Hex dump of Gibe-F worm.

Physical Security

Physical Security for Cyber Security

This area of security is sometimes summarized as "Guards, Gates & Guns". Information technology people tend to overlook this area, but it is vital.

If you don't have physical security, you can't have security.

If someone can walk off with a disk or other data storage unit, or an entire computer, your careful system administration and file system permission settings accomplish nothing.

NIST SP 800-116
(nist.gov)

U.S. NIST has Special Publication 800-116, "Guidelines for the Use of PIV Credentials in Facility Access", describing how federal government agencies should control physical access with personal identification cards.

Hardware
Security

I don't have a lot of information here, but I do have a few examples and stories. See the hardware security page if you're instead looking for the (in)security of physical information processing and storage devices — CPUs, memory, Trusted Platform Modules, and so on.

OPSEC and Physical Security

There was a sudden panic in January 2018 when people realized that uploading exercise data to Strava does exactly what their project announced it would do: built a world-wide searchable "heat map" of exercise activity.

It uses a mobile phone's GPS, plus that from fitness devices like Fitbit and Jawbone.

The thing is, when U.S. military personnel use this around their bases in areas where the local population doesn't do elective exercise with electronic equipment, things become obvious.

Sites like an apparent drone base in Djibouti, Diego Garcia, and Guantanamo become obvious, as do sites guarded by personnel interested in fitness and possessing personal gear very unlike the locals. For example, in Somalia, Kismaayo Airfield, Ballidogle Airport, Baidoa Airport and some spot north of Galkayo. Or this unlabeled airport north of Assab, Eritrea, where it seems that people walk on the runways.

There's pretty good analysis by a writer for the Daily Beast.

Then in July 2018, journalists used the fitness app Polar to uncover HUMINT operations in Milan and Dubai, and to track personnel at NSA, MI6, GCHQ, GRU, SVR, and other intelligence agencies. See the de Correspondent article for details.

We don't change the combination. Ever.

Once upon a time, I worked on a contract just outside Washington DC at Fort Belvoir. I was down the food chain, working for a subcontractor who was working for Raytheon, who in turn was working for the U.S. Department of Defense.

I was being shown around the facility on the first day on the job. "Here's the SCIF* where you'll work, down that hall are the toilets and the water cooler and coffee machines", and so on.

* A SCIF is architecture as Faraday cage, if you're not into the DOD acronym-speak.

My tour guide had worked the cipherlock to get us into the SCIF, and I was thinking ahead to my first solo trip to the toilets (and hopefully back!), so I asked what the combination was.

"Oh, it's 'FACTORY'", he said.

I dutifully leaned down to examine the cipherlock. Huh. Five buttons: 1, 2, 3, 4, 5 and no letters. How am I supposed to spell the word FACTORY with the digits 1–5?

I asked, and received a look of disbelief that I was so naive as not to realize that — of course — they keep their cipherlocks at the factory default so anyone with half a clue knows how to get in. Well, I was SO naive that I had to ask what that default was. That got me a look of disgusted disbelief.

It's 2+4-3 for that brand. That is, 2 and 4 at the same time, then 3. That's conveniently right around the middle and a sequence I thought I had better remember.

It's more secure at the youth hostel

Now I more recently taught a course on information security in Annapolis, Maryland, which meant that most of the attendees were from NSA or a related agency, or from their many contractors and their subcontractors.

I told my story about the factory default locks and they chuckled at my naivete, and then chuckled a little uncomfortably because many of them had seen that sort of thing, sometimes recently.

The class ended on Friday, having gone well, and I got everything packed up and handed over to the shippers. Then I went into Baltimore to stay over the weekend and do some tourism. I stayed at the HI hostel in an old mansion next to the one where Poe got his big break in writing, so it was just $25 a night for a bunk in a shared room. Not like I was in some security-minded government facility or anything.

The exterior doors and bedrooms had cipherlocks with TEN digits and FOUR number combinations. So, let's see, a combinatorial advantage of 10,000 vs 125, or an 80:1 ratio, over 3 presses choosing from five buttons.

53 = 125
104 = 10000
10000/125 = 80

But no, it's far better than that. I was going to leave Tuesday afternoon. I checked out and stored my pack that morning and did a few more things until after lunch. Then they had to buzz me back into the building when I returned to pick up my things, because I had checked out and the unique door codes specific to me had expired at noon.

That's right, everyone staying there gets unique combinations for the outer door and the door to their room, good only for the length of their stay. As they explained it to me, they just find it far easier to operate that way. Since you obviously want a combination to work for a limited time, and you don't want the hassle of announcing daily door codes, you have unique ones for each guest's visit. And, if you were the sort of place wanting to enforce some sort of audit trail as opposed to just keeping the vagrants and crazies and thugs out of the building (this being Baltimore, after all), you would also get that. Yes, that was the obvious and easy solution, at least for them.

So.... The next time I teach an infosec class, I'll tell the Fort Belvoir cipherlock story. But now I have a new Part Two for the story

HI-Baltimore hostel at right in an old brick mansion.  Two buildings to the left is the Latrobe House, where Poe's 'MS. Found In A Bottle' was awarded a fifty dollar prize.

The HI-Baltimore hostel is the brown brick mansion at right. The red brick building two doors to its left is the John Latrobe house, where Poe was awarded a fifty dollar prize for his story "MS Found In A Bottle". Click here for lots more details and pictures of Poe sites in Baltimore.

Only trustworthy people can get drivers' licenses, right?

The U.S. has a lot of Security Theatre that accomplishes nothing beyond inconvenience and waste of time and money. There is an obsession with state driver's licences — if you have one, you must be no threat, because you can't get in without showing one, but as soon as you show that you are authorized to operate motor vehicles, you can go right in. This is despite the fact that every one of the 9/11 hijackers had valid U.S. state driver's licenses.

One time in Washington D.C. I saw that the Department of the Interior had a small museum with an exhibit of photographs of UNESCO World Heritage Sites in the United States. That sounded interesting, so I went.

Entrance to the Department of the Interior building requires your participation in some silly security theatre. The guard first looks at your driver's license, and I would wager that mine was the first Indiana one he could remember seeing. He clearly did not really know whether what I had handed him was a valid Indiana driver's license or not. But he stared at it for a number of seconds, handed it back, and told me to go over to a podium across the lobby and sign in on the visitors' log.

So I signed in as I always do in these situations: Richard Milhous Nixon.

On the rare occasions when you also have to sign out, I am sometimes pleased to see in the useless log that my vice-president Spiro T Agnew signed in soon after I did.

Richard M Nixon U.S. commemorative stamp

Richard Nixon. Or me.

United States Department of the Interior.

U.S. Department of the Interior.

How should this really be done?

Go to a major office building in Manhattan some time. The guards are quite friendly, there's little of the obligatory threatening thug attitude that seems to be required in Washington. But what they do is useful — They look at your ID, but then they slide it into a device designed especially to photograph ID cards and passports. They also have you look at a small digital camera. They now have a photograph of you and of your ID, and they issue you a limited-time badge (usually a sticker). That often includes a bar code or speckle code required to get you through the turnstyle.

Oh, and how was the museum?

Quite lame, beyond the nice new pictures of the World Heritage sites.

My favorite part was one of the display cases explaining what the Department of the Interior does. It said that Interior controls mineral rights, the extraction of which provides material vital for everyday household items:

"For example, the vinyl used to produce 33-1/3 RPM long-playing records."

I looked at the rest of the exhibits, took a couple of pictures, and left.

LP record 'Actual Business Letters'.
LP record 'You're My Girl' by Jack Webb.

Fly through the Atlanta Airport, get shoulder surfed

Shoulder surfing in the Atlanta airport.

Not all shoulder surfers are this obvious.

The Atlanta airport promotes the use of their wireless networking with this poster.

Or maybe they're promoting the activity of "shoulder surfing", simply reading other people's sensitive data off their screens.

Some suggestions about electromagnetic shielding

A recent study has questioned the effectiveness of an aluminum foil hat for blocking mind control rays: "On the Effectiveness of Aluminium Foil Helmets: An Empirical Study", Ali Rahimi1, Ben Recht2, Jason Taylor2, Noah Vawter2, 17 Feb 2005
1: Electrical Engineering and Computer Science department, MIT.
2: Media Laboratory, MIT.

However, as explained on the excellent Zapatopi website, that study has several serious flaws.

Vendors of EMI/RFI shields and filters include:
Coilcraft CTS Corporation EMI Solutions Inc Leader Tech Mouser Electronics MTE Corporation Murata Tech-Etch TE Connectivity Zippertubing

Murata offers a lot of background information, including a 13-part noise suppression course.

Back to the main Security Page