We all get complacent. We look at something that we believe works and we believe it still works. This is not, of course, an appropriate mindset for the cyber security world. We need to be inquisitive, challenge conventional beliefs, and be generally skeptical of new tools as well as the ones we already use. We need to ask ourselves, “Is this firewall really protecting me from malicious email attacks?” or “Is my password really hard to discover, observe or crack?”
I have become skeptical of the security of many physical locks. I’ve mentioned this before, and today I have two new items to add to the list.
First, here is a story about a motorized, computerized combination lock picker. The device uses a motor, an Arduino computer, and 3D printed parts to open combination locks. The motor spins the dial and a little lever tests the shackle. The device may only work for Master locks, but it still helps us challenge our beliefs. Even in school when we used these locks for lockers, or maybe now when we use them on storage areas or fence gates, we believed them to be secure. To discover that a simple device can open the lock in 30 seconds should help increase skepticism of the security of these and other locks. (Those without a 3D printer can learn to do it by hand.)
Another family of padlocks has a series of dials (often four) on the bottom. Entering the correct combination involves aligning the dials to form a particular four-digit number, e.g. 9539. One valuable advantage of these locks is that the user can change the combination at will. However, when watching videos of combination lock picking, I found multiple examples of opening these in seconds. Some were for the Master 175 and others were for different brands. (I’m not picking on Master here. Their locks are quite common and I suppose that’s why folks are choosing them to attack.)
For years people believed that proximity card locks were secure. It turns out that they may be less secure than many believe. On a more “cyber” note, anti-virus tools may not be as successful as we want to believe. Sophisticated software didn’t stop the OPM attack, and Distributed Denial of Service attacks are still difficult to prevent and stop.
When I teach in Learning Tree’s System and Network Security Introduction as I did recently, I find many participants still want a “set and forget” solution – the idea of ongoing monitoring and evaluating is anathema to some. In that class we work to instill the mindset that complacency may lead to failure and diligence is required. I hope we are successful. I also hope these two example lock stories help you to begin to challenge your beliefs and presuppositions about security.
To your safe computing,