This area of security is sometimes summarized as "Guards, Gates & Guns". Information technology people tend to overlook this area, but it is vital.
If you don't have physical security, you can't have security.
If someone can walk off with a disk or other data storage unit, or an entire computer, your careful system administration and file system permission settings accomplish nothing.
I don't have a lot of information here, but I do have a few examples and stories.
Once upon a time, I worked on a contract just outside Washington DC at Fort Belvoir. I was down the food chain, working for a subcontractor who was working for Raytheon, who in turn was working for the U.S. Department of Defense.
* A SCIF is architecture as Faraday cage, if you're not into the DOD acronym-speak.
I was being shown around the facility on the first day on the job. "Here's the SCIF* where you'll work, down that hall are the toilets and the water cooler and coffee machines", and so on.
My tour guide had worked the cipherlock to get us into the SCIF, and I was thinking ahead to my first trip to the toilets on my own (and hopefully back!), so I asked what the combination was.
"Oh, it's 'FACTORY'", he said.
I dutifully leaned down to examine the cipherlock. Huh. Five buttons: 1, 2, 3, 4, 5 and no letters. How am I supposed to spell the word FACTORY with the digits 1-5?
I asked, and received a look of disbelief that I was so naive as not to realize that — of course — they keep their cipherlocks at the factory default so anyone with half a clue knows how to get in. Well, I was SO naive that I had to ask what that default was. 2-4-3 for that brand, I'm pretty sure even now, conveniently right around the middle and a sequence I thought I had better remember.
Now I recently taught a course on information security in Annapolis, Maryland, which meant that most of the attendees were from NSA or a related agency, or from their many contractors and their subcontractors.
I told my story about the factory default locks and they chuckled at my naivete, and then chuckled a little uncomfortably because many of them had seen that sort of thing, sometimes recently.
The HI-Baltimore hostel is the brown brick mansion at right. The red brick building two doors to its left is the John Latrobe house, where Poe was awarded a fifty dollar prize for his story "MS Found In A Bottle". Click here for lots more details and pictures of Poe sites in Baltimore.
The class ended on Friday, having gone well, and I got everything packed up and handed over to the shippers. Then I went into Baltimore to stay over the weekend and do some tourism. I stayed at the HI hostel in an old mansion next to the one where Poe got his big break in writing, so it was just $25 a night for a bunk in a shared room. Not like I was in some security-minded government facility or anything.
The exterior doors and bedrooms had cipherlocks with TEN digits and FOUR number combinations. So, let's see, a combinatorial advantage of 10,000 vs 125, or an 80:1 ratio.
But no, it's far better than that. I was going to leave Tuesday afternoon. I checked out and stored my pack that morning and did a few more things until after lunch. Then they had to buzz me back into the building when I returned to pick up my things, because I had checked out and the unique door codes specific to me had expired at noon.
That's right, everyone staying there gets unique combinations for the outer door and the door to their room, good only for the length of their stay. As they explained it to me, they just find it far easier to operate that way. Since you obviously want a combination to work for a limited time, and you don't want the hassle of announcing daily door codes, you have unique ones for each guest's visit. And, if you were the sort of place wanting to enforce some sort of audit trail as opposed to just keeping the vagrants and crazies and thugs out of the building (this being Baltimore, after all), you would also get that. Yes, that was the obvious and easy solution, at least for them.
So.... The next time I teach an infosec class, I'll tell the Fort Belvoir cipherlock story. But now I have a new Part Two.
The U.S. has a lot of Security Theatre that accomplishes nothing beyond inconvenience and waste of time and money. There is an obsession with state driver's licences — if you have one, you must be no threat, because you can't get in without showing one, but as soon as you show that you are authorized to operate motor vehicles, you can go right in. This is despite the fact that every one of the 9/11 hijackers had valid U.S. state driver's licenses.
One time in Washington D.C. I saw that the Department of the Interior had a small museum with an exhibit of photographs of UNESCO World Heritage Sites in the United States. That sounded interesting, so I went.
Richard M Nixon.
Entrance to the Department of the Interior building requires your participation in some silly security theatre. The guard first looks at your driver's license, and I would wager that mine was the first Indiana one he could remember seeing. He clearly did not really know whether what I had handed him was a valid Indiana driver's license or not. But he stared at it for a number of seconds, handed it back, and told me to go over to a podium across the lobby and sign in on the visitors' log.
U.S. Department of the Interior.
So I signed in as I always do in these situations: Richard Milhous Nixon.
On the rare occasions when you also have to sign out, I am sometimes pleased to see in the useless log that my vice-president Spiro T Agnew signed in soon after I did.
How should this really be done?
Go to a major office building in Manhattan some time. The guards are quite friendly, there's little of the obligatory threatening thug attitude that seems to be required in Washington. But what they do is useful — They look at your ID, but then they slide it into a device designed especially to photograph ID cards and passports. They also have you look at a small digital camera. They now have a photograph of you and of your ID, and they issue you a limited-time badge (usually a sticker). That often includes a bar code or speckle code required to get you through the turnstyle.
|
|
| The latest trend in business and entertainment technology, according to the U.S. Department of the Interior. Or at least according to their museum. | |
Oh, and how was the museum?
Quite lame, beyond the nice new pictures of the World Heritage sites.
My favorite part was one of the display cases explaining what the Department of the Interior does. It said that Interior controls mineral rights, the extraction of which provides material vital for everyday household items:
"For example, the vinyl used to produce 33-1/3 RPM long-playing records."
I looked at the rest of the exhibits, took a couple of pictures, and left.
Not all shoulder surfers are this obvious.
The Atlanta airport promotes the use of their wireless networking with this poster.
Or maybe they're promoting the activity of "shoulder surfing", simply reading other people's sensitive data off their screens.
|
|
|
|||||||||
|
|||||||||
|
| © Bob Cromwell Feb 2012. Created with /bin/vi and ImageMagick, hosted on OpenBSD with Apache. Root password available here, privacy policy here. |
