
Ironworks Gaming Forum

Old 08-05-2011, 02:34 PM   #1
Bungleau
40th Level Warrior
 

Join Date: October 29, 2001
Location: Western Wilds of Michigan
Posts: 11,752
Crazy Odd news: August 2011

Quote:

Defcon Lockpickers Open Card-And-Code Government Locks In Seconds


By Andy Greenberg | Forbes

To open a door fitted with the latest U.S. government-certified lock from high-end Swiss lock manufacturer Kaba, an employee must both enter a code up to eight digits long, then swipe a unique identity card coded to comply with a new standard that requires an extra layer of security, one designed to track individual staffers and make covert intrusion harder than ever.

Or, as lockpicking expert Marc Weber Tobias will show a crowd of hackers Friday, you can stick a wire in the tiny display light above the keypad and instantly render all of that "security" irrelevant.

At the Defcon security conference in Las Vegas, Tobias and his partner Toby Bluzmanis plan to demonstrate a series of simple hardware hacks that expose critical security problems in Kaba's E-plex 5800 and its older 5000. Zurich-based Kaba markets the 5800 lock, which Bluzmanis says can cost as much as $1,300, as the first to integrate code-based access controls with a new Department of Homeland Security standard that goes into effect next year and requires identifying credentials be used in secure facilities to control access.

In demonstrations for me and in videos they plan to show the Defcon audience, the lockpicking duo use one method called "rapping" to open the lock by simply hitting its top surface or lever handle with a mallet, compressing an internal spring that then decompresses and pushes open a latch that releases the lock. In another bypass, they insert a wire into a silicon cover for an LED light that blinks red when the user enters an invalid code. That wire can ground a contact on the circuit board behind the light that triggers a function intended to allow the door to be opened with a remote button, bypassing all its security measures.

A third attack allows an insider to open the back side of the lock and insert a wire that flips a microswitch intended as an override for power failures. That trick resets the lock's software, tampering with its audit trail and allowing it to be reprogrammed with different codes. Bluzmanis demonstrated in a video that the more elaborate microswitch attack could be performed in under a minute.

"The issue is simply insecurity engineering," says Tobias, who works as a consultant to several major lock firms and contributes blog posts to Forbes.com. "They simply don't get it."

Here are a few videos created by Tobias and Bluzmanis that demonstrate those security exploits:

In other techniques that Tobias plans to share privately with Kaba engineers in Zurich next week and demonstrated for me, additional vulnerabilities allowed him to open the lock silently and without a trace in seconds. Tobias asked me not to describe those methods, and argued that they're too sensitive to show to the Defcon audience before giving Kaba a chance to fix the problems.

Frank Belflower, the chief operating officer of Kaba's U.S. subsidiary Kaba Ilco responds to Tobias's claims by pointing out that he and Bluzmanis were using a lock on a wooden mount rather than on a door. "In a lab and on a mount is different than in the real world," says Belflower.

He argues that Kaba's locks claim only to be "access control devices, not high security locks," and says less than 500 have been sold to government customers. He adds that the company "reviews all data and input from the market to constantly enhance our product, and we'll take to look at these findings to enhance the locks and make them better."

Tobias says that in private conversations with Belflower, he learned that 1,500 of the locks have been sold. But that relatively small number encouraged Tobias and Bluzmanis to come forward with their findings before the hardware was more widely installed.

The holes in Kaba's security carry a larger lesson, says Tobias: that lock firms spend their resources trying to comply with standards like FIPS 201 without considering more imaginative attacks intruders might attempt. "The problem is that the engineers don't know security," he says. "They know about meeting the standards. But the criminals aren't keeping a copy of the standards in their back pockets."

For Kaba, the presentation comes as the second potential blow to its security reputation this year: In November 2010, customers filed a class action lawsuit against Kaba after they found that its Simplex lock, a simpler punch-code product, could be opened with a large magnet. The hack was originally discovered in Orthodox Jewish communities, where many religious residents don't carry keys on the Sabbath.

Kaba's E-Plex 5800 has far fewer users, but given its government target market, potentially far more secure ones. But better to expose the lock's insecurities now, Tobias argues, than after it's installed in applications like the Pentagon and in airports. "Will they fix these issues? Yeah," says Tobias. "But the issue isn't whether they'll fix it. The issue is what sort of vulnerabilities would have been created for the government if we hadn't found them first."
Ummm... yeah. Well, they didn't put the lock on a real door, so they didn't really break in.

What?

No, I'm not going to let them try to break into our offices.
__________________
*B*
Save Early, Save Often Save Before, Save After
Two-Star General, Spelling Soldiers
-+-+-+
Give 'em a hug one more time. It might be the last.
Old 08-21-2011, 08:52 AM   #2
Bungleau
40th Level Warrior
 

Join Date: October 29, 2001
Location: Western Wilds of Michigan
Posts: 11,752
Default Re: Odd news: August 2011

Quote:

Ferry runs aground after captain stuck in toilet

Reuters

HELSINKI (Reuters) - A Finnish ferry has run aground while its captain was stuck in the bathroom.

One member of staff managed to slow the island-hopping tourist ferry down, but the vessel, carrying 54 passengers, slammed onto a rock near the shore of Helsinki, the Finnish coastguard said Friday.

The captain got stuck in the bathroom because of a jammed lock and yelled for help, the coastguard said.

Some passengers were bruised and tableware was broken in the incident. The coastguard is investigating whether the captain's actions amounted to criminal endangerment.

"He was stuck in the toilet. As soon as the staff member got the door open, it was too late," said Jan Sundell, head of investigation.

(Reporting by Jussi Rosendahl)
Gives a whole new meaning to "hit the head"...
__________________
*B*
Save Early, Save Often Save Before, Save After
Two-Star General, Spelling Soldiers
-+-+-+
Give 'em a hug one more time. It might be the last.
Old 08-27-2011, 07:54 PM   #3
Timber Loftis
40th Level Warrior
 

Join Date: July 11, 2002
Location: Chicago, IL
Posts: 11,916
Default Re: Odd news: August 2011

http://asianbankingandfinance.net/fi...-gets-head-job
__________________
Old 08-28-2011, 02:15 AM   #4
Timber Loftis
40th Level Warrior
 

Join Date: July 11, 2002
Location: Chicago, IL
Posts: 11,916
Default Re: Odd news: August 2011

What what?
http://www.youtube.com/watch?v=-cuSi...layer_embedded
__________________
Old 08-28-2011, 09:16 AM   #5
VulcanRider
Lord Soth
 

Join Date: July 25, 2002
Location: Melbourne FL
Age: 59
Posts: 1,971
Default Re: Odd news: August 2011

But the other guy matched him move for move. It's either edited or they planned it for the cameras...
__________________

-----
Help feed animals in shelters with just a mouse click at The Animal Rescue Site !!
Old 09-01-2011, 08:10 AM   #6
Raistlin Majere
Ra
 

Join Date: March 26, 2002
Location: Finland
Age: 36
Posts: 2,323
Default Re: Odd news: August 2011

Quote:
Originally Posted by Bungleau View Post
Gives a whole new meaning to "hit the head"...
Haha, didn't expect to see news from my neck of the woods here
__________________
If the radiance of a thousand suns were to burst forth at once in the sky, that would be like the splendor of the Mighty One.

"I am become death, the destroyer of worlds."
All times are GMT -4. The time now is 11:55 AM.

