Physical Security

Physical Security for Cyber Security

This area of security is sometimes summarized as "Guards, Gates & Guns". Information technology people tend to overlook this area, but it is vital.

If you don't have physical security, you can't have security.

If someone can walk off with a disk or other data storage unit, or an entire computer, your careful system administration and file system permission settings accomplish nothing.

U.S. NIST has Special Publication 800-116, "Guidelines for the Use of PIV Credentials in Facility Access", describing how federal government agencies should control physical access with personal identification cards.

I don't have a lot of information here, but I do have a few examples and stories. See the hardware security page if you're instead looking for the (in)security of physical information processing and storage devices — CPUs, memory, Trusted Platform Modules, and so on.

OPSEC and Physical Security

There was a sudden panic in January 2018 when people realized that uploading exercise data to Strava does exactly what their project announced it would do: built a world-wide searchable "heat map" of exercise activity.

It uses a mobile phone's GPS, plus data from fitness devices like Fitbit and Jawbone.

The thing is, when U.S. military personnel use this around their bases in areas where the local population doesn't do elective exercise with electronic equipment, things become obvious.

Sites like an apparent drone base in Djibouti, Diego Garcia, and Guantanamo become obvious, as do sites guarded by personnel interested in fitness and possessing personal gear very unlike the locals. For example, in Somalia, Kismaayo Airfield, Ballidogle Airport, Baidoa Airport and some spot north of Galkayo. Or this unlabeled airport north of Assab, Eritrea, where it seems that people walk on the runways.

There's pretty good analysis by a writer for the Daily Beast.

Then in July 2018, journalists used the fitness app Polar to uncover HUMINT operations in Milan and Dubai, and to track personnel at NSA, MI6, GCHQ, GRU, SVR, and other intelligence agencies. See the de Correspondent article for details.

Don't Be This Guy

I can't decide if the "James M Atkinson" persona on LinkedIn is performance art or delusional behavior or, less likely, the most spectacular OPSEC failure I could name. It purports to describe some blend of James Bond, Doc Savage, Dirk Pitt, and Tony Stark, who designs espionage equipment and personal weaponry and then trains the CIA and Navy SEALs in their use. And then, sighing heavily, takes on the mission himself, because no one else could possibly succeed. "Considered to be the Leonardo da Vinci of Bug Sweeps." Trains snipers, but U.S. Citizens only. "Post-graduate emergency medicine training from Harvard." Multiple certificates and a degree from Bunker Hill Community College. And on and on and on.

Getting Out of Online Listings

As I mentioned in my Cybersecurity Basics pages, under Be Careful on Social Media, everything you post on social media sites is now out of your control and it belongs to the social media companies. The more you post on social media, the easier you make it for criminals to steal your identity.

Somewhat related are the "people finder" aggregators. They collect and index publicly available records, and make it easy for other people to look up information about you. Some let you request that they hide your listings:

1. Spokeo tells you to search for yourself, copy the URL, paste it into their opt-out page, and submit your request.
2. Radaris has directions on removing your listing. There is further information here.

At least Pipl.com is honest. Their search results link to the places where they collected the data about you. They recommend that you search for yourself, then remove your information from the pages they found. For your current social media accounts, you can delete those. But all the other sites turn this into an unending project.

ZabaSearch says that the only way to remove your listing is to transmit a fax^* of your driver's license to +1-425-974-6194 and then wait 4 to 6 weeks.

We don't change the combination. Ever.

Once upon a time, I worked on a contract just outside Washington DC at Fort Belvoir. I was down the food chain, working for a subcontractor who was working for Raytheon, who in turn was working for the U.S. Department of Defense.

I was being shown around the facility on the first day on the job. "Here's the SCIF^* where you'll work, down that hall are the toilets and the water cooler and coffee machines", and so on.

My tour guide had worked the cipherlock to get us into the SCIF, and I was thinking ahead to my first solo trip to the toilets (and hopefully back!), so I asked what the combination was.

"Oh, it's 'FACTORY'", he said.

I dutifully leaned down to examine the cipherlock. Huh. Five buttons: 1, 2, 3, 4, 5 and no letters. How am I supposed to spell the word FACTORY with the digits 1–5?

I asked, and received a look of disbelief that I was so naive as not to realize that — of course — they keep their cipherlocks at the factory default so anyone with half a clue knows how to get in. Well, I was SO naive that I had to ask what that default was. That got me a look of disgusted disbelief.

It's 2+4-3 for that brand. That is, 2 and 4 at the same time, then 3. That's conveniently right around the middle and a sequence I thought I had better remember.

It's much more secure at the youth hostel

I more recently taught a course on information security in Annapolis, Maryland, which meant that most of the attendees were from NSA or a related agency, or from their many contractors and their subcontractors.

I told my story about the factory default locks and they chuckled at my naivete, and then chuckled a little uncomfortably because many of them had seen that sort of thing, sometimes recently.

The class ended on Friday, having gone well, and I got everything packed up and handed over to the shippers. Then I went into Baltimore to stay over the weekend and do some tourism. I stayed at the HI hostel in an old mansion next to the mansion where Poe got his big break in writing, so it was just $25 a night for a bunk in a shared room. Not like I was in some security-minded government facility or anything.

The exterior doors and bedrooms had cipherlocks with TEN digits and FOUR number combinations. So, let's see, a combinatorial advantage of 10,000 vs 125, or an 80:1 ratio, over 3 presses choosing from five buttons.

53 = 125
104 = 10000
10000/125 = 80

But no, it's far better than that. I was going to leave Tuesday afternoon. I checked out and stored my pack that morning and did a few more things until after lunch. Then they had to buzz me back into the building when I returned to pick up my things, because I had checked out and the unique door codes specific to me had expired at noon.

That's right, everyone staying there gets unique combinations for the outer door and the door to their room, good only for the length of their stay. As they explained it to me, they just find it far easier to operate that way. Since you obviously want a combination to work for a limited time, and you don't want the hassle of announcing daily door codes, you have unique ones for each guest's visit. And, if you were the sort of place wanting to enforce some sort of audit trail as opposed to just keeping the vagrants and crazies out of the building (this being Baltimore, after all), you would also get that. Yes, that was the obvious and easy solution, at least for them.

So.... Now when I teach an introductory infosec class, I have the Fort Belvoir cipherlock story, plus Part Two.

The HI-Baltimore hostel is the brown brick mansion at right. The red brick building two doors to its left is the John Latrobe house, where Poe was awarded a fifty dollar prize for his story "MS Found In A Bottle". I have lots more details and pictures of Poe sites in Baltimore.

Only trustworthy people can get drivers' licenses, right?

The U.S. has a lot of Security Theatre that accomplishes nothing beyond inconvenience and waste of time and money. There is an obsession with state driver's licences — if you have one, you must be no threat, because you can't get in without showing one, but as soon as you show that you are authorized to operate motor vehicles, you can go right in. This is despite the fact that every one of the 9/11 hijackers had valid U.S. state driver's licenses.

One time in Washington D.C. I saw that the Department of the Interior had a small museum with an exhibit of photographs of UNESCO World Heritage Sites in the United States. That sounded interesting, so I went.

Entrance to the Department of the Interior building requires your participation in some silly security theatre. The guard first looks at your driver's license, and I would wager that mine was the first Indiana one he could remember seeing. He clearly did not really know whether what I had handed him was a valid Indiana driver's license or not. But he stared at it for a number of seconds, handed it back, and told me to go over to a podium across the lobby and sign in on the visitors' log.

So I signed in as I always do in these situations: Richard Milhous Nixon.

On the rare occasions when you also have to sign out, I am sometimes pleased to see in the useless log that my vice-president Spiro T Agnew signed in soon after I did.

Richard Nixon. Or me.

U.S. Department of the Interior.

How should this really be done?

Go to a major office building in Manhattan some time. The guards are quite friendly, there's little of the obligatory threatening attitude that seems to be required in Washington. But what they do is useful — They look at your ID, but then they slide it into a device designed especially to photograph ID cards and passports. They also have you look at a small digital camera. They now have a photograph of you and of your ID, and they issue you a limited-time badge (usually a sticker). That often includes a bar code or speckle code required to get you through the turnstyle.

Oh, and how was the museum in Washington?

Quite lame, beyond the nice new pictures of the UNESCO World Heritage sites.

My favorite part was one of the display cases explaining what the Department of the Interior does. It said that Interior controls mineral rights, the extraction of which provides material vital for everyday household items:

"For example, the vinyl used to produce 33-1/3 RPM long-playing records."

I looked at the rest of the exhibits, took a couple of pictures, and left.

Fly through the Atlanta Airport, get shoulder surfed

Not all shoulder surfers are this obvious.

The Atlanta airport promotes the use of their wireless networking with this poster.

Or maybe they're promoting the activity of "shoulder surfing", simply reading other people's sensitive data off their screens.

Some suggestions about electromagnetic shielding

A recent study has questioned the effectiveness of an aluminum foil hat for blocking mind control rays: "On the Effectiveness of Aluminium Foil Helmets: An Empirical Study", Ali Rahimi¹, Ben Recht², Jason Taylor², Noah Vawter², 17 Feb 2005
1: Electrical Engineering and Computer Science department, MIT.
2: Media Laboratory, MIT.

However, as explained on the excellent Zapatopi website, that study has several serious flaws.

Vendors of EMI/RFI shields and filters include:
Coilcraft CTS Corporation EMI Solutions Inc Leader Tech Mouser Electronics MTE Corporation Murata Tech-Etch TE Connectivity Zippertubing

Murata offers a lot of background information, including a 13-part noise suppression course.