Tuesday, September 27, 2011

Photos and Names ... Please

I was on Twitter the other night and read a posting by a real locksmith who used a 'mug shot' in the profile.   There was a web address too and I just had to follow it.  Not a face to be seen and not a personal name either.  It was 'family owned' but so is every mafia front company.

We all know how this goes.  A company really only exists because of the people within it.  We do the work and the company pays us. Simple really. What sort of company does not name the owners or staff?  Think of it a bit.

One type is where there are so many it is impossible to keep up and where each is so interchangeable with the next it matters little who each person really is.  Or it is just so large it is hard to know where to start.  You know these companies by reputation and you may not get a GREAT product but you know where to find some level of manager.  In this group think of MacDonalds or IBM. Such web sites do not have staff often but have locations and detailed phone numbers. 

Another type of company has no pride in its service and no interest in you as a customer.  You are as replaceable as the crowd at the midway.  Next week its a new city and the carny who never cared before is seeing new suckers now.  In the locksmith trade, these are the call centre operations.  You can not find who they are since they have no interest in that.  You can only see one phone number and it is for booking a job only. 

And I keep hearing questions on how to fight back.  How do you keep shady operations from undercutting you with poorly trained staff doing shoddy work?  Of course they charge less for less.

Locksmith fight back by setting up web pages which show you are in this for the long haul.  You give an address and your names.  You show photos of your people.  You show the training of your staff.  I am a Certified Journeyman Locksmith (CJL) in my province. Spill folks.  If you bought a business licence, toss up a scan of it.  Show the ALOA registration card for the last conference.

And stop letting government off the hook.  If they have regulations for business licenses and criminal record check for locksmiths, ask they get some enforcement. Often they will say they wait for consumer complaints. Easy answer but nothing stops governments from protecting the consumer before many get ripped off.

And lets also be real here.  In the end people do business with people -- even if the money sometimes flows from company to company.  When you answer the phone you say your name.  When you pass out a business card, you say your name.  The call centres can never do this since they are not in your city.

So ... are you going to have your name and photo on your web pages or not?  It's your reputation. It's one more chance to differentiate yourself from the rogue elements.

--- --- --- --- ---
The contents of this post are released for non-profit or educational use in whole or in part provided this statement and the attribution below are kept attached.

Laux Myth ... Thoughts From a Locksmith
By MartinB, Found @ http://lauxmyth.blogspot.com/ 

Friday, September 9, 2011

Mapping Computer Security onto Physical Security: Two Factor Authentication

I just heard of the hack of the Twitter account for @nbcnews* from @gcluley in the Naked Security blog.  In the post, he suggests "an additional level of authentication" which is the idea of two factor authentication.  To access the account, you verify two kinds of data at once.  I will not go into how this is done with computers but there are a few ways.  The problem for Twitter -- and the end users -- it is slightly more expensive and not as convenient.  The computer security people and locksmiths know that the average 'joe' will torpedo security measures to get convenience.  In work environments, clear articulation of required protocols will lessen such failures for both the computer and physical security.  Without monitoring, however, you will find it hard to discipline for breaches.  Likewise, if you can not show action on small infractions, a firing for a large infraction is hard to support.

In my world, two factor authentication happens for high value targets.  One example would be some storage room with very controlled inventory such as narcotics, weapons, ammunition, explosives or sensitive documents.   The room is only to be opened when two people are present.  We set it up with two locks and each is keyed differently.  The locks are almost without exception high security types with UL 437 rating.  (In other parts of the world other standards come to play. The idea is very tight control on production of additional keys and the cylinders are very resistant to non-destructive bypass methods.)  Typically, a shop would make two keys only and one is put in service and the second is given to a superior who will often receive it with such a tight grip the blood is not getting into the knuckles around that key. 

In use, one key is signed to one staffer and the other key is assigned to another.  Having seen such rooms, they often have alarms for just this space and you just KNOW the two people each have to enter a different code to turn the alarm off.  Where does this fail?  One mode of failure is when the key is easy to copy and one staffer can get the other key.  Another -- and I have seen this -- is when the operation is short staffed and makes the choice to sign both keys to the same person. Another one would be a corrupt locksmith who supplies more keys than declared. As with any security process, there are certainly other modes of failure including some which may have not even been found yet.

Another common dual custody situation is often done in large retail operations where the cash office signs a deposit off an armoured truck team.  The staff in the cash office will drop the deposit into a chute inside a big safe where the deposit sits unreverable in the lower compartment.  When the truck comes, they know one of the lock combinations for the depository but only the store staff know the other.  In this way, the safe with the most money does not get opened unless both are present.

All for now, but I have been thinking of mapping the issues of computer security faults into the real world of keys and locks for a while now.  Consider this chapter one.

* Since this account has been compromised, it makes little sense to link to it.

--- --- --- --- ---
The contents of this post are released for non-profit or educational use in whole or in part provided this statement and the attribution below are kept attached.

Laux Myth ... Thoughts From a Locksmith
By MartinB, Found @ http://lauxmyth.blogspot.com/

Thursday, September 8, 2011

The Triangle of Security - Convenience - Cost

The Triangle of Security - Convenience - Cost

In dealing with clients, you often have to remind them that some goals to some degree are in conflict for a project or even just one door.  In a past post, I spoke of how secure a lock is based on 3-T's of Time, Tools, and Training.  For the most difficult safe containers you need all three to even hope to open it.  With doors,  you can make a few concessions in your training or tools but only if you take more time.  It is a balance but eventually when you compromise on all three, you really can not open a locked door with anything more than a 'police pick' -- kick it in.

The work of hardware has a similar triangle. I can get better security from an ordinary door by using a mortice block instead of a cylindrical lockset.  However, it is at higher cost for both the lock and the door. You also get more convenience with the mortice block as more functions are possible and the lock cylinder can be quickly changed out.

Clients want convenience to get into rooms or out.  The out direction is often defined by fire exit codes. When a door has to plausibly serve 100s of people fast, the opening must have exit hardware.  That is more expensive than door knobs and always will be.  For entrances where you need to allow the frail or handicapped, lever sets are needed over knobs, but again those have a higher price point. For the ultimate in easy access, install an auto-operator.  One simply pushes a button and the door opens.  Convenience costs money.

A good example of a secure door with ease of access is an electrified exit device with a high security cylinder in the outside trim. Everybody enters using a RFID fob and PIN number and then the door pulls open.  It is under camera and I am guessing when you scan your fob, the camera image is tossed up beside the photo of the person associated with that fob to some guard desk. It would be consistent with the place. The key was given very limited availability and I am certain would trigger a forced-entry alarm if used as it would be opening the door without an audit trail getting a name. (For doors on access control which have this set up, the alarm system can not tell the authorized key holder is opening the door from somebody just breaking in with a wrecking bar.)

Now I can get you low cost too.  On some back exit from an office block where it goes outside, you can supply grade 2 panics which are not fire rated.  The parts look thin and you know they would pry open easier than the best grade one devices.  There is one model with a terrible way to hold its rim cylinder in the outside trim.  A big screwdriver could rip that cylinder out. Where the best models will hold onto the door with up to 6 bolts, some of these will use 2.  You get the point.  However, the client wants a low price and as long as you explain the limits of the hardware you are providing, it is fine in my books.

Really, the summary of all this boils down to "You can have it all, but not all at once" or 'You get what you pay for".



--- --- --- --- ---
The contents of this post are released for non-profit or educational use in whole or in part provided this statement and the attribution below are kept attached.

Laux Myth ... Thoughts From a Locksmith
By MartinB, Found @ http://lauxmyth.blogspot.com/

Wednesday, September 7, 2011

Artificial Code Restrictions on Safe Locks



If you service digital locks at all, you will find the methods for how some people select the code. The convenience for the end user to set a combination, also means they sometimes choose poorly. The most common group 2 locks accept a six digit code and so have one million theoretical codes.  Some are in use as instructions or factory codes and you really should also toss out stuff like 111111 and 999999.  This means there are less than one million but it is very close.

The process used to get a new code is often done with some method to help memory but it has the problem of significantly restricting the available codes which are selected from at any time.  This is less of a vulnerability during a midnight break in where the intruder knows nothing of the safe except that it has to be in here somewhere.  However, the greater risk is from unauthorized staff or former staff who may have seen somebody open the container or know the system used to get a code.  I once heard a manager tell another the safe code is always a six letter word spelled out and it was said with unauthorized staff in the room.  (The risk here is lessened by this being a locked office to which only the managers have keys and the place runs 24/7.  However, why was it lessened at all.)

With that, I am going to explore the mathematics of how some of these methods of code restriction affect how many codes you are really choosing from when you could be selecting from a pool of almost one million.  I have built these around the LaGard 33E keypad (seen above) which is very common in the North American trade.  There are other keypads and while the shape differs the fundamental problem persists. I will show and discuss these below.


Doing Some Lines of Code

One of the common methods is to choose a pair of straight lines to get the six digits needed.  You can write out all the common 3 number blocks on the face of the above keypad and to get more codes I have even given the three number crooked lines.

Simple Lines
123 & 321
456 & 654
789 & 987
147 & 741
258 & 852
369 & 963
580 & 085

159 & 951
357 & 753

Humps and Valleys
426 & 624
759 & 957
153 & 351
486 & 684
709 & 907

Arrow Points
157 & 751
268 & 862
248 & 842
359 & 953
426 & 624
759 & 957
153 & 351
486 & 684
709 & 907

Assuming the end user gets no fancier than this, you have exactly 46 sets of three number blocks. Since a code would be any triplet followed by another, the possible codes from this system is 46 x 46 or  2116 codes. 

So let's be clear.  You have thrown away over 99% of the possible codes to make it easy to remember.  It does not seem a good price to pay for the memory advantage.


Six Letter Words

End users will use a six letter word to make a code. Doing this, 'lemony' gets you '536760' on the LaGard keypad above.  In any such list, there are words which many users would know like 'mammal' and words few would know like 'meloid'.[1]  If you are looking for a simple way to learn the code, the codes from common words would still be more common than chance.

I could find no definitive source, but his page claims to show the six letter words in English.
http://clubefl.gr/games/wordox/6.html
It does not give a count.  I printed it in small type and counted a few lines and counted the lines to get this at about 15 000 items.  This roughly agrees with another sources I found. 

There are two ways you can get more choices for code.  You can use a phrases of shorter words to get to six letters such as "big egg".  Also, shorter nouns can be pluralized or verbs moved to another tense to get to the needed 6 letters.  On the other end, it is possible some of these words convert into the same 6 digit number since some keys have three letters which all give the same digit.  I can think of no way to research how many codes this would get but it could be roughly double the number of 6 letter words.  So lets assume we get to 30 000 codes.  The lock allows just shy of a million codes and this system leave about 97% of the possible codes unused.  I would say not a good choice either.


Other Key Pads

You can see from these other pads two types of variations.  If they arrange the numbers in a different pattern, the method of getting lines of numbers changes slightly. As such the number of lines change slightly but the basic problem exists.  Also, sometimes the mapping of letters onto the number keys is different so the same word will generate a different code. [2]  Still, English still has the same number of words and six letter phrases so that problem is the same. 

However, some of these allow for codes longer than six digits or even allow codes of various lengths at the same time by different users.  While this changes the numbers the ratios become even worse not better.  You are still tossing out more codes than you are keeping to do either method above.

Sargent and Greenleaf. Like our example but the letters are under different numbers.  It does not always take a 6 digit code.

AMSEC keypad.  Another common brand.  Notice no letters.
LaGard Basic Keypad.  The numbers are in a different shape so the top line could give 123 and then 234 while the verticals could give 269 and 370.  Still limiting.

Found on the net.  No more detail than that.  It just looks fun.
A gun same.  No letters to guide you. Has a key over-ride so if you do forget the code, you can still open it.
A common hotel same.  Only takes 4 digits so only has 1000 codes. More secure in that you do not store anything in it for a long time which limits the time for a person to hack or learn your code.  Typically, upper management of the hotel can over-ride this lock and also open this safe.

Some Methods to Choose Better Codes

Well, almost anything is better than those above.  If a method tosses out 10% of the possible codes, it is probably workable.  Here are three I like and since you do not know which I am using when, good luck working backward.

The phone book gives lots of numbers.  Go to some page which you can remember such as page 39 -- my age, honest.  Choose the last two digits of the first three numbers in some column.  My code would then be 55-57-28.  I would have to remember which phone book, which column, my system and my age.  (I have also chosen the last digit of the last six phone numbers on the page.  My code would now be 769850.)

A little old book of math tables.  You find these in old book stores often for a dollar.  They have pages and pages of numbers of things like the cubic roots of all the numbers from one to 100.  Go to some page which means as much as a tax table to you and find any six digits in a row.  Next time choose another page and point to pick your 6 numbers.

Nice little book from 1918.  It was the 'calculator' of its day along with a slide rule.

Carry a few pages of numbers from Random Org ( http://www.random.org/integers/) and when you want a code just pick 6 numbers.  You could toss this out from time to time and get a new one. (Do not circle or mark the numbers you choose.  If somebody finds the pages, it is giving away too much information.)  Or, if the screen is right there, just pull up the page and use it once.

There are also many other systems to find collections of mixed up numbers and if you go to a different source each time, then your safe code will not fall into a pattern.  My goal was just to dissuade you from using two systems to get a safe code which clearly lack the random nature needed to give you the security you paid for in this safe with this kind of lock.

------------------------

[1] I do not know this word.  I hope I did not just swear!  (Well, just looked up and it is a group of beetles.  So relieved.)

[2] You might have noticed that telephones arrange the keypad with 1 on the upper left but computers put it on the lower left.  I went looking for the reason historically, but closest I found was this from How Stuff Works: http://www.howstuffworks.com/question641.htm


Friday, September 2, 2011

A Security Audit OF a Locksmith, Round One

Commercial locksmiths love when a bank or some other institution has a security audit since it often gets the shop work.  You get work right after the audit and sometimes in the week just before the next audit.  I also know the auditors find all kinds of accounting and personnel procedures to change as well but that does not get us work.  In all this, I was wondering if anybody with serious security concerns was looking a bit deeper.  With that in mind, I have written a series of questions to audit the locksmith since the security of the end user is partly dependent on the diligence of the locksmith shop.  There are occasional robberies of shops after all.

I am not making any comment on any of the shops I know.  Also, I am trying to strive for best practice at all times.  However, answers need to be realistic in the real world we all work.  I have chosen to toss out the questions first and invite anybody to add others for later revisions.  After the questions, I will give my thoughts on what is best practice for each item.  I fully expect 'not applicable' will be the correct reply for some shops to many of the questions.

Yikes, did I ever open a bucket of worms.  I keep finding questions about areas of vulnerability.  I am tossing these out now hoping I get some ideas of other questions to ask.  I still have a page of question on staffing I have not typed.

--------------------------------------

Physical Security

(This set of questions should be answered for each building used by the locksmith where it has multiple locations.)

Does the shop have high security locks on all exterior doors?  Do all exterior doors have deadbolts with 1 inch or 2.5 cm of throw? Are astragals or blockers in place if appropriate? Do cylinders have taper rings to limit extraction? Are all doors code compliant as emergency exits?

Are the exterior door of good enough construction to resist some physical attack?

Would broken glass in the door or sidelight be an effective way to open any door?  Are all such glass surfaces coated in security films?  Does breaking glass trigger an alarm?

Are records kept in an interior locked room also with a high security key?  After hours, would an alarm condition exist before an intruder reaches this room?

Does the alarm system have contacts on all doors and openable windows?  Does it have motions sensors to cover all interior space?  Is the alarm monitored?  Does the alarm have battery and cell phone backup?  Is the cell phone back-up guarded against a fast disable?

Does the shop have interior space monitored by cameras?  Do the cameras have IR ability?  Where does the signal feed?  Backup?  Offsite backup?  How long are the files or video tapes kept?  Are the record secured from tampering?

Are any exterior walls vulnerable to a mining attack from outside or an adjacent building? Are all places directly inside under a motion sensor?  How far could an intruder move before tripping a double hit on the alarm?


Record Keeping

Are files with master and restricted keying records kept locked in a cabinet or safe when the business is closed?  Give the rating of the this cabinet or safe.

During business hours, are they also secured from non-cleared staff? 

Is there any leakage of key codes or other sensitive security information into the accounting stream?

Are ready-to-use keys kept in the files associated with the building they operate? 

Is any kind of encoding used on key records sent with staff outside the building?  Are keys tagged with the function and location?

How long are dormant files kept after the last work done in a location?  Is the building or operation notified of their destruction?

Who owns the keying record of the building and how do you make this clear to the end user who buys a master key system?  Is the end user given a choice??


Staffing
(Whole page of questions pending.)


Procedures

Are old master keys decoded before planning new systems?  Is this done in a way you can reasonably know all the old keys are retired?

Are all keys shipped to the end user with standard codes?  Could they be shipped without code if asked or fully blind codes??

Do you keep off site records off all the key system files you have on record?

What computer systems exist connected to the internet?  If a trojan was ever installed what kinds of data could leak?
___ keying charts  ___ client names ___ financials  __ emails  ___ quotes
___ others, specify __________________________________

Of computers not connected to the internet, are they systematically backed up?  Are the systems checked for viruses from sources like CDs and USB sticks?  Is data stored overnight as encrypted files?  Good encryption??

Are all laptops in use at the site equipped with recovery software?  Do they encrypt key data?  Will it erase if a brute force attack is tried?

Are all passwords strong on all critical systems?  No really … how strong are they?   Are they written on paper but only in a safe?



Get back to me with more good questions you think would help this topic along.

--- --- --- --- ---
The contents of this post are released for non-profit or educational use in whole or in part provided this statement and the attribution below are kept attached.

Laux Myth ... Thoughts From a Locksmith
By MartinB, Found @ http://lauxmyth.blogspot.com/