Irritate Hotels with this One Simple Trick

It is still July and I’ve already been on 22 flights this year, even more nights in hotels. I’m not the most traveled person year over year, but I’ve learned a few tricks that might help you out. This isn’t really security related but I’ll try pulling a few elements in to make it interesting.

TSA Pre-Check

Yes. If you travel, this is fantastic. I leave all my belongings in a bag, the lines are short and even when you get pulled into secondary to see if your laptop is explosive heroin, you still come out way ahead of the regular lines. I won’t say buy this if you’re flying primarily international, or not often. But if domestic flights are your weekly chore, this saves an amazing amount of time.

Taxi, Uber or Lyft?

I stopped taking taxis. I’ve found that they are often just dirty and there’s no really good way to ensure the rate is understood and you may not even get a receipt.

I live in the range of MKE (General Mitchell Airport, Wisconsin), MDW (Midway Airport, Chicago IL), and ORD (O’Hare International, Chicago IL). Because of that, I try to take the smaller airports if possible… But the most cost economical option as far as ride sharing apps go that also offers several non-stop domestic and international flights will be ORD. MDW offers Southwest (which I love), but the rideshare fares there are usually $85 each way. Uber tends to surge price up to $135 each way. Lyft is pretty consistent and I ended up taking them during the surge pricing.

Last week I noticed that surge pricing when I flew from ORD to LAX. Today I decided I would check into the pricing when flying from ORD to BOS, and here’s what I saw:

Lyft vs. Uber

Right there is nearly $20 savings for no other reason than selecting Lyft. Really a shame since I have so many points with Uber and over 50 rides, but the numbers don’t lie. On a side note, Lyft won’t let you book a ride without tipping, rating and writing a review about your last ride. Pretty annoying when you just got off a plane and to the rideshare area, but still, worth it.

Texting, E-Mailing or Working on the plane

Yes, I can pretend to look down at the endless clouds and also see you typing up E-Mails with your Apple ID, the profit margins of your doctor’s office, or anything else you’re typing. You don’t know who you’re sitting next to, so remember that before pulling up information that can easily be compromised by strangers.

Not all heroes wear capes

Plug Splitters

Here I am at the Godfrey Boston, finding a great way to turn one outlet into 5. You can plug in phone chargers, laptops, whatever you want… And TSA allows these, and they will give you an easier time at the hotel and make you a friggin’ hero at the airport when tons of people can share an outlet (or, an outlet sticker ;)).

Backup Batteries

Great for when you’re away from an outlet, I have a wireless battery brick that’s right at the TSA limit and juices up my phone. These are not allowed in your checked luggage, only in your carry-on. This is due to the lithium batteries. They don’t want the luggage compartment to go up, they’d rather notice sooner than later.

First Class Seats

Unless you’re a “person of size”, first class is a gimmick. Those seats are only marginally bigger than economy and you’re better off just sucking it up for the few hours you’re on a plane. There’s very little interesting about sitting next to folks just like you who feel stupid for paying an extra $230 for a 1st class seat.

You can lockpick on a plane… Seriously!

Picking on a Plane

Here I am cracking open a Master 140 and a few 142s in the middle of California airspace. Over and over again. (I’m still working on getting a 570 :(). TSA is perfectly fine (https://www.tsa.gov/travel/security-screening/whatcanibring/items/lock-picks) with them (just use something to protect the sharp parts of your picks, such as a water bottle, endmill sleeve or bubble packaging). These are fidget spinners for folks in security and really help to pass the time.

Turbulence Ain’t Nuffin’

I’ve flown through nasty thunderstorms (they look really pretty from ~37k feet, really dark and flashy at about ~10k feet, and really wet around 6k feet). I’ve been in 19-passenger jets as well as American 777-300’s with high-300 person capacities. All of them tend to have some bounces in mid air, while landing, and sometimes take their sweet time pulling up in the air. Oddly enough, I’m still alive. Pretty neat.

Real ID Act

On October 1st, 2020, the TSA will require “Real IDs”. Read up on the Real ID act if you’d like. Illinois, like usual, isn’t onboard with much and has pushed off moving to real IDs for some time. You can submit the plethora of documentation to get a Real ID, or in my case, you can just get a passport card. A rarity for American families, my wife and kids all have traveled internationally and have passports and passport cards. They’re good for 10 years (5 if you’re really young) and work just fine. Passport cards are only good for domestic flights, or boat/land borders. International travel still requires the good ol’ book.

I don’t know it all

I’d love to hear your traveling tips in the comments, maybe I’ll add them to this document as well! Safe travels!

Lockboxes and Key Space Exhaustion

On a rare occasion, I’ll have a chance to check out a thrift shop or antique store and see what sorts of locks or security equipment they have for sale. I’ve wanted to check out those realtor lockboxes for some time, but didn’t want to spring $25 for minimal entertainment value.

Today, I stopped in a Goodwill and saw a Kidde KeySafe unit for sale for $4.99. I decided that price point is exactly what I’d pay for an otherwise useless toy. The first thing I did was open the manual it came with:

Kidde KeySafe

The instructions state right away that “KeySafe is a convenience product, not a security product.”

Boy they couldn’t be more correct.

What is “Key Space”?

In cryptography, key space expresses how many permutations are available within the boundaries of a key. To put it plainly, if you can only have a PIN number that is four digits, then you can choose anything between 0000 and 9999. This gives you 10,000 possible permutations (or a key space of 10,000).

What is “Key Space Exhaustion”?

When you don’t know a password or PIN number, you’ll generally start guessing numbers. You may start with “0000”, then “0001” and keep going. Banks will see this sort of activity and freeze down an account, but lock boxes are not like that. You can try every single number until it opens. Key Space Exhaustion is when you go through, iteratively, each permutation until you get an “unlock” state.

What do Lock Boxes have to do with this?

I gave myself a rather relaxed time trial and found that I can enter a code (whether wrong or right) on average in around 5.25 seconds for a 5-digit code. Most people would assume that is probably pretty good, after all a lock that takes a 5-digit code has 100,000 permutations, right? That would mean I’d have to type in numbers for 24 hours a day for a little over six days to get this thing unlocked. I’d argue that’s reasonably secure.


Except one little funny thing: Lockboxes do not have permutations that spread across the entire spectrum of possibilities. Some lockboxes have limiting factors, such as:

  • Numbers can only be entered once, so 1-2-3-4-5 is a valid code, but 1-1-2-3-4 would not work.
  • Number Ordering is Irrelevant, so 1-2-3-4-5 is equivalent to 5-4-3-2-1, which greatly brings down the key space.

Identifying Lock boxes with this Fault

You can identify the first issue (entering each number once) by pressing it and listening for a click. If it only clicks once, it probably only accepts the combination once. For the second issue — I do not know a way currently without actually testing it, but it is probably safe to assume most are designed this way.

As for my lock… This lock can accept either 5, 6 or 7 digit combinations. For sake of clarity, I am operating under the pretense that folks are going to use 5-digit codes (Pro-tip: It is probably the address of the building).

With those constraints in mind, how much does that reduce the Key Space?

Key Length | Full Key Space | Actual Key Space | Permutations
4-Digit    | 10,000         | 210              | List
5-Digit    | 100,000        | 252              | List
6-Digit    | 1,000,000      | 210              | List
7-Digit    | 10,000,000     | 120              | List

Yikes! That deescalated quickly.

As I mentioned before, I did a time trial. I set my lockbox to 01279. As you can see in my permutation lists on GitHub, that is the 20th 5-digit code available. It took 1:45 for me to “breach” the lock by going code to code, trying and clearing each one. So, remember when I said it would take 6 days to breach that 5-digit lock? Because of the insane limitations of this design, I could have this lockbox in an unlocked state within 22 minutes. That’s insanity. 22 minutes implies that I will hit your code last.
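The numbers in the table and the time trial can be reproduced with a short calculation. This is an added example, not code from the original post or its GitHub lists; the function names are hypothetical, and it assumes the candidate list is ordered with digits ascending, which matches the position the post reports for 01279.

```python
from itertools import combinations
from math import comb

DIGITS = "0123456789"
SECONDS_PER_TRY = 5.25  # average per attempt measured in the post


def full_key_space(length):
    """Codes available if digits could repeat and order mattered."""
    return 10 ** length


def actual_key_space(length):
    """Codes left when each button is used once and order is ignored."""
    return comb(len(DIGITS), length)


def candidate_codes(length):
    """Every distinct button set, digits ascending (assumed list order)."""
    return ["".join(c) for c in combinations(DIGITS, length)]


def position_of(code):
    """1-based position of a code in the ascending candidate list."""
    buttons = "".join(sorted(set(code)))  # entry order is irrelevant
    if len(buttons) != len(code):
        raise ValueError("a repeated digit cannot be set on this design")
    return candidate_codes(len(code)).index(buttons) + 1


def worst_case_seconds(space):
    """Time to try every code in a space of the given size."""
    return space * SECONDS_PER_TRY


if __name__ == "__main__":
    for n in (4, 5, 6, 7):
        full, actual = full_key_space(n), actual_key_space(n)
        print(f"{n}-digit: {full:>10,} -> {actual:>3}  "
              f"({worst_case_seconds(full) / 86400:7.2f} days -> "
              f"{worst_case_seconds(actual) / 60:5.2f} min)")
    print("01279 is candidate", position_of("01279"),
          "reached after", position_of("01279") * SECONDS_PER_TRY, "s")
```

The constrained key space peaks at five digits: on this design a 7-digit code leaves fewer combinations (120) than a 4-digit one (210), so a longer code does not make the box harder to open.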


This is a complete design fault and is something manufacturers should look to improve upon. The actual time it would take to breach this lock can vary, as I would have to try the 5, 6 and 7 digit lists. With that said, there are ways to make the breach more rapid for these variable-length locks. Stay tuned.

Observations at a Security Conference

Nearly every year since 2009, when THOTCON started, I’ve gone as an attendee. My first year, I was still working in physical security. Both the conference and I have matured and it is great being a part of this field.

Each time I leave with new motivation, and a little more caution about how data is handled. This year I noticed three problems during this trip, the most egregious being…

Speakers Taking Attendees Out to Lunch

It should be a fair assumption that a conference speaker should follow best practices of security hygiene at all times. In this case, I saw a previous year’s speaker with a pretty clear American Express card, strapped face up onto a bag. This picture has been purposefully blurred and pixelated — the original having the numbers legible. The bag is also clearly abandoned at this point with nothing but a keychain stopping me from grabbing that card.

Credit card number face up, attached to a backpack
Let’s go shopping!

How Suite of You <3

Holiday Inn generally maintains very clean hotels, great staff, and decent rates. I have, however, been issued room keys just by giving out a room number or asking housekeeping staff. Somehow, this seems worse…

Hope that’s not a PIN…

Behind each of the small podium-style desks hung the master keys for the building. I could have potentially done the following:

  • Climbed onto the roof and realized I was afraid of heights and done nothing
  • Broken into the breakfast bar and made a leaning tower of 25 Belgian waffles
  • Gone into the laundry room and OD’d on Tide Pods
  • Gone into the pool after hours and… enjoyed myself? (Still can’t figure out why they close it on me)
  • Or perhaps most obvious, gone room to room taking down TVs, collecting laptops, jewelry… Or obviously much worse.

I was an avid watcher of a show called Hotel Impossible. In this, the host (Anthony Melchiorri) had demonstrated how bad this is… He filled up the back of a cameraman’s SUV with a hotel’s televisions. He also hid in the bathroom of a room that was supposed to be empty, only to demonstrate to the housekeepers that he could have attacked them. He got this master key off of a roll-around maintenance cart. The show is fantastic, and I’d recommend it to travelers and hoteliers alike.

A friend of mine (who bought too much pickup truck) had checked bags at this hotel as well. We were pretty darn close to missing the Metra pickup time due to a fantastic SDR talk. Our Lyft driver got us to the hotel just in time to pick up our bags, and then get to the train station. My friend (with the oversized cab) ran in, said he needed the bags for room 143, and was in a hurry — the bags were handed over without question based on room number… Not name, identification, room key, etc.

Possibly the least entertaining problem, however, goes to the good ol’ United States Postal Service:

PII, Delivered

This postal worker was really friendly, carrying letters into a local business. The problem is that there are a few folks standing outside of this business with flashing badges with stormtroopers on them, another badge with a chalk outline of a dead person, and shirts that say “HACKING IZ KEWL” on them… And this guy leaves a bin — on wheels — full of mail in front of those people while he goes inside of a business.

Meh, they’re probably just bills anyways.

Takeaway

Really — the takeaway here is — please train your federal employees, your hotel management, and your conference speakers on security. It truly is important, and most people aren’t like me — most will ignore these issues. Some will take pictures, laugh about it with friends, maybe make a blog post (this is me). But there are others who will just grab this stuff. Look around your cube right now… Do you have your wallet on your desk? Do you have your keys sitting out? Can I take pictures of them? (See: TSA keys leaked, for example). Do you have an empty package of Master Locks in your trash with the bitting code facing up? I’ve seen all of this within the past few weeks. Stop making me sad.

Telltale Signs of Impending Password Breach

For most, password restrictions are an annoyance that prevents them from using easy to remember passwords, like “password” or “123456”. You can generally tell how a company handles your private information, and I’ll teach you a few tricks on determining which sites potentially store your password insecurely.

Smart Password Complexity Requirements

(none of these should be taken to indicate an insecure storage methodology)

  • Minimum character limits (for example, your password must contain at least 8 characters)
  • You must use numbers/uppercase/lowercase/symbols
  • You cannot use a dictionary word
  • You cannot use your name/username/email/other identifier in your password

Stupid Password Complexity Requirements

(it is probable that sites with these requirements are storing your password wrong)

  • Disallowing -any- symbol, be it dollar sign, comma, quotes/double quotes, hashes, less than/greater than, ampersand, and so on
  • Mentioning any upper limit to the length of your password (maximum 10 characters) *
  • Odd requirements, for example, requiring your password start or end with certain characters (letters, numbers) or prohibiting the ends of passwords from having specific characters.

*- There are functional limitations here, like the maximum POST size practical in a browser, yes, but if you can’t use a 100 character password, this is a problem.

What is a Password Hash?

There’s a separate blog post for that wee lil’ question:

What is a Password Hash?

In short, companies that care use hashing for your passwords.

So you’re calling a company dumb, why?

Properly hashed data will return a relatively short hash from any sized input data — this is important to know, as it highlights exactly why having a maximum password length is a bad thing — it is a clear sign they’re storing your password in a really stupid way, or their devs are stupid. Either way, it means bad security for you.

Now I love Southwest Airlines — a lot. I love flying with them, I love their attendants, and none of their pilots have killed me. What else can you expect?

Well, I’d expect a certain level of hashing on my passwords:

Their reply wasn’t what I wanted. Basically reiterating the limitations of the form. It should be noted that this does not mean they’re vulnerable or are storing your passwords wrong, but it does make a pretty solid case that it’s possible.

Another company I used a very long time ago was TCF Bank. Now I know what you’re thinking — lmao, TCF. Yeah, their bill pay was garbage, their online banking was from the 90’s, etc. I can’t speak for the interface now, but one thing that stuck out to me was the password length limit.

I’m done calling companies out now…

…Mostly because I don’t have more examples off the top of my head. When you see stupid password policies in place, they are generally in place because of a poorly configured WAF, or poorly built site. They are worried you’ll pass variables or SQL injections into their software so they filter the characters you use. Properly hashed passwords are completely inert — they are made up of hexadecimal characters without spaces, they will not execute as code.
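Both points above (any input length gives the same size of hash, and the stored value is inert hexadecimal) can be seen in a few lines. This is an added example, not code from any site named in the post: it assumes PBKDF2-HMAC-SHA256 from Python's standard library as the storage scheme, and the function names, iteration count and sample passwords are constructed for illustration.

```python
import hashlib
import hmac
import os
import string

ITERATIONS = 600_000  # assumed PBKDF2-HMAC-SHA256 work factor


def hash_password(password, salt=None):
    """Return 'salt_hex$hash_hex'; its length never depends on the input."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Re-derive the hash with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(candidate.hex(), digest_hex)


def is_inert(stored):
    """True when the stored value is only hex digits and the '$' separator."""
    return all(c in string.hexdigits or c == "$" for c in stored)


# Constructed sample passwords: short, full of "forbidden" symbols, very long.
SAMPLES = [
    "hunter2!",
    'pa$$,"w\'ord<>&#',
    "correct horse battery staple " * 4,
]


def demo():
    """Pair each sample's length with what would be written to the database."""
    return [(len(p), hash_password(p)) for p in SAMPLES]


if __name__ == "__main__":
    for length, stored in demo():
        print(f"input {length:>3} chars -> stored {len(stored)} chars, "
              f"inert={is_inert(stored)}")
```

Because the symbols and the extra length disappear before anything reaches storage, a site that hashes this way has no storage reason to cap length or ban characters.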

Oh — One more thing, password resets:

If you reset your password and you get an e-mail back with your password, then they are clearly storing it WRONG. Change all of your passwords (except this site) and stop using it immediately. Close your account if possible. This site, once breached, will present no difficulty to anybody wanting your password.

Finally: Security questions suck really bad. Tell me what your favorite flavor of ice cream is in the comments!