In 2010 little Ryan Owens died because a service weapon locked in a gun safe manufactured by Stack-On in Chicago, Illinois was defective in its security design, allowing it to be opened in seconds by a young child. A Class Action lawsuit was filed against the company in 2012 by Marc Tobias and Larry Drury which resulted in a multi-million dollar settlement. Several of their safe designs were defective. We believe that some of these problems still have not been remedied.

Read the Forbes article that was posted n August, 2012 by Marc Tobias.

See the detailed report that we posted in 2012 and the article that was written by Bruce Schneier.

Unsafe Safes – Schneier on Security

Watch the tragic story of the death of Ryan Owens on KENS-TV by one of their investigative reporters. Marc Tobias wrote a detailed story in Forbes about the case and posted extensive videos on YouTube to warn the public of the incompetent designs by the company.

A detailed article in Wired Magazine was published in July 2009 regarding the research project by Marc Tobias and Tobias Bluzmanis analyzing the security of Medeco High-Security locks. The eighteen-month project resulted in the filing of four patents and the publication of a book, “Open in Thirty Seconds.” See “Patents” on this site for copies of the Medeco patents that have been issued.

Watch the video with Charles Graeber author of the Wired Article. This was shot at Wired corporate offices in February, 2009.

The nations largest E-Discovery and Digital Forensic Conference was held by Techno-Security in 2008. One of the keynote speakers was Marc Tobias, discussing the analysis of Medeco high security locks.

Engadget is one of the leading technical blogs on the Internet. Marc Tobias wrote many articles for two years for them on gun locks, lock bumping, and security issues. See a listing of articles.

a number of lock experts and hackers gathered in New York in the summer of 2008 to demonstrate their talents. Marc Tobias and Tobias Bluzmanis participated and gave lectures during the conference. Read the article on CNET and watch the videos that shows some of the experts.

Read the article on CNET about Marc Tobias and his discussion about the ethics of disclosure involving several different lock manufacturers. it is an interesting and thought-provoking article.

3D-printed keys can be generated from a computer program for thousands of keyways, including high-security locks and safes. Alexander Triffault in France has spent several years developing such a program and providing it to French police agencies.  AT Security is one of the leading suppliers of specialized software for law enforcement agencies.

Watch the accompanying video that I shot in the Czech Republic during LockFest.

Walter Isaccson is a world-famous writer and historian at Tulane University. He lectures at the Aspen Institute every year, is often on MSNBC and other networks, and has written several books on technology and history, and profiles of famous individuals.

He produces a series for Dell Computers entitled Trailblazers, which is a podcast. He presented a brief history of lock development in his Podcast 4.5 edition, with interviews of many lock and digital security experts including Marc Weber Tobias.

To quote from his website:

No lock is unbreakable; all you’re ever doing is buying yourself time when a thief tries to access your valuables. To extend that time and make sure your security remains nearly impenetrable, you need two things: a strong lock and a unique key. Both of these have changed dramatically over the years. On Trailblazers, learn how we took the early lessons learned from great locksmiths and applied them to the digital era.

https://www.delltechnologies.com/en-us/perspectives/podcasts-trailblazers-s04-e05/

Listen to the audio clip of the discussion. it is fascinating.

Lock manufacturers can be liable for designs that have serious security vulnerabilities. Several class action lawsuits have been filed against lock makers for such design issues. Especially in the United States, liability can attach, especially is someone is hurt or killed, or significant property damage occurs. Essentially the rule is that if the lock has a state-of-the-art design and the attack is also complex or sophisticated, then the manufacturer will not be liable. However, if the design defect is simple and should have been anticipated, and the attack is also simple, then the lock make will be held responsible.

We have reduced this premise to our 3T2R rule, which states that the criteria is Time, Tools, and Training. If training to learn the attack is minimal, required tools are simple, and the time to bypass the mechanism is minimal, then liability will generally attach. However, if the reverse is true, then the lock maker should not be held liable. The other component to the test is Repeatability and Reliability of the attack. Just because there is an exploit does not mean the lock is not secure. However, if the exploit is both reliable and repeatable, then obviously there is a problem. Remember, all security is about time delay, and all Standards are also based upon the time it takes to defeat the lock.

Many lock makers have argued that they are not liable or anything because the locks were not used in their normal anticipated state. This is not correct, because locks are designed to be attacked. That is also why we have standards to assess their resistance to forced and covert entry.

There are several cases in this area that are instructive.

Kryptonite bike locks were attacked in 2004 by Marc Tobias, Matt Fiddler, and others, through the use of a ballpoint pen. The design engineers failed to “connect the dots” between the design of a tubular pin tumbler lock, impressioning technique, the diameter of the keyway and its correlation to the diameter of common plastic ballpoint pens. The defect was disclosed by Marc Tobias in 2004 and led to the recall of 350,000 locks, at a cost to the company of $10,000,000. The design issue also affected Kensington and its computer cable locks, and Harley Davidson motorcycles, as well as elevator control companies and others that utilized tubular lock designs in vending machines and alarm panels.

KABA SIMPLEX PUSH BUTTON LOCK

The Kaba Simplex 1000 push button lock was the subject of a class action lawsuit in 2010 because the locks had a fatal design defect that allowed them to be opened with a strong rare-earth magnet in seconds. These locks can be found in millions of installations including airports, banks, universities, hospitals and other areas that require some level of access control. The problem with the design was a critical component that was subject to magnetic fields. While the lock was designed in 1965 when the first patent was issued, it was still being sold in 2010, so 1965 standards did not apply with regard to security.

Kaba response to class action lawsuit Kaba_response

One of the best deadbolt locks made by Medeco was knocked-off and produced in Canada. The company copied a design defect that was corrected by Medeco in 2007.  The engineers that developed this lock failed to understand that the entire security of the system was based upon two tiny screws that retained the plug within the cylinder.

HP is a trusted company, and consumers believed they knew what they were doing when they designed their laptop lock to compete with Kensington, which is the leader and innovator in the industry. HP introduced a lock that was subject to attack within a couple of seconds and offered essentially no protection against theft.

HP produced an easily defeated laptop lock, which is an excellent example of insecurity engineering. Watch the video.

Stack-On is one of the largest gun safe and vault manufacturers in the United States. They produced a series of safes that were deemed defective in design and one of their safes caused the death of a three year old, which was examined by KENS-TV in Austin, Texas. That video report can be found on this site.

A class action lawsuit was filed by Marc Tobias and Larry Drury in 2012 and ultimately settled by the company without admitting liability. It cost them several million dollars.

Unsafe Gun Safes Can Be Opened By A Three-Year Old

Many of the supposedly secure prescription drug containers are far from that. Take for example the RX Locker that was sold and touted by Walgreens and other retailers as secure to protect medication from kids access. We analyzed this $;20 piece of plastic and contacted the inventor, who, after viewing our video, withdrew the product from the market. Watch our video and read my story in Forbes. The bottom line: investigate any security claims before you buy. We have seen this in countless products where the manufacturers have no idea what they are doing with regard to security. We demonstrated this in a recent analysis of containers to prevent theft of packages by  company called CleverMade. We posted s series of videos on this and another product, BoxLock.

Theft of packages is on the rise, especially with the heavy reliance on deliveries by Amazon, FedEx and the postal service. We analyzed two approaches to protection for containers that are left outside of residences or buildings. These are produced by a company called CleverMade, and by BoxLock.

Read the article in Forbes and watch the video segments.

i interviewed Jim Christy in 2014 at the U.S. Cyber Crime conference, a major gathering of experts near Washington, D.C that was organized by Jim Christy. He is the most famous for his investigation in 1986 of the famous hacking case from Hanover, Germany that attacked computers in the United States and was the basis of the book Cuckoo’s Egg by Clifford Stoll.

Watch my interview with Jim at the Cyber Crime Conference.

At the same conference I interviewed Phil Zimmerman, developed of PGP encryption. Read my article on Forbes. Phil was threatened with prosecution by the Federal government for disclosing the ability to encrypt communications.

Watch my interview with Phil Zimmerman.

Marc Tobias gave several presentations about the need for a type of Hogwarts for high school students to learn cyber and physical security technology. He was interviewed by Slashdot in New York at one of the Hackers On Planet Earth conferences.

Watch the interview.

Chris Dangerfield has been posting for quite some time in the UK about bump keys and related issues. He interviewed Marc Tobias in 2015.

You can read that interview here.

Marc Weber Tobias Interview by Chris Dangerfield

I interviewed one of the most clever and well-known covert entry tool designers in the world, from China, Mr. Li. He has designed many tools to open different vehicle locks rapidly. These tools are sold by Wendt in Germany as well as other vendors.

Read the Homeland Security Newswire that discussed our presentation at a cyber security conference and how easy it was to defeat the security of some locks by paper clips, screwdrivers and other simple implements.

The world (supposedly) safest locks easily defeated by paper clips, screw drivers _ Homeland Security Newswire

Senior engineering students at Pitt are working on several different projects in the Security Engineering Lab in the Swanson School of Engineering at Pitt. The lab is sponsored by Marc Weber Tobias and Tobias Bluzmanis with Security Laboratories. Projects include high security lock design, high-tech canes for the elderly, protective devices for portable electronic devices, integrated alarm safes, police pole-cams for conducting searches in difficult to reach areas, and many other projects relevant to security designs. The course is taught by Professor Eric Winter, who is a senior industrial design engineer. Students learn product design and realization issues and have a physical laboratory with sophisticated test equipment to work with in their projects. Security seminars are given twice a year for an evening of lock picking basics, power point presentations, and pizza for staff and students from Pitt and Carnegie Mellon University.

Read the articles about the lab.

Unlocking Potential _ Pitt Magazine _ University of Pittsburgh

Students ‘break in’ to security engineering at Pitt – The Pitt News

https://archive.triblive.com/business/technology/pitt-teaching-engineering-students-how-to-pick-locks/

Marc Tobias ans Matt Fiddler lectured at HOPE (Hackers On Planet Earth) in New York about some common tools that are employed to bypass the security of locks.

This talk will be a systematic approach to dissecting and disabling multiple layers of physical security in locks. In this presentation, the focus will be on embedded design defects in high security locks, and how their discovery translates into security vulnerabilities and the disclosure of such flaws. The attack methodology for high security locks will be reviewed. Demonstrations will include case examples, examining tolerance exploitation, code design analysis, and leveraging the interaction of internal components within a locking system to achieve different types of bypass. The application of this program in the development of covert, surreptitious, and forced methods of entry will be examined. Also discussed will be the concept of responsible disclosure upon the discovery of security vulnerabilities, and how this concept applies to both those who discover flaws and to the manufacturer that produces them, and why the same concept becomes a technical, logistical, legal, and financial minefield for manufacturers.

2010-08-hackers-high-tech

May « 2008 « Toool’s Blackbag

The Last HOPE conference, now being held in New York City, is as much for people interested in hacking the real world as it is for computer techies. Read the article from the 2008 Hackers on Planet Earth where Marc Tobias and Matt Fiddler lectured on high security lock designs.

Hacking Medeco locks – CNET

Listen to the interview on the radio program in New York hosted by the founder of 2600 magazine, Emanuel Goldstein, and Marc Weber Tobias.

Read the article by Bruce Schneier about the report at Def Con 17 by Marc Tobias and Tobias Bluzmanis that detailed the Assa Solo lock.

Hacking the Assa Solo Lock – Schneier on Security

Locks commonly used at homes and businesses worldwide were so easy to pick that children could do it, computer hackers practicing the skill were shown on Sunday.

Read the article in Energy Daily, August 6, 2006.

Lock picking child’s play at major US computer hackers conference

Read the article by noted security expert Bruce Schneier in 2008 about how the locksmith community has nothing but contempt for hobby groups that pick locks and thwart security.

Locksmiths Hate Computer Geeks who Learn Lockpicking – Schneier on Security

Newsweek reported on the HOPE (Hackers On Planet Earth) conference in New York in 2006 where lock enthusiasts and experts demonstrated and lectured about vulnerabilities, even in high security locks. Marc Tobias, Barry Wels, Bruce Schneier, Clyde Roberson (Medeco Locks), were all quoted.

Security issues with lock bumping, especially postal service locks, was discussed in detail. Read the article in Newsweek.

Security Flaw in Your Locks_

Slate Magazine did a feature post about lock picking and the growing interest in defeating locking mechanisms. As they pointed out, YouTube makes it easy to learn the finer points of breaking and entering—and locksmiths aren’t happy Marc Weber Tobias is quoted extensively in the article.

How professional locksmiths are getting picked apart online_

Read the article in Hackaday that was published in July, 2009 about the war between Marc Tobias, Tobias Bluzmanis, and Medeco and other lock manufacturers. It highlights the Wired article which was also published in 2009.

Marc Weber Tobias Vs Medeco _ Hackaday

Is a plastic drinking straw from McDonald’s the only thing keeping a thief — or worse, a child — from accessing the loaded weapon in your closet safe?

Read the article about Marc Weber Tobias and Tobias Bluzmanis as they demonstrate at Def Con in Las Vegas at the 2012 conference the defective security-designs in many Stack-On safes.

A Class Action lawsuit was filed by Tobias and Larry Drury in Chicago against the company, which was later settled.

Kids Can Open Gun Safes With Straws and Paper Clips, Researchers Say _ WIRED

Marc Tobias and Tobias Bluzmanis demonstrated at Def Con in Las Vegas certain design issues in the most popular high security deadbolt lock in the United States, produced by Medeco. As a result of the disclosures, Medeco made certain design changes in the lock to prevent the Tobias’ attacks shown.

Read the article in Wired by Kim Zetter.

Medeco Readies Assembly-Line Fix for DefCon Lock Hack _ WIRED

Read how plastic from credit cards were employed by Marc Tobias and Tobias Bluzmanis to simulate keys for conventional and high security locks at Def Con in 2008. See the detailed presentation in the Def Con slide deck as well.

Researchers Crack Medeco High-Security Locks With Plastic Keys _ WIRED

Lock bumping was introduced in the media in Europe in 2005, first in Germany on national television. In 2006, Marc Tobias met with several lock manufacturers to discuss the threats to security and in 2006 he went public in the United States at Def Con and on many television networks. The Association of Locksmiths of America attacked him as both irresponsible and that the problem really did not exist.

The technique of lock bumping was actually first discovered and patented in England around 1925, and was used by our intelligence services during WWII. it was largely forgotten until the 1980s when a series of burglaries occurred in Denmark, using the technique.

It became a major security issue in the U.S. and Europe after 2005 and lock manufacturers scrambled to deal with the issue. As a result of disclosures by Marc Tobias, Tobias Bluzmanis, Barry Wels, ToooL in the Netherlands, and other groups, it was demonstrated and understood that even high security locks could be bumped open. Today it is one of the primary tests to determine the security of locks, and is part of the ANSI and UL standards.

Read the articles that Marc Tobias published for the industry regarding lock bumping and how it worked, and why it was a threat. The subject was also treated extensively in “Open in Thirty Seconds: Cracking one of the most secure locks in America.”

Lock Bumping; A Threat to Physical Security_

White Paper: bumping_040206

Open letter to ALOA on lock bumping: ALOA RESPONSE

Read the article published by Marc Tobias on the ethics of full disclosure and non-disclosure by lock manufacturers:  Ethics of Full Disclosure

Lock bumping received a great deal of publicity in the media, both print and television. Read the article on KELO-TV.

KELOLAND.COM_ News, Weather and Sports for Sioux Falls, South Dakota, Minnesota and Iowa

Watch the special report on KELO-TV South Dakota, the statewide CBS affiliate.

Read the article posted in the Argus Leader, Sioux Falls, SD on lock bumping threat, posted in 2006..

Argus Leader – Business

In its Federal class action lawsuit, Marc Tobias and Larry Drury alleged that certain designs of Stack-On gun safes were defective. It is the opinion of Marc Tobias that Stack-On lacked competence in security engineering to understand the issues involved to make their safes secure. There have been several recalls by the CPSC regarding their safes, and there is significant evidence that the design of one of their safes led to the death of three-year-old Ryan Owens in Vancouver, Washington.

STACK-ON COMPLAINT

Stack-On has never admitted any liability, nor that there designs were in any way unsafe. As a lawyer and physical security expert, i would highly recommend that no consumer purchase any Stack-On product to protect weapons.

Watch our videos of the analysis of different Stack-On designs.

The Air Traffic Control Center (ATC) in Iceland controls all of the air traffic over the North Pole and from North America to Europe. Read my story in Forbes and watch my interview with Asgeir Palsson., the Director of ATC.

Grey market cameras may be less expensive, but you get what you pay for, and in the end, you may receive less value than you anticipated. I interviewed Henry Posner at B&H Photo Video in New York about these products and why consumers should be careful. Read the story on Forbes.

Watch my interview with Henry Posner.

A company in New York, Keyme, has invented and deployed more than a thousand key machines throughout the United States for consumers to duplicate many common keys, including car keys and RFID key fobs. Read my article in Forbes and watch the interview with the CEO of Keyme, Greg Marsh.

The Lock Busters _ WIRED

A lock picking contest and meeting from all over Europe was held in Sneek, Netherlands in 2005. This was sponsored by ToooL, The Open Organization of Lock Pickers, with Barry Wels and Han Fey as the chairman. This was covered in Wired by Charles Graeber.

Read the article about electronic locks and potential vulnerabilities in The Economist, December 2004. The article is entitled: Security technology: A new kind of door lock combines low-tech and high-tech approaches to enhancing securitybut is it really safer?

ECONOMIST

Popular Mechanics posted an article in their magazine in December, 2004 describing how the tubular pin tumbler lock in the Kryptonite was compromised easily with a ball point pen. This attack was published on security.org in 2004 by Marc Tobias, and resulted in the recall of 350,000 bike locks by Kryptonite and Schlage Lock Company.

Read the article in Popular Mechanics. PM1204

Read the article in Business Management with Marc Weber Tobias discussing different issues involving laptop computer security.

HardwareEdlr

DUBAI_AIRPORT_CITIES

Read the article from the Dubai Airport Cities magazine,  page 14. This article details serious issues in protection of critical infrastructure, especially airports.

CONSUMER_REPORTS

How to avoid break-ins at your home is the subject of this article, quoting Marc Tobias. Web videos that demonstrate how to make a “bump key” are especially unnerving because unlike so much other sketchy content online, these tutorials are real. These instructional pieces typically reveal that any key “when properly used, will open any lock that it fits into,” as boasts one Web instructor.

Security Laboratories is part of the European Lockmasters Group. It is a collection of experts in locks, safes, covert entry tools, and vehicle security systems. it was founded twenty-five years ago by Addi Wendt, a pioneer in the industry and provider of tools throughout the world.

The photograph shows the members at the European Locksmiths Group meeting in 2010.

european_lockmaster_group_englishE

Toool The Open Organization Of Lock pickers in the Netherlands posted an article on BlackBag  in May, 2008 that they acquired a Medeco official key machine in order to produce bump keys to test the methods described in the book “Open in thirty seconds” in which Barry Wels wrote one of the Forewords.

May « 2008 « Toool’s Blackbag

A 2003 article by the New York Times examined the security vulnerabilities of master key systems, especially in apartment complexes. Matt Blaze first reported on the issue, and Marc Tobias was also quoted in the article.

In the research paper, Mr. Blaze applies the principles of cryptanalysis, ordinarily used to break secret codes, to the analysis of mechanical lock designs. He describes a logical, deductive approach to learning the shape of a master key by building on clues provided by the key in hand — an approach that cryptanalysts call an oracle attack. The technique narrows the number of tries that would be necessary to discover a master-key configuration to only
dozens of attempts, not the thousands of blind tries that would otherwise be necessary.

Many Locks All Too Easy To Get Past – The New York Times

How The Lock Industry Put Its Head In The Sand, Rather Than Deal
With Vulnerabilities To Locks. This article was published in May, 2009 and refers to the Medeco attacks by Marc Tobias and Tobias Bluzmanis, as well as the intense dissatisfaction by the locksmith and manufacturing industry at disclosures the lock picking groups and experts.

How The Lock Industry Put Its Head In The Sand, Rather Than Deal With Vulnerabilities To Locks _ Techdirt

An article originally appears in Phys.org  in 10`0 and was republished by AFP about hackers the discovered security vulnerabilities in supposedly high-tech locks.  Marc Tobias and Tobias Bluzmanis demonstrated the design problems with numerous locks, including the famous iLoq from Finland, BioLock from Hong Kong, Amsec safes, Kwikset SmartKey, and other electromechanical locks that were equally vulnerable.

2010-08-hackers-high-tech

An article by Glenn Chapman of AFP was published in 2010 about different security vulnerabilities that were showcased at Def Con. This was republished in the Phys.org publication and describes some of the hacks at the conference.

2010-07-internet-warriors-hone-skills-black

A detailed report in 2004 was published by Marc Tobias and Investigative Law Offices, P.C. to warn consumers about the dangers in relying upon the security of many different gun locks. Read the report, which detailed an eleven-year boy in Toronto who was able to remove gun locks from weapons in seconds.

GUNLOCK_SECURE

Marc Tobias met with Josh Nekrep, former editor of Lock Picking 101 (LP101, for an interview in Toronto on the new book about Medeco locks, entitled “Open in Thirty Seconds.”

Listen to the interview.

James Charles O’Gara was a disbarred lawyer living in Omaha, Nebraska. He was a convicted felon, and worked with John Sherman of Minneapolis to perpetrate a fraud on multiple individuals for hundreds of thousands of dollars.  O’Gara was a first-class con artist. He had convinced bankers and other reputable financiers and wealthy business people that he was legitimate. He got people to vouch for him as credible.

He represented to business owners in need of capital that he had access to millions of dollars in funding for projects. He worked with John Sherman, a former registered securities broker who lived in Plymouth, Minnesota and claimed he knew nothing about O’Gara’s background, when interviewed by Marc Tobias.

As a result of a background investigation by Tobias regarding the defrauding of several of his clients and colleagues, and undercover wires by Tobias with O’Gara and others, the FBI arrested O’Gara. He subsequently plead guilty and served more than two years at Leavenworth Federal prison in Kansas.

This is a classic case that anyone seeking funding from individuals claiming they have access to financing should understand that background investigations and due diligence are mandatory, especially in the Internet era where documents can be easily forged.

Read the seven-part article in the Omaha World Herald by Karyn Spencer, a highly talented investigative reporter who went on to work for the Public Defenders Office in Omaha as an investigator.

OMAHA_WORLD_HERALD_JIM_O’GARA_STORY

Computer-hardware makers keep churning out new laptop locks, and Marc Tobias keeps trying to crack them — often with what he says is absurd ease.
Read the story in Your Tech Blog published in 2006.

Your Tech Weblog_ Think the laptop lock is secure

Wired published a story about the attack on tubular pin tumbler locks which were utilized in Kryptonite bike locks and computer locks. The article began “A 50-year-old lock design was rendered useless last week when a brief post to an internet forum revealed the lock can be popped open with a cheap plastic pen.”

The original report was released by Marc Tobias on security.org. The issue with many tubular locks and specifically those used by Kensington has been resolved many years ago.

Read the article: Wired News_ Twist a Pen, Open a Lock

Read the article posted by WCCO in Minneapolis about thieves using the lock bumping technique to compromise pin tumbler locks. The problem still exists in 2020, although many manufacturers have taken steps to minimize the threat.

wcco.com – Thieves Using ‘Lock Bumping’ To Gain Access

USA Today posted a story in 2004 regarding kryptonite bike locks being easily opened with a ball point pent. It led to several Class Action lawsuits and the recall of 350,000 bike locks.

USATODAY.com – Kryptonite faces bike lock fiasco after easy hack revealed

The Boston Globe published a similar story as well.

Boston.com _ Business _ Technology _ Cyclists_ Bike locks easy prey for thieves

ABC New York Channel 7 News posted a report on Kryptonite bike locks as well.

7Online.com_ Kryptonite, Its Bike Locks Rendered Powerless by a Pen, Scrambles to Recover

Hogwarts for the real world? Brains, hacking and the social order also concerned the day’s most thought-provoking talk, a one-hour study and
discussion on the prospects for a National Security College that could harness hacker intelligence, creativity and patriotism as the Peace Corps once harnessed the abilities of an earlier generation.

Marc Tobias presented the idea at HOPE for a National Security College for young students to be schooled in a broad range of topics in a boarding school curriculum.

Read the article in USA TodayUSATODAY.com – Fifth HOPE, Day 2

This was also covered by CQ Homeland Security in 2004, Harry Potter as a CIA Spy? One Man Says It’s Worth a Shot.

CQ Homeland Security 2004.

Hackers met in Las Vegas at Def Con in August, 2006 to lecture and exchange information about the insecurity of hardware and software. Read the ABC report. ABC News_ Hackers Meet to Exploit Computer Flaws

CNN filed a similar report about the vulnerability of electronic passports and other software and hardware-based products. Read the article.

CNN.com – Researcher_ New passports vulnerable – Aug 6, 2006

Canadian Television CTV also reported on the Def Con conference and the problems with biometric passports. CTV.ca _ Electronic passports vulnerable, expert says

The Washington Post also reported on different issues at the 2006 Def Con.

Hackers Meet to Exploit Computer Flaws

Read the MSNBC article about Def Con 2006 and e-passports.

Expert warns on e-passport security – Security – MSNBC.com

Bruce Schneier, renowned security expert, reported on different attacks on electronic cylinders by Lockmasters Security Group in Europe, Toool, Security Labs and Marc Tobias. See also the video of Addi Wendt, discussing how the original concept was developed at his facility in Bergheim, Germany.

Magnetic Ring Attack on Electronic Locks – Schneier on Security

IEEE Spectrum reported on the Hackers on Planet Earth meeting in New York in July, 2006. Read the article. IEEE Spectrum_ Picking Your Security Apart

The AP and NJ.COM reported on the disclosures that were originally in the New York Times regarding the insecurity of master key systems. Matt Blaze original exposed the vulnerabilities in master keyed systems, especially in apartment houses and other buildings. Marc Weber Tobias was also interviewed in the article.

NJ.com – NewsFlash

A lecture was given on the use of polygraph as an investigative tool by Marc Weber Tobias, a polygraph examiner in South Dakota and Nebraska. The lecture was at The University of Cambridge, Computer Security Lab.

talks.cam _ _ The Polygraph

Marc Tobias has been involved in the design and vulnerability analysis of security devices to protect portable electronic devices since 2004 when he issued the first report on the ability to bump open the tubular pin tumbler lock that was employed by several companies that produced computer cable locks. This also affected other sectors of the security industry that provided locks for motorcycles, alarm panels, elevator control panels, and bike locks.

The media covered this issue in detail and often because of its broad security impact. Read some of the articles in the St. Paul Pioneer Press and Slashdot.

St. Paul Pioneer Press _ 09_11_2006 _ Lock guru says Targus still leaves notebooks vulnerable

St. Paul Pioneer Press _ 08_31_2004 _ Laptop locks easily picked

St. Paul Pioneer Press _ 07_31_2006 _ Taking stock of computer locks

Slashdot _ Kensington Laptop Locks Not So Secure

Opening locks by bumping in five seconds or less: is it really a threat to physical security? Marc Weber Tobias gave a lecture at the University of Cambridge Computer Security Lab on the design issues that allowed pin tumbler locks to be opened in seconds. Security Seminar – 23 May 2006_ Marc Weber Tobias, Investigative Law Offices

The subject of lock bumping was introduced at Def Con in 2006 by Marc Tobias and Matt Fiddler. an eleven year old girl, Jenna Lynn demonstrated how to bump open popular locks at the Lock Picking Village and in the lecture by Tobias and Fiddler. watch the video.

The following year she demonstrated how to bump the Medeco high security locks with ARX high security pins. Watch the video. The demonstration was viewed by many experts and verified.

The book “Open in thirty seconds” by Marc Tobias and Tobias Bluzmanis fully explore the ability to bump and pick Medeco and other high security locks.

ALOA, the Associated Locksmiths of America, attacked Marc Tobias and others for demonstrating the ability to bump open pin tumbler locks, and also disputed the information published about Medeco High Security locks. Marc Tobias has been a member of ALOA since 1991. Marc posted an editorial, Part I and Part II to state his opinion with regard to the position taken by ALOA and its Board.

PART_I_EDITORIAL_MEDECO

PART_II_EDITORIAL_MEDECO

The death of Ryan Owens likely could have been prevented if Stack-On Corporation had designed their safe properly so it could not be jiggled open. In our opinion, they had no idea what they were doing and the consequences in using a solenoid design to keep their safes locked. Ed Owens, the father, filed a lawsuit against the sheriffs department in Vancouver, Washington and one that suit. The media reported on the death and the lawsuit. Watch the TV reports where Marc Tobias demonstrated how to open the suspect safe model from Stack-On. The safe was provided by the Sheriffs Office for testing.

This report is from KATU-TV.

This report is from KGW-8 TV

This is an interesting Research Paper on physical key security, published by Benjamin Laxton, Kai Wang and Stefan Savage, Department of Computer Science & Engineering University of California, San Diego La Jolla, California, USA. It examines physical key control and the ability to duplicate, replicate, and simulate keys through various means.

The access control provided by a physical lock is based on the assumption
that the information content of the corresponding key is private — that duplication should require either possession of the key or a priori knowledge of how it was cut. However, the everincreasing capabilities and prevalence of digital imaging technologies present a fundamental challenge to this privacy assumption.

Using modest imaging equipment and standard computer vision algorithms,
we demonstrate the effectiveness of physical key teleduplication—
extracting a key’s complete and precise bitting code at a distance via optical decoding and then cutting precise duplicates. We describe our prototype system, Sneakey, and evaluate its effectiveness, in both laboratory and real-world settings, using the most popular residential key types in the U.S.
SNEAKEY

In 2007, Security Labs gave a Def Con lecture about the design flaws in the Medeco Maxum deadbolt lock. The issue allowed a small screwdriver to be utilized to open the lock in a few seconds. Medeco quickly remedied the problem, but the underlying lessons remain.

Read the White Paper that was published by Marc Tobias on this issue. it is also the subject of the Def Con lecture on this site.

MEDECO_DEADBOLT

Post office box locks are standard five pin tumbler cylinders that can be easily bumped open, even though they have a restricted and protected keyway. Unfortunately the keys and locks can be purchased on eBay because they are surplussed out at closed military bases. Marc Tobias conducted an in-depth analysis of locks by USPS and by UPS Mail Boxes. These locks are not secure and as demonstrated in the video, can be quickly opened by bumping with an easy-to-produce blank.

Watch the special report on KELO-TV Sioux Falls about security and post office boxes.

Download the video file from this report: KELO-TV VIDEO RE BUMPING 040406

Todd Morris is the CEO of Brickhouse Security in New York. This is one of the primary suppliers of GPS tracking hardware and software, as well as surveillance technology including miniature cameras and audio recorders. They were featured in a Forbes story written by Marc Weber Tobias.

Watch the interview with Todd Morris and Marc Tobias.

Marc Tobias was interviewed at Brickhouse Security offices in New York by Todd Morris, their CEO. Marc discusses the security of locks and insecurity engineering issues.

Security Labs analyzed the BioLock 333, produced in Hong Kong and was being sold by Brickhouse Security in New York. Our lab was asked to evaluate its design. We found it could be opened in seconds with the insertion of a paperclip into the keyway. We would not recommended that anyone purchase this lock, even though it looks secure. it is not.

The Amsec 1014 small consumer safe is not secure and can be opened in seconds by jiggling, as shown in the video by a child. This safe relies upon a solenoid to accomplish locking, but solenoids are not secure at all and can be vibrated open. See the reports on Stack-On Safes to learn what can happen. Their safe was opened by a child, which resulted in the death of a three-year old in Vancouver, Washington.

A good report was aired on WMC-TV Channel 5 in Memphis, featuring a local locksmith speaking about the threat of lock bumping.

Roger Johnston is the Team Leader at Argonne National Labs near Chicago. This article is about vulnerability assessments and discusses history and goals to discover security flaws and vulnerabilities.

SecureWorld Expo Keynote

This article is about Overcoming the Threat of the Bump Key: Protecting Your Self-Storage Facility From This Theft Device and the threat from bump keys.

Overcoming the Threat of the Bump Key_ Protecting Your Self-Storage Facility From This Theft Device _ Inside Self-Storage

Marc Tobias was interviewed by Josh Nekrep for the Lock Picking 101 web site about Open in Thirty Seconds, the book about Medeco.

Lock Picking 101 Forum • How to Pick Locks, Locksport, Locksmithing, Locks, Lock Picks_

“How anyone – including you – could break into any lock in less than 10 seconds…and what you better know about it…”

This article was posted by Mulholland Brands Manufacturing about the threat from lock bumping. Read down to the middle of the page to find the article.

Lock Bumping _ MulhollandBrand.com

How secure is the deadbolt in the Kwikset Kevo smart lock? Experts and amateurs alike allege that Kwikset SmartKey locks are flawed and unsafe. What does this mean for the Kevo?

Read the analysis by CNET and the comments of Marc Weber Tobias.

How secure is the deadbolt in the Kwikset Kevo smart lock_ – CNET

A schedule of seminars at the Computer Security Lab at Cambridge, from 2010-2020, including lectures by Marc Tobias and Tobias Bluzmanis.

Department of Computer Science and Technology – Security Group_ All

Kwikset locks were reviewed in Wirecutter. This is an excellent article about the analysis and criteria for door locks. Marc Tobias and others are quoted in the article with regard to design and security.

The Best Door Lock _ Reviews by Wirecutter

Medeco is ostensibly the Rolls Royce of locks. Their clients include the Department of Defense, the White House, the United Nations, and the British Royal Family, all because their products are considered “high-security” — which technically only means their locks take at least 10 minutes to crack. No lock is unsolvable, but by the time you’ve spent 10 minutes fiddling with one in the Pentagon, someone is hopefully going to notice you and arrest your fiddly ass.

This was an excellent article about “5 Crusading Trolls Who Pranked The Rich And Powerful.”

It discusses in item #1, the analysis of Medeco locks and how they were compromised.

5 Crusading Trolls Who Pranked The Rich And Powerful _ Cracked.com

A three-part story was aired on KELO-TV in Sioux Falls in 1995, the statewide CBS affiliate, about private investigators and how they work. The story featured Marc Weber Tobias and Lorin Pankratz, detailing their high-tech approach to investigations. Watch the coverage.

Argonne Vulnerability Assessment Team (2012)

The Argonne National Laboratory has a world renown vulnerability assessment team, which was led by Roger Johnston. They are Internationally recognized in their expertise in tags, seals, access control, anti-counterfeiting,
cargo security, nuclear safeguards, & physical tamper/intrusion detection.

This article is by Roger G. Johnston, Ph.D., CPP, and Jon S. Warner, Ph.D.
They are with the Vulnerability Assessment Team at Argonne National Laboratory. Read about common cargo security blunders in the following article.

_cargo security blunders (2010)

“We’ve never seen what we would consider effective tamper-detection for a drug product,” says Dr. Roger Johnston, head of the Vulnerability Assessment Team as Los Alamos National Laboratories. In this exclusive interview,

Johnston gives us the ten top failings of anti-tampering efforts, and solutions for improvement. Also, click the “Download Now” button at the end of the
article to obtain Johnston’s PowerPoint presentation on improving tamper detection systems.

Why Pharma’s Tamper-Evident Packaging Strategies Don’t Work _ Pharmaceutical Manufacturing

Security in Depth is a good thing: 4 layers of security trumps 1 layer of security every time, right? Well, not so fast! Layered security can be a useful tool, but it also holds lots of hidden dangers.

Almost every vulnerability assessor is familiar with the following scenario, which the author has personally witnesses at least 2 dozen times (including at nuclear facilities): A security manager is shown a simple, successful attack on a security device or system, or a portion of the overall security program. Then he/she is shown an inexpensive counter-measure, or at least a partial fix that is relatively painless. The instant response: “Well, yes, that is all very interesting, but we have multiple layers of security, so a failure in one layer does not mean that our overall security has failed. Thus, we don’t need to be concerned with this vulnerability, nor do we need to implement the recommended countermeasure(s).”

security in depth (2009)

This is an excellent paper on many facets of cargo security, written by the team at the Los Alamos National Laboratory. It covers seals, RFID, GPS, terminology, tags, and overall security considerations and vulnerabilities.

cargo security issues (2006)

cargo security issues (2006) Powerpoint Presentation

Read the article by Dr. Roger Johnston and the LANL team.

SECURITY IN DEPTH

Security in Depth is a good thing: 4 layers of security trumps 1 layer of security every time, right? Well, not so fast! Layered security can be a useful tool, but it also holds lots of hidden dangers.

Almost every vulnerability assessor is familiar with the following scenario, which the author has personally witnesses at least 2 dozen times (including at nuclear facilities): A security manager is shown a simple, successful attack on a security device or system, or a portion of the overall security program. Then he/she is shown an inexpensive countermeasure, or at least a partial fix that is relatively painless. The instant response: “Well, yes, that is all very interesting, but we have multiple layers of security, so a failure in one layer does not mean that our overall security has failed. Thus, we don’t need to be concerned with this vulnerability, nor do we need to implement the recommended countermeasure(s).”

Is this the correct decision? Ultimately, maybe it is and maybe it isn’t. But to knee-jerk the decision not to explore the possibility of improving a given layer or portion of a security program based solely on the idea that there are additional layers is certainly not the right response.

The VAT analyzes the most common security blunders. Here are their Top Ten:

1 Lack of Critical/Creative Reviews & AVAs
2 No countermeasures for Cognitive Dissonance
3 Compliance-Based Security
4 Confusing Inventory with Security
5 Confusing Control with Security

6 Thinking that finding vulnerabilities is bad
news & means that somebody has been
screwing up
7 Mindless faith in “Security in Depth”
8 Thinking that all vulnerabilities can be found
& eliminated
9 Focusing on threats instead of vulnerabilities
10 Mindless faith in Technology & Snake Oil

Read the article by Jon S. Warner, Ph.D.,  Roger G. Johnston, Ph.D.,  CPP and  the Vulnerability Assessment Team Argonne National Laboratory.
287 security blunders (2009)

Bahrain talk (2006)

A lecture by Roger Johnston, Ph.D. at Argonne National Labs.  He discusses the following myths:

 security maxims (there’s no free lunch)
 high tech ≠ high security
 inventory ≠ security
 RFIDs & CMBs
 GPS
 tamper-indicating seals & cargo security
 tamper-evident packaging
 biometrics & access control systems
 counterfeiting security devices
 data encryption/authentication
 polygraphs
 “security in depth”
 effective vulnerability assessments

Read about the common security maxims:

1. Infinity Maxim: There are an unlimited number
of vulnerabilities, most of which will never be
discovered (by the good guys or bad guys).

2. Arrogance Maxim: The ease of defeating a security
device is inversely proportional to how confident the
designer, manufacturer, or user is about it, and to how
often they use words like “impossible” or “tamper-proof”.

3. High-Tech Maxim: The amount of careful thinking that
has gone into a given security device is inversely
proportional to the amount of high-technology it uses

4. Low-Tech Maxim: Low-tech attacks work
(even against high-tech devices).

5. Yipee Maxim: There are effective, simple, & low-cost
countermeasures to most vulnerabilities.

6. Arg Maxim: But users, manufacturers, and
bureaucrats will be reluctant to implement them.

7. Insider Risk Maxim: Most organizations will ignored
or seriously underestimate the threat from insiders.

AE Seals (2006)

Summary: Current tamper-indicating seals are WAY too easy
to spoof.

 That’s bad because they are protecting important
stuff.
 There are workarounds.
 But much better seals are both needed and
possible: Anti-Evidence Seals

This article is about anti-tamper seals and how easily they can be defeated.

Seals are used in a variety of protective environments. This article explores the use of seals and their often simple bypass.

AE seals summary (2007)

examples of seal applications
• utility meters
• records integrity
• nuclear safeguards
• waste management
• cargo & port security
• banking & courier bags
• ballots & voting machines
• computer physical security
• loss detection & prevention
• law enforcement & forensics
• protecting medical sterilization
• protecting instrument calibration
• hazardous materials accountability
• protecting food & drugs, etc

POWERPOINT: VAT and human factors (2009)

VAT human factors research (2010) Article by Roger Johnston and the Vulnerability Assessment Team at LANL.

This article covers: 

Nuclear Safeguards
Vulnerability Assessments
Novel Security Approaches
Human Factors in Security

future (2008) Power Point presentation 

future (2008) Article

This is a presentation by Roger Johnston  and Jon S. Warner, Ph.D. at LANL. The authors discuss the future direction and technology that will appear in security issues and protection. This includes:

• Wishful thinking about high-tech will only increase.
• As high-tech increases, careful thinking about security will decrease.
• At some point, a terrorist incident will shut down a major U.S. port/s with severe economic & geopolitical implications.
• The RFID allure will die out and will be replaced by true security devices, including RF devices.
• There will be serious GPS spoofing incidents.

how to do seal VAs (2006) Power Point

how to do seal VAs (2006) Presentation

Watch the Powerpoint Presentation by the Team at LANL.

defeating a seal:  opening a seal, then resealing (using the original seal or a counterfeit) without being detected. Defeating seals is mostly about fooling people, not beating hardware (unlike defeating locks, safes, or vaults)!

attacking a seal:  undertaking a sequence           of actions designed to defeat it.

This presentation is by the Vulnerability Assessment Team at LANL (Los Alamos National Labboratory).

In this Powerpoint presentation, the LANL Team discusses new approaches regarding tamper intrusion and detection. Definitions are presented, including:

tamper detection:  delayed (after the fact) detection of unauthorized access.

intrusion detection:  immediate (real-time) detection of unauthorized access.

lock:  a device to delay, complicate, and/or discourage unauthorized entry.

seal :  a tamper-indicating device (TID) designed to leave non-erasable, unambiguous evidence of unauthorized entry or tampering.  Unlike locks, seals are not necessarily meant to resist access, just record that it took place.

tag:  a device or intrinsic feature (“fingerprint”) for uniquely identifying an object or container.

defeating a seal:  opening a seal, then resealing (using the original seal or a counterfeit) without being detected.

attacking a seal:  undertaking a sequence  of actions designed to defeat it.

new approaches (2003)

Imagine an anti-counterfeiting tag that:

Is inexpensive & unobtrusive.

Is very difficult to counterfeit in large numbers.

Can be automatically checked by wholesalers, retailers, or volume end users (with an inexpensive reader).

Can be checked by consumers (without a reader).

Typically detects more than 98% of the fakes examined.

Effectiveness scales automatically with the level of concern.

Does not become easier to defeat over time, or as technology advances.

product authenticity strategies (2012)

product authenticity strategies (2012) Powerpoint

product authenticity talk (2011)

These articles and powerpoint presentations considers different issues involving:

numeric tokens (CNT)
trusted manufacturer & good cargo security
dedicated manufacturing day(s), on-site personnel, courier(s)
buy the manufacturer (maybe team with other end-users)
make he product yourself (maybe team with other end-users)
tags
taggants
measure orthogonal physical properties
product forensic analysis
track & trace
don’t buy brokered, resold, repackaged products
don’t accept low bids or lowest prices

See the three different presentations below about the concept of “security theater.”

security theater (INMM 2010)

security theater talk (INMM 2010)

security theater talk

This is a presentation by Roger G. Johnston and Jon S. Warner, Vulnerability Assessment Team, Nuclear Engineering Division, LANL.

ABSTRACT

“Security Theater” (also known as “Ceremonial Security”) involves procedures, policies, and technologies that give the superficial appearance of providing security without actually countering malicious adversaries to any significant degree. As vulnerability assessors, we frequently find Security Theater across a wide range of different physical security devices, systems, and programs,
as well as in domestic and international nuclear safeguards. Security Theater is not automatically a bad thing; it can have its uses. The real problem occurs when Security Theater is not recognized as such, or when it stands in the way of good security or is preferred over real security. In this paper, we present a vulnerability assessor’s view of where future arms control verification regimes are likely to be plagued by Security Theater, based partially on our understanding of current security vulnerabilities and our experience with Security Theater. We also offer suggestions for spotting Security Theater, and for preventing it. Future nuclear safeguards measures that are particularly at
risk for becoming merely Security Theater include tamper-indicating seals and information barriers.

This article discusses “Being Vulnerable to the Threat of Confusing Threats with Vulnerabilities* It was published by the LANL Vulnerability Assessment Team.

threats vs vulnerabilities (2010)

The author begins the article by stating: The following ideas are common, but I think quite wrong and thus myths:

A Threat without a mitigation is a Vulnerability.
A Threat Assessment (TA) is a Vulnerability Assessment (VA).
Threats are more important to understand than Vulnerabilities.
Many of the most common tools used for “Vulnerability Assessments”
(whether true VAs or actually TAs) are good at finding Vulnerabilities.

perceptual blindness (INMM 2010)

perceptual blindness talk (2010)

Perceptual Blindness, also called Inattentional Blindness, is the common phenomenon of a person failing to perceive objects or actions that are in plain sight. Causes beyond just basic human psychology can include not having a mental framework prepared in advance to perceive the objects or actions (that is, not being ready for the unexpected); wishful thinking or denial (due to cognitive dissonance) that prevents someone from seeing what he or she would like not to exist; intense mental focus on certain features which can cause mental distraction in regards to others; or deliberate misdirection by another person.

Fortunately there are potential—though largely untested—
countermeasures to perceptual blindness. These include choosing one or more inspectors or security guards to be the generalist to examine the general scene without specific assigned detailed observational responsibilities; conducting training to improve observational skills; making relevant personnel aware of perceptual blindness issues and demonstrating perceptual blindness to them; using magicians to demonstrate misdirection and sleight-of-hand techniques; engaging in frequent mental “what if” exercises to better mentally prepare observers for the unexpected; and implementing countermeasures to groupthink, denial, cognitive dissonance, and wishful thinking.

Possible results:

There are serious implications for security guards
& safeguards inspectors, especially those who:
 check security badges
 watch video monitors
 make daily rounds
 inspect seals
 guard gates
 operate safeguards equipment

ShmooCon talk (2010)

The Vulnerability Assessment Team at LANL has worked hundreds of security problems, including:

Seals & Tamper/Intrusion Detection
Cargo security
First to show how easy it is to spoof, not just jam GPS. First to
suggest countermeasures.
Defeats of a number of different biometric and other access control
devices (many different ways).
Attacks on RFIDs & contact memory buttons
Sticky bomb detection
Demonstrated attacks on an electronic voting machine from the voters’ end.

Product authenticity (especially wine & pharmaceuticals)
Questioning the security of urine drug tests
Better ways to protect logged/monitoring/surveillance data
Nuclear Safeguards
Special Field Tools
Vulnerability Assessments
Consulting & Security Training
Human Factors in Security / Security Culture & Climate

sticky bomb detection paper (2010)

This is a paper by Roger G. Johnston Ph.D., Jim Vetrone, and Jon S. Warner from LANL.

A “sticky bomb” is a type of improvised explosive device (IED) placed on a
motor vehicle by (for example) a terrorist. The bomb is typically attached with
adhesive (“duct”) tape, or with magnets. This paper reports some preliminary
results for a very rudimentary demonstration of two techniques for detecting the placement of a sticky bomb on a motor vehicle. There are other possible security applications for these techniques as well.

snake oil talk (2006)

This is a presentation by Roger G. Johnston, Ph.D., CPP and Jon S. Warner, Ph.D., from LANL Vulnerability Assessment Team.

They present a history of snake oil:

Ancient World: medicines made from snakes are believed to have curative powers.

1880: John Greer’s snake oil cure-all.

1893: Clark Stanley (“The Rattlesnake King”) sells his Snake Oil Liniment at the World’s Columbian Exhibition in Chicago. A big hit. Contained mineral oil, camphor, turpentine, beef fat, and chile powder…but no snake extract!

Today: A product is called “snake oil” if it is fake, shoddy, or severely over-hyped.

TEP and new seals (2006)

This is an article by Roger G. Johnston, Ph.D., CPP*, Jon S. Warner, Ph.D., Sonia J. Trujillo, Anthony R.E. Garcia, Ron K. Martinez, Leon N. Lopez, and Adam N. Pacheco of the Vulnerability Assessment Team Los Alamos National Laboratory.

Product tampering is a serious product safety issue. Unfortunately,
neither tamper-evident packaging used on consumer products, nor
tamper-indicating seals used for cargo, warehouse, and factory security
provide reliable tamper detection. We believe there is a better approach
to tamper detection, at least for tamper-indicating seals: anti-evidence
seals. Conventional seals must store evidence of tampering until such
time as the seal can be inspected. But adversaries can too easily hide or
erase the evidence, or replace the seal with a counterfeit seal.

With anti-evidence seals, in contrast, we store information when the seal is first installed that tampering has NOT yet been detected. This information
(the “anti-evidence”) gets instantly erased once tampering is detected.
There is thus nothing for an adversary to hide, erase, or counterfeit. This
paper discusses 5 new prototype electronic seals based on the anti-evidence
concept.

security advice (2012)

In contemplating the use of any new security measure, strategy, or product, you need to determine the correct answers to 3 questions:

(1) To what extend does this really improve security?

(2) What are all the costs, trade offs, and side effects (because there always  some)?

(3) Is 1 commensurate with 2?

This is a paper written by Roger G. Johnston, Ph.D., CPP, Vulnerability  Assessment Team, Los Alamos National Laboratory

seal VAs (2005)

The Vulnerability Assessment Team (VAT) at Los Alamos National Laboratory
(LANL) has studied tamper detection for 13 years. We have conducted vulnerability assessments (VAs) on hundreds of seals and cargo security programs, and undertaken research and consulting for over two dozen government agencies and private companies. This article discusses how we conduct VAs and what we have learned about seals.

older election integrity invited talk (2011)

suggestions for better election security (2012)

election security invited talk (2012)

An analysis  of election security issues by Roger G. Johnston, Ph.D., CPP and Jon S. Warner, Ph.D.

So Why So Much Bad Physical Security?

Security Theater is easy, thinking and Real Security is hard
Committees, bureaucrats, & knuckleheads are in charge
People & organizations aren’t used to thinking critically about it
Physical Security as a “Taking Out the Garbage” slam dunk thing
“If it’s important, somebody must have thought it through” Myth
Lots of hype, snake oil, & bad products
Blind faith in precedence and “authorities”
Physical security is not a well developed field

Usually we can defeat security devices (including high-tech ones) without attacking the computer/microprocessor, reverse engineering the software, or having an owner’s manual! Might this also be true for electronic voting machines?

chirping tag and seal (2010)

This conference presents information on seals and their security. The LANL Vulnerability Assessment Team analyzes many different kinds of seals, including:

customs
cargo security
counter-terrorism
nuclear safeguards
counter-espionage
banking & couriers
drug accountability
records & ballot integrity
evidence chain of custody
weapons & ammo security
tamper-evident packaging
anti-product counterfeiting
medical sterilization
instrument calibration
waste management &
HAZMAT accountability

how to spot security theater (2010)

Bruce Schneier coined the term “Security Theater” to describe the situation where phony security measures provide a feeling of improved security, but in reality provide little or no actual security.[1,2] Another name for Security Theater is “Ceremonial Security”.

As a vulnerability assessor, I frequently find Security Theater across a wide range of different physical security devices, systems, and programs, as well as in domestic and international nuclear safeguards. It’s important to realize, however, that Security Theater is not automatically a bad thing. It can present the appearance (false though it may be) of a hardened target to potential adversaries, thus potentially discouraging an attack (at least for a while). Security Theater can reassure the public while more effective measures are under development, and help encourage employees and the public to take security seriously.

phys security education (2006)

Definition of Physical Security

Protecting valuable tangible assets from harm, or using
physical methods to protect intangible assets. Tangible assets can include, for example, people, equipment, buildings, cargo, money, weapons, museum artifacts, consumer products, food and drugs, medical supplies and equipment, chemicals, hazardous materials, etc.

Intangible can include, for example, computer data, software code,
communications, trade secrets, intellectual property, medical histories and
other sensitive personnel data, instrument calibration, sterility of medical
supplies/equipment, etc.

The “harm” we wish to avoid can include theft, sabotage, tampering, destruction, vandalism, espionage, or counterfeiting. Physical methods for protection can include guards, guns, fences, access control, biometrics, closed-circuit TV cameras, intrusion detectors, locks, safes, vaults, and tamper-indicating seals…plus a lot of other things. Cyber security, cryptography, forensics, and background investigations are

changing security paradigms (2010)

Any field is molded and constrained by its paradigms. A “paradigm” can be defined as:
(1) a pattern, example, or model;
(2) a mode of thought or practice; or
(3) an overall concept or strategy accepted by most people in a given field.
The field of security relies on a number of paradigms, both stated and unstated. Many of these are in the process of changing—or at least should change—in order to adapt to a rapidly changing world and to improve security effectiveness.

pharma security issues (2010)

There are many widespread mistakes & myths about cargo security and physical security that should be avoided. Current tamper-indicating seals, tamper-indicating packaging, and product anti-counterfeiting tags aren’t very effective.

There’s little sophisticated R&D underway—mostly people and companies
are pushing pet technologies, not trying to solve the problem holistically.
Product counterfeiting and (especially) product tampering are going to get
a lot worse, including terrorist acts.

For many pharma manufacturers, there is a Due Diligence problem for:

tampering & counterfeiting.
Don’t underestimate virtual numeric tokens!

how to be a better seal user (2003)

Tamper-indicating seals have been used for over 7,000 years. Today, seals are widely used to help counter cargo theft, smuggling, sabotage, vandalism, tampering, terrorism, and espionage. Despite their antiquity and modern widespread use, however, there remains considerable confusion about
seals, as well as a lot of misconceptions, wishful thinking, sloppy terminology, and poor practice.

The Vulnerability Assessment Team (VAT) at Los Alamos National Laboratory has intensively studied tamper-indicating seals for the last 12 years. We have provided consulting, vulnerability assessments, and security solutions for over two dozen government agencies and private companies. This article summarizes some of our recommendations for using seals more effectively and with greater sophistication.

drug anti-counterfeiting (2005)

The counterfeiting of pharmaceuticals continues to be a major worldwide problem, with serious public health and economic consequences. In theory, anti-counterfeiting tags could help to solve this problem. Unfortunately, there are currently no practical, effective tags that significantly resist counterfeiting. This paper discusses a different, relatively low-tech and low-cost approach called the “Call-in the Numeric Token” (CNT) technique. It relies on participation by pharmaceutical customers (possibly including consumers). They check, via phone or Internet, on the validity of the unique, random, unpredictable identity (ID) number assigned to each pharmaceutical container they possess. The numerical container ID is a virtual tag or token, rather than a physical one that is susceptible to counterfeiting.

Counterfeiters are hampered by being unable to guess valid IDs, by being unable to easily acquire large numbers of existing valid IDs, and by being detected when multiple customers report the same IDs. At least some counterfeits can be detected even if only a small percentage of customers participate. The technique is particularly well suited for single-dose (“unit of use”) packaging, but can otherwise be adapted and automated for resellers, wholesalers, re-packagers, and other high-volume customers. While it will not absolutely end counterfeiting, CNT can make pharmaceutical counterfeiting easier to detect and study, and more difficult for counterfeiters. The technique is also applicable to other kinds of products.

choosing seals and using PSA seals (2006)

Some Comments on Choosing Seals & on PSA Label Seals

Maxims for Choosing Seals!•

There is no 􀀂best􀀃 seal. The optimal seal
depends on details of your application
including:!
– Goals!
– Adversaries!
– Consequences of Failure!
– Facilities!
– Personnel!
– Ergonomics !
– Training!
– Containers!
– Hasps & Doors!
– Time & Money Constraints

insider threat mitigation (2012)

Security Culture & Climate

Security Climate (informal perceptions) is probably even
more important than Security Culture (formal policies &
procedures)

In a healthy security culture/climate:

Everybody is constantly thinking about security.

There are on-the-spot awards for (1) good security practice & (2)
proactive/creative thinking and actions.

Security ideas, concerns, questions, suggestions, criticisms are welcome from any quarter.

No scapegoating! Finding vulnerabilities is viewed as good news.

CFP talk (2011)

Physical Security: Scarcely a field at all

You can’t (for the most part) get a degree in it from a major 4-year research university.

– Not widely attracting young people, the best & the brightest.
– Few peer-reviewed, scholarly journals or R&D conferences.
– Lots of Snake Oil & Security Theater.
– Shortage of models, fundamental principles, metrics, rigor,
R&D, standards, guidelines, critical thinking, & creativity.
– Often dominated by bureaucrats, committees, groupthink,
linear/concrete/wishful thinkers, cognitive dissonance.

Johnston Microsoft Talk

The author notes some cyber dumbness:

Failed Electronic Redaction

Inadvertent release of information embedded
inside Office & Acrobat documents

Malicious Thumb Drive in the parking lot problem
(or CD on the desk with a fake IT Department memo)

Susceptibility to Phishing

Security Theater with Adhesive Label Seals

Closed Source

Amateur Hour Cryptography

“It takes a smart man to know he’s stupid. — Barney Rubble, The Flintstones”

GPS cargo tracking (2003)

The Global Position System (GPS) is being increasingly used for a variety of critical applications. These include public safety services (police, fire, rescue and ambulance), marine and aircraft navigation, cargo security, vehicle tracking, and time synchronization for utility, telecommunications, banking, and computer industries.

While people tend to think about GPS as being high-tech and thus high security, the fact is that the satellite signals used in most GPS applications are not secure. The civilian GPS signals—the only ones available to private industry and the vast majority of the federal government—are neither encrypted nor authenticated. They are thus easy to counterfeit, unlike the military GPS signals.

wine authenticity (2008)

When the Roman historian Pliny the Elder wrote “in vino veritas” – in wine, there is truth – he must not have been drinking from a counterfeit bottle. Argonne researchers Roger Johnston and Jon Warner have created a device
to ensure that modern wine connoisseurs can have faith that they are drinking what they pay for.

Marc Tobias and Tobias Bluzmanis did an analysis of the popular Yale X Nest smartlock for the Wall Street Journal in August, 2021. Watch the video to see why homeowners will ultimately upgrade to a smartlock. There are many to choose from and depends if you want only electronic access, or a bypass key, such as with Kevo by Kwikset.

Watch the report on WTAE-TV about intercom consoles for buildings and the locks that are being used to secure the housing. Many can be opened in seconds.

Watch the report on WTAE-TV by Marc Tobias, demonstrating how a five-year-old child can remove a gun lock from a revolver in seconds. Gun locks are inherently not secure.

Watch the report on ballot box insecurity and how votes can be stolen. This was filmed in Sioux Falls, SD by Marc Tobias prior to the 2020 election.

Watch the demonstration of how the Geminy system protects profile cylinders in Europe. This was filmed at Wendt-Lockmasters in Germany, by Marc Tobias and Addi Wendt..

Three-year-old Ryan Owens was killed because of a defective safe that was produced by Stack-On in Illinois. The security of the safe is based upon the use of a solenoid for its locking mechanism. Virtually all enclosures that rely on solenoids can be defeated easily. Watch the report.

iLOQ is a company in Finland that produces energy-harvesting locks that are sophisticated and secure. However, in 2011 our lab was able to defeat their locks by circumventing the electronics in different ways. The company responded and resolved the security design issues. Watch the animation on how these locks work. The case is also described in the new book entitled Tobas on Locks and Insecurity Engineering, published in 2024 by Wiley.

Dentry safe produced a fire container that used a solenoid to accomplish locking and its primary security. It could be opened in seconds with a rare earth magnet. Watch Terry Win-Yates with Marc Tobias open the safe at his lock shop in Vancouver, BC.

WILEY MASTER INDEX

WILEY JACKET FINAL DESIGN

TOBIAS ON LOCKS INTRO-pdf

WILEY Tobias Flyer

University of Pittsburgh news release about Tobias on Locks and Insecurity Engineering book by Wiley.

https://news.engineering.pitt.edu/reducing-insecurity-in-security-engineering/

Article by the University of Pittsburgh about Tobias on Locks and Insecurity Engineering

https://news.engineering.pitt.edu/reducing-insecurity-in-security-engineering/