Banking on Physical Firewalls
03/16/03
By: oz0n3

There was a time when securing a server was almost impossible. Software and hardware were vulnerable to attack and users were not versed in good security practices. A few years went by, and now we have firewalls and filters that add a new layer of security and raise the barriers to unwanted entry. There is still one major problem with all of today's technological advances: the user. As much as you may tell them, lecture them and bitch, users who do not adhere to security protocol leave a crack. There is another aspect that not many people think about either: physical security. Now, here's a little story about a bank, and how the ignorance, naivety and laziness of people like the Property Manager, the security company's head-office personnel and the monitoring center opened a gaping security hole larger than the one in the ozone layer.

"Welcome to the TD Creekside Corporate Center", says the guard at the desk of 4720 or 4880 Tahoe Blvd. in Mississauga, ON, Canada. Hired by O&Y CB Richard Ellis, Group 4 Falk Security is there to keep the building and staff secure from harm and unwanted entry. Well worth your security buck? Nope. Security guards are useless unless paid handsomely. Why? If someone had a gun, your security officer would break down and cry, begging for his or her life. Have a bribe? The officer will now work for you. Once you pass that barrier, you can transfer yourself an unimaginable amount of money, infect all the OS/2 and Windows 2000 servers with viruses, find out who the banks are invested in, change your credit rating or just plain smash everything. How? Tsk tsk. Remember that human component? Well, it just so happens that, as I've roamed around and entered server room after server room, I noticed something: every server was logged in at an administrative access level. I would have been able to compile an internal IP addressing structure, purge the Oracle database or even disable servers.
More scary: I could have installed an 802.11x service that would let me 'play' without needing physical access the next time. Now, please don't do this. That would be counterproductive to the point of this article, and even though a few people would learn a HUGE lesson in proper security, it's not the moral thing to do. If you asked my opinion on what to do, I'd tell you NEVER to have an account with TD Canada Trust. Besides the fact that they are not secure, they pay their staff poorly and hire through an agency so as not to pay for employee benefits. When the profit margin is the first priority, I'm never a fan of a company that neglects those who made the company what it is.

Let me explain a little something about how security companies work and how a guard knows what his job is. The property management company hires the security company and something called Post Orders are drawn up. These Post Orders are what the guards use as a bible when on duty at a site. They explain what to do in emergency situations and in everyday interaction with the staff on site. The Post Orders for the TD complex are still non-existent. I don't have enough fingers to count the number of times insecure activity was observed. Personally, I've told staff – people I know work there – that they were not allowed access without their pass cards, while other guards open rooms without a second thought. I even made one employee drive home to retrieve his. One hour later, he walked in and never spoke to me again. Although you might be more polite than that eighth-grade teacher's pet, the staff will look down upon the security guard and hold a grudge against him for simply doing his job.

The pass cards they have are made by CHUBB: proximity cards, read on Pelco/RCI equipment, which pick up the serial number of the card by radio transmission. This serial number is cross-referenced against a Microsoft SQL Server database by a proprietary software interpreter that queries and controls access.
In addition, there is a client interface that security guards access over a class C network, and an administrative interface for managing those users. This proprietary software is also used to log card use within the complex and to notify guards of trouble (Door Forced, Door Held Open, Fire, Broken Glass). All of this is monitored over broadband lines by CHUBB's monitoring center. When an emergency occurs, the monitoring center calls the security desk to assess the situation. The guard provides the pass number and either clears or confirms the alarm.

Now this may seem like a pretty secure plan, but it's a false sense of security. The monitoring software, running on Windows 2000, requires a minimum of 48 MB of the system's RAM and crashes constantly. When it has crashed, the system doesn't stop logging card use – the reader keeps a buffer to send to the server – but that buffer does overflow if the server is not accessible for a long period or the software's lag is tying up the network. A separate server controls access so that people can still get around. I am unaware of the particulars of this, but the concept is still the same. How does this make it insecure? A fluke, I guess, but because of all the lag and crashes, the system would allow a cardholder to enter areas unlogged, and having played with the software, I know it's possible to reproduce the lag when wanted.

Key duplication can also be achieved. Although I know nothing about the chips used in the cards, I was told by someone with experience that the card could be reprogrammed and, if not, that the chip could easily be replaced by one that could be. One example is the key tags that Shell issues for their Fast Pay service at the pump and at the cash. A reader for the card could also be constructed using household items. One could collect the CEO's card serial number just by brushing by them in the hall or in the lunch line.
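The weak spots in the monitoring design described above (entries that go unlogged while the server is lagging or crashed, reader buffers that overflow, and "Door Forced" and "Door Held Open" conditions that nobody wires up or watches) are all things a defender can catch after the fact by correlating the badge-reader log with the door-contact log. The following Python audit is an added example and is not code from the article, from CHUBB or from any Pelco/RCI product; the log format, reader names, card numbers and the three thresholds are all constructed assumptions for the illustration. It flags a door that opened with no grant shortly before it, a door that stayed open past a limit, and a reader that went silent longer than its buffer could plausibly cover.

```python
"""Audit an access-control event log for unlogged entries and held-open doors.

Added example; not the article's code nor any CHUBB/Pelco product feature.
The log format, reader names, card numbers and thresholds are all constructed
assumptions for this illustration.
"""
from datetime import datetime, timedelta

# Thresholds (assumed): a door should open only shortly after a grant, should not
# stay open long, and a reader that is silent for longer than its buffer covers
# has probably dropped events while the server was unreachable.
GRANT_WINDOW = timedelta(seconds=10)
HELD_OPEN_LIMIT = timedelta(seconds=30)
READER_SILENCE = timedelta(minutes=10)

# Constructed sample log: "<ISO timestamp> <reader> <event> <card or ->".
SAMPLE_LOG = """\
2003-03-14T18:00:05 R-LOBBY-1 GRANT 0001234
2003-03-14T18:00:07 R-LOBBY-1 DOOR_OPEN -
2003-03-14T18:00:10 R-LOBBY-1 DOOR_CLOSE -
2003-03-14T18:02:30 R-SRV-2 DOOR_OPEN -
2003-03-14T18:02:33 R-SRV-2 DOOR_CLOSE -
2003-03-14T18:05:00 R-LOBBY-1 GRANT 0005678
2003-03-14T18:05:02 R-LOBBY-1 DOOR_OPEN -
2003-03-14T18:05:45 R-LOBBY-1 DOOR_CLOSE -
2003-03-14T18:20:00 R-SRV-2 GRANT 0001234
2003-03-14T18:20:01 R-SRV-2 DOOR_OPEN -
2003-03-14T18:20:04 R-SRV-2 DOOR_CLOSE -
"""


def parse_log(text):
    """Return (timestamp, reader, event, card) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, reader, event, card = line.split()
        events.append((datetime.fromisoformat(ts), reader, event, card))
    events.sort(key=lambda e: e[0])
    return events


def audit(events):
    """Return (kind, reader, timestamp, detail) findings.

    DOOR_FORCED    - door contact opened with no grant on that reader within GRANT_WINDOW
    DOOR_HELD_OPEN - door stayed open longer than HELD_OPEN_LIMIT (or never closed)
    READER_GAP     - reader silent longer than READER_SILENCE (possible dropped buffer)
    """
    findings = []
    pending_grant = {}  # reader -> time of a grant not yet matched to a door opening
    open_since = {}     # reader -> time the door contact reported open
    last_seen = {}      # reader -> time of the reader's most recent event of any kind

    for ts, reader, event, card in events:
        prev = last_seen.get(reader)
        if prev is not None and ts - prev > READER_SILENCE:
            findings.append(("READER_GAP", reader, prev.isoformat(),
                             f"no events for {ts - prev}"))
        last_seen[reader] = ts

        if event == "GRANT":
            pending_grant[reader] = ts
        elif event == "DOOR_OPEN":
            granted = pending_grant.pop(reader, None)  # one grant covers one opening only
            if granted is None or ts - granted > GRANT_WINDOW:
                findings.append(("DOOR_FORCED", reader, ts.isoformat(),
                                 "opened without a recent grant"))
            open_since[reader] = ts
        elif event == "DOOR_CLOSE":
            opened = open_since.pop(reader, None)
            if opened is not None and ts - opened > HELD_OPEN_LIMIT:
                findings.append(("DOOR_HELD_OPEN", reader, opened.isoformat(),
                                 f"open for {ts - opened}"))

    for reader, opened in open_since.items():  # doors still open when the log ends
        findings.append(("DOOR_HELD_OPEN", reader, opened.isoformat(), "never closed"))
    return findings


def audit_text(text):
    """Convenience wrapper: parse raw log text and audit it."""
    return audit(parse_log(text))


if __name__ == "__main__":
    for finding in audit_text(SAMPLE_LOG):
        print(*finding)
```

Run against the constructed log, the audit reports the server-room door opening at 18:02:30 with no grant, the lobby door held open for 43 seconds, and a 17-minute silence on the server-room reader before its next event. The point of the READER_GAP check is the article's buffer-overflow scenario: a reader that has been unreachable for longer than its buffer holds may have silently lost entries, so the gap itself is the finding, even when the events on either side of it look normal. A grant is consumed by the first door opening that follows it, so a second opening on the same grant (tailgating) is reported as a forced door rather than hidden behind the earlier badge read.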
Write that serial number to the new or used chip and you are now the CEO, unbeknownst to the security guards, who only care whether your card works or not.

Suppose you don't have a pass card or a reader but still want access. This can be done very simply. Apart from being able to roam freely during office hours and hide in the bathrooms until everyone has gone home, there are door locks that can be easily fooled. At this location, there are two different types of door-locking mechanism. The first and more secure is one that allows the door pin (the thing that hides in the door when you turn the handle) to pass through the doorframe. It uses a little latch, electronically controlled, to release a metal stopper when access is granted and then secures itself after five seconds or so. Placing a small piece of wire or wood between the doorframe and the metal stopper can easily circumvent this. The door will close properly, and since you need a pass card to release the stopper, no one will be the wiser unless they forget to pass the card by the reader and notice the door is unlocked.

The second method used to secure the doors is found all over the lobby floor. These are electromagnetic locks: they magnetize a plate that's affixed to the door and hold it against the charged plate on the doorframe. A red LED means 'not secure' and green means 'secure'. About 90% of the time the magnetic locks work and the door is secure. If you want a magnetic lock to look locked, a normal piece of paper between the plate and the frame will let it show as locked. The really neat thing about this is that you can't easily open the door, but by applying just a little bit of pressure, the lock will release. Now, a piece of paper will fall out every time the door is opened. This is not a good thing unless you know you are the only one coming through the door. If you want to duplicate this effect on every lock, use a sticky label.
Not a Post-It – they work but don't stick well – but the Avery labels sold in most office supply stores (an 8½"x11" sheet cut into six labels would be a perfect size). These locks can be wired to notify the security guard that the door has been held open, but, careless as the people at CHUBB are, they thought it wasn't necessary. Now all the really neat plasma screens, IP phones and desktops used in the training and conference rooms on the lobby floor can easily be compromised. They never listen to young people with good ideas; we know nothing… eh?!

Someone might ask, 'How about video surveillance?' There is video, but it is stored digitally in AVI format at 320x240. Try recognizing your own face at that resolution. These files reside on the HDD and are overwritten with newer files as the 40 GB fills up. I'm not sure whether CHUBB downloads them for storage, but I highly doubt it.

One last thing: when the cleaners are working, the broken-glass alarms go off like a match to dry grass. They are all disregarded, and by order of the Property Manager the guards call in to have them bypassed until the cleaners have left. Now, how do these alarms trigger? Sound and vibration. Push on the glass and shake your keys and it will go off. Although cheaper than wiring all the windows, this is very sensitive and most likely a problem for everyone who has it installed. I say that based on the two buildings I have observed on this site.

Everything mentioned can easily be learned by simply walking into the building during business hours. All the equipment is still labeled, and spec sheets from construction time are still lying around in certain areas that are not secured. Plus, with the five other buildings going up using the same contractors, I highly doubt that the issues above will ever be addressed. Just to reiterate, please do not try to break in and steal the computers and plasma screens at 4720 Tahoe Blvd.
That would be wrong, and the bank would probably increase service charges to cover the cost. This article was meant to inform people that physical security is severely overlooked and overrated. I personally tried to rectify the situation but was blown off; what do you expect from a Supervisor who doesn't know what the desktop is in Windows, or that you don't have to run seven instances of an application to get it to full screen? Basically, ladies and gentlemen, instead of feeling threatened by smarter or more aware people at the job site, acknowledge them and give them praise. We don't always want your job; we just want to know we are doing ours well. This will help keep jealousy and ignorance out of the way of securing your site.