Physical Security

Object

Title
Physical Security
Description
Physical security is an oft-overlooked but critical prerequisite for good information security. Software has leaked into every aspect of modern life and now controls access to physical resources as well as to business and personal information. When critically examined, physical security policies and mechanisms have (perhaps have *always*) contained substantial snake oil components, including back doors, extensive use of protection by "security through obscurity", and piece solutions which ignore their environmental context or need to function in a system.

About this event: http://www.ccc.de/congress/2004/fahrplan/event/130.en.html
Content
Physical security is an oft-overlooked but critical prerequisite for good information security. A bad guy with a console root login can obviously adversely affect behavior in basic or profound ways, but it may not be obvious how a brief/seemingly limited physical exposure can result in complete breach of trust using today's spiffy and inexpensive attack tools (all available on eBay).

Software has leaked into every aspect of modern life and now controls access to physical resources as well as to business and personal information. You might expect that, for example, a badge access control implementation would be as simple as the model seen by the user -- "wave the badge at the reader, and you're in (or not)", but by the time the coders are done, it's more than 200K lines of C, and as buggy as any other large program. I'll discuss some of these bugs, and one vendor's response to them.

Another dirty little secret: When critically examined, physical security policies and mechanisms have (perhaps have always) contained substantial snake oil components, including back doors, extensive use of protection by "security through obscurity", and piece solutions which ignore their environmental context or need to function in a system. Typical excuses include "We're trying to raise the bar high enough to deter a typical burglar", "We don't think that attack is likely to occur", "We do better than locks and keys", and "That's not our problem". I'll talk about outsourcing and colocation facilities which present the perception (but seldom the actuality) of security, and more generally the problems and solutions involved in trusting outsiders to supply your physical security.
Publication date
28 December 2004
Person involved
Mark Seiden
Barry
Is Referenced By
21C3 Website
Extent
0:44:50
Type
video/mp4
Tag
21c3
Hacking
Identifier
ark:/45490/bgshAt