The document discusses security in software and locks, emphasizing the importance of integrating security during the design phase rather than treating it as an afterthought. Walter Belgers, a lockpicker and security expert, highlights various methods of attacks, including social engineering and brute force, and stresses the need for awareness and robust security measures. Additionally, it touches on the significance of certification and threat modeling in maintaining security.

1. HackIT 4.0, Kyiv
Lockpicking and IT Security
Walter Belgers, M.Sc., CISSP, CISA, CEX

2. HackIT 4.0, Kyiv
Your Photo
Name: Wалтер Белгерс
Company: Toool
Position: President
Company
logolinkedin.com/in/walter
walter@toool.nl

4. • 20+ years of lockpicking experience
• President of TOOOL,The Open Organisation of Lockpickers
• Fastest Dutch lockpicker ;-)
• Also: penetration tester/social engineer for 15+ years

6. SEA

9. Root user

11. Design - software
• Security often a small component in software and
hence, often an afterthought
• Functionality is more important than security

13. source:Wikipedia

14. Design - locks
• Locks are always there to provide security, so no
afterthought
• Lock manufacturers are good in specifying requirements
• Risks are pretty well understood (but not by all!)
• Locks are tested (e.g. for certification)

15. • Secure against what?
• Key control (who can copy)
• Protection against destructive attacks
(drilling, pulling, breaking)
• Protection against non-destructive attacks (lockpicking,
pickgun, bumping, impressioning)
• Tight cost and space constraints
Design - locks

16. Design: KABA E-plex 5800
forbes.com

19. http://null-byte.wonderhowto.com/how-to/turn-innocent-dry-erase-marker-into-hotel-hacking-machine-0139534/

20. https://www.youtube.com/watch?v=6txFFS1TwSE

21. Implementation error

22. animation: Deviant Ollam

23. Implementation error

24. •Awareness is
always a problem
•Password guessing
•Social Engineering
•Showing your keys..

25. Showing (master) keys
http://www.nbcbayarea.com/investigations/One-Gas-Pump-Key-Lets-Thieves-Steal-Your-ID-177999751.html

26. Showing (master) keys

28. Backdoors

30. Pictures: Oliver
Diederichsen

31. Key re-use

32. (Partial) key re-use
http://www.crypto.com/papers/mk.pdf

33. (Partial) key re-use
http://www.crypto.com/papers/mk.pdf

34. Root user
•Often, there is an omnipotent user
•root
•Domain Administrator

35. Root user

36. Root user

37. Using sample code

38. Using sample ‘code’
http://www.youtube.com/watch?v=Ti9S1qzPXTI

39. Remember showing keys?

40. Brute force attacks

41. Brute force attacks

42. Brute force attacks

43. Denial of Service

44. Denial of Service

45. Denial of Service

46. Sequential attacks
• “Unknown user” versus “Incorrect password”
• Timing attacks

47. Sequential attacks

48. Sequential attacks

49. Sequential attacks

50. Sequential attacks

51. Sequential attacks

52. Sequential attacks

53. Security testing
• Let an experienced security consultant look at the security?
• Use automated vulnerability scanners?
• Certification?

54. Certification

55. Tooling

56. Tooling
http://www.revk.uk/2013/12/abs-lock-vs-3d-printer.html

57. Holistic view
• You are depending on the environment
• You are as secure as the weakest link

58. Holistic view

59. Threat modeling

60. Thank you for
your attention
Any questions?
walter@toool.nl