an envelope where it has been properly glued in and the envelope put in as part of the book binding process.
However there are right glues and there are wrong glues and the paper of the envelope has thickness...
Further the envelope customer flap is often easily lifted enough to get a thin bladed knife (such as a kitchen paring knife) underneath. To take advantage of this fact you need to sharpen the blade of the knife in such a way that although sharp it is not too sharp and the edge of the blade is like a microscopic saw. Basically sharpen it and then dull it with a steel or diamond sharpener by cutting back from the edge rather than down the edge.
You gently insert the knife/saw under the flap and by gently sawing cut either the glue or the underside surface off of the paper. Either way with practice this can be done in such a way that it leaves no visible sign on the outer surface of the envelope. To reseal the envelope simply apply a very thin smear of that white PVA paper/wood glue that dries clear to the underside of the flap and press down firmly and
I forgot to mention that the same technique can be used to open ordinary mail envelopes down the side thus keeping the flap security features in place. Such techniques have been known about for getting on for a century.
In my country they mail new business checks in a sealed 'tamper proof' bag, with tape over top that says 'security tape report if tampered' or something similar.
So criminals just made up copies of both, open it, would steal a few cheques out from a book, replace with new bag and their own tape. Nobody ever checks the packaging to make sure if it looked exactly like the last one a few months ago, they just verify everything is sealed and it was.
They caught these guys for something else then found out about their cheque scam.
So what happens if the seal is broken? I assume that they break all the time purely by accident. Whack one with a hammer and perhaps a customs officer thinks it was just smacked by a loading cart or something.
Would an effective denial of service be to start breaking seals just to grief the customs on the other end of the world?
"Would an effective denial of service be to start breaking seals just to grief the customs on the other end of the world?"
Ideas like that will in some cases get you far, and in some cases a fetching bright orange "Onesie" to go with it and perhaps a nice beach front residence "in the bay"...
Mind you it is a fun idea :-)
You would need to find an "incoming port" that has a high level of problems with low level smuggling and illegal immigration.
One such place is the UK's Dover Port where many lorries from all over Europe, Russia and places beyond get entry to the UK. And for some very strange reason lots of people want to come to the UK illegally (whilst many of us born here just want to get out) so anything leaving France from places like Sangatte is distinctly suspect.
Especially as it is rumoured that the French Gov is doing all it can to make the UK's Illegal Immigration issues worse...
I think however if at Dover they see any fun and games like you suggest and can attribute them to you they are going to have a serious sense of humour failure that would make the 600lb Gorillas of the TSA look like comical sugar plum fairies. For instance I've been told that "UK Customs" is part of the "Excise" who have legal powers many of which go back centuries many of which have never been repealed, and some of which reserve no punishment for an Excise man who kills a suspected smuggler during execution of his duties. The Duties were never specified and historical records indicate interrogation techniques back then were a little more to the point (of a sword or hot poker) than are considered normal practice for more regular LEA's these days. I must admit I was always slightly inquisitive on if the word terror came from or was incorporated in the word "inTERROgate"...
Like that thought. And if I may add: What if you broke the seal, but added another one next to it. Would that be even more confusing?
Security seals are inherently insecure and fairly simple to defeat. No matter how much you train them, they will always have a major flaw - fish. You can use the old standby of a trail of fish to an enclosure to capture the seal. This has the drawback of having the seal give a caterwauling warning once it finishes the bucket of fish you left in the enclosure. A tranquilizer in the fish might be better, as long as the correct dosage is used.
That works (for a given value of "works") only in a specific set of circumstances:
1. No logging of seals/seal applications
2. A large operation where not everyone knows everyone, and it could be assumed that "some other working stiff had to open it and resealed it". (Not that it's appropriate, but people do just want to do their jobs. . .)
3. An operation where it's acceptable to reseal without removing the old one.
Point 3 is where it should break down immediately, assuming correct implementation. We all know what happens when we assume. It should not be possible to add confusion to the DoS effect of broken seals, but given that humans are involved it can't be ruled out.
The big question is the expected value of the loss from having the seal protocol defeated versus the cost of doing it right. I'd guess that the added cost of the protocol (inventory, training, security, examination time) is anywhere from a few dollars to a few tens of dollars per seal (with occasional excursions into the hundreds or thousands when large teams and heavy equipment must wait for verification).
If your expected loss is a few percent, then you'd better be dealing in high-value items where there aren't a lot of cheaper ways to find out about thefts and diversions. (Just for a hypothetical on the CD example, probably way cheaper to have a few test buyers looking for stolen copies than to beef up the cases, seals and employee training.)
@Clive: No, it's from "inter-rogare" "to ask among" plus the suffix -tio "process of Ving." Lat. terror comes from a different verb. But a nice pun, and the kind of thing that Varro or Isidore would have happily taken and run with.
I have always found amusing over-the-counter medications which have a seal on the mouth of the bottle imprinted with the instructions "Do not use if this seal is damaged or missing".
"But a nice pun, and the kind of thing that Varro or Isidore would have happily taken and run with"
Alas you have caught me out, in a little word play, but if I remember correctly Varro and Isidore, were pressing the Athenian Timor for his debts long due?
I guess I'll have to go and look up Shakespeare's least known play "The Life of Timon of Athens" again, for it is a problem nigh tragedy, the remembrance of which does elude me.
--The last thing we need is another KCN-Tylenol incident, no matter how rare and spectacular. Oh, it's still an unsolved case...
This is another example of how seals are used to cover the retailer's exposure. Friends have told me how easy it was to buy CDs at Walmart, remove the CDs, and then return the empty cases. One can imagine that these would be restocked, sold, and the hapless consumer would be left with no product. Such a thing did happen to me once at a legitimate record store. What could I do, return an opened empty box? I had to eat the purchase.
My friend got an iPod back in their heyday. Upon opening, we found 50 cents in quarters and two sticks of gum.
We went back to the store and explained the situation. It took less than 30 seconds for them to get a replacement in our hands, opening it to make sure it was there.
I guess they had made the decision that the good faith towards customers was worth the cost of sucking up the cost of thievery from their store.
I am a specialist in package engineering and author of the Packaging Machinery Handbook. I occasionally speak on product surety which includes tamper evidency as well as counterfeiting and other aspects.
Cans are widely believed, even in the industry, to be tamper proof, not just tamper evident. In my talks, I use a can which I have opened using a sidecutting can opener. I fill the can with M&Ms and glue the lid back on.
To make it even more obvious, I create a fake label. It looks like the Borden's label except that it has my face where Elsie the cow should be.
I pass it around after saying that cans are tamperproof. Nobody, in the hundreds of people that have handled these cans in my talks, has ever noticed that 1) the bottom lid is glued on 2) the label has my face on it 3) that if shaken it rattles slightly. (Milk in a can generally does not rattle)
They are always amazed when a volunteer opens the can and they see the M&Ms.
How can we have any hope that the average consumer will recognize tampering when professionals, in a setting where there might be reason to suspect a trick, can't pick up on something so obvious?
We need to fight for product surety on all fronts but it seems to me that a lot of it is just security theater, as our host calls it in other instances.
John R Henry CPP
One thing I've not seen mentioned is securing the seal itself.
Case in point: Last month I was at a national-brand petrol station in the US. The credit card reader portion of the pump had a big red "SECURITY SEAL" sticker on it. They even had a placard affixed to the pump promoting the security features of their new card readers.
However, there was a nearly-full roll of the security seal decals sitting on top of the pump. I'm assuming some employee got called away whilst doing checks on the pumps. I will admit that I did ponder swiping the roll for fun and affixing said decals to their toilets, but resisted the temptation.
Similarly, I remember making fake IDs in high school using a roll of UV-hologram laminate which some other student had swiped from the DMV counter when they weren't looking. Sadly, our fake IDs looked more real than the ones issued by the DMV due to their crappy printing, bad camera, and laminator which had seen better days.
/Does anyone know why US DMVs use such crappy cameras? I think most mobile phone cameras take a better picture.
I shared this for amusement with an expert on a different kind of seal: cylinder seals, as used by the ancient Babylonians and others. She replied (in part):
In the second paragraph it says:
"… a seal is not intended to delay or discourage unauthorised entry... Instead, a seal is meant to leave behind unambiguous, non erasable evidence of unauthorised entry."
The second use of the word "unauthorised" is completely superfluous. It does indeed "leave behind unambiguous, non erasable evidence of entry", authorised as well as unauthorised!
Outside the royal storeroom in the 18th century BC palace at Mari, in Syria, there were masses of broken sealings left around the door and belonging to the people authorised to open the stores for deposit and/or removal of materials. From this we know that two people had to be present to unseal and reseal on each occasion. This was still the formula in Soviet Russia, and in the Museum in Turin in or around the 1980s!
Upon reading the title, I thought of this. ;-)
+1 for Seal Monday.