Original spanish entry [0]
First answer
When you open a lock you can grab a device, open it and tamper with it or get keys stored in a drawer, access an unprotected terminal, sensible printed documention, install an usb keylogger, video splitter, network sniffer, take a backup tape, or, why not, steal a production disk. Not enough, too corporate.
Second answer
A key is an authentication factor [1][2], something I have.
The lock maker is in the same position as someone who implements an authentication algorithm. The one who installs the door, an authentication system.
Copying a key is like stealing passwords by means of shoulder surfing, keylogging or phishing.
You can ask a locksmith to copy them or take a photo or cast. Shoulder surfing is watching over someone else's shoulder while he is typing the password, keylogger is a program that captures every keystroke and send it to the attacker, phishing is asking someone to type his passwords in a fake web site under an attacker control.
To move the latch without moving the lock is like taking advantage of a crytographic system or web appliation design flaw, like CSRF or session fixation.
Can shim[3] of Devian Ollam is an example of the first, you use a can to open a padlock, like a credit card to open a door. To explain CSRF is not so easy, but it's kind of using the victim's session to make a transaction in a web application. Session fixation allows the attacker to get an authenticated session without getting the password.
Impressioning is the process of trying a blank key and filing where a mark appears until the lock opens and it is like a timing attack when you can recover a password from the variation of time in invalid login attemps.
I can not find a good comparisson for lifting. You open the lock pin by pin. It has some resemblance with a timing attack, but you open the door without getting the key.
Racking is brute lifting, like trying combinations, called brute force attack.With a combination padlock it is like trying every number. Racking is like a dictionary attack as it is trying common numbers in a combination padlock.
If a password is hashed and the attacker get it and find another password with the same hash value (it is called colission) it is like having a master key.
If someone has the same passwords in different accounts, if one of the sites get compromised, the attacker can attack all the accounts. It is like having the same key for all the doors.
Bumping is bumping the lock with an special key and it is like changing the execution flow of a program with a buffer overflow.
Vulnerabilities comparisson
avoids authentication mechanisms | got a copy of the key or the password | |
---|---|---|
keylogger | no | yes |
shoulder surfing | no | yes |
phishing | no | yes |
csrf | yes | no |
session fixation | yes | no |
dictionary | no | yes |
brute force | no | yes |
collision | in some way | in some way |
buffer overflow | yes | no |
timing attack | no | yes |
repetition | no | implies that the first one has been captured |
key copy | no | yes |
can shim | yes | no |
lifting | no | no (*) |
impressioning | no | yes |
racking | no | no |
master key | in some way | in some way |
social engineering | yes | probably |
bumping | no | no |
Responsabilities and mitigations
responsible | mitigation | |
---|---|---|
keylogger | user | do not install malware |
shoulder surfing | user | get smart |
phishing | user | get smart |
csrf | provider | secret toke |
session fixation | provider | discard session |
dictionary | user | check against dictionary |
brute force | destiny | stronger passwords(**) |
collision | provider | improve algorithm (***) |
buffer overflow | provider | do not trust 0 as a string end |
timing attack | provider | fixed time comparissons |
repetition | user | use different keys and passwords |
key copy | user | do not give key away |
can shim | provider | block latch |
lifting | provider | improve design (****) |
impressioning | provider | rounded pines |
racking | provider | improve design (****) |
master key | shared | asume risk |
social engineering | user | get smart |
bumping | provider | springs with different strength |
(*) I guess that someone with enough experience could imagine the key and build it.
(**) Stronger passwords mean longer with numbers, symbols, upper and lowercase characters.
(***) The attacker that does not know the algorithm, can not find colissions. The theory says that the algorithm is not secrect, but defense in depth say so.
(****) Includes using special pins, different strengh springs and a more contorted profile
Not enough, too academic.
Third answer
There is another answer related to mental state, attitude. The spirit of lockpicking is the same as the hacking spirit.
The feeling of opening a lock without the key is like hacking a system in a laboratory or ethical hacking, of course.
Disposable lockpicking at http://seguridad-agile.blogspot.com/2013/04/disposable-pick-tools-for-office.html
If you do not like my english, welcome aboard, please be kind.
[0] http://seguridad-agile.blogspot.com.ar/2013/09/por-que-lockpicking.html
[1] http://en.wikipedia.org/wiki/Multi-factor_authentication
[2] http://seguridad-agile.blogspot.com/2013/11/por-que-no-biometria.html
[3] http://deviating.net/lockpicking/media/can_shim.avi
No hay comentarios:
Publicar un comentario