21C3 Schedule Release 1.1.7

21st Chaos Communication Congress
Lectures and workshops

Speakers
Picture of Mark Seiden Mark Seiden
Picture of Barry Barry
Schedule
Day 2
Location Saal 1
Start Time 20:00 h
Duration 02:00
INFO
ID 130
Type Lecture
Track Hacking
Language english
FEEDBACK

Physical Security

The Good, the Bad and the Ugly

Physical security is an oft-overlooked but critical prerequisite for good information security. Software has leaked into every aspect of modern life and now controls access to physical resources as well as to business and personal information. When critically examined, physical security policies and mechanisms have (perhaps have always) contained substantial snake oil components, including back doors, extensive use of protection by "security through obscurity", and piece solutions which ignore their environmental context or need to function in a system.

Physical security is an oft-overlooked but critical prerequisite for good information security. A bad guy with a console root login can obviously adversely affect behavior in basic or profound ways, but it may not be obvious how a brief/seemingly limited physical exposure can result in complete breach of trust using today's spiffy and inexpensive attack tools (all available on eBay).

Software has leaked into every aspect of modern life and now controls access to physical resources as well as to business and personal information. You might expect that, for example, a badge access control implementation would be as simple as the model seen by the user -- "wave the badge at the reader, and you're in (or not)", but by the time the coders are done, it's more than 200K lines of C, and as buggy as any other large program. I'll discuss some of these bugs, and one vendor's response to them.

Another dirty little secret: When critically examined, physical security policies and mechanisms have (perhaps have always) contained substantial snake oil components, including back doors, extensive use of protection by "security through obscurity", and piece solutions which ignore their environmental context or need to function in a system. Typical excuses include "We're trying to raise the bar high enough to deter a typical burglar", "We don't think that attack is likely to occur", "We do better than locks and keys", and "That's not our problem". I'll talk about outsourcing and colocation facilities which present the perception (but seldom the actuality) of security, and more generally the problems and solutions involved in trusting outsiders to supply your physical security.