Category Archives: Physical Security

Lock your stuff up!

Filed under Physical Security

<%image(20080214-master_lock.jpg|85|124|Master Lock)%>

So I was at the gym yesterday and noticed something that really bothered me….

As soon as I pulled into the gym parking lot I noticed that it was packed! Seems like everyone wanted to workout last night for some reason. So I grabbed my gym bag and went into the locker room to change. The locker room isn’t very big to begin with so I started to hunt for an open locker to drop my stuff into. Most every locker had a “Master Lock” brand combination or key lock. I finally found three lockers in a row that didn’t have locks. I opened up the first locker and it wasn’t empty. Someone’s cell phone, wallet, and ID all available for the taking. So I thought to myself, ok someone just forgot their lock right? I opened up the locker next to that one and saw another guys wallet and PDA just sitting there! No way…two in a row? Thinking that there is no way there would be three lockers in a row unsecured I opened up the third locker…what do you know…someones bag with car keys just sticking out of the bag. Amazing.

Lucky that I have some ethics and wouldn’t take someones stuff but the sad truth is that someone else could have easily stolen all of this stuff…wallets with credit cards, drivers license, PDA’s and cell phones all could be used for simple transactions or even worse identity theft.

Whats the lesson here? Buy yourself a lock! A Master Lock is like $3.99 (or cheaper). While you could crack one of these locks with very little effort, it does provide a good “deterrent” to prevent simple physical theft. At a busy gym someone might say something to you if you were trying to break a lock off by force, calculating magic numbers or by picking it!

Lock your stuff up at the gym…please!

Sneaky White Hats Pull Surveillance Cam Switcheroo

Filed under Physical Security

Remember the movies where the bad guys replace the security guards video feed with a fake one showing an endless loop of nothing? Security researches have just figured out how to do this on a AXIS 2100 Surveillance Camera. This is a popular camera that can be remotly controlled – and viewed over the web.

“This hack (.pdf) works by combining a few vulnerabilities in how the camera’s accompanying software accepts input — a type of security hole known as cross site scripting, or XSS.

In this case, the attacker first sends some malformed information — which is actually JavaScript — to the camera’s web server, which then writes that information to the log files. When the camera’s administrator checks the logs, the JavaScript executes, creating a new user account and e-mailing the attacker that the new account has been created.

…From there the attacker can simply change the HTML on the camera viewing page to secretly point the playback screen to another video file — one that can even be hosted on another web site.”

The trick is to get the administrator to check the logs which could easily be done by sending a flood of traffic to the camera causing a temporary denial of service to the camera. You can view the entire hack here. Full article is below.

Sneaky White Hats Pull Surveillance Cam Switcheroo