Low Skilled Access to Locked Firearms

Security doesn’t stop at computers. I wanted to take a common firearm lock and demonstrate a low-skill attack that breaches the wafer core of the device.

In my experience, this lock is just as easy to SPP (single pin pick) as it is to rake open, but to truly highlight how easy it is… I went for raking.

Raking is a technique where you take a picking tool that looks like a snake, insert it into a lock while applying tension, and draw the rake along the pins/wafers until all of them are set at the shear line. Raking is a quick and effective way to breach low-security locks… as you’ll see.

I’m a bit of a mouth breather, so I covered it up using a song YouTube recommended. With that said, it’s a bit loud. Sorry:

Observations at a Security Conference

Nearly every year since 2009, when THOTCON started, I’ve gone as an attendee. My first year, I was still working in physical security. Both the conference and I have matured, and it is great being a part of this field.

Each time I leave with new motivation, and a little more caution about how data is handled. This year I noticed three problems during this trip, the most egregious being…

Speakers Taking Attendees Out to Lunch

It should be a fair assumption that a conference speaker follows best practices of security hygiene at all times. In this case, I saw a previous year’s speaker with a pretty clear American Express card, strapped face up onto a bag. This picture has been purposefully blurred and pixelated — the original had the numbers legible. The bag is also clearly abandoned at this point, with nothing but a keychain stopping me from grabbing that card.

Credit card number face up, attached to a backpack
Let’s go shopping!

How Suite of You <3

Holiday Inn generally maintains very clean hotels, great staff, and decent rates. I have, however, been issued room keys just by giving out a room number or asking housekeeping staff. Somehow, this seems worse…

Hope that’s not a PIN…

Behind each of the small podium-style desks hung the master keys for the building. I could have potentially done the following:

  • Climbed onto the roof, realized I was afraid of heights, and done nothing
  • Broken into the breakfast bar and made a leaning tower of 25 Belgian waffles
  • Gone into the laundry room and OD’d on Tide Pods
  • Gone into the pool after hours and… enjoyed myself? (Still can’t figure out why they close it on me)
  • Or, perhaps most obviously, gone room to room taking down TVs, collecting laptops, jewelry… or obviously much worse.

I was an avid watcher of a show called Hotel Impossible. In this, the host (Anthony Melchiorri) had demonstrated how bad this is… He filled up the back of a cameraman’s SUV with a hotel’s televisions. He also hid in the bathroom of a room that was supposed to be empty, only to demonstrate to the housekeepers that he could have attacked them. He got this master key off of a roll-around maintenance cart. The show is fantastic, and I’d recommend it to travelers and hoteliers alike.

A friend of mine (who bought too much pickup truck) had checked bags at this hotel as well. We were pretty darn close to missing the Metra pickup time due to a fantastic SDR talk. Our Lyft driver got us to the hotel just in time to pick up our bags, and then get to the train station. My friend (with the oversized cab) ran in, said he needed the bags for room 143, and was in a hurry — the bags were handed over without question based on room number… Not name, identification, room key, etc.

Possibly the least entertaining problem, however, goes to the good ol’ United States Postal Service:

PII, Delivered

This postal worker was really friendly, carrying letters into a local business. The problem is that there are a few folks standing outside of this business with flashing badges with stormtroopers on them, another badge with a chalk outline of a dead person, and shirts that say “HACKING IZ KEWL” on them… and this guy leaves a bin — on wheels — full of mail in front of those people while he goes inside the business.

Meh, they’re probably just bills anyways.

Takeaway

Really — the takeaway here is — please train your federal employees, your hotel management, and your conference speakers on security. It truly is important, and most people aren’t like me — most will ignore these issues. Some will take pictures, laugh about it with friends, maybe make a blog post (this is me). But there are others who will just grab this stuff. Look around your cube right now… Do you have your wallet on your desk? Do you have your keys sitting out? Can I take pictures of them? (See: TSA keys leaked, for example). Do you have an empty package of Master Locks in your trash with the bitting code facing up? I’ve seen all of this within the past few weeks. Stop making me sad.

I read 500 SSL Certificates so You Don’t Need To


First things first: there is no such thing as an SSL certificate. There are digital certificates (with their key pairs), and then there are the protocols, namely SSL and TLS. But I’m mentally unable to break the habit of calling them “SSL Certs”, so it made it into the title.

The goal was to grab the Alexa Top 500, and do a quick scan of their certs — length, time until expiration, issuers and so on. My goal failed when I realized Alexa will give you the top 50, and wants simoleons to do so. This made my decision to use the Moz Top 500 an obvious fix — with a smooth CSV export to boot!

There’s some duplication across the top 500 (list-manage.com and list-manage1.com, google.com and goo.gl). There are also differing services from the same vendor (YouTube and Google, Microsoft and Bing). I made no effort to deduplicate either of these, my feeling being that they still reflect a large part of the internet and therefore have the same impact.

So I set off on building a script to browse to each of the Top 500 and throw the results into a database. It worked pretty well for most of them; 76 didn’t make the cut. I then turned off peer name verification and got that down to 60. Turning off certificate verification dropped that down to 50.
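Added example, not the post’s own script: a minimal version of that survey. It connects with the same three trust levels the post describes (strict, then no hostname check, then no verification), reduces each certificate to issuer, validity length and days to expiry, and aggregates per issuer. The sample certificate dicts are constructed to match the shape of Python’s `getpeercert()` output; no live site is contacted unless `fetch_cert` is called.

```python
import socket
import ssl
import time
from collections import defaultdict


def _context(level):
    """Strict verification first, then the two relaxations the post mentions."""
    ctx = ssl.create_default_context()
    if level >= 1:                        # "turned off peer name verification"
        ctx.check_hostname = False
    if level >= 2:                        # "turned off certificate verification"
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def fetch_cert(host, port=443, timeout=5.0):
    """Return (level, cert_dict) for the first trust level whose handshake succeeds.

    Caveat: with CERT_NONE, Python's getpeercert() returns an empty dict, so level 2
    only proves the handshake works; the fields would have to be decoded from
    getpeercert(binary_form=True) with an X.509 parser (not done here).
    """
    last_error = None
    for level in range(3):
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with _context(level).wrap_socket(raw, server_hostname=host) as tls:
                    return level, tls.getpeercert()
        except (ssl.SSLError, OSError) as exc:
            last_error = exc
    raise last_error


def summarize(cert, now=None):
    """Reduce a getpeercert()-shaped dict to issuer org, validity days and days left."""
    now = time.time() if now is None else now
    # issuer is a tuple of RDNs, each a tuple of (name, value) pairs
    issuer = dict(item for rdn in cert["issuer"] for item in rdn)
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return {
        "issuer": issuer.get("organizationName", issuer.get("commonName", "?")),
        "validity_days": round((not_after - not_before) / 86400),
        "days_left": round((not_after - now) / 86400),
    }


def aggregate(summaries):
    """Per-issuer (name, certificate count, average validity days), most used first."""
    count = defaultdict(int)
    total = defaultdict(int)
    for s in summaries:
        count[s["issuer"]] += 1
        total[s["issuer"]] += s["validity_days"]
    return sorted(
        ((name, count[name], round(total[name] / count[name])) for name in count),
        key=lambda row: (-row[1], row[0]),
    )


# Constructed sample data shaped like ssl.SSLSocket.getpeercert() output.
SAMPLE_CERTS = [
    {"issuer": ((("organizationName", "DigiCert Inc"),), (("commonName", "Sample CA"),)),
     "notBefore": "Jan  1 00:00:00 2018 GMT", "notAfter": "Jan  1 00:00:00 2020 GMT"},
    {"issuer": ((("organizationName", "DigiCert Inc"),),),
     "notBefore": "Jun  1 00:00:00 2018 GMT", "notAfter": "Jun  1 00:00:00 2019 GMT"},
    {"issuer": ((("organizationName", "Let's Encrypt"),),),
     "notBefore": "Mar  1 00:00:00 2018 GMT", "notAfter": "May 30 00:00:00 2018 GMT"},
]
SAMPLE_NOW = ssl.cert_time_to_seconds("Apr  1 00:00:00 2018 GMT")  # constructed "today"

if __name__ == "__main__":
    rows = aggregate(summarize(c, now=SAMPLE_NOW) for c in SAMPLE_CERTS)
    for issuer, n, avg_days in rows:
        print(f"{issuer:20s} certs={n} avg_validity={avg_days}d")
```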

Most Popular Issuers

Top Certificate Issuers in the Moz Top 500

Of the 450 domains I was able to pull a certificate for quickly and programmatically, I found that DigiCert Inc. was by far the most popular issuer of certificates. Any issuer used by only a single site was left off to keep this list easy to read.

Again, there’s duplication here — GoDaddy.com and Starfield Technologies are the same issuer, just different names.

I was really happy to see my personal favorite — Let’s Encrypt — made the list. I have no affiliation with them other than using their free certificates for my websites (including this one). The only reasons I can see for companies to continue to consume paid certificates are:

  • They don’t realize Let’s Encrypt offers free certificates for both standard and wildcard certificates
  • They don’t want to deal with 90-day certificate expiration, and don’t have the ability to roll out certbot or the equivalent
  • They are still within the validity period of their current cert, riding that out until expiration.

Average Validity Length (Days)

Moz Top 500’s list of certificate providers, ordered by average validity length in days

Charts, graphs, pies… Only one of those is fun in a meeting. Since we’re all out of pie, I decided to add a nifty drop shadow to this one. I’m sure you appreciate the beauty.

In the graph, on the left, Thawte Inc. comes in at 1,106 days of average validity for their certificates. That seems like an awfully long time for a certificate to be valid, and I was curious who was using those:

https://npr.org/
https://list-manage.com/
https://list-manage1.com/
https://bmj.com/
https://xiti.com/
https://blackberry.com/
https://iso.org/
https://unicef.org/

Well, good to know I guess… Nobody is going to most of those anyway. Obviously I’m listing domains here, not all of which I’ve gone to myself, so if you don’t like the content, then I probably wouldn’t either.

On the other hand, Google Trust Services certs are at 84 days, and as most people know, Let’s Encrypt’s are at 90.

What can we learn from all of this? Maybe not much. Presumably, these are all industry-leading domains, so their choice of vendors and lengths may highlight some interesting information.

Stop Using Security Questions

Please stop using security questions.

Why security questions were designed with good intentions

If you forget your password, a site can ask you a series of security questions. This allows you to recover your account while still potentially authenticating you with questions only you know.

Account recovery options are always a great idea, but doing so with security questions is bad.

Insecurity Questions

Seriously — they introduce insecurity. In my experience, I’ve come across a form like this:

What is your favorite color?

Your security question must contain at least five characters!

What do you think the most popular colors are? Red? Blue? What about teal, gray/grey, etc.? A form I’ve come across actually had a 5-character minimum, which removed options from this answer and made guessing black/green/white/yellow a bit easier. My wife will tell you that everybody from the 90’s would say “Crayola Cerulean” is their favorite — I’m inclined to agree.

Facebook even has a feature where people can “know you better” where you can answer questions about yourself and paste it on your profile. Yikes!

Mother’s maiden names are easy to get from your social network (click you, click your mom, look at her friends’ names, or look at whom you call “aunt”, “uncle”, etc.).

Distributing Security Questions

I once saw an admin who would screenshot a page that showed users’ security questions. This page existed to help admins verify over the phone that users are who they say they are. In lieu of using it for this function, people were screenshotting this info and sending it to users who “forgot” them. Yikes.

I’m a site user — what should I do?

If a site insists you complete security questions, generate random text and throw that in the box. If you need to recover the account later, paste in that random text. While there, look for the company’s security@ e-mail, Twitter, etc. Tell them to fix it.

I’m a webmaster on the world wide web

Heh, old terms. Disable the requirement for security questions, and remove account recovery until you can fix it. Replace it with CAPTCHAs and allow users to reset via an e-mailed link. Make the link valid for <30 minutes, with a lot of entropy in the query string. Don’t store the expiration in the query string. If their e-mail is compromised, an attacker can indeed take this account; for this reason, it is imperative for users to have secure e-mail accounts. Also, wipe the security questions out of the database: if you’re compromised, those answers can quickly become public.
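Added example, not the post’s own code: a server-side store for e-mailed reset links that follows the rules above. The token carries the entropy, the expiry lives only in the store (never in the query string), the store keeps only a hash of the token so a leaked table yields no usable links, and every token is single use. The 30-minute TTL and the injectable clock are assumptions for testing.

```python
import hashlib
import secrets
import time

RESET_TTL_SECONDS = 30 * 60   # the post's "<30 minutes" window


class ResetTokens:
    """Pending password-reset tokens, keyed by SHA-256 of the token."""

    def __init__(self, ttl=RESET_TTL_SECONDS, clock=time.time):
        self.ttl = ttl
        self.clock = clock            # replaceable for tests
        self._pending = {}            # token_hash -> (user_id, expires_at)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id):
        """Return the token to e-mail: 32 random bytes (256 bits of entropy), URL-safe."""
        token = secrets.token_urlsafe(32)
        self._pending[self._digest(token)] = (user_id, self.clock() + self.ttl)
        return token

    def reset_link(self, token, base="https://example.invalid/reset"):
        """The only thing in the query string is the opaque token."""
        return f"{base}?token={token}"

    def redeem(self, token):
        """Return the user_id if the token is live, else None; consumed either way."""
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None               # unknown, already used, or purged
        user_id, expires_at = entry
        if self.clock() > expires_at:
            return None               # expiry is checked here, not trusted from the URL
        return user_id

    def purge_expired(self):
        """Housekeeping so abandoned tokens do not accumulate."""
        now = self.clock()
        stale = [k for k, (_, exp) in self._pending.items() if now > exp]
        for k in stale:
            del self._pending[k]
        return len(stale)
```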

What if I follow the email reset and security questions?

You could. It’s better than no email reset.


A Quick Shout-out to Marriott Hotels

Peepholes — The Window you didn’t know you had


UPDATE: Marriott hotels has been breached, leaking ~500 million accounts, potentially with passport data. So, you know, that’s a pretty big contradiction to this post. Otherwise, I’ll leave the post intact.


Any hotel will have a peephole through the door: a small tube with a fisheye lens on the outside that allows you to see whether there is a pizza delivery person or a murderer in a clown suit outside your door.

If you walk up to these peepholes from the outside and try to look in, it is very hard to see the room; with some fisheye lens correction, though, you can revert the image to something close to its original state. Another risk is that somebody could loosen it and install a camera in the hole. This isn’t as crazy as it seems.

Lastly, even if you use it the old fashioned way, an observer from outside can see if light is coming through it and becomes obstructed (from you looking through it). This can validate if you’re home, and that you’re on the other side of the door.

I have traveled often for both work and pleasure, and the only hotel chain I’ve seen that installs shutters on their peepholes is Marriott (and Fairfield Inn, owned by Marriott).

Just a shout out to them as a thanks for taking security to the next level.

Telltale Signs of Impending Password Breach

For most, password restrictions are an annoyance that prevents them from using easy-to-remember passwords, like “password” or “123456”. You can generally tell how a company handles your private information, and I’ll teach you a few tricks for determining which sites potentially store your password insecurely.

Smart Password Complexity Requirements

(none of these should be taken to indicate an insecure storage methodology)

  • Minimum character limits (for example, your password must contain at least 8 characters)
  • You must use numbers/uppercase/lowercase/symbols
  • You cannot use a dictionary word
  • You cannot use your name/username/email/other identifier in your password

Stupid Password Complexity Requirements

(it is probable that sites with these requirements are storing your password wrong)

  • Disallowing -any- symbol, be it dollar sign, comma, quotes/double quotes, hashes, less than/greater than, ampersand, and so on
  • Mentioning any upper limit to the length of your password (maximum 10 characters) *
  • Odd requirements, for example, requiring your password start or end with certain characters (letters, numbers) or prohibiting the ends of passwords from having specific characters.

* There are functional limits here, like the practical maximum POST size in a browser, yes, but if you can’t use a 100-character password, this is a problem.

What is a Password Hash?

There’s a separate blog post for that wee lil’ question:

What is a Password Hash?

In short, companies that care use hashing for your passwords.

So you’re calling a company dumb, why?

A proper hash function returns a relatively short, fixed-length output from input data of any size. This is important to know, as it highlights exactly why a maximum password length is a bad thing: it is a clear sign they’re storing your password in a really stupid way, or their devs are stupid. Either way, it means bad security for you.

Now, I love Southwest Airlines — a lot. I love flying with them, I love their attendants, and none of their pilots have killed me. What else can you expect?

Well, I’d expect a certain level of hashing on my passwords:

Their reply wasn’t what I wanted; it basically reiterated the limitations of the form. It should be noted that this does not mean they’re vulnerable or are storing your passwords wrong, but it does make a pretty solid case that it’s possible.

Another company I used a very long time ago was TCF Bank. Now I know what you’re thinking — lmao, TCF. Yeah, their bill pay was garbage, their online banking was from the 90’s, etc. I can’t speak for the interface now, but one thing that stuck out to me was the password length limit.

I’m done calling companies out now…

…Mostly because I don’t have more examples off the top of my head. When you see stupid password policies, they are generally in place because of a poorly configured WAF or a poorly built site. They are worried you’ll pass variables or SQL injection into their software, so they filter the characters you use. Properly hashed passwords are completely inert: they are made up of hexadecimal characters without spaces, and they will not execute as code.

Oh — One more thing, password resets:

If you reset your password and you get an e-mail back with your password, then they are clearly storing it WRONG. Change all of your passwords (except this site) and stop using it immediately. Close your account if possible. This site, once breached, will present no difficulty to anybody wanting your password.

Finally: Security questions suck really bad. Tell me what your favorite flavor of ice cream is in the comments!

What is a Password Hash?

What is encryption?

Encryption is a reversible message obfuscation technique which applies keys or mathematical models against a string of text. The key here is that, with the proper password or key, you can retrieve the original contents of the message.

Remember making up codes like “A=Z, B=Y, C=X” in school (this is a ROT13 Caesar Cipher by the way)?

That is encryption. Horrible encryption, since it is really easy to break, but it still counts.

What is Hashing?

Hashing is an irreversible message digest technique which applies mathematical models against a string of text. The same string of text will always generate the same output hash.

Let’s use MD5 because it’s old and people will comment on my blog if I mention it:

If I MD5 the word “hello”, I get the string “5D41402ABC4B2A76B9719D911017C592”

Go ahead, try it for yourself!

Every time you run a word through a hashing algorithm, it comes up with the same value. In theory, you can never “decrypt” a hash, since the original information is no longer stored in it, just a representation of that data. This is the format’s best selling point, and also its greatest weakness.

Password hashes, if unsalted/unpeppered, are vulnerable to these issues right out the gate:

  • Collisions: since the output uses a limited number of characters (in the case of MD5, 32 hex digits, or 128 bits), it is fundamentally impossible to guarantee there are no collisions when the hashed strings can be both longer and shorter than 32 hexadecimal bytes.
  • Precomputed hash tables (“rainbow tables”): with enough time or storage, it is trivial to generate an MD5 hash of every common password (these lists are very easy to get). It is easy to reverse MD5/SHA1/any improperly handled hash. One of the biggest threats to password hashing is evolution: it used to take a “long time” to generate an MD5 hash, but now GPUs can spit them out at astonishing rates. When your password is leaked by a company improperly storing your passwords, this is usually the first step: reverse all of the hashes.


What is a salted or peppered hash?

Due to the risks of precomputed hash tables, programmers have to work around the users. People will still pick terrible passwords that rainbow tables will contain. For this reason, a properly salted password is one that includes a randomly generated string, unique to each password on the site. This is important, as using the same salt for every password is as good as using no salt: people will get an export of your database and generate a new table specific to your application. Having a salt for each password drastically increases the time needed to successfully attack your user base (this is where password expiration comes into play).

A peppered hash is a bit more uncommon, but still has its place. This value is an additional salt that exists only in the software. It is generally common across all passwords, or generated from other repeatable values. The purpose is layers: if the database leaks and the pepper didn’t, it will be harder to get a password.

What is a Password Hash?

Finally — the question the post was made to answer. A password hash is simply a representation of your password that is repeatable and difficult to recover for the owners of the system and for attackers.

When you create an account, your password is hashed, therefore the site has your password but stores it in a secure manner.

When you log into the site later on, your password is again hashed and that hashed value is compared to the one from the time you created your account. If there is a match, you’re logged in. If not, it is “Forgot my Password” time.
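Added example, not the post’s own code, illustrating both the “inert, fixed-length hex” point from the password-policy post above and the salt/pepper/verify flow just described. It uses PBKDF2-SHA256 from the standard library rather than the MD5 used for the “hello” demo; the pepper value and iteration count are assumptions, and `md5_hex` exists only to reproduce the post’s MD5 example.

```python
import hashlib
import hmac
import os

# Pepper lives only in the application (constructed value); it is never written to the DB.
PEPPER = b"constructed-pepper-kept-in-app-config"
ITERATIONS = 100_000   # assumed PBKDF2 work factor; raise as hardware gets faster


def md5_hex(word):
    """The post's demo: the same word always gives the same 32-hex-digit MD5."""
    return hashlib.md5(word.encode()).hexdigest().upper()


def hash_password(password, salt=None):
    """Return 'salt$digest' in hex, with a fresh 16-byte random salt per account."""
    salt = os.urandom(16) if salt is None else salt
    # Pepper is mixed in via HMAC so the stored digest depends on a secret outside the DB.
    peppered = hmac.new(PEPPER, password.encode(), "sha256").digest()
    digest = hashlib.pbkdf2_hmac("sha256", peppered, salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Login path: re-hash with the stored salt and compare in constant time."""
    salt_hex, _ = stored.split("$", 1)
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


def is_inert_hex(stored):
    """A stored hash is hex digits plus one separator, whatever the password contained."""
    salt_hex, digest_hex = stored.split("$", 1)
    return len(digest_hex) == 64 and all(c in "0123456789abcdef" for c in salt_hex + digest_hex)


if __name__ == "__main__":
    record = hash_password("hello")           # what gets stored at sign-up
    print(record)
    print(verify_password("hello", record))   # True at login with the right password
    print(verify_password("hellO", record))   # False otherwise
```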


Home Depot Replacement Card Misfire

Today, I received a new credit card from The Home Depot. (In the picture, the top one is my old one and the bottom is, obviously, the new one.) The first thing I noticed was that the new card was attractive and that they had added a chip. I thought it was fantastic that a store card would go through the work. I then dug a bit further, and was less happy.

Behind the card, there is a mag stripe still. The Home Depot (“Home Depot”) cards are not valid at other stores (like a Visa, MasterCard, etc). This means that they control the entire payment ecosystem. My local Home Depot has chip technology, as have a few other locations I’ve been to. This means that they could have issued strictly chip cards and done away with the magstripe entirely. This would make them a clear leader in payment technology and I would have really been impressed. Sadly, they didn’t. Oh well, most companies don’t even have chips, and the big banks universally issue mag+chip cards.

The next issue I noticed (honestly, it is kind of a nice feature, even if it is incredibly insecure) was that the card comes activated, ready to start using. I don’t need to call from my home phone, I don’t need to activate online. Just go and start buying lumber, screws, or even a garage kit… Oh, and look — the credit limit is printed right on the paperwork!

The next issue is that the entire card number is printed on the flyer attached to the card. You might believe that this is a bit pedantic because, after all, the card is attached. If somebody stole the mail, they’d surely have the card #.

Sadly, this makes it much easier to shine a light through the envelope and see the entire card number unmolested. Likewise, after disposing of the document (if unshredded), now your entire card number is in the bin somewhere.

The final issue is that this was an unsolicited bulk card reissue. I didn’t lose my old card, and I didn’t know a new card was on its way. The impact of all of these weaknesses is magnified when an event like this happens. Somebody like me can receive a card, realize these issues, and then start grabbing these documents out of the mail. Postal workers can bring a flashlight and a cellphone to work and start capturing these numbers en masse. The chip was a nice addition, and the new card looks great. The security, however, leaves much to be desired.

Scanning IDs — Making Fakes Easier

Not long before I procured my wonderful license, they were printed pieces of paper with a photograph attached, then laminated.

For both security and durability reasons, the state (Illinois) had moved away from this technique of identification. It was trivial to make fake IDs, and people knew it.

I used to smoke, up until November of 2016, and as part of being a smoker, I would have to engage with store clerks. My receding hairline was usually enough evidence that I was old enough to buy them, but the occasional pedant would request proof anyways. Being a cashier at a gas station years ago, I understand the request and the problems with not doing so, therefore I obliged the request. They view the license, DOB, expiration date and make sure it matches me. Transaction success.

A strange new behavior has developed where companies are forcing cashiers to scan in driver’s licenses. I’m not sure what they stand to gain; are you hiring people so incompetent that you can’t trust them to read dates off of a license? (You also trust them with the entire shift’s income, sans drops.) If I were a cashier, I’d be insulted by this policy.

This is where it becomes interesting. Driver’s licenses have a plethora of features, holograms and colored stripes that cross over both the date of birth and the expiration date. More modern licenses even print underage holders’ cards in a vertical orientation with different colored banners.

The holograms and stripes are to prevent bleaching, a technique where a legitimate, government-issued identification is otherwise modified to indicate a different date.

There are a few barcodes on the back of an Illinois license. One of them looks similar to the barcode on a can of tomatoes (this is your license number). The more complex one, which looks like a long QR code, is the one they usually scan.

The Problem with Scanning Identification Cards

Barcodes look secure, high tech, and modern to people who are none of the above. Barcodes are as easy to read and write as basic English, given the “write tools” (punny). They are really hard to find. As a matter of fact, I used to host a driver’s license number generator on this site, and it turned out a few banks actually used it to validate that people were presenting real IDs!! The license number in Illinois is really easy to figure out. From the last 5 digits, for example, I can tell your date of birth and gender. The first four are encoded with Soundex, and the middle three come from a lookup table based on your first name.

Generate a License Number

The entire number is generated from just a few facts about you:

A123-4567-8900

A123 – Your last name, encoded with Soundex. Try me!

456 – Your first name and middle initial, compared against a lookup table

7-8 – The year of your birth (1978)

900 – This is your month of birth, minus one, times 31. Then you add the days. So for somebody born on January 25th, 1978, you would get: ((1-1)*31)+25 or 025. If you are a female, you add 600 (and get 625).

Make it a Bar Code

So you now know how the number is decided, and lucky for you, the American Association of Motor Vehicle Administrators (AAMVA) is a standards organization that specifies exactly how to format the barcode on your license (how to structure the data), and that you should use PDF417-style barcodes. Really, though.

So if you don’t think you can trust that person reading a driver’s license, remember you’re now trusting the bearer to present it honestly, and it is much easier to trick a computer than a person. We call this “client-side security.” You’re letting them forge variables with impunity.

What about the consumer?

I stopped by a BP station in my neck of the woods a few years ago to buy some of my Marlboros. I wanted to feel like a real rancher that day. They insisted that they scan my ID, which I politely declined, explaining that my address is not pertinent to my purchase of cigarettes. The clerk told me “well you paid with your credit card, and they have your information.”

I was surprised he didn’t see the distinction. A company that I have made a financial partner would, obviously, have my information to contact me about payments and debts. A gas station does not require an ongoing level of trust. I pay, they provide, and I leave.

The large barcode contains everything from your address to your eye color. It is trivial to log more information than simply checking your DOB and expiry.

Nobody benefits

In the end, retailers are put at increased risk while causing consumers more privacy invasion issues. Nobody is the winner here. I’m not cool enough on the internet to drive enough interest to my blog to see change happen, however you can. Throw tape over the barcode. If you get pulled over, either pull it off or make the officer type it in manually. If you buy smokes and they’re willing to hire people they don’t trust, why are you trusting them not to swipe your card in a square reader of their own?


Free Corporate Security Training

(Link is at bottom of post).

Every company should have a certification-backed online security training, covering everything from how to handle documents to techniques such as phishing, social engineering, etc.

I am an avid certification collector, so long as I don’t have to pay for it (and some I did). The United Nations offers several great courses in cyber security, active shooter response, and security in the field.

The two we’re going to talk about today are the foundational and advanced certificates:

Information Security Awareness - Advanced

Information Security Awareness - Foundational

The Certifications

The courses and training do have some UN-specific elements, such as reference documents within the UN pertaining to retention periods, classification and destruction of data, and UN or military-related scenarios.

I found it trivial to relate the work being done in the scenarios to my day-to-day tasks, and I find most people will not struggle with the material. There’s nothing against taking notes, but I did not need to at any point.

The foundational course is a prerequisite to the advanced course, and then there is a third one (that I have not completed) that deals with additional training.

The training reinforces best security practices:

  • Verifying encryption is being used (VPN or HTTPS)
  • Prioritizing cell-phone based hotspots instead of public wireless if possible, or falling back to encryption.
  • Scenarios demonstrating with whom you should share your password and how passwords are social-engineered out of people (yes, even your manager should not have your password).
  • Password complexity rules, and entropy (how adding characters adds time to crack a password).
  • How to spot phishing sites (paypal.example.org, etc).
  • Navigating away from browser-based virus popups instead of installing the software.
  • Always reporting errors and security issues to the IT staff.

Obviously, there’s a lot covered, as you will see. The course is offered free to everybody, so I cannot see why this would not be a good solution for small companies that cannot afford proctored exams or the development of training material.

Has anybody else found great employee-level solutions for security training? I’d love to hear about it!

Here’s the link! United Nations Information Security Portal