martes, 11 de febrero de 2014

Why lockpicking

What is the relationship between opening a lock and infosec? Why are you paying attention to that teenager activity? It is kind of an illegal kid's game!

Original spanish entry [0]

First answer


When you open a lock you can grab a device, open it and tamper with it or get keys stored in a drawer, access an unprotected terminal, sensible printed documention, install an usb keylogger, video splitter, network sniffer, take a backup tape, or, why not, steal a production disk. Not enough, too corporate.

Second answer


A key is an authentication factor [1][2], something I have.

The lock maker is in the same position as someone who implements an authentication algorithm. The one who installs the door, an authentication system.

Copying a key is like stealing passwords by means of shoulder surfing, keylogging or phishing.

You can ask a locksmith to copy them or take a photo or cast. Shoulder surfing is watching over someone else's shoulder while he is typing the password, keylogger is a program that captures every keystroke and send it to the attacker, phishing is asking someone to type his passwords in a fake web site under an attacker control.

To move the latch without moving the lock is like taking advantage of a crytographic system or web appliation design flaw, like CSRF or session fixation.

Can shim[3] of Devian Ollam is an example of the first, you use a can to open a padlock, like a credit card to open a door. To explain CSRF is not so easy, but it's kind of using the victim's session to make a transaction in a web application. Session fixation allows the attacker to get an authenticated session without getting the password.


Impressioning is the process of trying a blank key and filing where a mark appears until the lock opens and it is like a timing attack when you can recover a password from the variation of time in invalid login attemps.

I can not find a good comparisson for lifting. You open the lock pin by pin. It has some resemblance with a timing attack, but you open the door without getting the key.

Racking is brute lifting, like trying combinations, called brute force attack.With a combination padlock it is like trying every number. Racking is like a dictionary attack as it is trying common numbers in a combination padlock.

If a password is hashed and the attacker get it and find another password with the same hash value (it is called colission) it is like having a master key.

If someone has the same passwords in different accounts, if one of the sites get compromised, the attacker can attack all the accounts. It is like having the same key for all the doors.


Bumping is bumping the lock with an special key and it is like changing the execution flow of a program with a buffer overflow.

Vulnerabilities comparisson


avoids authentication mechanismsgot a copy of the key or the password
keyloggernoyes
shoulder surfingnoyes
phishingnoyes
csrfyesno
session fixationyesno
dictionarynoyes
brute forcenoyes
collisionin some wayin some way
buffer overflowyesno
timing attacknoyes
repetitionnoimplies that the first one has been captured
key copynoyes
can shimyesno
liftingnono (*)
impressioningnoyes
rackingnono
master keyin some wayin some way
social engineeringyesprobably
bumpingnono




Responsabilities and mitigations



responsiblemitigation
keyloggeruserdo not install malware
shoulder surfinguserget smart
phishinguserget smart
csrfprovidersecret toke
session fixationproviderdiscard session
dictionaryusercheck against dictionary
brute forcedestinystronger passwords(**)
collisionproviderimprove algorithm (***)
buffer overflowproviderdo not trust 0 as a string end
timing attackproviderfixed time comparissons
repetitionuseruse different keys and passwords
key copyuserdo not give key away
can shimproviderblock latch
liftingproviderimprove design (****)
impressioningproviderrounded pines
rackingproviderimprove design (****)
master keysharedasume risk
social engineeringuserget smart
bumpingprovidersprings with different strength

(*) I guess that someone with enough experience could imagine the key and build it.
(**) Stronger passwords mean longer with numbers, symbols, upper and lowercase characters.

(***) The attacker that does not know the algorithm, can not find colissions. The theory says that the algorithm is not secrect, but defense in depth say so.

(****) Includes using special pins, different strengh springs and a more contorted profile



Not enough, too academic.

Third answer

There is another answer related to mental state, attitude. The spirit of lockpicking is the same as the hacking spirit.

The feeling of opening a lock without the key is like hacking a system in a laboratory or ethical hacking, of course.

Disposable lockpicking at http://seguridad-agile.blogspot.com/2013/04/disposable-pick-tools-for-office.html

If you do not like my english, welcome aboard, please be kind.

[0] http://seguridad-agile.blogspot.com.ar/2013/09/por-que-lockpicking.html
[1] http://en.wikipedia.org/wiki/Multi-factor_authentication
[2] http://seguridad-agile.blogspot.com/2013/11/por-que-no-biometria.html
[3] http://deviating.net/lockpicking/media/can_shim.avi

No hay comentarios:

Publicar un comentario