
Physical access controls
Mythbusters explored a variety of physical security controls including fingerprint readers, intruder detectors that detect body heat and a safe-breaking technique involving water and a depth charge (!).
Security Magazine focuses on physical security.
The curious ‘urban sport’ of draining, also known as infiltration, should be of concern if you depend on the physical security of a large or sensitive site undermined by storm water drains, sewers, and air conditioning/cabling ducts. Curious kids with boots and torches may not be the worst threat.
Information assets are frequently stolen from vehicles, despite policies, procedures and guidelines warning people not to leave them unattended on display. Casual vehicle crime can be extremely damaging, particularly if the stolen materials concern national security. Blithely hoping that a briefcase or laptop thief is just a junkie is not a valid control, especially as those further up the criminal food chain are more likely to be (IT) literate. Given that the preventive controls are clearly imperfect, what are your contingency plans for responding to and dealing with incidents of this nature?
The US General Audit Office’s guide to Technologies to Secure Federal Buildings, and NIST’s FIPS PUB 31 ADP Physical Security & Risk Management Guide, are both helpful in respect of physical site security.
Procedures are necessary to govern the authorization, issue, use, checking and return of visitor passes or badges, and to control visitors’ movements and activities whilst on-site. Cards that visually expire reduce card reuse, while holographic overlays make forgeries harder - provided anyone actually checks them!
If a skilled adversary can gain physical access to a system, it’s probably game over as far as information security is concerned. Without appropriate controls in place, he/she can potentially install a hardware keyboard logger, reboot from a complete operating system on, say, a USB memory device, steal the hard drive or other components, destroy the system ...
It is good security practice always to use a strong front gate, and to observe the requirements at airport-style metal detectors.
Fed with the right search term, Google will serve up a list of Internet-connected webcams all over the world, a few of which look like they are possibly being used to monitor building security. One would have thought such video streams are confidential and should be encrypted. More information at VNUnet.com, BoingBoing and The Register.
The fine art of picking (“manipulating”) combination locks on safes relies heavily on physical imperfections in the mechanical construction of the locks, coupled with the accumulated effects of wear. HowStuffWorks published a simpler article on lock picking and there is still more in Johnny Long’s book No Tech Hacking.
Computers that are no longer required should not simply be thrown in the trash, especially if they contain sensitive information, and especially especially if you are a Dutch prosecutor ...
Air conditioning, power & computer room design
If you are tasked with building, renovating or updating the corporate datacenter, take a look at Enterprise data center design and methodology by Rob Snevely in the Sun Blueprints series (~US$80 from Amazon) or Build the Best Data Center Facility for your Business by Douglas Alger from Cisco (~US$57 from Amazon). Both books cover typical data center/computer room design considerations such as capacity sizing, site selection, environmental considerations, network infrastructures, building code and construction considerations and hazard avoidance.
IBM, Sun and other suppliers also offer advice regarding space, loading, power, HVAC, earthing and other computer room requirements when planning to install their shiny boxes.
Be conservative, though, in your power and AC planning: “10kW per rack or more can result from the deployment of high-density information technology equipment such as blade servers. This creates difficult cooling challenges in a data center environment where the industry average rack power consumption is under 2kW,” says APC. 10kW per rack is a lot of heat to remove from such a confined space.
Zinc fingers, microscopic strands of zinc plating from the movement of raised floor tiles, can be blown around the data center by the air conditioning, causing short circuits and sporadic equipment failures. If you still doubt that this is genuine, check out credible sources such as NASA even if you ignore the potentially biased warnings from cleaning companies and data center suppliers.
Swiss national TV and radio were knocked out during an Olympics closing ceremony after a squirrel got itself electrocuted and backup power supplies were inadequate. Talk about visible failure!
A power outage that took down a datacenter for an hour illustrates the unfortunate impact of rare but not impossible coincidences. The datacenter had sensibly rented a standby generator to provide cover whilst installing a new genny. That should have been enough to keep the UPS topped up when the mains supply failed ... except for a coincident problem with water in the standby genny’s diesel fuel supply. Oops. This kind of “something else [also] went wrong” situation explains the value of true contingency planning.
An article in Telepolis Magazin covers the main issues associated with electrical power in the context of blackouts in New York, London, Denmark and Italy, claiming that blackouts “bare the Achilles Heel of our ‘information society’.”
Hardware hacking and modding
Reverse-engineering the FLASH ROM boot code on a PC network card enabled a hacker to demonstrate the possibility of infecting the card with malware, malware that would of course survive not only a C: drive rebuild but even complete replacement of all the hard drives in the machine. Nasty.
PC or games console video cards have proven quite popular among the hardware hacking crowd, often as brute force password crackers thanks to their embedded parallel processing arrays intended for processing screen pixels but equally capable of processing bits in an encryption key.
Apparently Infineon’s Trusted Platform Module, a hardware security subsystem and vault built in to some laptops, is vulnerable to a hardware hack despite the obvious design goal to be highly secure.
Expensive commercial quantum key distribution systems have fallen to hardware hacks due to implementation errors - there’s even a university research team dedicated to hacking quantum systems.
A DefCon presentation demonstrated the vulnerability of door access control system card readers, and potentially even biometric input devices using the same Wiegand protocol, to physical attacks.
Miscellaneous physical security resources
Physical security should include preventing the installation and use of bugging devices, but this is much easier if the policeman that installed them was incompetent.
Johnny Long’s book on social engineering and site intrusion (~US$33 from Amazon) is hardly revolutionary but it is certainly readable. Billed as “A guide to social engineering, dumpster diving and shoulder surfing”, Johnny meanders through the field, explaining techniques that seem obvious or basic, yet we know they are powerful in the right hands. Books such as this neatly complement and extend the awareness materials in January’s NoticeBored module.
Microwaves101, a site dedicated to the engineers who work on microwave radio systems, has accumulated a smashing collection of images of installations affected by fires, overloads, lightning strikes and floods - peek into the Microwave Mortuary for all the gory details.
In his book Physical Security For IT (~US$66 from Amazon), Michael Erbschloe advises on the protection of computing and telecommunications facilities against malicious damage by foes, activists, disgruntled staff, terrorists and vandals. [Although this is valid and worthwhile content, it’s a shame the book does not appear to cover the related and arguably more pressing needs to protect IT facilities against accidental damage such as fire/smoke and flood, overheating and power failure - other important aspects of physical IT security that are covered by ISO/IEC 27002.]
Bank customers using Automated Teller Machines (ATMs) are being compromised using “skimmers” - card reader devices and hidden cameras. It’s worth getting to know ATMs in your area. Take a good look at a range of machines. Look particularly at the shape of the card slots. If you go to use a machine and notice ‘something odd’ about the slot, do not feed your card in but either call the Police or go in to the nearest bank branch and report your suspicions to the branch manager. Do not take matters into your own hands: the gang is probably watching nearby and bank robbers, as a breed, are not exactly meek ...
Industrial-sized shredders and disintegrators can cope with serious quantities of paper, computer media, hard drive units and even whole systems. If standard office shredders just don’t cut it for you, check out the brochures from companies such as ABT Shredders. There’s even a professional trade association for companies providing information destruction services called NAID (National Association for Information Destruction Inc.). Watch several industrial-sized shredder units in action here.
Studies have repeatedly shown that a fair proportion of computer disks for sale on auction sites still have valuable/sensitive data on them. A UK/US/Australian study using simple point-n-click forensic tools found that more than two-fifths of the drives had commercially sensitive information on them - using more sophisticated forensic tools, the proportion would undoubtedly have been still higher. A free software tool can help you delete data from hard disks prior to disposal, assuming the disks are still usable: Darik’s Boot and Nuke (DBAN) is a Linux-based bootable disk utility providing a range of deletion options for SCSI and IDE drives. There are alternatives, of course.
If you have a policy on document retention and destruction, don’t forget to allow for legal holds on documents sent for destruction at the expiry of their retention periods due to ongoing investigations, advises a law firm.
TEMPEST is not an acronym but the name of a group of techniques used by the military to prevent the radiation of radio signals by electronic devices such as computers, monitors, telephones and modems. TEMPEST 101 has a useful description of TEMPEST and briefly outlines techniques used to intercept signals. Although not updated for several years, The Complete, Unofficial TEMPEST Page still offers a wealth of information and anecdotes on TEMPEST incidents.
Check these really bad wiring jobs and work through all four episodes for some truly horrific health and safety, service resilience and support nightmares.
Here’s a primer and 2nd part on physical security in an IT context.
In the hands of careless or ignorant workers, mechanical diggers (backhoes, Caterpillars, big boys’ Tonka toys) are a serious threat to underground communications lines and power feeds.
Related NoticeBored links collections
Information security risk management, incident management, contingency planning, privacy & data protection, gizmos and hacking.
NB: we do not necessarily endorse or agree with the third party websites accessible through the links. Use at your own risk. Please let us know about new or broken links.